search

rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/
Other
34.14k stars 13.97k forks source link

metasploit module mswin_tiff_overflow.rb crashes, partial bugfix included #3706

Closed egyjuzer closed 10 years ago

egyjuzer commented 10 years ago

Tried to reproduce (http://www.rapid7.com/db/modules/exploit/windows/fileformat/mswin_tiff_overflow) on a Windows XP SP3, with Office 2010 Professional. The guide says the exploit works on Office 2010 Standard SP1.

Another user discovered the same issue with the module: (http://www.crowdstrike.com/blog/analysis-cve-2013-3906-exploit/).

I have found a semi-solution to the problem, that at least allowed the rop-chain to reach and successfully execute VirtualProtect.

Here is the fix:

block << [ 0x77c34fbf, 0x200f0704 ].pack("V") # pop esp # ret # from msvcrt

change to:

block << [ 0x77c34fbf ].pack("V") # pop esp # ret # from msvcrt
block << [ 0x200f0704 ].pack("V")
hdm commented 10 years ago

How stable is "msvcrt" going to be? New application installs can upgrade this, even across the same OS/SP combination, let alone language pack.

wvu commented 10 years ago

Hi. From irb:

1.9.3-p547 :001 > [ 0x77c34fbf, 0x200f0704 ].pack("V")
 => "\xBFO\xC3w"
1.9.3-p547 :002 > "" << [ 0x77c34fbf ].pack("V")
 => "\xBFO\xC3w"
1.9.3-p547 :003 > _ << [ 0x200f0704 ].pack("V")
 => "\xBFO\xC3w\x04\a\x0F "
1.9.3-p547 :004 > [ 0x77c34fbf, 0x200f0704 ].pack("VV")
 => "\xBFO\xC3w\x04\a\x0F "
1.9.3-p547 :005 > [ 0x77c34fbf, 0x200f0704 ].pack("V*")
 => "\xBFO\xC3w\x04\a\x0F "
1.9.3-p547 :006 >

So, it looks like the pack should be either VV or V*. Thanks.

egyjuzer commented 10 years ago

the problem as i saw saw not with msvcrt, but the source code itself. i'm mainly a asm/c developer, so beyond python i don't know any other widely used scripting language in detail, but i noticed that the way it was originally, the actual generated file did not contain the stack address 0x200f0704. i dont know ruby that well but it was as if the " , 0x200f0704 ] " part was ignored

so it was like:

[generated junk] [generated junk] [generated junk] [generated junk] [0x77c34fbf]# pop esp # ret # from msvcrt [generated junk] [generated junk] [generated junk] [generated junk]

instead of

[generated junk] [generated junk] [generated junk] [generated junk] [0x77c34fbf]# pop esp # ret # from msvcrt [0x200f0704] [generated junk] [generated junk] [generated junk]

you may be right, but what bothers me is that this particular installation was a freshly installed xp, sp3, with absolutely no updates, i think it was installed from an few yeard old cd.

i just wanted to share this information because i thought that it could help others to know where to look if any problem arises when trying to run the exploit

On Tue, Aug 26, 2014 at 6:59 PM, HD Moore notifications@github.com wrote:

How stable is "msvcrt" going to be? New application installs can upgrade this, even across the same OS/SP combination, let alone language pack.

— Reply to this email directly or view it on GitHub https://github.com/rapid7/metasploit-framework/issues/3706#issuecomment-53444539 .

wvu commented 10 years ago

@egyjuzer, @hmoore-r7: Fix is up at #3710. Closing this. We can resume discussion there.