Add module for EDB-35948, X360 Software actvx buffer overflow #4726
Conversation
return template, binding() | ||
end | ||
|
||
def strip_comments(input) |
Damn it, pls, gimme some mins. I did it because I was having some problems with JsObfu. I was going to file a bug, but I've discovered I was just using it incorrectly. Please, gimme some mins to use JsObfu here :)
thanks!
nvm, I can't find an easy (or not easy) way of obfuscating different JS files which are related to each other. And I'd like to keep the JS as is, because it's easier to read and reuse in the future than a super big JS file :\ If there is a way to do it with the current JSObfu I'd be glad to hear it, maybe I'm overlooking it!
What are you trying to do? Tracking variables?
Comments should be automatically stripped.
Already discussed with @wchen-r7, for the record: the thing is that the JS is split into several files. We need to reference classes and their methods from other files.
I can't really remember if this is one of those limitations @joevennix and I have discussed before with Jsobfu. Tagging him here so he can take a look, maybe. If so, I probably need to mention this in the wiki documentation.
Ohh I see, the obfuscated code is running correctly for you, but the obfuscation screws up your heap spray.
Yeah. jsobfu is not very gentle on memory allocation/consumption. Not sure what you can do here. Probably jsobfu needs some options to specify what types of obfuscation you want to use: that way you can turn off everything but variable renaming and whitespace-stripping.
@joevennix if you use the JS from this branch, but with JSObfu, I get:
SCRIPT5009: 'Exploit' is undefined
whGOvE, line 9 character 1
From <body onload="e = new Exploit(); e.run();">
If I use https://github.com/jvazquez-r7/metasploit-framework/tree/edb_35948_jsobfu_no_var (taking into account your recommendations), the JS loads okay, unfortunately the heap spray isn't reliable anymore in my tests :( and it can't get a reliable address where an array will live.
Now tracked as an issue in jsobfu: rapid7/jsobfu#8
With those features, you'd be able to set obfuscate_strings: false, and rewrite_globals: false.
It looks like we already support passing scope in as a constructor option, so you could have gotten away with persisting the same scope and just passing it into each JSObfu() constructor.
@joevennix oo you answered again before my last comment haha, yeah, that! Not a big deal, just something to work on :)
We have already filed a ticket #4728 with some enhancements for BES in case you would like to follow! :)
@joevennix ooo thanks for filing rapid7/jsobfu#8 !!
def rop_builder_template(cli, target_info) | ||
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'rop_builder.js') | ||
f = File.new(path, 'rb') | ||
template = strip_comments(f.read) |
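Review bot: `f = File.new(path, 'rb')` on the third line is never closed, so the handle stays open until the object is garbage collected. Use the block form, `File.open(path, 'rb') { |f| template = strip_comments(f.read) }`, which closes the handle when the block exits even if strip_comments raises, and guard it with `File.readable?(path)` so a missing data file produces a clear result rather than an exception from the open call.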
No block based?
@wchen-r7 is saying this is safer and maybe more canonical, I don't remember for sure:
def informer_template(cli, target_info)
  path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'informer.js')
  template = nil
  # and I would recommend this check
  if File.readable?(path)
    # File.open with a block closes the file handle automatically when the block exits
    # (File.new ignores a block, so it has to be File.open here)
    File.open(path, 'rb') { |f| template = strip_comments(f.read) }
    [template, binding]
  else
    # decide if you want to throw an error here, or return "" instead of nil if you want
    # if you're going to return nil anyways, you can pull the [template, binding] out & put it after the if
    ['', binding]
  end
end
I can make it block based, of course.
@kernelsmith yeah, it ensures resource deallocation.
Pretty good idea with your external files. I might do that too.
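The block-based loading discussed above, as an added example that is not code from this PR or from Metasploit: it shows why the block form matters, because `File.new` silently ignores a block in Ruby (the template stays nil and the handle is left open), while `File.open` with a block closes the handle on exit. The `strip_comments` helper here is a hypothetical stand-in (the module's own helper is not shown in the thread), the sample JS and the temp file are constructed for the demo, and `load_template`/`load_template_file_new`/`demo` are names chosen for this example.

```ruby
require 'tempfile'

# Hypothetical stand-in for the module's strip_comments (assumption: the real
# helper is not shown on the page). Removes // line comments and /* */ block
# comments while copying string literals verbatim, so a "http://..." inside a
# string survives.
def strip_comments(input)
  out = +''
  i = 0
  n = input.length
  while i < n
    c = input[i]
    if c == '"' || c == "'"
      # string literal: find the closing quote, honouring backslash escapes
      j = i + 1
      while j < n && input[j] != c
        j += 1 if input[j] == '\\'
        j += 1
      end
      out << input[i..j]
      i = j + 1
    elsif input[i, 2] == '//'
      i += 1 until i >= n || input[i] == "\n"   # drop to end of line, keep the newline
    elsif input[i, 2] == '/*'
      close = input.index('*/', i + 2)
      i = close ? close + 2 : n                  # unterminated block comment eats the rest
    else
      out << c
      i += 1
    end
  end
  out
end

# Block-based loader, the form suggested in the review: File.open yields the
# handle and closes it when the block exits, even if strip_comments raises.
# File.readable? turns a missing data file into a nil return instead of an
# exception from the open call.
def load_template(path)
  return nil unless File.readable?(path)
  template = nil
  File.open(path, 'rb') { |f| template = strip_comments(f.read) }
  template
end

# The pattern quoted in the thread: File.new with a block. Ruby ignores the
# block (and warns), so the assignment never runs and the handle stays open.
# Returns [template, handle] so both effects can be checked.
def load_template_file_new(path)
  template = nil
  f = File.new(path, 'rb') { |h| template = strip_comments(h.read) }
  [template, f]
end

# Constructed sample, not the module's informer.js.
SAMPLE_JS = <<~JS
  // constructed sample, not the module's informer.js
  var Informer = function () {}; /* placeholder class */
  Informer.prototype.run = function () {
    var url = "http://example.invalid/"; // the // inside the string must survive
  };
JS

# Writes the sample to a temp file and exercises both loaders plus the
# missing-file path.
def demo
  tf = Tempfile.new(['informer', '.js'])
  tf.write(SAMPLE_JS)
  tf.close
  good = load_template(tf.path)
  bad, handle = load_template_file_new(tf.path)
  leaked = !handle.closed?
  handle.close
  {
    good: good,                                        # comment-free JS
    bad: bad,                                          # nil: the block never ran
    leaked: leaked,                                    # true: handle was left open
    missing: load_template('/nonexistent/informer.js') # nil: not readable
  }
ensure
  tf&.unlink
end

if __FILE__ == $PROGRAM_NAME
  r = demo
  puts r[:good]
  puts "File.new block form: template=#{r[:bad].inspect}, leaked handle=#{r[:leaked]}"
end
```

Running the file prints the comment-stripped JS followed by `template=nil, leaked handle=true` for the `File.new` variant, which is exactly the silent failure the block-based `File.open` form avoids.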
super(update_info(info, | ||
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow", | ||
'Description' => %q{ | ||
This module exploits a based buffer overflow in the VideoPlayer.ocx ActiveX installed |
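Review bot: the Description on the last line of this hunk reads "exploits a based buffer overflow"; a word is missing before "based". The PR description calls it a .data buffer overflow, so naming the buffer's location there (for example "a .data-based buffer overflow") would make the sentence complete.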
You're missing a word here.
This PR is waiting for rapid7/jsobfu#9 to add obfuscation. Otherwise, it can be landed without obfuscation and I can do a new PR once rapid7/jsobfu#9 is landed and the new gem is published.
I don't really believe the obfuscation PRs are blockers for this one, so I'm just gonna go ahead and process this.
Full bug history here: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/
The exploit is kinda nice because it bypasses ASLR/DEP from a .data buffer overflow. So, it's a nice case study, and it's worth having in the framework I think!
Verification
DEMO