[SeeRM 8458] Use RopDb mixin for browser exploits #2483
Conversation
All targets tested except for Vista. Will need additional testing during review.
All targets tested except for Vista, so additional testing will need to be done during review.
All targets tested.
Target tested
Start to work on testing all these modules!
By the way, @wchen-r7, if you want to link this change to a redmine ticket,
Will take it into account!
While testing IE8 / Win XP SP3 / msvcrt rop chain I'm getting this crash consistently with ie_cgenericelement_uaf. I've not been able to get any session on several tries:
@wchen-r7, could you confirm if it's working/crashing for you on the described test case?
Yeah, I tested that in this commit: 67228ba. If you switch back to upstream-master, does the exploit still work for you?
Checking right now! :)
Working from master:
The only exploit not working is ie_cgenericelement_uaf for Win XP SP3 and Win2003 SP2 / IE8 / msvcrt.
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")

rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
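Review bot: the generate_rop_payload call in this hunk passes only p as the payload, so whatever stack-alignment bytes are prepared before it (the align value referred to in the review) are not placed ahead of the payload in the final buffer; concatenate them, e.g. generate_rop_payload('msvcrt', align + p, {'target'=>'xp'}), otherwise the msvcrt chain for the xp target lands on a payload that is not at the expected offset, which matches the consistent crash reported for Win XP SP3 / Win2003 SP2 / IE8.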
it should be:
rop_payload = generate_rop_payload('msvcrt', align + p, {'target'=>'xp'})
Cool! Last test and hopefully landing!
ie_cgenericelement_uaf working again, on both WXPSP3 and W2003SP2. Landing! Full testing results:
Windows 7 SP1 - IE8 - msvcr71
Windows 2003 SP2 - IE8 - msvcrt
These browser exploits should be using ROP chains from RopDb. All the targets should be tested except for Windows Vista.