Metasploit mailing list archives
MoAxB in the MSF world: target OS detection with JavaScript
From: mwhite22 at caledonian.ac.uk (Mike Whitehead)
Date: Fri, 18 May 2007 13:09:23 +0000
Very nice bit of work there Jerome :) Lots to read over, I'm sure this is going to make for some good reading and make some things a lot quicker and easier :)

Mike

P.S. Not got time to read anything properly just now, but does it have any limitations to which Windows versions it can detect or can it do all?

> Date: Fri, 18 May 2007 14:11:33 +0200
> From: jerome.athias at free.fr
> To: framework at metasploit.com
> Subject: [framework] MoAxB in the MSF world: target OS detection with JavaScript
>
> Hi there,
>
> since multiple vulnerabilities are released during the
>
> MoAxB - Month of ActiveX Bug [Ref1]
>
> some guys started to release exploit modules for the Metasploit Framework.
> For example:
> NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/bearshare_setformatlikesample.rb
>
> This one is interesting due to the number of software packages using it, ref:
> http://www.milw0rm.com/exploits/3728
> (and http://www.milw0rm.com/exploits/3808 )
>
> When using a Windows DLL-based return address, OS fingerprinting
> introduces itself as a key point.
> Fortunately, when targeting a browser, JavaScript can help to
> drastically increase the chance of a successful exploitation. [Ref2] [Ref3]
> For this, I released the os_detect JavaScript script:
> https://www.securinfos.info/jerome/os_detect.js
> By using the included giveMeRET() function in an exploit, it will retrieve
> the Windows version and locale of the target and return a good ret address.
>
> To obfuscate the exploit code, people should use both the rand_text_alpha() and
> obfuscate_js() functions. [Ref4]
>
> os_detect.js will be enhanced soon (using arrays, adding support for more
> opcodes, adding support for more locales, etc).
>
> People can help me improve the return addresses database by following
> these steps:
> 1) Download this package: https://www.securinfos.info/OPCODES_LIST.zip
> on one Windows box
> 2) Extract it and run the OPCODES_LIST.bat script
> 3) Send the results file OPCODES_LIST.txt to me
>
> To help people write reliable ActiveX exploit modules for the
> Metasploit Framework, I have also coded some useful functionalities in
> the MSF eXploit Builder tool.
> https://www.securinfos.info/metasploit/MSF_XB.php
> i.e.:
> * it now retrieves automatically the CLSID of a given .OCX/.DLL file
> from the registry
> * it is now possible to enter the design of the exploit (i.e.: buff + EIP
> + nop + shellcode + nop) and it will automatically generate the matching
> code
> * and others ;-)
> -- available soon
>
> References:
> [Ref1] MoAxB: http://moaxb.blogspot.com/
> [Ref2] Metasploit Browser Assessment:
> http://www.metasploit.com/research/misc/browserscan/
> [Ref3]
> http://kartoush.ibelgique.com/pdf/SSTIC06-article-Delalleau_Feil-Vulnerabilite_des_postes_clients.pdf
> (French)
> [Ref4]
> http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html
>
> Again, you can find copies of vulnerable software versions on:
> https://www.securinfos.info/old-softwares-vulnerable.php
>
> Enjoy! I hope it will help before an AJAX request to the msfopcodes
> database is released :p
> /JA
>
> Note: I'll appreciate a little credit if you use some return addresses
> from os_detect.js ;-) thanks
> Regards to my friends, you know who you are ;-)
Current thread:
- MoAxB in the MSF world: target OS detection with JavaScript Jerome Athias (May 18)
- MoAxB in the MSF world: target OS detection with JavaScript Kurt Grutzmacher (May 18)
- MoAxB in the MSF world: target OS detection with JavaScript Jerome Athias (May 21)
- MoAxB in the MSF world: target OS detection with JavaScript Nicob (May 21)
- MoAxB in the MSF world: target OS detection with JavaScript Jerome Athias (May 21)
- MoAxB in the MSF world: target OS detection with JavaScript Jerome Athias (May 21)
- MoAxB in the MSF world: target OS detection with JavaScript Kurt Grutzmacher (May 18)
- <Possible follow-ups>
- MoAxB in the MSF world: target OS detection with JavaScript Mike Whitehead (May 18)
- MoAxB in the MSF world: target OS detection with JavaScript Jerome Athias (May 18)