Module: Msf::Exploit::Seh

Defined in:
lib/msf/core/exploit/seh.rb

Overview

This mixin provides an interface for generating SEH registration records in a robust fashion, using the Rex::Exploitation::Seh class.

Instance Method Details

#generate_seh_payload(handler, opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/seh.rb', line 53

def generate_seh_payload(handler, opts = {})

  # The boilerplate this replaces always has 8 bytes for seh + addr
  seh_space = 8 + payload.nop_sled_size

  seh = Rex::Exploitation::Seh.new(
      payload_badchars,
      seh_space,
      opts['NopGenerator'] || nop_generator)

  # Generate the record
  rec = seh.generate_seh_record(handler, datastore['DynamicSehRecord'])

  # Append the payload, minus the nop sled that we replaced
  rec << payload.encoded.slice(payload.nop_sled_size, payload.encoded.length)
end

#generate_seh_record(handler, opts = {}) ⇒ Object

Generates an SEH record with zero or more options. The supported options are:

NopGenerator

  The NOP generator instance to use, if any.

Space

  The amount of room the SEH record generator has to play with for
  random padding.  This should be derived from the maximum amount of
  space available to the exploit for payloads minus the current payload
  size.

# File 'lib/msf/core/exploit/seh.rb', line 43

def generate_seh_record(handler, opts = {})
  seh = Rex::Exploitation::Seh.new(
      payload_badchars,
      opts['Space'] || payload_space,
      opts['NopGenerator'] || nop_generator)

  # Generate the record
  seh.generate_seh_record(handler, datastore['DynamicSehRecord'])
end
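The following is an added, stand-alone model (not the framework's code, and not Rex::Exploitation::Seh itself) of the accounting that generate_seh_payload and generate_seh_record perform: the record consumes the 8-byte boilerplate plus the NOP sled, the sled is sliced off the encoded payload, and the padding must avoid the bad characters. StubSeh, build_seh_payload, seh_layout and the sample buffer are all constructed for this example.

```ruby
# Simplified stand-in for Rex::Exploitation::Seh (assumption: an 8-byte
# static record, 4-byte next-SEH pointer + 4-byte handler, padded to
# `space` bytes with generator output). Not the real class.
class StubSeh
  def initialize(badchars, space, nop_generator)
    @badchars = badchars.bytes
    @space = space
    @nops = nop_generator
  end

  # Returns exactly @space bytes; dynamic records are not modelled here.
  def generate_seh_record(handler, _dynamic = false)
    raise ArgumentError, "Space must be at least 8" if @space < 8
    nseh = [0x90909090].pack('V')          # placeholder nSEH (constructed)
    rec = nseh + [handler].pack('V')       # handler address, little-endian
    rec << @nops.call(@space - 8)          # fill the replaced NOP sled
    raise "bad character in SEH record" if rec.bytes.any? { |b| @badchars.include?(b) }
    rec.b
  end
end

# Mirrors generate_seh_payload: seh_space = 8 + sled size, then append
# the encoded payload minus the sled the record replaced.
def build_seh_payload(encoded, nop_sled_size, handler, badchars, nop_generator)
  seh_space = 8 + nop_sled_size
  rec = StubSeh.new(badchars, seh_space, nop_generator).generate_seh_record(handler)
  rec + encoded.byteslice(nop_sled_size, encoded.bytesize)
end

# Layout check on a finished buffer: total is always encoded size + 8,
# with the handler at offset 4 of the record.
def seh_layout(buf)
  { nseh: buf.byteslice(0, 4),
    handler: buf.byteslice(4, 4).unpack1('V'),
    total: buf.bytesize }
end

NOPS = ->(n) { "\x90".b * n }               # trivial NOP generator (constructed)
BADCHARS = "\x00\x0a\x0d".b                  # sample bad characters (constructed)
# Constructed encoded payload: 6-byte NOP sled followed by a 10-byte body.
SAMPLE_ENCODED = ("\x90".b * 6) + ("\xcc".b * 10)

if __FILE__ == $0
  buf = build_seh_payload(SAMPLE_ENCODED, 6, 0x41424344, BADCHARS, NOPS)
  p seh_layout(buf)
end
```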

#initialize(info = {}) ⇒ Object

Creates an instance of an exploit that uses an SEH overwrite.

# File 'lib/msf/core/exploit/seh.rb', line 17

def initialize(info = {})
  super

  # Register an advanced option that allows users to specify whether or
  # not a dynamic SEH record should be used.
  register_advanced_options(
    [
      OptBool.new('DynamicSehRecord', [ false, "Generate a dynamic SEH record (more stealthy)", false ])
    ], Msf::Exploit::Seh)
end