230
Chapter 15
Figure 15-5: Quick TFTP buffer with random characters
Now that we know that the module is still behaving properly, we can set the return address in the 'Targets' definition. The address in this example is a POP-POP-RETN from oledlg.dll, as in the original exploit. Remember that if we can find a suitable instruction sequence in a DLL that the application itself loads every time, we can create a universal exploit that is not dependent on Microsoft DLLs and that can target every operating system. In this case, we use oledlg.dll to make this exploit universal.
'Targets' =>
  [
    [ 'Windows XP SP2', { 'Ret' => 0x74d31458 } ], # p/p/r oledlg
  ],
We now have our target of Windows XP SP2 and a return address of 0x74d31458, as shown in the 'Targets' entry above.
Next, we create a random, alphabetical, uppercase string of 1019 bytes:
evil = rand_text_alpha_upper(1019)
evil << generate_seh_payload(target.ret)
evil << make_nops(16)
The generate_seh_payload function uses the declared return address and will automatically insert the short jump (which jumps us over the SEH handler). The generate_seh_payload function calculates the jumps for us, so it will go straight to the POP-POP-RETN.
We run the module one last time with the dummy shellcode and see that our debugger contains numerous random characters, but everything is still under our direct control, as shown in Figure 15-6. Random characters can be better than NOPs in some cases, because they serve to trip up many IDSs that may be monitoring the network. Many signature-based IDSs can trigger over large volumes of NOPs.
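The detection side of that last point is worth seeing in code. The following Ruby is an added example written for this page; it is not from the book or from the Metasploit project. It runs two checks an analyst might apply to a captured request field: a naive signature that fires only on a long run of 0x90 (the x86 NOP byte), and a broader heuristic that looks at the longest run of any one filler class, here uppercase letters, as rand_text_alpha_upper produces. The two sample buffers (NOP_SLED_BUFFER and ALPHA_PADDED_BUFFER) and the thresholds are constructed for the demonstration and are not captures from Quick TFTP or from the module above.

```ruby
# Added example (not the book's or Metasploit's code): why a NOP-sled
# signature misses a buffer padded with random uppercase letters, and what
# a run-length heuristic sees instead.

NOP = "\x90".b  # x86 single-byte NOP

# Constructed sample payloads (not real captures). Both end in eight 0xCC
# bytes standing in for whatever followed the padding.
NOP_SLED_BUFFER = (NOP * 64) + ("\xcc".b * 8)

rng = Random.new(1234)  # fixed seed so the demo is reproducible
ALPHA_PADDED_BUFFER =
  Array.new(104) { ("A".ord + rng.rand(26)).chr }.join.b + ("\xcc".b * 8)

# Longest contiguous run of bytes for which the block returns true.
def longest_run(buf)
  best = cur = 0
  buf.each_byte do |b|
    if yield(b)
      cur += 1
      best = cur if cur > best
    else
      cur = 0
    end
  end
  best
end

# Longest run of the 0x90 NOP byte.
def longest_nop_run(buf)
  longest_run(buf.b) { |b| b == 0x90 }
end

# Longest run of uppercase ASCII letters (0x41..0x5A).
def longest_upper_alpha_run(buf)
  longest_run(buf.b) { |b| b >= 0x41 && b <= 0x5a }
end

# Signature-style check: a long sled of identical NOP bytes. This is the
# kind of rule the text says random padding slips past.
def nop_sled_signature?(buf, threshold: 32)
  longest_nop_run(buf) >= threshold
end

# Heuristic check: an unusually long run of any single filler class in a
# field that should hold a short value (a TFTP filename, for instance).
# Threshold is an assumption; tune it per protocol field to control
# false positives from legitimately long alphabetic values.
def padding_run_heuristic?(buf, threshold: 64)
  [longest_nop_run(buf), longest_upper_alpha_run(buf)].max >= threshold
end

# Summary of what each check sees for a buffer.
def classify(buf)
  {
    nop_run:           longest_nop_run(buf),
    upper_alpha_run:   longest_upper_alpha_run(buf),
    nop_signature:     nop_sled_signature?(buf),
    padding_heuristic: padding_run_heuristic?(buf),
  }
end

if __FILE__ == $PROGRAM_NAME
  puts "NOP sled:      #{classify(NOP_SLED_BUFFER)}"
  puts "Alpha padding: #{classify(ALPHA_PADDED_BUFFER)}"
end
```

Run stand-alone, the NOP sled trips both checks while the alpha-padded buffer trips only the run-length heuristic, which is the gap the text describes; the heuristic in turn needs per-field thresholds, since long uppercase strings are legitimate in many protocols.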