Metasploit mailing list archives

Re: [Feature] Tweaking Rex::Exploitation::Seh#generate_dynamic_seh_record


From: HD Moore <hdm () metasploit com>
Date: Tue, 27 Dec 2011 11:03:58 -0600

On 12/22/2011 6:14 PM, lukasz skrzeszewski wrote:
Hi, I would like to use this post to say HelloWorld.rb to the community!


I would like to suggest a small change to the
Rex::Exploitation::Seh#generate_dynamic_seh_record function, just to
make the Msf::Exploit::Seh mixin a bit more usable.

At the moment, when we are mixing in the Msf::Exploit::Seh module, we have two
options for how to create our SEH record:

  - the first, default one is generate_static_seh_record, which is the classic
"\xeb\x06" short 6-byte jump.

  - the second is generate_dynamic_seh_record, which is a random short jump
of up to 128 bytes.



What if we have to jump at least 50 bytes?

The SEH mixin is there to assist in evasion when selected; it's not there
to provide a way around memory corruption of the payload in the scenario
you outlined. The reason this doesn't work: the user could change the
datastore option to a value that breaks the exploit (something we try to
avoid letting them do). It would make more sense to ignore the mixin
entirely and just implement a custom jump to work around the case you
specified (this is how like exploits do it today).

-HD

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework