Metasploit mailing list archives

MoAxB in the MSF world: target OS detection with JavaScript


From: grutz at jingojango.net (Kurt Grutzmacher)
Date: Fri, 18 May 2007 10:38:21 -0500

On Fri, May 18, 2007 at 02:11:33PM +0200, Jerome Athias wrote:
> giveMeRET() function in an exploit, it will retrieve the Windows version
> and locale of the target and return a good ret address.

That's awesome. Adding other locales and OS variations would continue to
keep exploits usable! In some of my ActiveX exploit code I've built a 2K
and XP encoded buffer and used this:

   # Ruby string fragment from the module; #{...} are Ruby interpolations
   # (randomised identifiers and the two pre-encoded buffers).
   "var #{version}=navigator.userAgent.toLowerCase();\n" +
   "if (#{version}.indexOf(\"windows nt 5.0\")!=-1) {\n" +
   "    #{strname} = unescape(\"#{encw2buf}\");\n" +
   "} else {\n" +
   "    #{strname} = unescape(\"#{encxpbuf}\");\n" +
   "}\n"

Which worked but is kind of a kludge.

To obfuscate the exploit code, people should use both the rand_text_alpha() 
and obfuscate_js() functions. [Ref4]

...and sometimes an SEH isn't just an SEH!


-- 
                 ..:[ grutz at jingojango dot net ]:..
     GPG fingerprint: 5FD6 A27D 63DB 3319 140F  B3FB EC95 2A03 8CB3 ECB4
        "There's just no amusing way to say, 'I have a CISSP'."
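The user-agent-gated unescape() pattern in the message above is recognisable on the wire even after identifiers have been randomised. As an added example that is not part of the original post or of Metasploit, the JavaScript scanner below flags a script that combines a navigator.userAgent check on a "windows nt" literal with a large %u-encoded unescape() buffer; the 64-byte threshold and the sample script are constructed assumptions. It keys on string literals, so a page that builds those literals at runtime (for instance with String.fromCharCode) rather than only renaming variables would slip past it.

```javascript
// Added example (not from the original post or Metasploit): a static scanner for
// the user-agent-gated unescape() pattern discussed above. Input is constructed.

const HAS_USER_AGENT = /navigator\.userAgent/i;
// Literal "windows nt X.Y" strings used to pick a per-OS buffer.
const NT_VERSION_LITERAL = /["']windows nt (\d+\.\d+)["']/gi;
// unescape("...") whose whole argument is %uXXXX (16-bit) sequences.
const UNESCAPE_UNICODE = /unescape\(\s*["']((?:%u[0-9a-f]{4})+)["']\s*\)/gi;
const MIN_BUFFER_BYTES = 64; // assumption: shorter buffers are rarely payloads

// Longest run of one repeated %uXXXX unit (a crude sled indicator).
function longestRepeat(units) {
  let best = 1, run = 1;
  for (let i = 1; i < units.length; i++) {
    run = units[i].toLowerCase() === units[i - 1].toLowerCase() ? run + 1 : 1;
    if (run > best) best = run;
  }
  return best;
}

// Returns the indicators found in one script body plus a verdict.
function scanScript(src) {
  const ntVersions = [...src.matchAll(NT_VERSION_LITERAL)].map(m => m[1]);
  const buffers = [...src.matchAll(UNESCAPE_UNICODE)].map(m => {
    const units = m[1].match(/%u[0-9a-f]{4}/gi);
    // Each %uXXXX is one UTF-16 code unit, i.e. two bytes in memory.
    return { bytes: units.length * 2, longestRepeat: longestRepeat(units) };
  });
  const uaGated = HAS_USER_AGENT.test(src) && ntVersions.length > 0;
  const bigBuffer = buffers.some(b => b.bytes >= MIN_BUFFER_BYTES);
  return { uaGated, ntVersions, buffers, suspicious: uaGated && bigBuffer };
}

// Constructed sample in the shape of the snippet above (identifiers randomised
// as rand_text_alpha() would do; the literals the scanner keys on are unchanged).
const SAMPLE = [
  'var kqz = navigator.userAgent.toLowerCase();',
  'if (kqz.indexOf("windows nt 5.0")!=-1) {',
  '    wq = unescape("' + '%u9090'.repeat(40) + '%u4142");',
  '} else {',
  '    wq = unescape("' + '%u4141%u4242'.repeat(20) + '");',
  '}',
].join('\n');

console.log(JSON.stringify(scanScript(SAMPLE)));
```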