metasploit-framework

https://github.com/rapid7/metasploit-framework

Ruby

Metasploit Framework

MetasploitModule#attempt_race

Attempt to overwrite the freed BIO struct with stage 1 and implicitly trigger the
use-after-free in a race.

For targets older than Windows 8, we need to race Backup Exec after the BIO struct is
freed. These versions of Windows overwrite the start of a freed heap object with the
offset of the next entry in the freelist, so we must then overwrite that with our
stage 1 spray; otherwise Backup Exec crashes when it calls the BIO struct's read
callback upon re-entering SSL mode. This is less reliable than the Windows 8+ case
(which uses a free bitmap rather than a freelist), but it still works reasonably well.


Edit

git clone git@github.com:rapid7/metasploit-framework.git

cd metasploit-framework

open modules/exploits/windows/backupexec/ssl_uaf.rb
