From f1a39c76ed6a5b4e8691f1cbb251d470e850802e Mon Sep 17 00:00:00 2001
From: kernelsmith
Date: Wed, 19 Sep 2012 14:10:02 -0500
Subject: [PATCH 1/5] update to ie_execcommand_uaf's info to add ROP info This module requires the following dependencies on the target for the ROP chain to function. For WinXP SP3 with IE8, msvcrt must be present (which it is on default installs). For Vista/Win7 with IE8 or Win7 with IE9, ire 1.6.x or below must be installed.
---
 modules/exploits/windows/browser/ie_execcommand_uaf.rb | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
index 25d395d13c..2f48d8575e 100644
--- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb
+++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -30,6 +30,10 @@ class Metasploit3 < Msf::Exploit::Remote
 to a use-after-free condition. Please note that this vulnerability has
 been exploited in the wild since Sep 14 2012, and there is currently no official
 patch for it.
+
+ This module requires the following dependencies on the target for the ROP chain to function.
+ For WinXP SP3 with IE8, msvcrt must be present (which it is on default installs). For
+ Vista/Win7 with IE8 or Win7 with IE9, jre 1.6.x or below must be installed.
 },
 'License' => MSF_LICENSE,
 'Author' =>
From 56d5c1375545f7e34247b061b460d79d819e9de6 Mon Sep 17 00:00:00 2001
From: kernelsmith
Date: Thu, 20 Sep 2012 12:23:48 -0500
Subject: [PATCH 2/5] adds -s Execute the specified string as console commands to msfconsole for convenience when you don't need/want a full resource file, you just want to run something quick example usage: # say you have a saved config ready to go on load ./msfconsole -s 'exploit -j' # you can run multiple commands too ./msfconsole -s 'set ConsoleLogging true\nshow options'
---
 lib/msf/ui/console/driver.rb | 7 +++++++
 msfconsole | 5 +++++
 2 files changed, 12 insertions(+)

diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 399c0781c2..00547a5aed 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -249,6 +249,13 @@ class Driver < Msf::Ui::Driver
 # If the opt is nil here, we load ~/.msf3/msfconsole.rc
 load_resource(opts['Resource'])
 end
+
+ # Process any additional startup commands
+ if opts['SCommands'] and opts['SCommands'].kind_of? Array
+ opts['SCommands'].each { |c|
+ run_single(c)
+ }
+ end
 end
 
 #
diff --git a/msfconsole b/msfconsole
index c21594147f..17296a4c30 100755
--- a/msfconsole
+++ b/msfconsole
@@ -101,6 +101,11 @@ class OptsConsole
 options['DisableBanner'] = true
 end
 
+ opts.on("-s", "-s ", "Execute the specified string as console commands") do |s|
+ options['SCommands'] ||= []
+ options['SCommands'] += s.split('\n')
+ end
+
 opts.separator ""
 opts.separator "Common options:"
 
From cf8edf8570306e46f219adc891f9c41de9d74978 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 20 Sep 2012 13:34:29 -0500
Subject: [PATCH 3/5] Touchups to msfconsole command parsing Move from -s to -x and use a semicolon.
---
 lib/msf/ui/console/driver.rb | 4 ++--
 msfconsole | 6 +++---
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 00547a5aed..eac24a576d 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -251,8 +251,8 @@ class Driver < Msf::Ui::Driver
 end
 
 # Process any additional startup commands
- if opts['SCommands'] and opts['SCommands'].kind_of? Array
- opts['SCommands'].each { |c|
+ if opts['XCommands'] and opts['XCommands'].kind_of? Array
+ opts['XCommands'].each { |c|
 run_single(c)
 }
 end
diff --git a/msfconsole b/msfconsole
index 17296a4c30..ea8add619e 100755
--- a/msfconsole
+++ b/msfconsole
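Review bot: The new guard `if opts['SCommands'] and opts['SCommands'].kind_of? Array` in driver.rb uses `and`, which binds more loosely than `&&` and is conventionally reserved for control flow, and the type check plus multi-line block can be folded into one idiomatic line: `Array(opts['SCommands']).each { |c| run_single(c) }`, which also tolerates a nil or single-string value. The companion msfconsole hunk always stores an Array under that key, so the `kind_of?` check only matters for other callers of the driver, if any. The renamed `XCommands` guard in the following commit's driver.rb hunk keeps the same `and` shape and would take the same rewrite. The enclosing method begins before this hunk.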
@@ -101,9 +101,9 @@ class OptsConsole
 options['DisableBanner'] = true
 end
 
- opts.on("-s", "-s ", "Execute the specified string as console commands") do |s|
- options['SCommands'] ||= []
- options['SCommands'] += s.split('\n')
+ opts.on("-x", "-x ", "Execute the specified string as console commands (use ; for multiples)") do |s|
+ options['XCommands'] ||= []
+ options['XCommands'] += s.split(/\s*;\s*/)
 end
 
 opts.separator ""
From a5ffe7297f0fa3e25eb21c9a408da1dc18492811 Mon Sep 17 00:00:00 2001
From: Tod Beardsley
Date: Thu, 20 Sep 2012 14:52:52 -0500
Subject: [PATCH 4/5] Touching up Kernelsmith's wording. It is merely the ROP chain, not the vuln, that requires Java.
---
 .../exploits/windows/browser/ie_execcommand_uaf.rb | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
index 2f48d8575e..26145f29c2 100644
--- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb
+++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
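Review bot: `s.split(/\s*;\s*/)` splits on every semicolon, so a leading `;` or a doubled `;;` hands an empty string to `run_single` in driver.rb (whose handling of an empty command is not visible here), and a command whose argument legitimately contains a `;` cannot be passed through `-x` at all, because quoting inside the string is not honoured by a plain regex split. `options['XCommands'] += s.split(/\s*;\s*/).reject(&:empty?)` drops the empty entries, and the help text should state that `;` cannot appear inside a single command. A short comment on the `"-x "` spec, such as `# trailing space makes OptionParser require a value`, would save the next reader a lookup. The `opts.on` call is wholly inside the hunk, but the surrounding `OptsConsole` parsing method starts before it.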
@@ -27,13 +27,15 @@ class Metasploit3 < Msf::Exploit::Remote
 This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner, but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
- to a use-after-free condition. Please note that this vulnerability has
- been exploited in the wild since Sep 14 2012, and there is currently no official
- patch for it.
+ to a use-after-free condition.
 
- This module requires the following dependencies on the target for the ROP chain to function.
- For WinXP SP3 with IE8, msvcrt must be present (which it is on default installs). For
- Vista/Win7 with IE8 or Win7 with IE9, jre 1.6.x or below must be installed.
+ Please note that this vulnerability has been exploited in the wild since Sep 14 2012,
+ and there is currently no official patch for it.
+
+ Also note that presently, this module has some target dependencies for the ROP chain to be
+ valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).
+ For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which
+ is often the case).
 },
 'License' => MSF_LICENSE,
 'Author' =>
From 7fcc34766a3e74069bdf4a23b250c0794f64181e Mon Sep 17 00:00:00 2001
From: David Maloney
Date: Thu, 20 Sep 2012 15:20:20 -0500
Subject: [PATCH 5/5] Added datastore items to BAP handlers Added two datastore items to handlers created by BAP
---
 modules/auxiliary/server/browser_autopwn.rb | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/modules/auxiliary/server/browser_autopwn.rb b/modules/auxiliary/server/browser_autopwn.rb
index d07b1d4468..9a3314c7cd 100644
--- a/modules/auxiliary/server/browser_autopwn.rb
+++ b/modules/auxiliary/server/browser_autopwn.rb
@@ -476,6 +476,8 @@ class Metasploit3 < Msf::Auxiliary
 multihandler.datastore['MODULE_OWNER'] = self.datastore['MODULE_OWNER']
 multihandler.datastore['WORKSPACE'] = datastore["WORKSPACE"] if datastore["WORKSPACE"]
 multihandler.datastore['ParentUUID'] = datastore["ParentUUID"] if datastore["ParentUUID"]
+ multihandler.datastore['CAMPAIGN_ID'] = datastore["CAMPAIGN_ID"] if datastore["CAMPAIGN_ID"]
+ multihandler.datastore['BAP'] = true
 multihandler.datastore['AutopwnUUID'] = self.uuid
 multihandler.datastore['LPORT'] = lport
 multihandler.datastore['LHOST'] = @lhost
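Review bot: The added `multihandler.datastore['BAP'] = true` is the only value in this block that is a bare boolean rather than a copied datastore entry or identifier, and nothing in the hunk says what reads it; a comment such as `# Mark this handler as spawned by browser_autopwn` (naming the consumer, if known) would document the contract. If datastore values are elsewhere kept or compared as strings (`== 'true'`) when a handler is serialized, a Ruby `true` here may not round-trip — worth confirming against whatever consumes `BAP`. The `CAMPAIGN_ID` line follows the existing copy-if-present pattern of the `WORKSPACE` and `ParentUUID` lines and needs nothing. The enclosing method starts before this hunk.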