
Chapter 15

Figure 15-5: Quick TFTP buffer with random characters

Now that we know that the module is still behaving properly, we can set the return address in the 'Targets' definition. The address in this example is that of a POP-POP-RETN sequence in oledlg.dll, as in the original exploit. Remember that if we can find a memory instruction set in the same application that is loaded every time, we can create a universal exploit that is not dependent on Microsoft DLLs and that can target every operating system. In this case, we use oledlg.dll to make this exploit universal.

    'Targets'        =>
      [
        [ 'Windows XP SP2',  { 'Ret' => 0x74d31458 } ], # p/p/r oledlg
      ],

We now have our target of Windows XP SP2 and a return address of 0x74d31458, as shown at  .

Next, we create a random, alphabetical, uppercase string of 1019 bytes:

    evil = rand_text_alpha_upper(1019)
    evil << generate_seh_payload(target.ret)
    evil << make_nops(16)

The generate_seh_payload function uses the declared return address and will automatically insert the short jump (which jumps us over the SEH handler). The generate_seh_payload function calculates the jumps for us, so it will go straight to the POP-POP-RETN.

We run the module one last time with the dummy shellcode and see that 

our debugger contains numerous random characters, but everything is still 
under our direct control, as shown in Figure 15-6. Random characters can be 
better than NOPs in some cases, because they serve to trip up many IDSs that 
may be monitoring the network. Many signature-based IDSs can trigger over 
large volumes of NOPs.
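To see the detection point from the defender's side, the following added example (not code from the book or from the Metasploit module) contrasts a plain NOP-sled signature with a protocol-aware length check on TFTP requests. The TFTP request layout follows RFC 1350; the sample requests, the 255-byte limit and the 16-byte NOP threshold are constructed for illustration, and since this page does not say which TFTP field the module oversizes, the check inspects both the filename and the mode string.

```python
import random
import string

# Constructed sample data only; nothing here comes from the Metasploit module.

def build_tftp_rrq(filename: bytes, mode: bytes) -> bytes:
    """Build a TFTP read request per RFC 1350: opcode 1, filename, NUL, mode, NUL."""
    return b"\x00\x01" + filename + b"\x00" + mode + b"\x00"

def nop_sled_signature(buf: bytes, min_run: int = 16) -> bool:
    """Classic IDS signature: alert on min_run or more consecutive 0x90 NOP bytes.
    Alphabetic padding contains no 0x90 bytes, so this never fires on it."""
    return b"\x90" * min_run in buf

def oversized_tftp_field(buf: bytes, max_len: int = 255) -> bool:
    """Protocol-aware check: alert when the filename or mode string of a TFTP
    RRQ/WRQ exceeds max_len bytes, regardless of what the bytes look like."""
    if len(buf) < 4 or buf[:2] not in (b"\x00\x01", b"\x00\x02"):
        return False
    fields = buf[2:].split(b"\x00")
    return any(len(field) > max_len for field in fields[:2])

# Padding in the style of rand_text_alpha_upper(1019): uppercase letters only.
ALPHA_PADDING = "".join(random.choices(string.ascii_uppercase, k=1019)).encode()

ALPHA_REQUEST = build_tftp_rrq(ALPHA_PADDING, b"octet")   # random uppercase filler
NOP_REQUEST = build_tftp_rrq(b"\x90" * 1019, b"octet")     # classic NOP filler
BENIGN_REQUEST = build_tftp_rrq(b"boot.cfg", b"octet")     # ordinary read request

def evaluate(buf: bytes) -> dict:
    """Run both checks on one request and report which of them fire."""
    return {
        "nop_signature": nop_sled_signature(buf),
        "oversized_field": oversized_tftp_field(buf),
    }

if __name__ == "__main__":
    for name, req in (("alpha", ALPHA_REQUEST), ("nop", NOP_REQUEST),
                      ("benign", BENIGN_REQUEST)):
        print(name, evaluate(req))
```

The NOP signature misses the alphabetic buffer entirely, while the length check flags both oversized requests and leaves the normal one alone.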