[framework] MoAxB in the MSF world: target OS detection with JavaScript
Kurt Grutzmacher
grutz at jingojango.net
Fri May 18 10:38:21 CDT 2007
On Fri, May 18, 2007 at 02:11:33PM +0200, Jerome Athias wrote:
> giveMeRET() function in an exploit, it will retrieve the Windows version
> and locale of the target and return a good ret address.
That's awesome. Adding other locales and OS variations would continue to
keep exploits usable! In some of my ActiveX exploit code I've built a 2K
and XP encoded buffer and used this:
"var #{version}=navigator.userAgent.toLowerCase();\n" +
"if (#{version}.indexOf(\"windows nt 5.0\")!=-1) {\n"+
" #{strname} = unescape(\"#{encw2buf}\");\n"+
"} else {\n"+
" #{strname} = unescape(\"#{encxpbuf}\");\n"+
"}\n"+
Which worked but is kind of a kludge.
> To obfuscate the exploit code, people should use both the rand_text_alpha()
> and obfuscate_js() functions. [Ref4]
...and sometimes an SEH isn't just an SEH!
--
..:[ grutz at jingojango dot net ]:..
GPG fingerprint: 5FD6 A27D 63DB 3319 140F B3FB EC95 2A03 8CB3 ECB4
"There's just no amusing way to say, 'I have a CISSP'."
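Added example, not code from the original thread or from the Metasploit project: the `navigator.userAgent` check quoted above, written as a table-driven lookup in plain JavaScript so that adding another OS variation or locale is one more table entry rather than another `else if`. The NT version table is the standard Windows mapping; the locale-in-user-agent pattern is the one Gecko-era browsers used; the sample user-agent strings and the `profiles` table are constructed for this example. The user-agent string is entirely client-controlled, so a page that branches on it misfires on any spoofed or unfamiliar value, which is also why the `toLowerCase()` / `"windows nt 5.x"` pattern is a cheap thing for a detection rule to key on.

```javascript
// Map the "Windows NT x.y" token to a product name. Unknown NT versions
// fall back to a generic label rather than being misfiled as XP.
const WINDOWS_NT_VERSIONS = {
  "5.0": "Windows 2000",
  "5.1": "Windows XP",
  "5.2": "Windows Server 2003",
  "6.0": "Windows Vista",
  "6.1": "Windows 7",
};

// Returns the Windows version named in a user-agent string, or null when
// the string does not claim to be Windows at all (the edge case the
// original two-branch check silently treated as XP).
function detectWindowsVersion(userAgent) {
  const ua = String(userAgent).toLowerCase();
  const m = ua.match(/windows nt (\d+\.\d+)/);
  if (!m) return null;
  return WINDOWS_NT_VERSIONS[m[1]] || ("Windows NT " + m[1]);
}

// Gecko-era user agents carried the locale inline ("...; en-US; rv:...");
// otherwise fall back to navigator.language when the caller passes it.
function detectLocale(userAgent, navigatorLanguage) {
  const m = String(userAgent).match(/\b([a-z]{2}-[A-Z]{2})\b/);
  if (m) return m[1];
  return navigatorLanguage || null;
}

// Combine both signals into the profile a giveMeRET()-style helper would key on.
function targetProfile(userAgent, navigatorLanguage) {
  return {
    version: detectWindowsVersion(userAgent),
    locale: detectLocale(userAgent, navigatorLanguage),
  };
}

// Table-driven replacement for the if/else in the post: look up an entry by
// "version|locale", then by version alone, then fall back to a default.
// `profiles` is a caller-supplied table; the values here are placeholders.
function selectForTarget(userAgent, navigatorLanguage, profiles) {
  const p = targetProfile(userAgent, navigatorLanguage);
  if (p.version === null) return profiles.default;
  return profiles[p.version + "|" + p.locale]
      || profiles[p.version]
      || profiles.default;
}

// Constructed sample inputs (not captured traffic).
const SAMPLE_PROFILES = {
  "Windows 2000": "W2K_ENTRY",
  "Windows XP|en-US": "XP_ENUS_ENTRY",
  "Windows XP": "XP_ENTRY",
  default: "DEFAULT_ENTRY",
};

const SAMPLE_UAS = [
  "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3",
  "Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3",
  "Mozilla/5.0 (X11; Linux x86_64)",
];

for (const ua of SAMPLE_UAS) {
  console.log(JSON.stringify(targetProfile(ua, null)), "->", selectForTarget(ua, null, SAMPLE_PROFILES));
}
```

In a real page the first argument is `navigator.userAgent` and the second `navigator.language`, as the original snippet does with `navigator.userAgent.toLowerCase()`.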