metasploit-framework

https://github.com/rapid7/metasploit-framework

Ruby

Metasploit Framework

MetasploitModule#trigger_w7

* 15 C1TAB objects are used to defragment the heap, so that objects are stored after the vulnerable buffer.
* Based on empirical tests, the 5th C1TAB comes after the vulnerable buffer.
* Using the 7th C1TAB, it is possible to overflow the object itself and gain control before the TabCaption property has finished being set.


Edit

git clone git@github.com:rapid7/metasploit-framework.git

cd metasploit-framework

open modules/exploits/windows/browser/ibm_spss_c1sizer.rb

Contribute

# Make a new branch

git checkout -b -your-name--update-docs-MetasploitModule-trigger_w7-for-pr


# Commit to git

git add modules/exploits/windows/browser/ibm_spss_c1sizer.rb

git commit -m "better docs for MetasploitModule#trigger_w7"


# Open pull request

gem install hub # on a mac you can `brew install hub`

hub fork

git push <your name> -your-name--update-docs-MetasploitModule-trigger_w7-for-pr

hub pull-request


# Celebrate!