Metasploit mailing list archives

MoAxB in the MSF world: target OS detection with JavaScript


From: mwhite22 at caledonian.ac.uk (Mike Whitehead)
Date: Fri, 18 May 2007 13:09:23 +0000

Very nice bit of work there jerome :)  Lots to read over, I'm sure this is going to make for some good reading and make
some things a lot quicker and easier :)

Mike

P.S. Not got time to read anything properly just now, but does it have any limitations to which Windows versions it can
detect or can it do all?

> Date: Fri, 18 May 2007 14:11:33 +0200
> From: jerome.athias at free.fr
> To: framework at metasploit.com
> Subject: [framework] MoAxB in the MSF world: target OS detection with JavaScript
>
> Hi there,
>
> since multiple vulnerabilities are released during the
>
>   MoAxB - Month of ActiveX Bug [Ref1]
>
> some guys started to release exploit modules for the Metasploit Framework.
> For example:
> NCTAudioFile2.AudioFile ActiveX Remote Stack Overfl0w
> http://metasploit.com/svn/framework3/trunk/modules/exploits/windows/browser/bearshare_setformatlikesample.rb
>
> This one is interesting due to the number of software packages using it, ref:
> http://www.milw0rm.com/exploits/3728
> (and http://www.milw0rm.com/exploits/3808 )
>
> When using a Windows DLL-based return address, OS fingerprinting
> introduces itself as a key point.
> Fortunately, when targeting a browser, JavaScript can help to
> drastically increase the chance of a successful exploitation. [Ref2] [Ref3]
> For this, I released the os_detect JavaScript script:
> https://www.securinfos.info/jerome/os_detect.js
> By using the included giveMeRET() function in an exploit, it will
> retrieve the Windows version and locale of the target and return a good ret address.
>
> To obfuscate the exploit code, people should use both the rand_text_alpha() and
> obfuscate_js() functions. [Ref4]
>
> os_detect.js will be enhanced soon (using arrays, adding support for more opcodes,
> adding support for more locales, etc).
> People can help me to improve the return addresses database by following
> these steps:
> 1) Download this package: https://www.securinfos.info/OPCODES_LIST.zip on one Windows box
> 2) Extract it and run the OPCODES_LIST.bat script
> 3) Send the results file OPCODES_LIST.txt to me
>
> To help people write reliable ActiveX exploit modules for the
> Metasploit Framework, I have also coded some useful functionalities in
> the MSF eXploit Builder tool.
> https://www.securinfos.info/metasploit/MSF_XB.php
> ie:
> * it now retrieves automatically the CLSID of a given .OCX/.DLL file
>   from the registry
> * it is now possible to enter the design of the exploit (ie: buff + EIP
>   + nop + shellcode + nop) and it will automatically generate the matching
>   code
> * and others ;-)
> -- available soon
>
> References:
> [Ref1] MoAxB: http://moaxb.blogspot.com/
> [Ref2] Metasploit Browser Assessment:
> http://www.metasploit.com/research/misc/browserscan/
> [Ref3]
> http://kartoush.ibelgique.com/pdf/SSTIC06-article-Delalleau_Feil-Vulnerabilite_des_postes_clients.pdf (French)
> [Ref4]
> http://blog.metasploit.com/2007/04/heaplib-support-added-to-metasploit-3.html
>
> Again, you can find copies of vulnerable software versions on:
> https://www.securinfos.info/old-softwares-vulnerable.php
>
> Enjoy! I hope it will help before an AJAX request to the msfopcodes
> database is released :p
> /JA
>
> Note: I'll appreciate a little credit if you use some return addresses
> from os_detect.js ;-) thanks
> Regards to my friends, you know who you are ;-)
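The quoted post describes giveMeRET() as retrieving the target's Windows version and locale from the browser before picking a return address, and Mike's question about which versions it can detect is exactly the limitation of that approach. The following is an added example written for this page, not os_detect.js or any other code by Jerome Athias: it shows the detection half of such a helper, with the navigator object passed in so it runs outside a browser, and it returns a target key rather than an address (no return addresses are reproduced here; SUPPORTED_TARGETS, NT_VERSIONS and the sample navigator snapshots are constructed for the example). Assumed behaviour it relies on: IE exposes navigator.systemLanguage/userLanguage while Firefox only exposes navigator.language, the user-agent string carries "Windows NT x.y" but never the service pack, and IE6 on XP SP2 adds the "SV1" token.

```javascript
"use strict";

// "Windows NT x.y" tokens as they appear in IE and Firefox user-agent strings
// (constructed table for this example).
const NT_VERSIONS = {
  "5.0": "win2000",
  "5.1": "winxp",
  "5.2": "win2003",   // Server 2003 / XP x64 share this token
  "6.0": "vista",
};

// Major Windows version from the user-agent string, or null if the host is
// not Windows or runs a version this table does not know.
function parseWindowsVersion(ua) {
  const m = /Windows NT (\d+\.\d+)/.exec(ua);
  if (m) return NT_VERSIONS[m[1]] || null;
  if (/Windows 98/.test(ua)) return "win98";
  return null;
}

// Primary language subtag plus the property it came from. IE's
// navigator.systemLanguage is the OS UI language, which is what decides
// which localized DLL build is loaded; Firefox's navigator.language is
// only the browser locale, a weaker signal, so the source is recorded.
function parseLanguage(nav) {
  const src = nav.systemLanguage ? "systemLanguage"
            : nav.userLanguage   ? "userLanguage"
            : nav.language       ? "language"
            : null;
  if (!src) return null;
  const m = /^([A-Za-z]{2})/.exec(nav[src]);
  return m ? { lang: m[1].toLowerCase(), source: src } : null;
}

// Constructed list of "<os>|<lang>" pairs a hypothetical exploit module has
// a return address for; the real lookup is left to os_detect.js or the
// msfopcodes database.
const SUPPORTED_TARGETS = new Set(["winxp|en", "winxp|fr", "win2000|en", "vista|fr"]);

// Decide whether to fire and with which target. Returns null for anything
// not in SUPPORTED_TARGETS so the caller fails closed instead of sending a
// wrong address, which only crashes the browser and alerts the user.
function selectTarget(nav) {
  const os = parseWindowsVersion(nav.userAgent || "");
  const language = parseLanguage(nav);
  if (!os || !language) return null;
  const key = os + "|" + language.lang;
  if (!SUPPORTED_TARGETS.has(key)) return null;
  return {
    target: key,
    languageSource: language.source,
    // The UA never carries the service pack. IE's "SV1" token (XP SP2's
    // security-enhanced IE6) is the only hint, so an XP address that depends
    // on the SP must treat "no SV1" as unknown, not as SP1.
    xpSp2Hint: /\bSV1\b/.test(nav.userAgent),
  };
}

// Constructed navigator snapshots, not captured from real hosts.
const SAMPLES = {
  ie6XpSp2En: {
    userAgent: "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)",
    systemLanguage: "en-us", userLanguage: "en-us",
  },
  ie7XpDe: {
    userAgent: "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)",
    systemLanguage: "de",
  },
  ff2VistaFr: {
    userAgent: "Mozilla/5.0 (Windows; U; Windows NT 6.0; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3",
    language: "fr",
  },
  ff2Linux: {
    userAgent: "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070508 Firefox/2.0.0.4",
    language: "en-US",
  },
};

for (const name of Object.keys(SAMPLES)) {
  console.log(name, JSON.stringify(selectTarget(SAMPLES[name])));
}
```

In a real page the module's JavaScript would call selectTarget(window.navigator) and only emit the payload when a target comes back; the German XP and Linux samples above produce null for that reason, and the Vista/Firefox sample shows that the language then comes from the browser locale rather than the OS, which is the case where a locale-dependent address is least trustworthy.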