[framework] MoAxB in the MSF world: target OS detection with JavaScript
Jerome Athias
jerome.athias at free.fr
Fri May 18 07:11:33 CDT 2007
Hi there,
since multiple vulnerabilities are being released during the
MoAxB - Month of ActiveX Bugs [Ref1],
some guys have started to release exploit modules for the Metasploit Framework.
For example:
NCTAudioFile2.AudioFile ActiveX Remote Stack Overflow
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/bearshare_setformatlikesample.rb
This one is interesting due to the number of software packages using it, ref:
http://www.milw0rm.com/exploits/3728
(and http://www.milw0rm.com/exploits/3808 )
When using a return address taken from a Windows DLL, OS fingerprinting
becomes a key point.
Fortunately, when targeting a browser, JavaScript can help to
drastically increase the chance of a successful exploitation. [Ref2] [Ref3]
For this, I released the os_detect JavaScript script:
https://www.securinfos.info/jerome/os_detect.js
By calling the included
giveMeRET() function from an exploit, it retrieves the Windows version and locale of the target and returns a good ret address.
To obfuscate the exploit code, people should use both the rand_text_alpha() and
obfuscate_js() functions. [Ref4]
os_detect.js will be enhanced soon (using arrays, adding support for more opcodes, adding support for more locales, etc).
People can help me to improve the return addresses database by following
these steps:
1) Download this package: https://www.securinfos.info/OPCODES_LIST.zip
on a Windows box
2) Extract it and run the OPCODES_LIST.bat script
3) Send the results file OPCODES_LIST.txt to me
To help people write reliable ActiveX exploit modules for the
Metasploit Framework, I have also coded some useful functionality in
the MSF eXploit Builder tool.
https://www.securinfos.info/metasploit/MSF_XB.php
i.e.:
* it now retrieves automatically the CLSID of a given .OCX/.DLL file
from the registry
* it is now possible to enter the design of the exploit (ie: buff + EIP
+ nop + shellcode + nop) and it will automatically generate the matching
code
* and others ;-)
-- available soon
References:
[Ref1] MoAxB: http://moaxb.blogspot.com/
[Ref2] Metasploit Browser Assessment:
http://www.metasploit.com/research/misc/browserscan/
[Ref3]
http://kartoush.ibelgique.com/pdf/SSTIC06-article-Delalleau_Feil-Vulnerabilite_des_postes_clients.pdf
(French)
[Ref4]
http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html
Again, you can find copies of vulnerable software versions on:
https://www.securinfos.info/old-softwares-vulnerable.php
Enjoy! I hope it will help before an AJAX request to the msfopcodes
database is released :p
/JA
Note: I'll appreciate a little credit if you use some return addresses
from os_detect.js ;-) thanks
Regards to my friends, you know who you are ;-)
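An added example, not Jerome's os_detect.js and not part of the original post: the fingerprint-then-lookup logic that giveMeRET() is described as doing, parsing the Windows NT version and locale out of the browser's User-Agent (plus IE's navigator.systemLanguage, passed in as a hint) and selecting a per-OS/per-locale return address. The addresses in RET_TABLE are dummy placeholders, assumed for the demo and not real DLL offsets; an exploit would fill them from an opcode database such as the one the post asks for help building. The UA strings are constructed sample input so the block runs outside a browser.

```javascript
"use strict";

// Added example (not from os_detect.js): OS/locale fingerprinting from the
// User-Agent string to select a return address. RET_TABLE holds DUMMY
// placeholder values, not real Windows DLL addresses.

// NT kernel version reported in the UA string -> short Windows product tag.
const NT_VERSIONS = {
  "5.0": "win2000",
  "5.1": "winxp",
  "5.2": "win2003",
  "6.0": "winvista",
};

// Constructed lookup: "<os>|<locale>" -> return address (placeholders only).
const RET_TABLE = {
  "winxp|en-us": 0x11111111,
  "winxp|fr-fr": 0x22222222,
  "win2003|en-us": 0x33333333,
};

// Extract NT version and locale. IE does not put the locale in its UA, so the
// caller passes navigator.systemLanguage as langHint; Gecko-style UAs carry
// an "en-US" token inside the parentheses, which the regex picks up.
function fingerprint(ua, langHint) {
  const m = /Windows NT (\d+\.\d+)/.exec(ua);
  const os = m ? NT_VERSIONS[m[1]] || null : null;
  let locale = langHint || null;
  if (!locale) {
    const l = /\b([a-z]{2}-[A-Za-z]{2})\b/.exec(ua);
    if (l) locale = l[1];
  }
  return { os: os, locale: locale ? locale.toLowerCase() : null };
}

// Return the address for (os, locale), or null so the exploit can take a
// fallback path instead of sending a wrong EIP that just crashes the browser.
function giveMeRET(ua, langHint) {
  const fp = fingerprint(ua, langHint);
  if (!fp.os || !fp.locale) return null;
  const ret = RET_TABLE[fp.os + "|" + fp.locale];
  return ret === undefined ? null : ret;
}

// Encode a 32-bit address as the little-endian %uXXXX pair that unescape()
// expands into raw bytes inside a payload string (low word first).
function toUnescape(addr) {
  const lo = (addr & 0xffff).toString(16).padStart(4, "0");
  const hi = ((addr >>> 16) & 0xffff).toString(16).padStart(4, "0");
  return "%u" + lo + "%u" + hi;
}

// Constructed sample UAs; in a browser you would use navigator.userAgent and
// navigator.systemLanguage instead.
const IE_XP_UA =
  "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)";
const FF_2003_UA =
  "Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.8.1) Gecko/20061204 Firefox/2.0";

const ret = giveMeRET(IE_XP_UA, "en-us");
console.log(fingerprint(IE_XP_UA, "en-us"), ret === null ? "no ret" : toUnescape(ret));
```

The null return is the part worth keeping: with a browser target you usually get one shot, so an unknown OS/locale pair should divert to a generic or brute-force strategy rather than fire a return address that was only valid on another build.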