change the payload space to 5000. This allows all the payloads I test…

…ed to work but also allows all the 3 gadget chains I tested to work. ClaimsPrincipal and TypeConfuseDelegate will fail if the space is too large.
rapid7 · Oct 4, 2023 · ccd8c71 · ccd8c71
1 parent 1be8e02
commit ccd8c71
Showing 1 changed file with 5 additions and 1 deletion.
diff --git a/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb b/modules/exploits/windows/http/ws_ftp_rce_cve_2023_40044.rb
@@ -33,7 +33,11 @@ def initialize(info = {})
         'DisclosureDate' => '2023-09-27',
         'Platform' => %w[win],
         'Arch' => [ARCH_CMD],
-        'Payload' => { 'Space' => 8192 },
+        # 5000 will allow the powershell payloads to work as they require ~4200 bytes. Notably, the ClaimsPrincipal and
+        # TypeConfuseDelegate (but not TextFormattingRunProperties) gadget chains will fail if Space is too large (e.g.
+        # 8192 bytes), as the encoded payload command is padded with leading whitespace characters (0x20) to consume
+        # all the available payload space via ./modules/nops/cmd/generic.rb).
+        'Payload' => { 'Space' => 5000 },
         'Privileged' => false, # Code execution as `NT AUTHORITY\NETWORK SERVICE`.
         'Targets' => [
           [