Added description, urls, and another author

unstable
Sam Sharps 2012-01-06 00:47:01 -06:00
parent 5c05cebaf7
commit b26ed37467
1 changed files with 14 additions and 8 deletions


@ -18,24 +18,30 @@ class Metasploit3 < Msf::Exploit::Remote
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer Mismatched Document Object Model Objects Memory Corruption',
'Name' => 'Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability',
'Description' => %q{
This exploit results in a call to somewhere in the heap. The javascript prompt() call places our
shellcode in a location near to what gets called. To hide the prompt boxes, this exploit creates a popup
that is then hidden behind the main window. In this popup are multiple iframes each calling prompt.
Since the heap is read only memory, we have some staging shellcode move the payload into some read/write
memory.
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in
conjunction with an improperly initialized 'window()' JavaScript function.
This exploit results in a call to somewhere in the heap. The javascript prompt() puts our shellcode
near where the call jumps to. We call prompt multiple times in separate iframes to spray the heap.
We hide the prompts in a popup window behind the main window. The call then jumps to to our spray value
which also acts as a sled down to the actual shellcode. Since the heap is read only, we have some staging shellcode
which copies the metasploit payload to some read/write memory and then jumps to it. IE will crash when the exploit
finishes.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Stuart Pearson',
'Sam Sharps' # Metasploit port
'Benjamin Tobias Franz', # Discovery
'Stuart Pearson', # Proof of Concept
'revenge' # Metasploit port
],
'References' =>
[
['MSB', 'MS05-054'],
['CVE', '2005-1790'],
['URL', 'http://www.securityfocus.com/bid/13799/info'],
['URL', 'http://www.cvedetails.com/cve/CVE-2005-1790'],
],
'DefaultOptions' =>
{
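Review bot: the new description text has a doubled word in "The call then jumps to to our spray value", which should read "jumps to our spray value"; please fix that before merge. In the same hunk, the 'References' block can use the module's native reference types rather than raw URLs: the securityfocus link is the BID entry and can be written as ['BID', '13799'], and the cvedetails URL duplicates the ['CVE', '2005-1790'] entry already present, so it can be dropped. Also worth confirming the author change is intended: the commit message says an author was added, but the visible lines also replace 'Sam Sharps' # Metasploit port with 'revenge' # Metasploit port, so the port credit moves rather than being extended (fine if that is the same person's handle, but it should be deliberate).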