Search the Community

The game is a foot! ......no, actually it's a game. I've been doing some sleuthing and thought this might be fun to share. I have a few crashes on my user base's PC's and it looks to me like exploitation attempts. I'm also hoping some of you my be able to help me focus on the right stuff. I'm not 100% sure what I'm looking at, but I know this isn't the usual DMP output because I see Jscript in my crash dump stack! For this post I will be analyzing crashdump files from the C:\users\%username%\appdata\local\crashdumps In the past month the performance monitoring software we use is showing IE crashes. most of the IE crashes are usually simple fixes, but as you will see below some are getting crashes from Jscript running. Usually I also see a reference to Flash OCX in the dmp. Is this what I think it is? can you offer any further enlightenment on the situation or potential solutions? Jscript Cannot be disabled because I work for lawyers so everything is mine mine mine now now now...... The following crash dump is slightly different from the ones I saw last week, but are still very close in nature. oh one more thing, if any of you know how I can get symbols paths to fix the first three ERRORS in the dump output I'd really appreciate it. I can't get a straight answer from anyone on the web, and I'm starting to think I'm the only one doing this these days. kind of like how I'm the only person I've ever met that actually read the 9/11 commission report (HINT, that report said we should attack Iraq and nothing about what happened on 9/11, and to secure the northern border because obviously we have a problem here in America with undocumented Canadians are poll vaulting across the boarder.) I digress..... ************************************************************ ******************* * * * Exception Analysis * * * ******************************************************************************* *** ERROR: Symbol file could not be found. Defaulted to export symbols for EMET.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for HooksCore.dll - *** ERROR: Symbol file could not be found. Defaulted to export symbols for Flash32_20_0_0_228.ocx - FAULTING_IP: jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c 0a5b4e21 8b7074 mov esi,dword ptr [eax+74h] EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0a5b4e21 (jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0x0000000c) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000001 NumberParameters: 2 Parameter[0]: 00000000 Parameter[1]: 8542d2a7 Attempt to read from address 8542d2a7 CONTEXT: 00000000 -- (.cxr 0x0;r) eax=8542d233 ebx=042eb170 ecx=8542d233 edx=34600120 esi=0a646e75 edi=34600120 eip=0a5b4e21 esp=042ea848 ebp=042ea85c iopl=0 nv up ei ng nz na pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210286 jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc: 0a5b4e21 8b7074 mov esi,dword ptr [eax+74h] ds:002b:8542d2a7=???????? DEFAULT_BUCKET_ID: INVALID_POINTER_READ PROCESS_NAME: iexplore.exe ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s. EXCEPTION_PARAMETER1: 00000000 EXCEPTION_PARAMETER2: 8542d2a7 READ_ADDRESS: 8542d2a7 FOLLOWUP_IP: jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c 0a5b4e21 8b7074 mov esi,dword ptr [eax+74h] NTGLOBALFLAG: 0 APPLICATION_VERIFIER_FLAGS: 0 APP: iexplore.exe ANALYSIS_VERSION: 6.3.9600.17336 (debuggers(dbg).150226-1500) x86fre FAULTING_THREAD: 00001348 PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ LAST_CONTROL_TRANSFER: from 0a5b4cc2 to 0a5b4e21 STACK_TEXT: 042ea85c 0a5b4cc2 34600120 042ea8e0 042ea8ac jscript9!NativeCodeGenerator::IsNativeFunctionAddr+0xc 042ea86c 0a5b4c8d 34600120 042ea8e0 042ea8e0 jscript9!ThreadContext::IsNativeAddress+0x22 042ea880 0a5b4cf7 00000001 042ea8e0 00000000 jscript9!Js::JavascriptStackWalker::CheckJavascriptFrame+0x3e 042ea890 0a5b4d85 042ea8e0 042ea8e0 042ea8e0 jscript9!Js::JavascriptStackWalker::UpdateFrame+0xc 042ea8a0 0a5b4da5 042ea954 042ea8c4 0a5b5a77 jscript9!Js::JavascriptStackWalker::Walk+0x35 042ea8ac 0a5b5a77 042ea954 042ea8d0 042ea930 jscript9!Js::JavascriptStackWalker::GetCaller+0xf 042ea8c4 0a5b5d5e 042ea954 ba7ed600 3ffc7de0 jscript9!Js::JavascriptStackWalker::GetNonLibraryCodeCaller+0x15 042ea968 0a5b538d 3ffc7de0 042ea990 0000000a jscript9!Js::JavascriptExceptionOperators::WalkStackForExceptionContextInternal+0x15c 042ea994 0a5b52d0 3ffc7de0 0000000a 00000000 jscript9!Js::JavascriptExceptionOperators::WalkStackForExceptionContext+0x20 042ea9e0 0a6a5782 00000001 00000001 00000000 jscript9!Js::JavascriptExceptionOperators::ThrowExceptionObjectInternal+0x6c 042ea9f4 0a629620 00000001 00000000 00000000 jscript9!Js::JavascriptExceptionOperators::ThrowExceptionObject+0x12 042eaa20 0a609c8d 14f10470 14f10470 042eab08 jscript9!Js::JavascriptExceptionOperators::Throw+0x7d 042eaa48 0a5ee9b7 00000000 00000000 00000000 jscript9!Js::JavascriptError::ThrowError+0x55 042eaa64 0a60a3c4 00000000 00000000 00000000 jscript9!Js::JavascriptError::MapAndThrowError+0x34 042eaa88 0a60a397 227089c0 80070005 22708a00 jscript9!Js::JavascriptError::MapAndThrowError+0x27 042eaab4 0a60a363 042eab08 042eab2c 0a6559f5 jscript9!HostDispatch::HandleDispatchError+0x4d 042eaac0 0a6559f5 80070005 042eab08 042eabd0 jscript9!HostDispatch::HandleDispatchError+0x1c 042eab2c 0a518bc7 002dc789 042eabd0 22708a00 jscript9!HostDispatch::GetValueByDispId+0xf8 042eab44 0a518b6c 0a892e04 042eabd0 0a518ae0 jscript9!HostDispatch::GetValue+0x2a 042eab6c 0a486a06 22708a00 000000d4 042eabd0 jscript9!HostDispatch::GetProperty+0x88 042eaba0 0a4c063d 000000d4 042eabd0 14f10470 jscript9!Js::JavascriptOperators::GetProperty_Internal<0>+0x64 042eabec 0a50a70d 14f10470 042eb170 042eb170 jscript9!Js::JavascriptOperators::TypeofFld_Internal<0>+0x5b 042eae8c 0a50aa8f ba7ed1ac 042eb170 02f3ee80 jscript9!Js::InterpreterStackFrame::Process+0x6222 042eaec4 0a50aaee 042eb15c 20e70d8e 02f3ee80 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49 042eb168 0a48d749 20e70da0 34600120 20e70d80 jscript9!Js::InterpreterStackFrame::Process+0x49a8 042eb29c 170114c9 042eb2b0 042eb558 0a489b13 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200 WARNING: Frame IP not in any known module. Following frames may be wrong. 042eb2a8 0a489b13 31923520 02000002 37abf800 0x170114c9 042eb558 0a48d749 3de922d6 34601000 3de91d90 jscript9!Js::InterpreterStackFrame::Process+0x2040 042eb6dc 170114e9 042eb6f0 042eb998 0a48d3e1 jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200 042eb6e8 0a48d3e1 31923500 10000002 1620e3c0 0x170114e9 042eb998 0a48d749 3de352ea 3da70d80 3de35010 jscript9!Js::InterpreterStackFrame::Process+0x1e62 042ebb1c 17011559 042ebb30 042ebb78 0a48671a jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200 042ebb28 0a48671a 25d4de60 10000003 1620e3c0 0x17011559 042ebb78 0a48a394 10000003 042ec1f4 042ec100 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91 042ebe1c 0a50aa8f ba7ec13c 042ec100 02f3ee80 jscript9!Js::InterpreterStackFrame::Process+0x3a10 042ebe54 0a50aaee 042ec0ec 1f33d6fa 02f3ee80 jscript9!Js::InterpreterStackFrame::OP_TryCatch+0x49 042ec0f8 0a48d749 1f33d72e 25d4f120 1f33d680 jscript9!Js::InterpreterStackFrame::Process+0x49a8 042ec26c 17011561 042ec280 042ec2bc 0a48671a jscript9!Js::InterpreterStackFrame::InterpreterThunk<1>+0x200 042ec278 0a48671a 25d4de80 00000000 00000000 0x17011561 042ec2bc 0a486d28 00000000 00000000 ba7ebc58 jscript9!Js::JavascriptFunction::CallFunction<1>+0x91 042ec330 0a486c5d 14f10470 00000000 00000000 jscript9!Js::JavascriptFunction::CallRootFunction+0xb5 042ec378 0a486bf0 042ec3a4 00000000 00000000 jscript9!ScriptSite::CallRootFunction+0x42 042ec3c4 0a59207b 25d4de80 042ec408 00000000 jscript9!ScriptSite::Execute+0xd2 042ec44c 0a591247 042ec6d8 042ec6f8 ba7ebb88 jscript9!ScriptEngine::ExecutePendingScripts+0x1c6 042ec4e0 0a5928da 3d093a58 09f763b4 1611dd24 jscript9!ScriptEngine::ParseScriptTextCore+0x300 042ec530 04a2f434 14f056c0 3d093a58 09f763b4 jscript9!ScriptEngine::ParseScriptText+0x5a 042ec568 04568438 3d093a58 00000000 00000000 mshtml!CActiveScriptHolder::ParseScriptText+0x51 042ec5c0 0499515b 3d093a58 00000000 00000000 mshtml!CJScript9Holder::ParseScriptText+0x5f 042ec630 0456896e 00000000 14208a00 3c782200 mshtml!CScriptCollection::ParseScriptText+0x175 042ec71c 04568fd9 00000000 00000000 00000000 mshtml!CScriptData::CommitCode+0x31e 042ec798 04938751 049386f0 042ec7c8 05780000 mshtml!CScriptData::Execute+0x232 042ec7b8 0437d2cb 1611dca4 00000000 00000001 mshtml!CScriptData::AsyncExecute+0x67 042ec800 0437cbf4 b873d32c 00000000 0437bf20 mshtml!GlobalWndOnMethodCall+0x17b 042ec854 759162fa 00080b9e 00008002 00000000 mshtml!GlobalWndProc+0x103 042ec880 75916d3a 0437bf20 00080b9e 00008002 user32!InternalCallWinProc+0x23 042ec8f8 759177d3 00000000 0437bf20 00080b9e user32!UserCallWinProcCheckWow+0x109 042ec95c 7591789a 0437bf20 00000000 042efb3c user32!DispatchMessageWorker+0x3cb 042ec96c 0f59a7ac 042ec9ac 02efe9b8 00614fe0 user32!DispatchMessageW+0xf 042efb3c 0f5d3158 042efc08 0f5d2dd0 0024afc8 ieframe!CTabWindow::_TabWindowThreadProc+0x464 042efbfc 7757ebec 02efe9b8 042efc20 0f621f00 ieframe!LCIETab_ThreadProc+0x3e7 042efc14 60c13a31 0024afc8 00000000 00000000 iertutil!CMemBlockRegistrar::_LoadProcs+0x67 042efc4c 75d8338a 005dc8c0 042efc98 77b99882 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x94 042efc58 77b99882 005dc8c0 7295cad2 00000000 kernel32!BaseThreadInitThunk+0xe 042efc98 77b99855 60c139a0 005dc8c0 00000000 ntdll!__RtlUserThreadStart+0x70 042efcb0 00000000 60c139a0 005dc8c0 00000000 ntdll!_RtlUserThreadStart+0x1b STACK_COMMAND: ~6s; .ecxr ; kb SYMBOL_STACK_INDEX: 0 SYMBOL_NAME: jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c FOLLOWUP_NAME: MachineOwner MODULE_NAME: jscript9 IMAGE_NAME: jscript9.dll DEBUG_FLR_IMAGE_TIMESTAMP: 566c54b7 FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_jscript9.dll!NativeCodeGenerator::IsNativeFunctionAddr BUCKET_ID: APPLICATION_FAULT_INVALID_POINTER_READ_jscript9!NativeCodeGenerator::IsNativeFunctionAddr+c ANALYSIS_SOURCE: UM FAILURE_ID_HASH_STRING: um:invalid_pointer_read_c0000005_jscript9.dll!nativecodegenerator::isnativefunctionaddr FAILURE_ID_HASH: {f79b47ef-ea32-0b27-5ba9-8a665e65198e} Followup: MachineOwner

I am completely unable to install exploits of my own or those downloaded from https://www.exploit-db.com in metasploit and went through the instructions set in this link:https://github.com/rapid7/metasploit-framework/wiki/Loading-External-Modules and all I get after i reload the modules in metasploit is "Failed to load module:........" I have entered in all of the correct file names and locations, and i just cannot think of anything else that could cure this solution. I have even tried copying the files to the parallel spot in the metasploit-framework file, I have tried everything I can possible think of. In short, the msfconsole will not recognize the new module path that I have created through the exploits folder in the .msf4 file, no matter what I try. I have tried reloading the modules, updating the msfconsole, etc. and whenever I tell the msfconsole to show me the new module path all I receive is an Invalid Parameter response and the number of exploits remains the same as if I had never created the new module path. Am I missing any steps to install exploits into metasploit??